diff --git a/CMakeLists.txt b/CMakeLists.txt index e198f7cc..41834993 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,12 @@ -cmake_minimum_required (VERSION 3.0) +if(MSVC) + cmake_minimum_required (VERSION 3.16.4) + cmake_policy(SET CMP0091 NEW) +else() + cmake_minimum_required (VERSION 3.0) +endif() + +project (LibreSSL C ASM) + include(CheckFunctionExists) include(CheckSymbolExists) include(CheckLibraryExists) @@ -9,8 +17,6 @@ set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH}) include(cmake_export_symbol) include(GNUInstallDirs) -project (LibreSSL C ASM) - enable_testing() file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION) @@ -36,6 +42,11 @@ option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some plat option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF) set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE) +option(USE_STATIC_MSVC_RUNTIMES "Use /MT instead of /MD in MSVC" OFF) +if(USE_STATIC_MSVC_RUNTIMES) + set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Debug>") +endif() + if(NOT LIBRESSL_SKIP_INSTALL) set( ENABLE_LIBRESSL_INSTALL ON ) endif(NOT LIBRESSL_SKIP_INSTALL) @@ -108,7 +119,7 @@ if(WIN32) add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS) add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600) add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT) - set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32) + set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32 bcrypt) endif() if(MSVC) @@ -289,7 +300,7 @@ if(ENABLE_ASM) endif() elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") set(HOST_ASM_MACOSX_X86_64 true) - elseif(MSVC AND "${CMAKE_GENERATOR}" MATCHES "Win64") + elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64")) set(HOST_ASM_MASM_X86_64 true) ENABLE_LANGUAGE(ASM_MASM) elseif(CMAKE_SYSTEM_NAME MATCHES "MINGW" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") @@ -357,6 +368,17 @@ if(NOT MSVC) DESTINATION ${CMAKE_INSTALL_LIBDIR}) endif() +if(NOT "${OPENSSLDIR}" STREQUAL "") + set(CONF_DIR "${OPENSSLDIR}") +else() + set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl") +endif() + +if(ENABLE_LIBRESSL_INSTALL) + install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR}) + install(DIRECTORY DESTINATION ${CONF_DIR}/certs) +endif(ENABLE_LIBRESSL_INSTALL) + if(NOT TARGET uninstall) configure_file( "${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in" diff --git a/ChangeLog b/ChangeLog index 3062fc48..57225d48 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,782 @@ history is also available from Git. LibreSSL Portable Release Notes: +3.3.3 - Stable release + + * This is the first stable release from the 3.3.x series. + There are no changes from 3.3.2. + +3.3.2 - Development release + + * This release adds support for DTLSv1.2 and continues the rewrite + of the record layer for the legacy stack. Numerous bugs and + interoperability issues were fixed in the new verifier. A few bugs + and incompatibilities remain, so this release uses the old verifier + by default. The OpenSSL 1.1 TLSv1.3 API is not yet available. + + * Switch finish{,_peer}_md_len from an int to a size_t. + + * Make SSL_get{,_peer}_finished() work when used with TLSv1.3. + + * Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size + for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2 + was a historical artefact. + + * Correct the return value type from ERR_peek_error() to a long. + + * Avoid use of uninitialized in ASN1_time_parse() which could happen + on parsing UTCTime if the caller did not initialise the passed + struct tm. + + * Destroy the mutex in a tls_config object on tls_config_free(). + + * Free alert_data and phh_data in tls13_record_layer_free() + these could leak if SSL_shutdown() or tls_close() were called + after closing the underlying socket(). + + * Free struct members in tls13_record_layer_free() in their natural + order for reviewability. + + * Gracefully handle root certificates being both trusted and + untrusted. + + * Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new + verifier. + + * Use the legacy verifier when building auto chains for TLS. + + * Use consistent names in tls13_{client,server}_finished_{recv,send}(). + + * Add tls13_secret_{init,cleanup}() and use them throughout the + TLSv1.3 code base. + + * Move the read MAC key into the TLSv1.2 record layer. + + * Make tls12_record_layer_free() NULL safe. + + * Search the intermediates only after searching the root certs in the + new verifier to avoid problems with the legacy callback. + + * Bail out early after finding a single chain in the new verifier, if + we have been called via the legacy verifier API. + + * Set (invalid and likely incomplete) chain on the xsc on chain build + failure prior to calling the callback. This is required by various + callers, including auto chain. + + * Align SSL_get_shared_ciphers() with OpenSSL. This takes into account + that it never returned server ciphers, so now it will fail when + called from the client side. + + * Add support for SSL_get_shared_ciphers() with TLSv1.3. + + * Split the record protection from the TLSv1.2 record layer. + + * Clean up sequence number handling in the new TLSv1.2 record layer. + + * Clean up sequence number handling in DTLS. + + * Clean up dtls1_reset_seq_numbers(). + + * Factor out code for explicit IV length, block size and MAC length + from tls12_record_layer_open_record_protected_cipher(). + + * Provide record layer overhead for DTLS. + + * Provide functions to determine if TLSv1.2 record protection is + engaged. + + * Add code to handle change of cipher state in the new TLSv1.2 record + layer. + + * Mop up now unused dtls1_build_sequence_numbers() function. + + * Allow setting a keypair on a tls context without specifying the + private key, and fake it internally in libtls. This removes the + need for privsep engines like relayd to use bogus keys. + + * Skip the private key check for fake private keys. + + * Move the private key setup from tls_configure_ssl_keypair() to a + helper function with proper error checking. + + * Change the internal tls_configure_ssl_keypair() function to + return -1 instead of 1 on failure. + + * Move sequence numbers into the new TLSv1.2 record layer. + + * Move AEAD handling into the new TLSv1.2 record layer. + + * Remove direct assignment of aead_ctx to avoid a leak. + + * Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360, + draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds. + + * Fail early in legacy exporter if the master secret is not available + to avoid a segfault if it is called when the handshake is not + completed. + + * Factor out legacy stack version checks. + + * Correct handshake MAC/PRF for various TLSv1.2 cipher suites which + were originally added with the default handshake MAC and PRF rather + than the SHA256 handshake MAC and PRF. + + * Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md(). + + * Use dtls1_record_retrieve_buffered_record() to load buffered + application data. + + * Enforce read ahead with DTLS. + + * Remove bogus DTLS checks that disabled ECC and OCSP. + + * Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA". + + * Only print the certificate file once on verification failure. + + * Pull in fix for EVP_CipherUpdate() overflow from OpenSSL. + + * Clean up and simplify dtls1_get_cipher(). + + * Group HelloVerifyRequest decoding and add missing check for trailing + data. + + * Revise HelloVerifyRequest handling for DTLSv1.2. + + * Handle DTLS1_2_VERSION in various places. + + * Add DTLSv1.2 methods. + + * Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of + zero if the minimum or maximum has been set to zero to match + OpenSSL's behavior. + + * Rename the "truncated" label into "decode_err" and the "f_err" + label into "fatal_err". + + * Factor out and change some of the legacy client version code. + + * Simplify version checks in the TLSv1.3 client. Ensure that the + server announced TLSv1.3 and nothing higher and check that the + legacy_version is set to TLSv1.2 as required by RFC 8446. + + * Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that + the new validator checks for EXFLAG_CRITICAL in + x509_vfy_check_chain_extension() for all untrusted certs in the + chain. Take into account that the root is not necessarily trusted. + + * Avoid passing last and depth to x509_verify_cert_error() on ENOMEM. + + * Rename depth to num_untrusted. + + * Only use TLS versions internally rather than both TLS and DTLS + versions since the latter are the one's complement of the human + readable version numbers, which means that newer versions decrease + in value. + + * Fix two bugs in the legacy verifier that resulted from refactoring + of X509_verify_cert() for the new verifier: a return value was + incorrectly treated as boolean, making it insufficient to decide + whether validation should carry on or not. + + * Identify DTLS based on the version major value. + + * Move handling of cipher/hash based cipher suites into the new record + layer. + + * Add tls12_record_protection_unused() and call it from CCS functions. + + * Move key/IV length checks closer to usage sites. Also add explicit + checks against EVP_CIPHER_{iv,key}_length(). + + * Replace two handrolled tls12_record_protection_engaged(). + + * Improve internal version handling: add handshake fields for our + minimum version, our maximum version and the TLS version negotiated + during the handshake. Convert most of the internal code to use these + version fields. + + * Guard against future internal use of TLS1_get_{client,}_version() + macros. + + * Remove the internal ssl_downgrade_max_version() function which is no + longer needed. + + * Fix checks for memory caps of constraints names. There are internal + caps on the number of name constraints and other names, that the new + name constraints code allocates per cert chain. These limits were + checked too late, making them only partially effective. + + * Use EXFLAG_INVALID to handle out of memory and parse errors in + x509v3_cache_extensions(). + + * Add support for DTLSv1.2 version handling. + + * Enable DTLSv1.2 support. + + * Add DTLSv1.2 support to openssl s_client/s_server. + + * Remove no longer needed read ahead workarounds in the s_client and + s_server. + + * Fix a copy-paste error - skid was confused with an akid when + checking for EXFLAG_INVALID. This broke OCSP validation with + certain mirrors. + + * Make supported protocols and options for DHE params more prominent + in tls_config_set_protocols.3. + + * Avoid a use-after-scope in tls13_cert_add(). + + * Split TLSv1.3 record protection from record layer. + + * Move the TLSv1.3 handshake struct inside the shared handshake + struct. + + * Fully initialize rrec in tls12_record_layer_open_record_protected() + to avoid confusing some static analyzers. + + * Use tls_set_errorx() on OCSP_basic_verify() failure since the latter + does not set errno. + + * Convert openssl(1) x509 to new option handling and do the usual + clean up that goes along with it. + + * Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data. + + * Rename new_cipher to cipher to align naming with keyblock or other + parts of the handshake data. + + * Avoid mangled output in BIO_debug_callback(). + + * Fix client initiated renegotiation by replacing use of s->internal-type + with s->server. + + * Move the TLSv1.2 record number increment into the new record layer. + + * Move finished and peer finished into the handshake struct. + + * Avoid transcript initialization when sending a TLS HelloRequest, + fixing server initiated renegotiation. + + * Remove pointless assignment in SSL_get0_alpn_selected(). + + * Provide EVP_PKEY_new_CMAC_KEY(3). + + * Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h. + + * Add DTLSv1.2 to openssl(1) s_server and s_client protocol message + logging. + + * Avoid leaking param->name in x509_verify_param_zero(). + + * Avoid a leak in an error path in openssl(1) x509. + + * Add some error checking to openssl(1) x509. + + * When sending an alert in TLSv1.3, only set its error code when no + other error was set previously. Certain clients rely on specific + SSL_R_ error codes to identify that they are dealing with a self + signed cert. + + * Switch to the legacy verifier for the stable release. + + * Provide SSL_use_certificate_chain_file(3). + + * Provide SSL_set_hostflags(3) and SSL_get0_peername(3). + + * Provide various DTLSv1.2 specific functions and defines. + + * Document meaning of '*' in the genrsa output. + + * Updated documentation for SSL_get_shared_ciphers(3). + + * Add documentation for SSL_get_finished(3). + + * Document EVP_PKEY_new_CMAC_key(3) + + * Document SSL_use_certificate_chain_file(3). + + * Document SSL_set_hostflags(3) and SSL_get0_peername(3). + + * Update SSL_get_version.3 manual for DTLSv.1.2 support. + + * Added '--enable-libtls-only' build option, which builds and installs a + statically-linked libtls, skipping libcrypto and libssl. This is useful + for systems that ship with OpenSSL but wish to also package libtls. + +3.3.1 - Security fix + + * Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference. + + Bug fixes + + * Move point-on-curve check to set_affine_coordinates to avoid + verifying ECDSA signatures with unchecked public keys. + + * Fix SSL_is_server() to behave as documented by re-introducing the + client-specific methods. + + * Avoid undefined behavior due to memcpy(NULL, NULL, 0). + + * Mark a few more internal static tables const. + +3.3.0 - Development release + + * Make openssl(1) s_server ignore -4 and -6 for compatibility with + OpenSSL. + + * Further cleanup of the DTLS record handling. + + * Continue the replacement of the TLSv1.2 record layer by + reimplementing the read side of the TLSv1.2 record handling. + + * Replace DTLSv1_enc_data() with TLSv1_1_enc_data(). + + * Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c. + + * When switching from the TLSv1.3 stack to the legacy stack include + a TLS record header. This is necessary if there is more than one + handshake message in the TLS plaintext record. + + * Set SO_REUSEADDR on the server socket in the openssl(1) ocsp + command. + + * Fix resource handling on error in OCSP_request_add0_id(). + + * Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into + .data.rel.ro and .rodata, respectively. + + * Add a const qualifier to srtp_known_profiles. + + * Simplify TLS method by removing the client and server specific + methods internally. + + * Avoid casting away const in ssl_ctx_make_profiles(). + + * Make sure there is enough room for stashing the handshake message + when switching to the legacy TLS stack. + + * Avoid explicitly conditioning an assert on DTLS1_VERSION to make + the assert work for newer DTLS versions. + + * Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL. + + * Send a host header with OCSP queries to make openssl(1) ocsp + work with some widely used OCSP responders. + + * Fix a memory leak in the openssl(1) s_client. + + * Add a flag to mark DTLS methods as DTLS to have an easy way to + recognize DTLS methods that avoids inspecting the version number. + + * Implement SSL_is_dtls() and use it internally in place of the + SSL_IS_DTLS macro. + + * Unbreak DTLS retransmissions for flights that include a CCS. + + * Add ability to ocspcheck(8) to parse a port in the specified + OCSP URL. + + * Refactor and clean up ocspcheck(8) and add regression tests. + + * If x509_verify() fails, ensure that the error is set on both + the x509_verify_ctx() and its store context to make some failures + visible from SSL_get_verify_result(). + + * Use the X509_STORE_CTX get_issuer() callback from the new X.509 + verifier to fix hashed certificate directories. + + * Only check BIO_should_read() on read and BIO_should_write() on + write. Previously, BIO_should_write() was also checked after read + and BIO_should_read() after write which could cause stalls in + software that uses the same BIO for read and write. + + * In openssl(1) verify, also check for error on the store context + since the return value of X509_verify_cert() is unreliable in + presence of a callback that returns 1 too often. + + * Update getentropy on Windows to use Cryptography Next Generation + (CNG). wincrypt is deprecated and no longer works with newer Windows + environments, such as in Windows Store apps. + + * Implement auto chain for the TLSv1.3 server since some software + relies on this. + + * Handle additional certificate error cases in the new X.509 verifier. + Keep track of the errors encountered if a verify callback tells the + verifier to continue and report them back via the error on the store + context. This mimics the behavior of the old verifier that would + persist the first error encountered while building the chain. + + * Report specific failures for "self signed certificates" in a way + compatible with the old verifier since software relies on the + error code. + + * Implement key exporter for TLSv1.3. + + * Plug a large memory leak in the new verifier caused by calling + X509_policy_check() repeatedly. + + * Avoid leaking memory in x509_verify_chain_dup(). + + * Various documentation improvements, particularly around TLS methods. + +3.2.3 - Security fix + + * Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference. + +3.2.2 - Stable release + + * This is the first stable release with the new TLSv1.3 + implementation enabled by default for both client and server. The + OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided + in an upcoming release. + + * New X509 certificate chain validator that correctly handles + multiple paths through intermediate certificates. Loosely based on + Go's X509 validator. + + * New name constraints verification implementation which passes the + bettertls.com certificate validation check suite. + + * Improve the handling of BIO_read()/BIO_write() failures in the + TLSv1.3 stack. + + * Start replacing the existing TLSv1.2 record layer. + + * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. + + * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. + + * Send alert on ssl_get_prev_session() failure. + + * Zero out variable on the stack to avoid leaving garbage in the tail + of short session IDs. + + * Move state initialization from SSL_clear() to ssl3_clear() to ensure + that it gets correctly reinitialized across a SSL_set_ssl_method() + call. + + * Avoid an out-of-bounds write in BN_rand(). + + * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up + the code in ui_lib.c. + + * Correctly track selected ALPN length to avoid a potential segmentation + fault with SSL_get0_alpn_selected() when alpn_selected is NULL. + + * Include machine/endian.h gost2814789.c in order to pick up the + __STRICT_ALIGNMENT define. + + * Simplify SSL method lookups. + + * Clean up and simplify SSL_get_ciphers(), SSL_set_session(), + SSL_set_ssl_method() and several internal functions. + + * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). + + * Refactor dtls1_new(), dtls1_hm_fragment_new(), + dtls1_drain_fragments(), dtls1_clear_queues(). + + * Copy the session ID directly in ssl_get_prev_session() instead of + handing it through several functions for copying. + + * Clean up and refactor ssl_get_prev_session(); simplify + tls_decrypt_ticket() and tls1_process_ticket() exit paths. + + * Avoid memset() before memcpy() in CBS_add_bytes(). + + * Rewrite X509_INFO_{new,free}() more idiomatically. + + * Remove unnecessary zeroing after recallocarray() in + ASN1_BIT_STRING_set_bit(). + + * Convert openssl(1) ocsp new option handling. + + * Document SSL_set1_host(3), SSL_set_SSL_CTX(3). + + * Document return value from EC_KEY_get0_public_key(3). + + * Greatly expanded test coverage via the tlsfuzzer test scripts. + + * Expanded test coverage via the bettertls certificate test suite. + + * Test interoperability with the Botan TLS client. + + * Make pthread_mutex static initialisation work on Windows. + + * Get __STRICT_ALIGNMENT from machine/endian.h with portable build. + +3.2.1 - Development release + + * Propagate alerts from the read half of the TLSv1.3 record layer to I/O + functions. + + * Send a record overflow alert for TLSv1.3 messages having overlong + plaintext or inner plaintext. + + * Send an illegal parameter alert if a client sends an invalid DH key + share. + + * Document PKCS7_final(3), PKCS7_add_attribute(3). + + * Collapse x509v3 directory into x509. + + * Improve TLSv1.3 client certificate selection to allow EC certificates + instead of only RSA certificates. + + * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead + of constructing a broken objects that may cause NULL pointer accesses. + + * Add support for additional GOST curves from RFC 7836 and + draft-deremin-rfc4491-bis. + + * Add OIDs for HMAC using the Streebog hash function. + + * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. + + * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures. + + * Handle GOST in ssl_cert_dup(). + + * Stop sending GOST R 34.10-94 as a CertificateType. + + * Use IANA allocated GOST ClientCertificateTypes. + + * Add a custom copy handler for AES keywrap to fix a use-after-free. + + * Enforce in the TLSv1.3 server that that ClientHello messages after + a HelloRetryRequest match the original ClientHello as per RFC 8446 + section 4.1.2 + + * Document more PKCS7 attribute functions. + + * Document PKCS7_get_signer_info(3). + + * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3). + + * Document PEM_def_callback(3). + + * Document EVP_read_pw_string_min(3). + + * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1. + + * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3) + + * Document X509_get0_pubkey_bitstr(3). + + * Fix an off-by-one in the CBC padding removal. From BoringSSL. + + * Enforce restrictions on extensions present in the ClientHello as per + RFC 8446, section 9.2. + + * Add new CMAC_Init(3) and ChaCha(3) manual pages. + + * Fix SSL_shutdown behavior to match the legacy stack. The previous + behavior could cause a hang. + + * Add initial support for openbsd/powerpc64. + + * Make the message type available in the internal TLS extensions API + functions. + + * Enable TLSv1.3 for the generic TLS_method(). + + * Convert openssl(1) s_client option handling. + + * Document openssl(1) certhash. + + * Convert openssl(1) verify option handling. + + * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause + use-after-free and double-free issues in calling programs. + + * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3). + + * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session. + + * Convert openssl(1) s_server option handling. + + * Add minimal info callback support for TLSv1.3. + + * Refactor, clean up and simplify some SSL3/DTLS1 record writing code. + + * Correctly handle server requests for an OCSP response. + + * Add the P-521 curve to the list of curves supported by default + in the client. + + * Convert openssl(1) req option handling. + + * Avoid calling freezero with a negative size if a server sends a + malformed plaintext of all zeroes. + + * Send an unexpected message alert if no valid content type is found + in a TLSv1.3 record. + +3.2.0 - Development release + + * Enable TLS 1.3 server side in addition to client by default. + With this change TLS 1.3 is handled entirely on the new stack + and state machine, with fallback to the legacy stack and + state machine for older versions. Note that the OpenSSL TLS 1.3 + API is not yet visible/available. + + * Improve length checks in the TLS 1.3 record layer and provide + appropriate alerts for violations of record layer limits. + + * Enforce that SNI hostnames received by the TLS server are correctly + formed as per RFC 5890 and RFC 6066, responding with illegal parameter + for a nonconformant host name. + + * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic + retry of handshake messages. + + * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default + similar to new OpenSSL releases. + + * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in + various commands. + + * Add tlsfuzzer based regression tests. + + * Support sending certificate status requests from the TLS 1.3 + client to request OCSP staples for leaf certificates. + + * Support sending certificate status replies from the TLS 1.3 server + in order to send OCSP staples for leaf certificates. + + * Send correct alerts when handling failed key share extensions + on the TLS 1.3 server. + + * Various compatibility fixes for TLS 1.3 to 1.2 fallback for + switching from the new to legacy stacks. + + * Support TLS 1.3 options in the openssl(1) command. + + * Many alert cleanups in TLS 1.3 to provide expected alerts in failure + conditions. + + * Modify "openssl x509" to display invalid certificate times as + invalid, and correctly deal with the failing return case from + X509_cmp_time so that a certificate with an invalid NotAfter does + not appear valid. + + * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox + compatibility. + + * Ensure only PSS signatures are used with RSA in TLS 1.3. + + * Ensure that TLS 1.3 clients advertise exactly the "null" compression + method in its legacy_compression_methods. + + * Correct use of sockaddr_storage instead of sockaddr in openssl(1) + s_client, which could lead to using 14 bytes of stack garbage instead + of an IPv6 address in DTLS mode. + + * Use non-expired certificates first when building a certificate chain. + +3.1.5 - Security fix + + * Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference. + +3.1.4 - Interoperability and bug fixes for the TLSv1.3 client: + + * Improve client certificate selection to allow EC certificates + instead of only RSA certificates. + + * Do not error out if a TLSv1.3 server requests an OCSP response as + part of a certificate request. + + * Fix SSL_shutdown behavior to match the legacy stack. The previous + behaviour could cause a hang. + + * Fix a memory leak and add a missing error check in the handling of + the key update message. + + * Fix a memory leak in tls13_record_layer_set_traffic_key. + + * Avoid calling freezero with a negative size if a server sends a + malformed plaintext of all zeroes. + + * Ensure that only PSS may be used with RSA in TLSv1.3 in order + to avoid using PKCS1-based signatures. + + * Add the P-521 curve to the list of curves supported by default + in the client. + +3.1.3 - Bug fix + + * libcrypto may fail to build a valid certificate chain due to + expired untrusted issuer certificates. + +3.1.2 - Bug fix + + * A TLS client with peer verification disabled may crash when + contacting a server that sends an empty certificate list. + +3.1.1 - Stable release + + * Improved cipher suite handling to automatically include TLSv1.3 + cipher suites when they are not explicitly referred to in the + cipher string. + + * Improved handling of TLSv1.3 HelloRetryRequests, simplifying + state transitions and ensuring that the legacy session identifer + retains the same value across the handshake. + + * Provided TLSv1.3 cipher suite aliases to match the names used + in RFC 8446. + + * Improved TLSv1.3 client key share handling to allow the use of + any groups in our configured NID list. + + * Fixed printing the serialNumber with X509_print_ex() fall back to + the colon separated hex bytes in case greater than int value. + + * Fix to disallow setting the AES-GCM IV length to zero. + + * Added -groups option to openssl(1) s_server subcommand. + + * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug. + + * Improved portable builds to support the use of static MSVC runtimes. + + * Fixed portable builds to avoid exporting a sleep() symbol. + +3.1.0 - Development release + + * Completed initial TLS 1.3 implementation with a completely new state + machine and record layer. TLS 1.3 is now enabled by default for the + client side, with the server side to be enabled in a future release. + Note that the OpenSSL TLS 1.3 API is not yet visible/available. + + * Many more code cleanups, fixes, and improvements to memory handling + and protocol parsing. + + * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1. + + * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL + 1.1.1 and enabled by default. + + * Improved compatibility by backporting functionality and documentation + from OpenSSL 1.1.1. + + * Added many new additional crypto test vectors. + + * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics. + + * Default CA bundle location is now configurable in portable builds. + + * Added cms subcommand to openssl(1). + + * Added -addext option to openssl(1) req subcommand. + 3.0.2 - Stable release * Use a valid curve when constructing an EC_KEY that looks like X25519. diff --git a/FindLibreSSL.cmake b/FindLibreSSL.cmake index d87b96eb..6bdc069d 100644 --- a/FindLibreSSL.cmake +++ b/FindLibreSSL.cmake @@ -66,6 +66,8 @@ Set LIBRESSL_ROOT_DIR to the root directory of an LibreSSL installation. ]=======================================================================] +INCLUDE(FindPackageHandleStandardArgs) + # Set Hints set(_LIBRESSL_ROOT_HINTS ${LIBRESSL_ROOT_DIR} diff --git a/Makefile.am b/Makefile.am index 1cf0fc66..ed59df0b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,11 +1,45 @@ -SUBDIRS = crypto ssl tls include apps tests man +SUBDIRS = crypto ssl tls include apps man +if ENABLE_TESTS +SUBDIRS += tests +endif ACLOCAL_AMFLAGS = -I m4 pkgconfigdir = $(libdir)/pkgconfig -pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc +pkgconfig_DATA = libtls.pc +if !ENABLE_LIBTLS_ONLY +pkgconfig_DATA += libcrypto.pc libssl.pc openssl.pc +endif EXTRA_DIST = README.md README.windows VERSION config scripts EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake +EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf .PHONY: install_sw install_sw: install + +install-exec-hook: + @if [ "@OPENSSLDIR@x" != "x" ]; then \ + OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ + else \ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ + mkdir -p "$$OPENSSLDIR/certs"; \ + for i in cert.pem openssl.cnf x509v3.cnf; do \ + if [ ! -f "$$OPENSSLDIR/$i" ]; then \ + $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ + else \ + echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \ + fi \ + done + +uninstall-local: + @if [ "@OPENSSLDIR@x" != "x" ]; then \ + OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ + else \ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ + for i in cert.pem openssl.cnf x509v3.cnf; do \ + if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ + rm -f "$$OPENSSLDIR/$$i"; \ + fi \ + done diff --git a/Makefile.in b/Makefile.in index 79b36991..16ff0409 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -88,9 +88,13 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@ENABLE_TESTS_TRUE@am__append_1 = tests +@ENABLE_LIBTLS_ONLY_FALSE@am__append_2 = libcrypto.pc libssl.pc openssl.pc subdir = . ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -190,7 +194,7 @@ am__define_uniq_tagged_files = \ ETAGS = etags CTAGS = ctags CSCOPE = cscope -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = crypto ssl tls include apps man tests am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libcrypto.pc.in \ $(srcdir)/libssl.pc.in $(srcdir)/libtls.pc.in \ $(srcdir)/openssl.pc.in COPYING ChangeLog INSTALL compile \ @@ -234,6 +238,8 @@ am__relativize = \ DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -353,6 +359,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -361,13 +368,14 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -SUBDIRS = crypto ssl tls include apps tests man +SUBDIRS = crypto ssl tls include apps man $(am__append_1) ACLOCAL_AMFLAGS = -I m4 pkgconfigdir = $(libdir)/pkgconfig -pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc +pkgconfig_DATA = libtls.pc $(am__append_2) EXTRA_DIST = README.md README.windows VERSION config scripts \ CMakeLists.txt cmake_export_symbol.cmake \ - cmake_uninstall.cmake.in FindLibreSSL.cmake + cmake_uninstall.cmake.in FindLibreSSL.cmake cert.pem \ + openssl.cnf x509v3.cnf all: all-recursive .SUFFIXES: @@ -632,6 +640,10 @@ dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) +dist-zstd: distdir + tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst + $(am__post_remove_distdir) + dist-tarZ: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @@ -674,6 +686,8 @@ distcheck: dist eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ + *.tar.zst*) \ + zstd -dc $(distdir).tar.zst | $(am__untar) ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) @@ -689,7 +703,7 @@ distcheck: dist $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ @@ -807,7 +821,8 @@ install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: - + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-exec-hook install-html: install-html-recursive install-html-am: @@ -846,26 +861,28 @@ ps: ps-recursive ps-am: -uninstall-am: uninstall-pkgconfigDATA +uninstall-am: uninstall-local uninstall-pkgconfigDATA -.MAKE: $(am__recursive_targets) install-am install-strip +.MAKE: $(am__recursive_targets) install-am install-exec-am \ + install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ am--refresh check check-am clean clean-cscope clean-generic \ clean-libtool cscope cscopelist-am ctags ctags-am dist \ dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ - dist-xz dist-zip distcheck distclean distclean-generic \ - distclean-libtool distclean-tags distcleancheck distdir \ - distuninstallcheck dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-pkgconfigDATA install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pkgconfigDATA + dist-xz dist-zip dist-zstd distcheck distclean \ + distclean-generic distclean-libtool distclean-tags \ + distcleancheck distdir distuninstallcheck dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-exec-hook install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pkgconfigDATA install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ + ps ps-am tags tags-am uninstall uninstall-am uninstall-local \ + uninstall-pkgconfigDATA .PRECIOUS: Makefile @@ -873,6 +890,33 @@ uninstall-am: uninstall-pkgconfigDATA .PHONY: install_sw install_sw: install +install-exec-hook: + @if [ "@OPENSSLDIR@x" != "x" ]; then \ + OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ + else \ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ + mkdir -p "$$OPENSSLDIR/certs"; \ + for i in cert.pem openssl.cnf x509v3.cnf; do \ + if [ ! -f "$$OPENSSLDIR/$i" ]; then \ + $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ + else \ + echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \ + fi \ + done + +uninstall-local: + @if [ "@OPENSSLDIR@x" != "x" ]; then \ + OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ + else \ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ + for i in cert.pem openssl.cnf x509v3.cnf; do \ + if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ + rm -f "$$OPENSSLDIR/$$i"; \ + fi \ + done + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/README.md b/README.md index 2b45fc0d..f2f5ab0a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ![LibreSSL image](https://www.libressl.org/images/libressl.jpg) ## Official portable version of [LibreSSL](https://www.libressl.org) ## -[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) +[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl) LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the [OpenBSD](https://www.openbsd.org) project. Our goal is to modernize the codebase, @@ -26,7 +26,7 @@ the LibreSSL portable project attempts to provide working alternatives for other operating systems, and assists with improving OS-native implementations where possible. -At the time of this writing, LibreSSL is know to build and work on: +At the time of this writing, LibreSSL is known to build and work on: * Linux (kernel 3.17 or later recommended) * FreeBSD (tested with 9.2 and later) @@ -37,9 +37,9 @@ At the time of this writing, LibreSSL is know to build and work on: * AIX (5.3 and later) LibreSSL also supports the following Windows environments: -* Microsoft Windows (Vista or higher, x86 and x64) +* Microsoft Windows (Windows 7 / Windows Server 2008r2 or later, x86 and x64) * Wine (32-bit and 64-bit) -* Builds with Mingw-w64, Cygwin, and Visual Studio +* Mingw-w64, Cygwin, and Visual Studio Official release tarballs are available at your friendly neighborhood OpenBSD mirror in directory @@ -134,7 +134,7 @@ directory and run: cmake -G"Visual Studio 12 2013" .. ``` -Replace "Visual Studion 12 2013" with whatever version of Visual Studio you +Replace "Visual Studio 12 2013" with whatever version of Visual Studio you have installed. This will generate a LibreSSL.sln file that you can incorporate into other projects or build by itself. diff --git a/VERSION b/VERSION index cfc41cfd..dd34db09 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -3.0.2.0 +3.3.3.0 diff --git a/aclocal.m4 b/aclocal.m4 index c5cfb8ae..a997cf4f 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.1 -*- Autoconf -*- +# generated automatically by aclocal 1.16.3 -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,7 @@ You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) -# Copyright (C) 2002-2018 Free Software Foundation, Inc. +# Copyright (C) 2002-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.16.1], [], +m4_if([$1], [1.16.3], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -51,14 +51,14 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.16.1])dnl +[AM_AUTOMAKE_VERSION([1.16.3])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # Figure out how to run the assembler. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -78,7 +78,7 @@ _AM_IF_OPTION([no-dependencies],, [_AM_DEPENDENCIES([CCAS])])dnl # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -130,7 +130,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -161,7 +161,7 @@ AC_CONFIG_COMMANDS_PRE( Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -352,7 +352,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -391,7 +391,9 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], done if test $am_rc -ne 0; then AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE="gmake" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking).]) fi @@ -418,7 +420,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -615,7 +617,7 @@ for _am_header in $config_headers :; do done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -636,7 +638,7 @@ if test x"${install_sh+set}" != xset; then fi AC_SUBST([install_sh])]) -# Copyright (C) 2003-2018 Free Software Foundation, Inc. +# Copyright (C) 2003-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -657,7 +659,7 @@ AC_SUBST([am__leading_dot])]) # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -700,7 +702,7 @@ AC_SUBST([am__quote])]) # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -721,12 +723,7 @@ AC_DEFUN([AM_MISSING_HAS_RUN], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -739,7 +736,7 @@ fi # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -768,7 +765,7 @@ AC_DEFUN([_AM_SET_OPTIONS], AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -815,7 +812,7 @@ AC_LANG_POP([C])]) # For backward compatibility. AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -834,7 +831,7 @@ AC_DEFUN([AM_RUN_LOG], # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -915,7 +912,7 @@ AC_CONFIG_COMMANDS_PRE( rm -f conftest.file ]) -# Copyright (C) 2009-2018 Free Software Foundation, Inc. +# Copyright (C) 2009-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -975,7 +972,7 @@ AC_SUBST([AM_BACKSLASH])dnl _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1003,7 +1000,7 @@ fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) -# Copyright (C) 2006-2018 Free Software Foundation, Inc. +# Copyright (C) 2006-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1022,7 +1019,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004-2018 Free Software Foundation, Inc. +# Copyright (C) 2004-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1153,6 +1150,8 @@ AC_SUBST([am__tar]) AC_SUBST([am__untar]) ]) # _AM_PROG_TAR +m4_include([m4/ax_add_fortify_source.m4]) +m4_include([m4/ax_check_compile_flag.m4]) m4_include([m4/check-hardening-options.m4]) m4_include([m4/check-libc.m4]) m4_include([m4/check-os-options.m4]) diff --git a/apps/Makefile.in b/apps/Makefile.in index 8f0bb5cf..81461a34 100644 --- a/apps/Makefile.in +++ b/apps/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -89,7 +89,9 @@ build_triplet = @build@ host_triplet = @host@ subdir = apps ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -300,6 +302,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff --git a/apps/nc/Makefile.am b/apps/nc/Makefile.am index 4b5b5613..58b5c011 100644 --- a/apps/nc/Makefile.am +++ b/apps/nc/Makefile.am @@ -1,5 +1,7 @@ include $(top_srcdir)/Makefile.am.common +-include $(abs_top_builddir)/crypto/libcrypto_la_objects.mk + if BUILD_NC if ENABLE_NC @@ -12,11 +14,13 @@ endif EXTRA_DIST = nc.1 EXTRA_DIST += CMakeLists.txt -nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la -nc_LDADD += $(abs_top_builddir)/ssl/libssl.la -nc_LDADD += $(abs_top_builddir)/tls/libtls.la +nc_LDADD = $(abs_top_builddir)/tls/libtls.la nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD) +nc_LDADD += $(libcrypto_la_objects) +nc_LDADD += $(libcompat_la_objects) +nc_LDADD += $(libcompatnoopt_la_objects) + AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat nc_SOURCES = atomicio.c diff --git a/apps/nc/Makefile.in b/apps/nc/Makefile.in index e71e7fe4..f6c379ef 100644 --- a/apps/nc/Makefile.in +++ b/apps/nc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -98,7 +98,9 @@ host_triplet = @host@ @BUILD_NC_TRUE@@HAVE_STRTONUM_FALSE@am__append_5 = compat/strtonum.c subdir = apps/nc ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -131,10 +133,7 @@ am__dirstamp = $(am__leading_dot)dirstamp @BUILD_NC_TRUE@ $(am__objects_3) $(am__objects_4) nc_OBJECTS = $(am_nc_OBJECTS) am__DEPENDENCIES_1 = -@BUILD_NC_TRUE@nc_DEPENDENCIES = \ -@BUILD_NC_TRUE@ $(abs_top_builddir)/crypto/libcrypto.la \ -@BUILD_NC_TRUE@ $(abs_top_builddir)/ssl/libssl.la \ -@BUILD_NC_TRUE@ $(abs_top_builddir)/tls/libtls.la \ +@BUILD_NC_TRUE@nc_DEPENDENCIES = $(abs_top_builddir)/tls/libtls.la \ @BUILD_NC_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -354,6 +353,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -368,10 +368,10 @@ AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -D__END_HIDDEN_DECLS= $(am__append_1) @BUILD_NC_TRUE@@ENABLE_NC_TRUE@dist_man_MANS = nc.1 @BUILD_NC_TRUE@EXTRA_DIST = nc.1 CMakeLists.txt -@BUILD_NC_TRUE@nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la \ -@BUILD_NC_TRUE@ $(abs_top_builddir)/ssl/libssl.la \ -@BUILD_NC_TRUE@ $(abs_top_builddir)/tls/libtls.la \ -@BUILD_NC_TRUE@ $(PLATFORM_LDADD) $(PROG_LDADD) +@BUILD_NC_TRUE@nc_LDADD = $(abs_top_builddir)/tls/libtls.la \ +@BUILD_NC_TRUE@ $(PLATFORM_LDADD) $(PROG_LDADD) \ +@BUILD_NC_TRUE@ $(libcrypto_la_objects) $(libcompat_la_objects) \ +@BUILD_NC_TRUE@ $(libcompatnoopt_la_objects) @BUILD_NC_TRUE@nc_SOURCES = atomicio.c netcat.c socks.c \ @BUILD_NC_TRUE@ compat/socket.c $(am__append_2) $(am__append_3) \ @BUILD_NC_TRUE@ $(am__append_4) $(am__append_5) @@ -816,6 +816,8 @@ uninstall-man: uninstall-man1 .PRECIOUS: Makefile +-include $(abs_top_builddir)/crypto/libcrypto_la_objects.mk + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/apps/nc/nc.1 b/apps/nc/nc.1 index 6bdfe4f9..14733597 100644 --- a/apps/nc/nc.1 +++ b/apps/nc/nc.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: nc.1,v 1.93 2018/12/27 17:45:36 jmc Exp $ +.\" $OpenBSD: nc.1,v 1.96 2021/03/31 20:41:35 jmc Exp $ .\" .\" Copyright (c) 1996 David Sacerdote .\" All rights reserved. @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 27 2018 $ +.Dd $Mdocdate: March 31 2021 $ .Dt NC 1 .Os .Sh NAME @@ -47,7 +47,7 @@ .Op Fl P Ar proxy_username .Op Fl p Ar source_port .Op Fl R Ar CAfile -.Op Fl s Ar source +.Op Fl s Ar sourceaddr .Op Fl T Ar keyword .Op Fl V Ar rtable .Op Fl W Ar recvlimit @@ -192,8 +192,8 @@ Ask the kernel to drop incoming packets whose TTL / hop limit is under the network socket after EOF on the input. Some servers require this to finish their work. .It Fl n -Do not do any DNS or service lookups on any specified addresses, -hostnames or ports. +Do not perform domain name resolution. +If a name cannot be resolved without DNS, an error will be reported. .It Fl O Ar length Specify the size of the TCP send buffer. .It Fl o Ar staplefile @@ -228,10 +228,9 @@ instead of sequentially within a range or in the order that the system assigns them. .It Fl S Enable the RFC 2385 TCP MD5 signature option. -.It Fl s Ar source -Send packets from the interface with the -.Ar source -IP address. +.It Fl s Ar sourceaddr +Set the source address to send packets from, +which is useful on machines with multiple interfaces. For .Ux Ns -domain datagram sockets, specifies the local temporary socket file @@ -415,7 +414,7 @@ On a second console .Pq or a second machine , connect to the machine and port being listened on: .Pp -.Dl $ nc 127.0.0.1 1234 +.Dl $ nc -N 127.0.0.1 1234 .Pp There should now be a connection between the ports. Anything typed at the second console will be concatenated to the first, @@ -428,7 +427,10 @@ and which side is being used as a .Sq client . The connection may be terminated using an .Dv EOF -.Pq Sq ^D . +.Pq Sq ^D , +as the +.Fl N +flag was given. .Sh DATA TRANSFER The example in the previous section can be expanded to build a basic data transfer model. diff --git a/apps/nc/netcat.c b/apps/nc/netcat.c index 4d0c522f..ef7e38a0 100644 --- a/apps/nc/netcat.c +++ b/apps/nc/netcat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.206 2019/08/08 16:49:35 mestre Exp $ */ +/* $OpenBSD: netcat.c,v 1.217 2020/02/12 14:46:36 schwarze Exp $ */ /* * Copyright (c) 2001 Eric Jackson * Copyright (c) 2015 Bob Beck. All rights reserved. @@ -129,7 +129,7 @@ void help(void) __attribute__((noreturn)); int local_listen(const char *, const char *, struct addrinfo); void readwrite(int, struct tls *); void fdpass(int nfd) __attribute__((noreturn)); -int remote_connect(const char *, const char *, struct addrinfo); +int remote_connect(const char *, const char *, struct addrinfo, char *); int timeout_tls(int, struct tls *, int (*)(struct tls *)); int timeout_connect(int, const struct sockaddr *, socklen_t); int socks_connect(const char *, const char *, struct addrinfo, @@ -155,6 +155,7 @@ main(int argc, char *argv[]) { int ch, s = -1, ret, socksv; char *host, *uport; + char ipaddr[NI_MAXHOST]; struct addrinfo hints; struct servent *sv; socklen_t len; @@ -361,15 +362,11 @@ main(int argc, char *argv[]) #endif /* Cruft to make sure options are clean, and used properly. */ - if (argv[0] && !argv[1] && family == AF_UNIX) { + if (argc == 1 && family == AF_UNIX) { host = argv[0]; - uport = NULL; - } else if (argv[0] && !argv[1]) { - if (!lflag) - usage(1); + } else if (argc == 1 && lflag) { uport = argv[0]; - host = NULL; - } else if (argv[0] && argv[1]) { + } else if (argc == 2) { host = argv[0]; uport = argv[1]; } else @@ -384,13 +381,24 @@ main(int argc, char *argv[]) err(1, "unveil"); if (oflag && unveil(oflag, "r") == -1) err(1, "unveil"); + } else if (family == AF_UNIX && uflag && lflag && !kflag) { + /* + * After recvfrom(2) from client, the server connects + * to the client socket. As the client path is determined + * during runtime, we cannot unveil(2). + */ } else { if (family == AF_UNIX) { if (unveil(host, "rwc") == -1) err(1, "unveil"); - if (uflag && !lflag) { - if (unveil(sflag ? sflag : "/tmp", "rwc") == -1) - err(1, "unveil"); + if (uflag && !kflag) { + if (sflag) { + if (unveil(sflag, "rwc") == -1) + err(1, "unveil"); + } else { + if (unveil("/tmp", "rwc") == -1) + err(1, "unveil"); + } } } else { /* no filesystem visibility */ @@ -582,6 +590,10 @@ main(int argc, char *argv[]) if (s == -1) err(1, NULL); if (uflag && kflag) { + if (family == AF_UNIX) { + if (pledge("stdio unix", NULL) == -1) + err(1, "pledge"); + } /* * For UDP and -k, don't connect the socket, * let it receive datagrams from multiple @@ -608,9 +620,14 @@ main(int argc, char *argv[]) if (rv == -1) err(1, "connect"); + if (family == AF_UNIX) { + if (pledge("stdio unix", NULL) == -1) + err(1, "pledge"); + } if (vflag) report_sock("Connection received", - (struct sockaddr *)&z, len, NULL); + (struct sockaddr *)&z, len, + family == AF_UNIX ? host : NULL); readwrite(s, NULL); } else { @@ -687,7 +704,8 @@ main(int argc, char *argv[]) proxy, proxyport, proxyhints, socksv, Pflag); else - s = remote_connect(host, portlist[i], hints); + s = remote_connect(host, portlist[i], hints, + ipaddr); if (s == -1) continue; @@ -711,10 +729,18 @@ main(int argc, char *argv[]) uflag ? "udp" : "tcp"); } - fprintf(stderr, - "Connection to %s %s port [%s/%s] " - "succeeded!\n", host, portlist[i], - uflag ? "udp" : "tcp", + fprintf(stderr, "Connection to %s", host); + + /* + * if we aren't connecting thru a proxy and + * there is something to report, print IP + */ + if (!nflag && !xflag + && (strcmp(host, ipaddr) != 0)) + fprintf(stderr, " (%s)", ipaddr); + + fprintf(stderr, " %s port [%s/%s] succeeded!\n", + portlist[i], uflag ? "udp" : "tcp", sv ? sv->s_name : "*"); } if (Fflag) @@ -819,8 +845,8 @@ tls_setup_client(struct tls *tls_ctx, int s, char *host) } if (vflag) report_tls(tls_ctx, host); - if (tls_expecthash && tls_peer_cert_hash(tls_ctx) && - strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) + if (tls_expecthash && (tls_peer_cert_hash(tls_ctx) == NULL || + strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)) errx(1, "peer certificate is not %s", tls_expecthash); if (Zflag) { save_peer_cert(tls_ctx, Zflag); @@ -848,8 +874,9 @@ tls_setup_server(struct tls *tls_ctx, int connfd, char *host) report_tls(tls_cctx, host); if ((TLSopt & TLS_CCERT) && !gotcert) warnx("No client certificate provided"); - else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash && - strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) + else if (gotcert && tls_expecthash && + (tls_peer_cert_hash(tls_cctx) == NULL || + strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0)) warnx("peer certificate is not %s", tls_expecthash); else if (gotcert && tls_expectname && (!tls_peer_cert_contains_name(tls_cctx, tls_expectname))) @@ -926,10 +953,11 @@ unix_listen(char *path) * port or source address if needed. Returns -1 on failure. */ int -remote_connect(const char *host, const char *port, struct addrinfo hints) +remote_connect(const char *host, const char *port, struct addrinfo hints, + char *ipaddr) { struct addrinfo *res, *res0; - int s = -1, error, save_errno; + int s = -1, error, herr, save_errno; #ifdef SO_BINDANY int on = 1; #endif @@ -967,11 +995,32 @@ remote_connect(const char *host, const char *port, struct addrinfo hints) set_common_sockopts(s, res->ai_family); + if (ipaddr != NULL) { + herr = getnameinfo(res->ai_addr, res->ai_addrlen, + ipaddr, NI_MAXHOST, NULL, 0, NI_NUMERICHOST); + switch (herr) { + case 0: + break; + case EAI_SYSTEM: + err(1, "getnameinfo"); + default: + errx(1, "getnameinfo: %s", gai_strerror(herr)); + } + } + if (timeout_connect(s, res->ai_addr, res->ai_addrlen) == 0) break; - if (vflag) - warn("connect to %s port %s (%s) failed", host, port, - uflag ? "udp" : "tcp"); + + if (vflag) { + /* only print IP if there is something to report */ + if (nflag || ipaddr == NULL || + (strncmp(host, ipaddr, NI_MAXHOST) == 0)) + warn("connect to %s port %s (%s) failed", host, + port, uflag ? "udp" : "tcp"); + else + warn("connect to %s (%s) port %s (%s) failed", + host, ipaddr, port, uflag ? "udp" : "tcp"); + } save_errno = errno; close(s); @@ -1761,11 +1810,14 @@ report_sock(const char *msg, const struct sockaddr *sa, socklen_t salen, if (nflag) flags |= NI_NUMERICHOST; - if ((herr = getnameinfo(sa, salen, host, sizeof(host), - port, sizeof(port), flags)) != 0) { - if (herr == EAI_SYSTEM) + herr = getnameinfo(sa, salen, host, sizeof(host), port, sizeof(port), + flags); + switch (herr) { + case 0: + break; + case EAI_SYSTEM: err(1, "getnameinfo"); - else + default: errx(1, "getnameinfo: %s", gai_strerror(herr)); } @@ -1803,21 +1855,17 @@ help(void) \t-R CAfile CA bundle\n\ \t-r Randomize remote ports\n" #ifdef TCP_MD5SIG - "\ - \t-S Enable the TCP MD5 signature option\n" + "\t-S Enable the TCP MD5 signature option\n" #endif - "\ - \t-s source Local source address\n\ + "\t-s sourceaddr Local source address\n\ \t-T keyword TOS value or TLS options\n\ \t-t Answer TELNET negotiation\n\ \t-U Use UNIX domain socket\n\ \t-u UDP mode\n" #ifdef SO_RTABLE - "\ - \t-V rtable Specify alternate routing table\n" + "\t-V rtable Specify alternate routing table\n" #endif - "\ - \t-v Verbose\n\ + "\t-v Verbose\n\ \t-W recvlimit Terminate after receiving a number of packets\n\ \t-w timeout Timeout for connects and final net reads\n\ \t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\ @@ -1837,7 +1885,7 @@ usage(int ret) "\t [-i interval] [-K keyfile] [-M ttl] [-m minttl] [-O length]\n" "\t [-o staplefile] [-P proxy_username] [-p source_port] " "[-R CAfile]\n" - "\t [-s source] [-T keyword] [-V rtable] [-W recvlimit] " + "\t [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit] " "[-w timeout]\n" "\t [-X proxy_protocol] [-x proxy_address[:port]] " "[-Z peercertfile]\n" diff --git a/apps/nc/socks.c b/apps/nc/socks.c index 5ec5c95c..9766be7d 100644 --- a/apps/nc/socks.c +++ b/apps/nc/socks.c @@ -1,4 +1,4 @@ -/* $OpenBSD: socks.c,v 1.29 2019/07/29 15:19:03 benno Exp $ */ +/* $OpenBSD: socks.c,v 1.30 2019/11/04 17:33:28 millert Exp $ */ /* * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. @@ -53,7 +53,7 @@ #define SOCKS_DOMAIN 3 #define SOCKS_IPV6 4 -int remote_connect(const char *, const char *, struct addrinfo); +int remote_connect(const char *, const char *, struct addrinfo, char *); int socks_connect(const char *, const char *, struct addrinfo, const char *, const char *, struct addrinfo, int, const char *); @@ -201,7 +201,7 @@ socks_connect(const char *host, const char *port, if (authretry++ > 3) errx(1, "Too many authentication failures"); - proxyfd = remote_connect(proxyhost, proxyport, proxyhints); + proxyfd = remote_connect(proxyhost, proxyport, proxyhints, NULL); if (proxyfd < 0) return (-1); diff --git a/apps/ocspcheck/CMakeLists.txt b/apps/ocspcheck/CMakeLists.txt index 3c804585..b960a816 100644 --- a/apps/ocspcheck/CMakeLists.txt +++ b/apps/ocspcheck/CMakeLists.txt @@ -13,6 +13,13 @@ else() set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c) endif() +check_function_exists(strtonum HAVE_STRTONUM) +if(HAVE_STRTONUM) + add_definitions(-DHAVE_STRTONUM) +else() + set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/strtonum.c) +endif() + if(NOT "${OPENSSLDIR}" STREQUAL "") add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\") else() diff --git a/apps/ocspcheck/Makefile.am b/apps/ocspcheck/Makefile.am index 7482101a..71a73ea4 100644 --- a/apps/ocspcheck/Makefile.am +++ b/apps/ocspcheck/Makefile.am @@ -1,6 +1,11 @@ include $(top_srcdir)/Makefile.am.common +if !ENABLE_LIBTLS_ONLY bin_PROGRAMS = ocspcheck +dist_man_MANS = ocspcheck.8 +else +noinst_PROGRAMS = ocspcheck +endif EXTRA_DIST = ocspcheck.8 EXTRA_DIST += CMakeLists.txt @@ -17,3 +22,7 @@ noinst_HEADERS = http.h if !HAVE_MEMMEM ocspcheck_SOURCES += compat/memmem.c endif + +if !HAVE_STRTONUM +ocspcheck_SOURCES += compat/strtonum.c +endif diff --git a/apps/ocspcheck/Makefile.in b/apps/ocspcheck/Makefile.in index e6a7b4a3..35a35327 100644 --- a/apps/ocspcheck/Makefile.in +++ b/apps/ocspcheck/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -89,11 +89,15 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -bin_PROGRAMS = ocspcheck$(EXEEXT) +@ENABLE_LIBTLS_ONLY_FALSE@bin_PROGRAMS = ocspcheck$(EXEEXT) +@ENABLE_LIBTLS_ONLY_TRUE@noinst_PROGRAMS = ocspcheck$(EXEEXT) @HAVE_MEMMEM_FALSE@am__append_1 = compat/memmem.c +@HAVE_STRTONUM_FALSE@am__append_2 = compat/strtonum.c subdir = apps/ocspcheck ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -107,13 +111,15 @@ DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" -PROGRAMS = $(bin_PROGRAMS) -am__ocspcheck_SOURCES_DIST = http.c ocspcheck.c compat/memmem.c +am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man8dir)" +PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) +am__ocspcheck_SOURCES_DIST = http.c ocspcheck.c compat/memmem.c \ + compat/strtonum.c am__dirstamp = $(am__leading_dot)dirstamp @HAVE_MEMMEM_FALSE@am__objects_1 = compat/memmem.$(OBJEXT) +@HAVE_STRTONUM_FALSE@am__objects_2 = compat/strtonum.$(OBJEXT) am_ocspcheck_OBJECTS = http.$(OBJEXT) ocspcheck.$(OBJEXT) \ - $(am__objects_1) + $(am__objects_1) $(am__objects_2) ocspcheck_OBJECTS = $(am_ocspcheck_OBJECTS) am__DEPENDENCIES_1 = ocspcheck_DEPENDENCIES = $(abs_top_builddir)/crypto/libcrypto.la \ @@ -140,7 +146,7 @@ DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles am__depfiles_remade = ./$(DEPDIR)/http.Po ./$(DEPDIR)/ocspcheck.Po \ - compat/$(DEPDIR)/memmem.Po + compat/$(DEPDIR)/memmem.Po compat/$(DEPDIR)/strtonum.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -167,6 +173,36 @@ am__can_run_installinfo = \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -187,7 +223,7 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in \ +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ $(top_srcdir)/Makefile.am.common $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -305,6 +341,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -317,12 +354,13 @@ AM_CFLAGS = AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \ -D__END_HIDDEN_DECLS= +@ENABLE_LIBTLS_ONLY_FALSE@dist_man_MANS = ocspcheck.8 EXTRA_DIST = ocspcheck.8 CMakeLists.txt ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la \ $(abs_top_builddir)/ssl/libssl.la \ $(abs_top_builddir)/tls/libtls.la $(PLATFORM_LDADD) \ $(PROG_LDADD) -ocspcheck_SOURCES = http.c ocspcheck.c $(am__append_1) +ocspcheck_SOURCES = http.c ocspcheck.c $(am__append_1) $(am__append_2) noinst_HEADERS = http.h all: all-am @@ -407,6 +445,15 @@ clean-binPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list compat/$(am__dirstamp): @$(MKDIR_P) compat @: > compat/$(am__dirstamp) @@ -415,6 +462,8 @@ compat/$(DEPDIR)/$(am__dirstamp): @: > compat/$(DEPDIR)/$(am__dirstamp) compat/memmem.$(OBJEXT): compat/$(am__dirstamp) \ compat/$(DEPDIR)/$(am__dirstamp) +compat/strtonum.$(OBJEXT): compat/$(am__dirstamp) \ + compat/$(DEPDIR)/$(am__dirstamp) ocspcheck$(EXEEXT): $(ocspcheck_OBJECTS) $(ocspcheck_DEPENDENCIES) $(EXTRA_ocspcheck_DEPENDENCIES) @rm -f ocspcheck$(EXEEXT) @@ -430,6 +479,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspcheck.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@compat/$(DEPDIR)/memmem.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@compat/$(DEPDIR)/strtonum.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -466,6 +516,49 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +install-man8: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -554,9 +647,9 @@ distdir-am: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(PROGRAMS) $(HEADERS) +all-am: Makefile $(PROGRAMS) $(MANS) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(bindir)"; do \ + for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -593,12 +686,14 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am +clean-am: clean-binPROGRAMS clean-generic clean-libtool \ + clean-noinstPROGRAMS mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/http.Po -rm -f ./$(DEPDIR)/ocspcheck.Po -rm -f compat/$(DEPDIR)/memmem.Po + -rm -f compat/$(DEPDIR)/strtonum.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -615,7 +710,7 @@ info: info-am info-am: -install-data-am: +install-data-am: install-man install-dvi: install-dvi-am @@ -631,7 +726,7 @@ install-info: install-info-am install-info-am: -install-man: +install-man: install-man8 install-pdf: install-pdf-am @@ -647,6 +742,7 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/http.Po -rm -f ./$(DEPDIR)/ocspcheck.Po -rm -f compat/$(DEPDIR)/memmem.Po + -rm -f compat/$(DEPDIR)/strtonum.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -663,23 +759,27 @@ ps: ps-am ps-am: -uninstall-am: uninstall-binPROGRAMS +uninstall-am: uninstall-binPROGRAMS uninstall-man + +uninstall-man: uninstall-man8 .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ - clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ - ctags ctags-am distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ + clean-binPROGRAMS clean-generic clean-libtool \ + clean-noinstPROGRAMS cscopelist-am ctags ctags-am distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-binPROGRAMS install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-am uninstall uninstall-am uninstall-binPROGRAMS + tags tags-am uninstall uninstall-am uninstall-binPROGRAMS \ + uninstall-man uninstall-man8 .PRECIOUS: Makefile diff --git a/apps/ocspcheck/compat/memmem.c b/apps/ocspcheck/compat/memmem.c index 384857df..9b11960d 100644 --- a/apps/ocspcheck/compat/memmem.c +++ b/apps/ocspcheck/compat/memmem.c @@ -1,63 +1,183 @@ -/* $OpenBSD: memmem.c,v 1.4 2015/08/31 02:53:57 guenther Exp $ */ -/*- - * Copyright (c) 2005 Pascal Gloor +/* $OpenBSD: memmem.c,v 1.5 2020/04/16 12:39:28 claudio Exp $ */ + +/* + * Copyright (c) 2005-2020 Rich Felker, et al. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #include +#include + +static char * +twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) +{ + uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1]; + for (h+=2, k-=2; k; k--, hw = hw<<8 | *h++) + if (hw == nw) return (char *)h-2; + return hw == nw ? (char *)h-2 : 0; +} + +static char * +threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) +{ + uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8; + uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8; + for (h+=3, k-=3; k; k--, hw = (hw|*h++)<<8) + if (hw == nw) return (char *)h-3; + return hw == nw ? (char *)h-3 : 0; +} + +static char * +fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) +{ + uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3]; + uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3]; + for (h+=4, k-=4; k; k--, hw = hw<<8 | *h++) + if (hw == nw) return (char *)h-4; + return hw == nw ? (char *)h-4 : 0; +} + +#define MAX(a,b) ((a)>(b)?(a):(b)) +#define MIN(a,b) ((a)<(b)?(a):(b)) + +#define BITOP(a,b,op) \ + ((a)[(size_t)(b)/(8*sizeof *(a))] op (size_t)1<<((size_t)(b)%(8*sizeof *(a)))) /* - * Find the first occurrence of the byte string s in byte string l. + * Maxime Crochemore and Dominique Perrin, Two-way string-matching, + * Journal of the ACM, 38(3):651-675, July 1991. */ - -void * -memmem(const void *l, size_t l_len, const void *s, size_t s_len) +static char * +twoway_memmem(const unsigned char *h, const unsigned char *z, + const unsigned char *n, size_t l) { - const char *cur, *last; - const char *cl = l; - const char *cs = s; + size_t i, ip, jp, k, p, ms, p0, mem, mem0; + size_t byteset[32 / sizeof(size_t)] = { 0 }; + size_t shift[256]; + + /* Computing length of needle and fill shift table */ + for (i=0; i n[jp+k]) { + jp += k; + k = 1; + p = jp - ip; + } else { + ip = jp++; + k = p = 1; + } + } + ms = ip; + p0 = p; + + /* And with the opposite comparison */ + ip = -1; jp = 0; k = p = 1; + while (jp+k ms+1) ms = ip; + else p = p0; - /* a zero length needle should just return the haystack */ - if (s_len == 0) - return (void *)cl; + /* Periodic needle? */ + if (memcmp(n, n+p, ms+1)) { + mem0 = 0; + p = MAX(ms, l-ms-1) + 1; + } else mem0 = l-p; + mem = 0; - /* "s" must be smaller or equal to "l" */ - if (l_len < s_len) - return NULL; + /* Search loop */ + for (;;) { + /* If remainder of haystack is shorter than needle, done */ + if (z-h < l) return 0; + + /* Check last byte first; advance by shift on mismatch */ + if (BITOP(byteset, h[l-1], &)) { + k = l-shift[h[l-1]]; + if (k) { + if (k < mem) k = mem; + h += k; + mem = 0; + continue; + } + } else { + h += l; + mem = 0; + continue; + } + + /* Compare right half */ + for (k=MAX(ms+1,mem); kmem && n[k-1] == h[k-1]; k--); + if (k <= mem) return (char *)h; + h += p; + mem = mem0; + } +} + +void * +memmem(const void *h0, size_t k, const void *n0, size_t l) +{ + const unsigned char *h = h0, *n = n0; - /* special case where s_len == 1 */ - if (s_len == 1) - return memchr(l, *cs, l_len); + /* Return immediately on empty needle */ + if (!l) return (void *)h; - /* the last position where its possible to find "s" in "l" */ - last = cl + l_len - s_len; + /* Return immediately when needle is longer than haystack */ + if (k +#include +#include + +#define INVALID 1 +#define TOOSMALL 2 +#define TOOLARGE 3 + +long long +strtonum(const char *numstr, long long minval, long long maxval, + const char **errstrp) +{ + long long ll = 0; + int error = 0; + char *ep; + struct errval { + const char *errstr; + int err; + } ev[4] = { + { NULL, 0 }, + { "invalid", EINVAL }, + { "too small", ERANGE }, + { "too large", ERANGE }, + }; + + ev[0].err = errno; + errno = 0; + if (minval > maxval) { + error = INVALID; + } else { + ll = strtoll(numstr, &ep, 10); + if (numstr == ep || *ep != '\0') + error = INVALID; + else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval) + error = TOOSMALL; + else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval) + error = TOOLARGE; + } + if (errstrp != NULL) + *errstrp = ev[error].errstr; + errno = ev[error].err; + if (error) + ll = 0; + + return (ll); +} diff --git a/apps/ocspcheck/http.c b/apps/ocspcheck/http.c index e0df6cfa..6666bb07 100644 --- a/apps/ocspcheck/http.c +++ b/apps/ocspcheck/http.c @@ -1,4 +1,4 @@ -/* $Id: http.c,v 1.12 2019/06/28 13:32:49 deraadt Exp $ */ +/* $Id: http.c,v 1.13 2020/01/11 17:37:19 sthen Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons * @@ -349,6 +349,7 @@ http_open(const struct http *http, const void *p, size_t psz) c = asprintf(&req, "POST %s HTTP/1.0\r\n" "Host: %s\r\n" + "Content-Type: application/ocsp-request\r\n" "Content-Length: %zu\r\n" "\r\n", http->path, http->host, psz); diff --git a/apps/ocspcheck/ocspcheck.c b/apps/ocspcheck/ocspcheck.c index 41700f91..50f114f0 100644 --- a/apps/ocspcheck/ocspcheck.c +++ b/apps/ocspcheck/ocspcheck.c @@ -1,7 +1,7 @@ -/* $OpenBSD: ocspcheck.c,v 1.25 2019/05/15 13:44:18 bcook Exp $ */ +/* $OpenBSD: ocspcheck.c,v 1.29 2021/02/09 16:55:51 claudio Exp $ */ /* - * Copyright (c) 2017 Bob Beck + * Copyright (c) 2017,2020 Bob Beck * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -113,7 +113,6 @@ host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS]) dspew("DNS returns %s for %s\n", vec[vecsz].ip, s); vecsz++; - break; } freeaddrinfo(res0); @@ -155,7 +154,7 @@ url2host(const char *host, short *port, char **path) *path = strdup(ep); *ep = '\0'; } else - *path = strdup(""); + *path = strdup("/"); if (*path == NULL) { warn("strdup"); @@ -163,6 +162,21 @@ url2host(const char *host, short *port, char **path) return (NULL); } + /* Check to see if there is a port in the url */ + if ((ep = strchr(url, ':')) != NULL) { + const char *errstr; + short pp; + pp = strtonum(ep + 1, 1, SHRT_MAX, &errstr); + if (errstr != NULL) { + warnx("error parsing port from '%s': %s", url, errstr); + free(url); + free(*path); + return NULL; + } + *port = pp; + *ep = '\0'; + } + return (url); } @@ -184,38 +198,44 @@ parse_ocsp_time(ASN1_GENERALIZEDTIME *gt) } static X509_STORE * -read_cacerts(char *file) +read_cacerts(const char *file, const char *dir) { - X509_STORE *store; + X509_STORE *store = NULL; X509_LOOKUP *lookup; - if ((store = X509_STORE_new()) == NULL) { - warnx("Malloc failed"); + if (file == NULL && dir == NULL) { + warnx("No CA certs to load"); goto end; } - if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) == - NULL) { - warnx("Unable to load CA certs from file %s", file); + if ((store = X509_STORE_new()) == NULL) { + warnx("Malloc failed"); goto end; } - if (file) { + if (file != NULL) { + if ((lookup = X509_STORE_add_lookup(store, + X509_LOOKUP_file())) == NULL) { + warnx("Unable to load CA cert file"); + goto end; + } if (!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) { warnx("Unable to load CA certs from file %s", file); goto end; } - } else - X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); - - if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) == - NULL) { - warnx("Unable to load CA certs from file %s", file); - goto end; } - X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); - ERR_clear_error(); + if (dir != NULL) { + if ((lookup = X509_STORE_add_lookup(store, + X509_LOOKUP_hash_dir())) == NULL) { + warnx("Unable to load CA cert directory"); + goto end; + } + if (!X509_LOOKUP_add_dir(lookup, dir, X509_FILETYPE_PEM)) { + warnx("Unable to load CA certs from directory %s", dir); + goto end; + } + } return store; -end: + end: X509_STORE_free(store); return NULL; } @@ -233,14 +253,12 @@ read_fullchain(const char *file, int *count) if ((bio = BIO_new_file(file, "r")) == NULL) { warn("Unable to read a certificate from %s", file); - return NULL; + goto end; } if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) { warnx("Unable to read PEM format from %s", file); - return NULL; + goto end; } - BIO_free(bio); - if (sk_X509_INFO_num(xis) <= 0) { warnx("No certificates in file %s", file); goto end; @@ -263,7 +281,8 @@ read_fullchain(const char *file, int *count) xi->x509 = NULL; (*count)++; } -end: + end: + BIO_free(bio); sk_X509_INFO_pop_free(xis, X509_INFO_free); return rv; } @@ -274,77 +293,81 @@ cert_from_chain(STACK_OF(X509) *fullchain) return sk_X509_value(fullchain, 0); } -static X509 * +static const X509 * issuer_from_chain(STACK_OF(X509) *fullchain) { - X509 *cert, *issuer; + const X509 *cert; X509_NAME *issuer_name; cert = cert_from_chain(fullchain); if ((issuer_name = X509_get_issuer_name(cert)) == NULL) return NULL; - issuer = X509_find_by_subject(fullchain, issuer_name); - return issuer; + return X509_find_by_subject(fullchain, issuer_name); } static ocsp_request * -ocsp_request_new_from_cert(char *file, int nonce) +ocsp_request_new_from_cert(const char *cadir, char *file, int nonce) { - X509 *cert = NULL; + X509 *cert; int count = 0; - OCSP_CERTID *id; - ocsp_request *request; + OCSP_CERTID *id = NULL; + ocsp_request *request = NULL; const EVP_MD *cert_id_md = NULL; - X509 *issuer = NULL; - STACK_OF(OPENSSL_STRING) *urls; + const X509 *issuer; + STACK_OF(OPENSSL_STRING) *urls = NULL; if ((request = calloc(1, sizeof(ocsp_request))) == NULL) { warn("malloc"); - return NULL; + goto err; } if ((request->req = OCSP_REQUEST_new()) == NULL) - return NULL; + goto err; request->fullchain = read_fullchain(file, &count); - /* Drop rpath from pledge, we don't need to read anymore */ - if (pledge("stdio inet dns", NULL) == -1) - err(1, "pledge"); - - if (request->fullchain == NULL) - return NULL; + if (cadir == NULL) { + /* Drop rpath from pledge, we don't need to read anymore */ + if (pledge("stdio inet dns", NULL) == -1) + err(1, "pledge"); + } + if (request->fullchain == NULL) { + warnx("Unable to read cert chain from file %s", file); + goto err; + } if (count <= 1) { warnx("File %s does not contain a cert chain", file); - return NULL; + goto err; } if ((cert = cert_from_chain(request->fullchain)) == NULL) { warnx("No certificate found in %s", file); - return NULL; + goto err; } if ((issuer = issuer_from_chain(request->fullchain)) == NULL) { warnx("Unable to find issuer for cert in %s", file); - return NULL; + goto err; } urls = X509_get1_ocsp(cert); if (urls == NULL || sk_OPENSSL_STRING_num(urls) <= 0) { warnx("Certificate in %s contains no OCSP url", file); - return NULL; + goto err; } if ((request->url = strdup(sk_OPENSSL_STRING_value(urls, 0))) == NULL) - return NULL; + goto err; X509_email_free(urls); + urls = NULL; cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */ if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) { warnx("Unable to get certificate id from cert in %s", file); - return NULL; + goto err; } if (OCSP_request_add0_id(request->req, id) == NULL) { warnx("Unable to add certificate id to request"); - return NULL; + goto err; } + id = NULL; request->nonce = nonce; if (request->nonce) @@ -353,13 +376,25 @@ ocsp_request_new_from_cert(char *file, int nonce) if ((request->size = i2d_OCSP_REQUEST(request->req, &request->data)) <= 0) { warnx("Unable to encode ocsp request"); - return NULL; + goto err; } if (request->data == NULL) { warnx("Unable to allocte memory"); - return NULL; + goto err; } - return (request); + return request; + + err: + if (request != NULL) { + sk_X509_pop_free(request->fullchain, X509_free); + free(request->url); + OCSP_REQUEST_free(request->req); + free(request->data); + } + X509_email_free(urls); + OCSP_CERTID_free(id); + free(request); + return NULL; } @@ -369,40 +404,41 @@ validate_response(char *buf, size_t size, ocsp_request *request, { ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL; const unsigned char **p = (const unsigned char **)&buf; - int status, cert_status=0, crl_reason=0; + int status, cert_status = 0, crl_reason = 0; time_t now, rev_t = -1, this_t, next_t; - OCSP_RESPONSE *resp; - OCSP_BASICRESP *bresp; - OCSP_CERTID *cid; - X509 *cert, *issuer; + OCSP_RESPONSE *resp = NULL; + OCSP_BASICRESP *bresp = NULL; + OCSP_CERTID *cid = NULL; + const X509 *cert, *issuer; + int ret = 0; if ((cert = cert_from_chain(request->fullchain)) == NULL) { warnx("No certificate found in %s", file); - return 0; + goto err; } if ((issuer = issuer_from_chain(request->fullchain)) == NULL) { warnx("Unable to find certificate issuer for cert in %s", file); - return 0; + goto err; } if ((cid = OCSP_cert_to_id(NULL, cert, issuer)) == NULL) { warnx("Unable to get issuer cert/CID in %s", file); - return 0; + goto err; } if ((resp = d2i_OCSP_RESPONSE(NULL, p, size)) == NULL) { warnx("OCSP response unserializable from host %s", host); - return 0; + goto err; } if ((bresp = OCSP_response_get1_basic(resp)) == NULL) { warnx("Failed to load OCSP response from %s", host); - return 0; + goto err; } if (OCSP_basic_verify(bresp, request->fullchain, store, OCSP_TRUSTOTHER) != 1) { warnx("OCSP verify failed from %s", host); - return 0; + goto err; } dspew("OCSP response signature validated from %s\n", host); @@ -410,7 +446,7 @@ validate_response(char *buf, size_t size, ocsp_request *request, if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { warnx("OCSP Failure: code %d (%s) from host %s", status, OCSP_response_status_str(status), host); - return 0; + goto err; } dspew("OCSP response status %d from host %s\n", status, host); @@ -419,19 +455,19 @@ validate_response(char *buf, size_t size, ocsp_request *request, if (request->nonce) { if (OCSP_check_nonce(request->req, bresp) <= 0) { warnx("No OCSP nonce, or mismatch, from host %s", host); - return 0; + goto err; } } if (OCSP_resp_find_status(bresp, cid, &cert_status, &crl_reason, &revtime, &thisupd, &nextupd) != 1) { warnx("OCSP verify failed: no result for cert"); - return 0; + goto err; } if (revtime && (rev_t = parse_ocsp_time(revtime)) == -1) { warnx("Unable to parse revocation time in OCSP reply"); - return 0; + goto err; } /* * Belt and suspenders, Treat it as revoked if there is either @@ -441,21 +477,21 @@ validate_response(char *buf, size_t size, ocsp_request *request, warnx("Invalid OCSP reply: certificate is revoked"); if (rev_t != -1) warnx("Certificate revoked at: %s", ctime(&rev_t)); - return 0; + goto err; } if ((this_t = parse_ocsp_time(thisupd)) == -1) { warnx("unable to parse this update time in OCSP reply"); - return 0; + goto err; } if ((next_t = parse_ocsp_time(nextupd)) == -1) { warnx("unable to parse next update time in OCSP reply"); - return 0; + goto err; } /* Don't allow this update to precede next update */ if (this_t >= next_t) { warnx("Invalid OCSP reply: this update >= next update"); - return 0; + goto err; } now = time(NULL); @@ -464,9 +500,9 @@ validate_response(char *buf, size_t size, ocsp_request *request, * in the future. */ if (this_t > now + JITTER_SEC) { - warnx("Invalid OCSP reply: this update is in the future (%s)", + warnx("Invalid OCSP reply: this update is in the future at %s", ctime(&this_t)); - return 0; + goto err; } /* @@ -474,24 +510,29 @@ validate_response(char *buf, size_t size, ocsp_request *request, * in the past. */ if (this_t < now - MAXAGE_SEC) { - warnx("Invalid OCSP reply: this update is too old (%s)", + warnx("Invalid OCSP reply: this update is too old %s", ctime(&this_t)); - return 0; + goto err; } /* * Check that next update is still valid */ if (next_t < now - JITTER_SEC) { - warnx("Invalid OCSP reply: reply has expired (%s)", + warnx("Invalid OCSP reply: reply has expired at %s", ctime(&next_t)); - return 0; + goto err; } vspew("OCSP response validated from %s\n", host); vspew(" This Update: %s", ctime(&this_t)); vspew(" Next Update: %s", ctime(&next_t)); - return 1; + ret = 1; + err: + OCSP_RESPONSE_free(resp); + OCSP_BASICRESP_free(bresp); + OCSP_CERTID_free(cid); + return ret; } static void @@ -506,8 +547,9 @@ usage(void) int main(int argc, char **argv) { - char *host = NULL, *path = "/", *certfile = NULL, *outfile = NULL, - *cafile = NULL, *instaple = NULL, *infile = NULL; + const char *cafile = NULL, *cadir = NULL; + char *host = NULL, *path = NULL, *certfile = NULL, *outfile = NULL, + *instaple = NULL, *infile = NULL; struct addr addrs[MAX_SERVERS_DNS] = {{0}}; struct source sources[MAX_SERVERS_DNS]; int i, ch, staplefd = -1, infd = -1, nonce = 1; @@ -543,7 +585,7 @@ main(int argc, char **argv) argc -= optind; argv += optind; - if ((certfile = argv[0]) == NULL) + if (argc != 1 || (certfile = argv[0]) == NULL) usage(); if (outfile != NULL) { @@ -566,6 +608,24 @@ main(int argc, char **argv) nonce = 0; /* Can't validate a nonce on a saved reply */ } + if (cafile == NULL) { + if (access(X509_get_default_cert_file(), R_OK) == 0) + cafile = X509_get_default_cert_file(); + if (access(X509_get_default_cert_dir(), F_OK) == 0) + cadir = X509_get_default_cert_dir(); + } + + if (cafile != NULL) { + if (unveil(cafile, "r") == -1) + err(1, "unveil"); + } + if (cadir != NULL) { + if (unveil(cadir, "r") == -1) + err(1, "unveil"); + } + if (unveil(certfile, "r") == -1) + err(1, "unveil"); + if (pledge("stdio inet rpath dns", NULL) == -1) err(1, "pledge"); @@ -574,9 +634,10 @@ main(int argc, char **argv) * OCSP request based on the full certificate chain * we have been given to check. */ - if ((castore = read_cacerts(cafile)) == NULL) + if ((castore = read_cacerts(cafile, cadir)) == NULL) exit(1); - if ((request = ocsp_request_new_from_cert(certfile, nonce)) == NULL) + if ((request = ocsp_request_new_from_cert(cadir, certfile, nonce)) + == NULL) exit(1); dspew("Built an %zu byte ocsp request\n", request->size); @@ -584,8 +645,6 @@ main(int argc, char **argv) if ((host = url2host(request->url, &port, &path)) == NULL) errx(1, "Invalid OCSP url %s from %s", request->url, certfile); - if (*path == '\0') - path = "/"; if (infd == -1) { /* Get a new OCSP response from the indicated server */ @@ -612,8 +671,13 @@ main(int argc, char **argv) * routines and parsing untrusted input from someone's OCSP * server. */ - if (pledge("stdio", NULL) == -1) - err(1, "pledge"); + if (cadir == NULL) { + if (pledge("stdio", NULL) == -1) + err(1, "pledge"); + } else { + if (pledge("stdio rpath", NULL) == -1) + err(1, "pledge"); + } dspew("Server at %s returns:\n", host); for (i = 0; i < httphsz; i++) @@ -641,8 +705,13 @@ main(int argc, char **argv) /* * Pledge minimally before fiddling with libcrypto init */ - if (pledge("stdio", NULL) == -1) - err(1, "pledge"); + if (cadir == NULL) { + if (pledge("stdio", NULL) == -1) + err(1, "pledge"); + } else { + if (pledge("stdio rpath", NULL) == -1) + err(1, "pledge"); + } dspew("Using ocsp response saved in %s:\n", infile); @@ -670,10 +739,12 @@ main(int argc, char **argv) * write out the DER format response to the staplefd */ if (staplefd >= 0) { - while (ftruncate(staplefd, 0) < 0) + while (ftruncate(staplefd, 0) < 0) { + if (errno == EINVAL) + break; if (errno != EINTR && errno != EAGAIN) err(1, "Write of OCSP response failed"); - w = 0; + } written = 0; while (written < instaplesz) { w = write(staplefd, instaple + written, diff --git a/apps/openssl/CMakeLists.txt b/apps/openssl/CMakeLists.txt index 6d89c069..b9cd2221 100644 --- a/apps/openssl/CMakeLists.txt +++ b/apps/openssl/CMakeLists.txt @@ -6,6 +6,7 @@ set( ciphers.c crl.c crl2p7.c + cms.c dgst.c dh.c dhparam.c @@ -82,13 +83,3 @@ if(ENABLE_LIBRESSL_INSTALL) install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR}) install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1) endif(ENABLE_LIBRESSL_INSTALL) - -if(NOT "${OPENSSLDIR}" STREQUAL "") - set(CONF_DIR "${OPENSSLDIR}") -else() - set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl") -endif() -if(ENABLE_LIBRESSL_INSTALL) - install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR}) - install(DIRECTORY DESTINATION ${CONF_DIR}/certs) -endif(ENABLE_LIBRESSL_INSTALL) diff --git a/apps/openssl/Makefile.am b/apps/openssl/Makefile.am index f100adb2..b98e08db 100644 --- a/apps/openssl/Makefile.am +++ b/apps/openssl/Makefile.am @@ -1,8 +1,11 @@ include $(top_srcdir)/Makefile.am.common +if !ENABLE_LIBTLS_ONLY bin_PROGRAMS = openssl - dist_man_MANS = openssl.1 +else +noinst_PROGRAMS = openssl +endif openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la @@ -14,6 +17,7 @@ openssl_SOURCES += ca.c openssl_SOURCES += ciphers.c openssl_SOURCES += crl.c openssl_SOURCES += crl2p7.c +openssl_SOURCES += cms.c openssl_SOURCES += dgst.c openssl_SOURCES += dh.c openssl_SOURCES += dhparam.c @@ -91,34 +95,5 @@ noinst_HEADERS += testdsa.h noinst_HEADERS += testrsa.h noinst_HEADERS += timeouts.h -EXTRA_DIST = cert.pem -EXTRA_DIST += openssl.cnf -EXTRA_DIST += x509v3.cnf -EXTRA_DIST += CMakeLists.txt - -install-exec-hook: - @if [ "@OPENSSLDIR@x" != "x" ]; then \ - OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ - else \ - OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ - fi; \ - mkdir -p "$$OPENSSLDIR/certs"; \ - for i in cert.pem openssl.cnf x509v3.cnf; do \ - if [ ! -f "$$OPENSSLDIR/$i" ]; then \ - $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ - else \ - echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \ - fi \ - done +EXTRA_DIST = CMakeLists.txt -uninstall-local: - @if [ "@OPENSSLDIR@x" != "x" ]; then \ - OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ - else \ - OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ - fi; \ - for i in cert.pem openssl.cnf x509v3.cnf; do \ - if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ - rm -f "$$OPENSSLDIR/$$i"; \ - fi \ - done diff --git a/apps/openssl/Makefile.in b/apps/openssl/Makefile.in index 09c5079f..b99f0f35 100644 --- a/apps/openssl/Makefile.in +++ b/apps/openssl/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -89,7 +89,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -bin_PROGRAMS = openssl$(EXEEXT) +@ENABLE_LIBTLS_ONLY_FALSE@bin_PROGRAMS = openssl$(EXEEXT) +@ENABLE_LIBTLS_ONLY_TRUE@noinst_PROGRAMS = openssl$(EXEEXT) @BUILD_CERTHASH_TRUE@am__append_1 = certhash.c @BUILD_CERTHASH_FALSE@am__append_2 = certhash_win.c @HOST_WIN_TRUE@am__append_3 = apps_win.c @@ -99,7 +100,9 @@ bin_PROGRAMS = openssl$(EXEEXT) @HAVE_STRTONUM_FALSE@am__append_7 = compat/strtonum.c subdir = apps/openssl ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -114,15 +117,15 @@ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" -PROGRAMS = $(bin_PROGRAMS) +PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) am__openssl_SOURCES_DIST = apps.c asn1pars.c ca.c ciphers.c crl.c \ - crl2p7.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c \ - enc.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c \ - ocsp.c openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c \ - pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \ - s_cb.c s_client.c s_server.c s_socket.c s_time.c sess_id.c \ - smime.c speed.c spkac.c ts.c verify.c version.c x509.c \ - certhash.c certhash_win.c apps_win.c apps_posix.c \ + crl2p7.c cms.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c \ + ecparam.c enc.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c \ + nseq.c ocsp.c openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c \ + pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c \ + rsautl.c s_cb.c s_client.c s_server.c s_socket.c s_time.c \ + sess_id.c smime.c speed.c spkac.c ts.c verify.c version.c \ + x509.c certhash.c certhash_win.c apps_win.c apps_posix.c \ compat/poll_win.c compat/clock_gettime_osx.c compat/strtonum.c @BUILD_CERTHASH_TRUE@am__objects_1 = certhash.$(OBJEXT) @BUILD_CERTHASH_FALSE@am__objects_2 = certhash_win.$(OBJEXT) @@ -134,7 +137,7 @@ am__dirstamp = $(am__leading_dot)dirstamp @HAVE_CLOCK_GETTIME_FALSE@@HOST_DARWIN_TRUE@am__objects_6 = compat/clock_gettime_osx.$(OBJEXT) @HAVE_STRTONUM_FALSE@am__objects_7 = compat/strtonum.$(OBJEXT) am_openssl_OBJECTS = apps.$(OBJEXT) asn1pars.$(OBJEXT) ca.$(OBJEXT) \ - ciphers.$(OBJEXT) crl.$(OBJEXT) crl2p7.$(OBJEXT) \ + ciphers.$(OBJEXT) crl.$(OBJEXT) crl2p7.$(OBJEXT) cms.$(OBJEXT) \ dgst.$(OBJEXT) dh.$(OBJEXT) dhparam.$(OBJEXT) dsa.$(OBJEXT) \ dsaparam.$(OBJEXT) ec.$(OBJEXT) ecparam.$(OBJEXT) \ enc.$(OBJEXT) errstr.$(OBJEXT) gendh.$(OBJEXT) \ @@ -178,9 +181,9 @@ am__depfiles_remade = ./$(DEPDIR)/apps.Po ./$(DEPDIR)/apps_posix.Po \ ./$(DEPDIR)/apps_win.Po ./$(DEPDIR)/asn1pars.Po \ ./$(DEPDIR)/ca.Po ./$(DEPDIR)/certhash.Po \ ./$(DEPDIR)/certhash_win.Po ./$(DEPDIR)/ciphers.Po \ - ./$(DEPDIR)/crl.Po ./$(DEPDIR)/crl2p7.Po ./$(DEPDIR)/dgst.Po \ - ./$(DEPDIR)/dh.Po ./$(DEPDIR)/dhparam.Po ./$(DEPDIR)/dsa.Po \ - ./$(DEPDIR)/dsaparam.Po ./$(DEPDIR)/ec.Po \ + ./$(DEPDIR)/cms.Po ./$(DEPDIR)/crl.Po ./$(DEPDIR)/crl2p7.Po \ + ./$(DEPDIR)/dgst.Po ./$(DEPDIR)/dh.Po ./$(DEPDIR)/dhparam.Po \ + ./$(DEPDIR)/dsa.Po ./$(DEPDIR)/dsaparam.Po ./$(DEPDIR)/ec.Po \ ./$(DEPDIR)/ecparam.Po ./$(DEPDIR)/enc.Po \ ./$(DEPDIR)/errstr.Po ./$(DEPDIR)/gendh.Po \ ./$(DEPDIR)/gendsa.Po ./$(DEPDIR)/genpkey.Po \ @@ -392,6 +395,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -404,22 +408,23 @@ AM_CFLAGS = AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \ -D__END_HIDDEN_DECLS= -dist_man_MANS = openssl.1 +@ENABLE_LIBTLS_ONLY_FALSE@dist_man_MANS = openssl.1 openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la \ $(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD) \ $(PROG_LDADD) openssl_SOURCES = apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \ - dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c \ - errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c \ - openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \ - pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c \ - s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \ - speed.c spkac.c ts.c verify.c version.c x509.c $(am__append_1) \ - $(am__append_2) $(am__append_3) $(am__append_4) \ - $(am__append_5) $(am__append_6) $(am__append_7) + cms.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c \ + enc.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c \ + ocsp.c openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c \ + pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \ + s_cb.c s_client.c s_server.c s_socket.c s_time.c sess_id.c \ + smime.c speed.c spkac.c ts.c verify.c version.c x509.c \ + $(am__append_1) $(am__append_2) $(am__append_3) \ + $(am__append_4) $(am__append_5) $(am__append_6) \ + $(am__append_7) noinst_HEADERS = apps.h progs.h s_apps.h testdsa.h testrsa.h \ timeouts.h -EXTRA_DIST = cert.pem openssl.cnf x509v3.cnf CMakeLists.txt +EXTRA_DIST = CMakeLists.txt all: all-am .SUFFIXES: @@ -503,6 +508,15 @@ clean-binPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list compat/$(am__dirstamp): @$(MKDIR_P) compat @: > compat/$(am__dirstamp) @@ -535,6 +549,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certhash.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certhash_win.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ciphers.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cms.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl2p7.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dgst.Po@am__quote@ # am--include-marker @@ -787,7 +802,8 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am +clean-am: clean-binPROGRAMS clean-generic clean-libtool \ + clean-noinstPROGRAMS mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/apps.Po @@ -798,6 +814,7 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/certhash.Po -rm -f ./$(DEPDIR)/certhash_win.Po -rm -f ./$(DEPDIR)/ciphers.Po + -rm -f ./$(DEPDIR)/cms.Po -rm -f ./$(DEPDIR)/crl.Po -rm -f ./$(DEPDIR)/crl2p7.Po -rm -f ./$(DEPDIR)/dgst.Po @@ -867,8 +884,7 @@ install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook + install-html: install-html-am install-html-am: @@ -898,6 +914,7 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/certhash.Po -rm -f ./$(DEPDIR)/certhash_win.Po -rm -f ./$(DEPDIR)/ciphers.Po + -rm -f ./$(DEPDIR)/cms.Po -rm -f ./$(DEPDIR)/crl.Po -rm -f ./$(DEPDIR)/crl2p7.Po -rm -f ./$(DEPDIR)/dgst.Po @@ -960,58 +977,31 @@ ps: ps-am ps-am: -uninstall-am: uninstall-binPROGRAMS uninstall-local uninstall-man +uninstall-am: uninstall-binPROGRAMS uninstall-man uninstall-man: uninstall-man1 -.MAKE: install-am install-exec-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ - clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ - ctags ctags-am distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-exec-hook install-html \ - install-html-am install-info install-info-am install-man \ - install-man1 install-pdf install-pdf-am install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-local \ + clean-binPROGRAMS clean-generic clean-libtool \ + clean-noinstPROGRAMS cscopelist-am ctags ctags-am distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-binPROGRAMS install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man1 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am uninstall-binPROGRAMS \ uninstall-man uninstall-man1 .PRECIOUS: Makefile -install-exec-hook: - @if [ "@OPENSSLDIR@x" != "x" ]; then \ - OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ - else \ - OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ - fi; \ - mkdir -p "$$OPENSSLDIR/certs"; \ - for i in cert.pem openssl.cnf x509v3.cnf; do \ - if [ ! -f "$$OPENSSLDIR/$i" ]; then \ - $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ - else \ - echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \ - fi \ - done - -uninstall-local: - @if [ "@OPENSSLDIR@x" != "x" ]; then \ - OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \ - else \ - OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ - fi; \ - for i in cert.pem openssl.cnf x509v3.cnf; do \ - if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ - rm -f "$$OPENSSLDIR/$$i"; \ - fi \ - done - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/apps/openssl/apps.c b/apps/openssl/apps.c index c9a2f34b..5e4e8d52 100644 --- a/apps/openssl/apps.c +++ b/apps/openssl/apps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.c,v 1.54 2019/07/14 03:30:45 guenther Exp $ */ +/* $OpenBSD: apps.c,v 1.60 2021/03/31 17:13:54 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -141,12 +141,12 @@ #include #include #include +#include #include +#include #include #include -#include - typedef struct { const char *name; unsigned long flag; @@ -216,7 +216,6 @@ chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]) *argc = 0; *argv = NULL; - i = 0; if (arg->count == 0) { arg->count = 20; arg->data = reallocarray(NULL, arg->count, sizeof(char *)); @@ -1917,6 +1916,8 @@ args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, flags |= X509_V_FLAG_POLICY_CHECK; else if (!strcmp(arg, "-explicit_policy")) flags |= X509_V_FLAG_EXPLICIT_POLICY; + else if (!strcmp(arg, "-legacy_verify")) + flags |= X509_V_FLAG_LEGACY_VERIFY; else if (!strcmp(arg, "-inhibit_any")) flags |= X509_V_FLAG_INHIBIT_ANY; else if (!strcmp(arg, "-inhibit_map")) @@ -2299,6 +2300,14 @@ options_parse(int argc, char **argv, const struct option *opts, char **unnamed, *opt->opt.value |= opt->value; break; + case OPTION_UL_VALUE_OR: + *opt->opt.ulvalue |= opt->ulvalue; + break; + + case OPTION_ORDER: + *opt->opt.order = ++(*opt->order); + break; + default: fprintf(stderr, "option %s - unknown type %i\n", opt->name, opt->type); @@ -2331,4 +2340,3 @@ show_cipher(const OBJ_NAME *name, void *arg) fprintf(stderr, " -%-24s%s", name->name, (++*n % 3 != 0 ? "" : "\n")); } - diff --git a/apps/openssl/apps.h b/apps/openssl/apps.h index 48e5ba3a..9a4ffd00 100644 --- a/apps/openssl/apps.h +++ b/apps/openssl/apps.h @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.h,v 1.23 2019/07/14 03:30:45 guenther Exp $ */ +/* $OpenBSD: apps.h,v 1.27 2021/03/31 17:13:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -303,6 +303,8 @@ struct option { OPTION_VALUE, OPTION_VALUE_AND, OPTION_VALUE_OR, + OPTION_UL_VALUE_OR, + OPTION_ORDER, } type; union { char **arg; @@ -312,9 +314,13 @@ struct option { int (*func)(void); long *lvalue; int *value; + unsigned long *ulvalue; time_t *tvalue; + int *order; } opt; const int value; + const unsigned long ulvalue; + int *order; }; void options_usage(const struct option *opts); diff --git a/apps/openssl/ca.c b/apps/openssl/ca.c index ac183f28..6952226f 100644 --- a/apps/openssl/ca.c +++ b/apps/openssl/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.27 2019/07/03 03:24:02 deraadt Exp $ */ +/* $OpenBSD: ca.c,v 1.28 2020/12/16 18:53:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -219,7 +219,7 @@ static int setCertificateTime(ASN1_TIME *x509time, char *timestring) { struct tm tm1; - memset(&tm1, 0, sizeof(tm1)); + if (ASN1_time_parse(timestring, strlen(timestring), &tm1, 0) == -1) return (-1); if (!ASN1_TIME_set_tm(x509time, &tm1)) diff --git a/apps/openssl/cms.c b/apps/openssl/cms.c new file mode 100644 index 00000000..cad85567 --- /dev/null +++ b/apps/openssl/cms.c @@ -0,0 +1,1282 @@ +/* $OpenBSD: cms.c,v 1.17 2020/01/04 14:17:55 inoguchi Exp $ */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +/* CMS utility function */ + +#include +#include + +#include "apps.h" + +#ifndef OPENSSL_NO_CMS + +#include +#include +#include +#include +#include + +#include + +static int save_certs(char *signerfile, STACK_OF(X509) *signers); +static int cms_cb(int ok, X509_STORE_CTX *ctx); +static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); +static CMS_ReceiptRequest *make_receipt_request( + STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, + STACK_OF(OPENSSL_STRING) *rr_from); +static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, + STACK_OF(OPENSSL_STRING) *param); + +#define SMIME_OP 0x10 +#define SMIME_IP 0x20 +#define SMIME_SIGNERS 0x40 +#define SMIME_ENCRYPT (1 | SMIME_OP) +#define SMIME_DECRYPT (2 | SMIME_IP) +#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) +#define SMIME_VERIFY (4 | SMIME_IP) +#define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) +#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) +#define SMIME_DATAOUT (7 | SMIME_IP) +#define SMIME_DATA_CREATE (8 | SMIME_OP) +#define SMIME_DIGEST_VERIFY (9 | SMIME_IP) +#define SMIME_DIGEST_CREATE (10 | SMIME_OP) +#define SMIME_UNCOMPRESS (11 | SMIME_IP) +#define SMIME_COMPRESS (12 | SMIME_OP) +#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) +#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) +#define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) +#define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) + +int verify_err = 0; + +struct cms_key_param { + int idx; + STACK_OF(OPENSSL_STRING) *param; + struct cms_key_param *next; +}; + +int +cms_main(int argc, char **argv) +{ + int operation = 0; + int ret = 0; + char **args; + const char *inmode = "r", *outmode = "w"; + char *infile = NULL, *outfile = NULL, *rctfile = NULL; + char *signerfile = NULL, *recipfile = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL; + char *certsoutfile = NULL; + const EVP_CIPHER *cipher = NULL; + CMS_ContentInfo *cms = NULL, *rcms = NULL; + X509_STORE *store = NULL; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + EVP_PKEY *key = NULL; + STACK_OF(X509) *encerts = NULL, *other = NULL; + BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; + int badarg = 0; + int flags = CMS_DETACHED, noout = 0, print = 0; + int verify_retcode = 0; + int rr_print = 0, rr_allorfirst = -1; + STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + CMS_ReceiptRequest *rr = NULL; + char *to = NULL, *from = NULL, *subject = NULL; + char *CAfile = NULL, *CApath = NULL; + char *passargin = NULL, *passin = NULL; + const EVP_MD *sign_md = NULL; + int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; + int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; + unsigned char *secret_key = NULL, *secret_keyid = NULL; + unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; + size_t secret_keylen = 0, secret_keyidlen = 0; + + struct cms_key_param *key_first = NULL, *key_param = NULL; + + ASN1_OBJECT *econtent_type = NULL; + + X509_VERIFY_PARAM *vpm = NULL; + + if (single_execution) { + if (pledge("stdio rpath wpath cpath tty", NULL) == -1) { + perror("pledge"); + exit(1); + } + } + + args = argv + 1; + ret = 1; + + while (!badarg && *args && *args[0] == '-') { + if (!strcmp(*args, "-encrypt")) + operation = SMIME_ENCRYPT; + else if (!strcmp(*args, "-decrypt")) + operation = SMIME_DECRYPT; + else if (!strcmp(*args, "-sign")) + operation = SMIME_SIGN; + else if (!strcmp(*args, "-sign_receipt")) + operation = SMIME_SIGN_RECEIPT; + else if (!strcmp(*args, "-resign")) + operation = SMIME_RESIGN; + else if (!strcmp(*args, "-verify")) + operation = SMIME_VERIFY; + else if (!strcmp(*args, "-verify_retcode")) + verify_retcode = 1; + else if (!strcmp(*args, "-verify_receipt")) { + operation = SMIME_VERIFY_RECEIPT; + if (!args[1]) + goto argerr; + args++; + rctfile = *args; + } else if (!strcmp(*args, "-cmsout")) + operation = SMIME_CMSOUT; + else if (!strcmp(*args, "-data_out")) + operation = SMIME_DATAOUT; + else if (!strcmp(*args, "-data_create")) + operation = SMIME_DATA_CREATE; + else if (!strcmp(*args, "-digest_verify")) + operation = SMIME_DIGEST_VERIFY; + else if (!strcmp(*args, "-digest_create")) + operation = SMIME_DIGEST_CREATE; + else if (!strcmp(*args, "-compress")) + operation = SMIME_COMPRESS; + else if (!strcmp(*args, "-uncompress")) + operation = SMIME_UNCOMPRESS; + else if (!strcmp(*args, "-EncryptedData_decrypt")) + operation = SMIME_ENCRYPTED_DECRYPT; + else if (!strcmp(*args, "-EncryptedData_encrypt")) + operation = SMIME_ENCRYPTED_ENCRYPT; +#ifndef OPENSSL_NO_DES + else if (!strcmp(*args, "-des3")) + cipher = EVP_des_ede3_cbc(); + else if (!strcmp(*args, "-des")) + cipher = EVP_des_cbc(); +#endif +#ifndef OPENSSL_NO_RC2 + else if (!strcmp(*args, "-rc2-40")) + cipher = EVP_rc2_40_cbc(); + else if (!strcmp(*args, "-rc2-128")) + cipher = EVP_rc2_cbc(); + else if (!strcmp(*args, "-rc2-64")) + cipher = EVP_rc2_64_cbc(); +#endif +#ifndef OPENSSL_NO_AES + else if (!strcmp(*args, "-aes128")) + cipher = EVP_aes_128_cbc(); + else if (!strcmp(*args, "-aes192")) + cipher = EVP_aes_192_cbc(); + else if (!strcmp(*args, "-aes256")) + cipher = EVP_aes_256_cbc(); +#endif +#ifndef OPENSSL_NO_CAMELLIA + else if (!strcmp(*args, "-camellia128")) + cipher = EVP_camellia_128_cbc(); + else if (!strcmp(*args, "-camellia192")) + cipher = EVP_camellia_192_cbc(); + else if (!strcmp(*args, "-camellia256")) + cipher = EVP_camellia_256_cbc(); +#endif + else if (!strcmp(*args, "-debug_decrypt")) + flags |= CMS_DEBUG_DECRYPT; + else if (!strcmp(*args, "-text")) + flags |= CMS_TEXT; + else if (!strcmp(*args, "-nointern")) + flags |= CMS_NOINTERN; + else if (!strcmp(*args, "-noverify") || + !strcmp(*args, "-no_signer_cert_verify")) + flags |= CMS_NO_SIGNER_CERT_VERIFY; + else if (!strcmp(*args, "-nocerts")) + flags |= CMS_NOCERTS; + else if (!strcmp(*args, "-noattr")) + flags |= CMS_NOATTR; + else if (!strcmp(*args, "-nodetach")) + flags &= ~CMS_DETACHED; + else if (!strcmp(*args, "-nosmimecap")) + flags |= CMS_NOSMIMECAP; + else if (!strcmp(*args, "-binary")) + flags |= CMS_BINARY; + else if (!strcmp(*args, "-keyid")) + flags |= CMS_USE_KEYID; + else if (!strcmp(*args, "-nosigs")) + flags |= CMS_NOSIGS; + else if (!strcmp(*args, "-no_content_verify")) + flags |= CMS_NO_CONTENT_VERIFY; + else if (!strcmp(*args, "-no_attr_verify")) + flags |= CMS_NO_ATTR_VERIFY; + else if (!strcmp(*args, "-stream")) + flags |= CMS_STREAM; + else if (!strcmp(*args, "-indef")) + flags |= CMS_STREAM; + else if (!strcmp(*args, "-noindef")) + flags &= ~CMS_STREAM; + else if (!strcmp(*args, "-nooldmime")) + flags |= CMS_NOOLDMIMETYPE; + else if (!strcmp(*args, "-crlfeol")) + flags |= CMS_CRLFEOL; + else if (!strcmp(*args, "-noout")) + noout = 1; + else if (!strcmp(*args, "-receipt_request_print")) + rr_print = 1; + else if (!strcmp(*args, "-receipt_request_all")) + rr_allorfirst = 0; + else if (!strcmp(*args, "-receipt_request_first")) + rr_allorfirst = 1; + else if (!strcmp(*args, "-receipt_request_from")) { + if (!args[1]) + goto argerr; + args++; + if (rr_from == NULL && + (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(rr_from, *args)) + goto end; + } else if (!strcmp(*args, "-receipt_request_to")) { + if (!args[1]) + goto argerr; + args++; + if (rr_to == NULL && + (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(rr_to, *args)) + goto end; + } else if (!strcmp(*args, "-print")) { + noout = 1; + print = 1; + } else if (!strcmp(*args, "-secretkey")) { + long ltmp; + if (!args[1]) + goto argerr; + args++; + secret_key = string_to_hex(*args, <mp); + if (!secret_key) { + BIO_printf(bio_err, "Invalid key %s\n", *args); + goto argerr; + } + secret_keylen = (size_t) ltmp; + } else if (!strcmp(*args, "-secretkeyid")) { + long ltmp; + if (!args[1]) + goto argerr; + args++; + secret_keyid = string_to_hex(*args, <mp); + if (!secret_keyid) { + BIO_printf(bio_err, "Invalid id %s\n", *args); + goto argerr; + } + secret_keyidlen = (size_t) ltmp; + } else if (!strcmp(*args, "-pwri_password")) { + if (!args[1]) + goto argerr; + args++; + pwri_pass = (unsigned char *) *args; + } else if (!strcmp(*args, "-econtent_type")) { + if (!args[1]) + goto argerr; + args++; + econtent_type = OBJ_txt2obj(*args, 0); + if (!econtent_type) { + BIO_printf(bio_err, "Invalid OID %s\n", *args); + goto argerr; + } + } + else if (!strcmp(*args, "-passin")) { + if (!args[1]) + goto argerr; + passargin = *++args; + } else if (!strcmp(*args, "-to")) { + if (!args[1]) + goto argerr; + to = *++args; + } else if (!strcmp(*args, "-from")) { + if (!args[1]) + goto argerr; + from = *++args; + } else if (!strcmp(*args, "-subject")) { + if (!args[1]) + goto argerr; + subject = *++args; + } else if (!strcmp(*args, "-signer")) { + if (!args[1]) + goto argerr; + /* If previous -signer argument add signer to list */ + + if (signerfile) { + if (sksigners == NULL && + (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(sksigners, signerfile)) + goto end; + if (!keyfile) + keyfile = signerfile; + if (skkeys == NULL && + (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(skkeys, keyfile)) + goto end; + keyfile = NULL; + } + signerfile = *++args; + } else if (!strcmp(*args, "-recip")) { + if (!args[1]) + goto argerr; + if (operation == SMIME_ENCRYPT) { + if (encerts == NULL && + (encerts = sk_X509_new_null()) == NULL) + goto end; + cert = load_cert(bio_err, *++args, FORMAT_PEM, + NULL, "recipient certificate file"); + if (cert == NULL) + goto end; + if (!sk_X509_push(encerts, cert)) + goto end; + cert = NULL; + } else { + recipfile = *++args; + } + } else if (!strcmp(*args, "-certsout")) { + if (!args[1]) + goto argerr; + certsoutfile = *++args; + } else if (!strcmp(*args, "-md")) { + if (!args[1]) + goto argerr; + sign_md = EVP_get_digestbyname(*++args); + if (sign_md == NULL) { + BIO_printf(bio_err, "Unknown digest %s\n", + *args); + goto argerr; + } + } else if (!strcmp(*args, "-inkey")) { + if (!args[1]) + goto argerr; + /* If previous -inkey arument add signer to list */ + if (keyfile) { + if (!signerfile) { + BIO_puts(bio_err, + "Illegal -inkey without -signer\n"); + goto argerr; + } + if (sksigners == NULL && + (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(sksigners, signerfile)) + goto end; + signerfile = NULL; + if (skkeys == NULL && + (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(skkeys, keyfile)) + goto end; + } + keyfile = *++args; + } else if (!strcmp(*args, "-keyform")) { + if (!args[1]) + goto argerr; + keyform = str2fmt(*++args); + } else if (!strcmp (*args, "-keyopt")) { + int keyidx = -1; + if (!args[1]) + goto argerr; + if (operation == SMIME_ENCRYPT) { + if (encerts != NULL) + keyidx += sk_X509_num(encerts); + } else { + if (keyfile != NULL || signerfile != NULL) + keyidx++; + if (skkeys != NULL) + keyidx += sk_OPENSSL_STRING_num(skkeys); + } + if (keyidx < 0) { + BIO_printf(bio_err, "No key specified\n"); + goto argerr; + } + if (key_param == NULL || key_param->idx != keyidx) { + struct cms_key_param *nparam; + if ((nparam = malloc(sizeof(struct cms_key_param))) == NULL) + goto end; + nparam->idx = keyidx; + if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + nparam->next = NULL; + if (key_first == NULL) + key_first = nparam; + else + key_param->next = nparam; + key_param = nparam; + } + if (!sk_OPENSSL_STRING_push(key_param->param, *++args)) + goto end; + } else if (!strcmp(*args, "-rctform")) { + if (!args[1]) + goto argerr; + rctformat = str2fmt(*++args); + } else if (!strcmp(*args, "-certfile")) { + if (!args[1]) + goto argerr; + certfile = *++args; + } else if (!strcmp(*args, "-CAfile")) { + if (!args[1]) + goto argerr; + CAfile = *++args; + } else if (!strcmp(*args, "-CApath")) { + if (!args[1]) + goto argerr; + CApath = *++args; + } else if (!strcmp(*args, "-in")) { + if (!args[1]) + goto argerr; + infile = *++args; + } else if (!strcmp(*args, "-inform")) { + if (!args[1]) + goto argerr; + informat = str2fmt(*++args); + } else if (!strcmp(*args, "-outform")) { + if (!args[1]) + goto argerr; + outformat = str2fmt(*++args); + } else if (!strcmp(*args, "-out")) { + if (!args[1]) + goto argerr; + outfile = *++args; + } else if (!strcmp(*args, "-content")) { + if (!args[1]) + goto argerr; + contfile = *++args; + } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) + continue; + else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) + badarg = 1; + args++; + } + + if (((rr_allorfirst != -1) || rr_from) && !rr_to) { + BIO_puts(bio_err, "No Signed Receipts Recipients\n"); + goto argerr; + } + if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { + BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); + goto argerr; + } + if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { + BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); + goto argerr; + } + if (operation & SMIME_SIGNERS) { + if (keyfile && !signerfile) { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto argerr; + } + /* Check to see if any final signer needs to be appended */ + if (signerfile) { + if (sksigners == NULL && + (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(sksigners, signerfile)) + goto end; + if (skkeys == NULL && + (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!keyfile) + keyfile = signerfile; + if (!sk_OPENSSL_STRING_push(skkeys, keyfile)) + goto end; + } + if (!sksigners) { + BIO_printf(bio_err, + "No signer certificate specified\n"); + badarg = 1; + } + signerfile = NULL; + keyfile = NULL; + } else if (operation == SMIME_DECRYPT) { + if (!recipfile && !keyfile && !secret_key && !pwri_pass) { + BIO_printf(bio_err, + "No recipient certificate or key specified\n"); + badarg = 1; + } + } else if (operation == SMIME_ENCRYPT) { + if (!*args && !secret_key && !pwri_pass && !encerts) { + BIO_printf(bio_err, + "No recipient(s) certificate(s) specified\n"); + badarg = 1; + } + } else if (!operation) + badarg = 1; + + if (badarg) { + argerr: + BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n"); + BIO_printf(bio_err, "where options are\n"); + BIO_printf(bio_err, "-encrypt encrypt message\n"); + BIO_printf(bio_err, "-decrypt decrypt encrypted message\n"); + BIO_printf(bio_err, "-sign sign message\n"); + BIO_printf(bio_err, "-verify verify signed message\n"); + BIO_printf(bio_err, "-cmsout output CMS structure\n"); +#ifndef OPENSSL_NO_DES + BIO_printf(bio_err, "-des3 encrypt with triple DES\n"); + BIO_printf(bio_err, "-des encrypt with DES\n"); +#endif +#ifndef OPENSSL_NO_RC2 + BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n"); + BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n"); + BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n"); +#endif +#ifndef OPENSSL_NO_AES + BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); + BIO_printf(bio_err, " encrypt PEM output with cbc aes\n"); +#endif +#ifndef OPENSSL_NO_CAMELLIA + BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); + BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n"); +#endif + BIO_printf(bio_err, "-nointern don't search certificates in message for signer\n"); + BIO_printf(bio_err, "-nosigs don't verify message signature\n"); + BIO_printf(bio_err, "-noverify don't verify signers certificate\n"); + BIO_printf(bio_err, "-nocerts don't include signers certificate when signing\n"); + BIO_printf(bio_err, "-nodetach use opaque signing\n"); + BIO_printf(bio_err, "-noattr don't include any signed attributes\n"); + BIO_printf(bio_err, "-binary don't translate message to text\n"); + BIO_printf(bio_err, "-certfile file other certificates file\n"); + BIO_printf(bio_err, "-certsout file certificate output file\n"); + BIO_printf(bio_err, "-signer file signer certificate file\n"); + BIO_printf(bio_err, "-recip file recipient certificate file for decryption\n"); + BIO_printf(bio_err, "-keyid use subject key identifier\n"); + BIO_printf(bio_err, "-in file input file\n"); + BIO_printf(bio_err, "-inform arg input format SMIME (default), PEM or DER\n"); + BIO_printf(bio_err, "-inkey file input private key (if not signer or recipient)\n"); + BIO_printf(bio_err, "-keyform arg input private key format (PEM)\n"); + BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-outform arg output format SMIME (default), PEM or DER\n"); + BIO_printf(bio_err, "-content file supply or override content for detached signature\n"); + BIO_printf(bio_err, "-to addr to address\n"); + BIO_printf(bio_err, "-from ad from address\n"); + BIO_printf(bio_err, "-subject s subject\n"); + BIO_printf(bio_err, "-text include or delete text MIME headers\n"); + BIO_printf(bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); + BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); + BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); + BIO_printf(bio_err, "cert.pem recipient certificate(s) for encryption\n"); + goto end; + } + + if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + ret = 2; + + if (!(operation & SMIME_SIGNERS)) + flags &= ~CMS_DETACHED; + + if (operation & SMIME_OP) { + if (outformat == FORMAT_ASN1) + outmode = "wb"; + } else { + if (flags & CMS_BINARY) + outmode = "wb"; + } + + if (operation & SMIME_IP) { + if (informat == FORMAT_ASN1) + inmode = "rb"; + } else { + if (flags & CMS_BINARY) + inmode = "rb"; + } + + if (operation == SMIME_ENCRYPT) { + if (!cipher) { +#ifndef OPENSSL_NO_DES + cipher = EVP_des_ede3_cbc(); +#else + BIO_printf(bio_err, "No cipher selected\n"); + goto end; +#endif + } + if (secret_key && !secret_keyid) { + BIO_printf(bio_err, "No secret key id\n"); + goto end; + } + if (*args && encerts == NULL) + if ((encerts = sk_X509_new_null()) == NULL) + goto end; + while (*args) { + if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, + NULL, "recipient certificate file"))) + goto end; + if (!sk_X509_push(encerts, cert)) + goto end; + cert = NULL; + args++; + } + } + if (certfile) { + if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, + "certificate file"))) { + ERR_print_errors(bio_err); + goto end; + } + } + if (recipfile && (operation == SMIME_DECRYPT)) { + if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, + "recipient certificate file"))) { + ERR_print_errors(bio_err); + goto end; + } + } + if (operation == SMIME_SIGN_RECEIPT) { + if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, + "receipt signer certificate file"))) { + ERR_print_errors(bio_err); + goto end; + } + } + if (operation == SMIME_DECRYPT) { + if (!keyfile) + keyfile = recipfile; + } else if ((operation == SMIME_SIGN) || + (operation == SMIME_SIGN_RECEIPT)) { + if (!keyfile) + keyfile = signerfile; + } else + keyfile = NULL; + + if (keyfile) { + key = load_key(bio_err, keyfile, keyform, 0, passin, + "signing key file"); + if (!key) + goto end; + } + if (infile) { + if (!(in = BIO_new_file(infile, inmode))) { + BIO_printf(bio_err, + "Can't open input file %s\n", infile); + goto end; + } + } else + in = BIO_new_fp(stdin, BIO_NOCLOSE); + + if (operation & SMIME_IP) { + if (informat == FORMAT_SMIME) + cms = SMIME_read_CMS(in, &indata); + else if (informat == FORMAT_PEM) + cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + cms = d2i_CMS_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad input format for CMS file\n"); + goto end; + } + + if (!cms) { + BIO_printf(bio_err, "Error reading S/MIME message\n"); + goto end; + } + if (contfile) { + BIO_free(indata); + if (!(indata = BIO_new_file(contfile, "rb"))) { + BIO_printf(bio_err, + "Can't read content file %s\n", contfile); + goto end; + } + } + if (certsoutfile) { + STACK_OF(X509) *allcerts; + if ((allcerts = CMS_get1_certs(cms)) == NULL) + goto end; + if (!save_certs(certsoutfile, allcerts)) { + BIO_printf(bio_err, + "Error writing certs to %s\n", + certsoutfile); + ret = 5; + goto end; + } + sk_X509_pop_free(allcerts, X509_free); + } + } + if (rctfile) { + char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; + if (!(rctin = BIO_new_file(rctfile, rctmode))) { + BIO_printf(bio_err, + "Can't open receipt file %s\n", rctfile); + goto end; + } + if (rctformat == FORMAT_SMIME) + rcms = SMIME_read_CMS(rctin, NULL); + else if (rctformat == FORMAT_PEM) + rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); + else if (rctformat == FORMAT_ASN1) + rcms = d2i_CMS_bio(rctin, NULL); + else { + BIO_printf(bio_err, "Bad input format for receipt\n"); + goto end; + } + + if (!rcms) { + BIO_printf(bio_err, "Error reading receipt\n"); + goto end; + } + } + if (outfile) { + if (!(out = BIO_new_file(outfile, outmode))) { + BIO_printf(bio_err, + "Can't open output file %s\n", outfile); + goto end; + } + } else { + out = BIO_new_fp(stdout, BIO_NOCLOSE); + } + + if ((operation == SMIME_VERIFY) || + (operation == SMIME_VERIFY_RECEIPT)) { + if (!(store = setup_verify(bio_err, CAfile, CApath))) + goto end; + X509_STORE_set_verify_cb(store, cms_cb); + if (vpm) + X509_STORE_set1_param(store, vpm); + } + ret = 3; + + if (operation == SMIME_DATA_CREATE) { + cms = CMS_data_create(in, flags); + } else if (operation == SMIME_DIGEST_CREATE) { + cms = CMS_digest_create(in, sign_md, flags); + } else if (operation == SMIME_COMPRESS) { + cms = CMS_compress(in, -1, flags); + } else if (operation == SMIME_ENCRYPT) { + int i; + flags |= CMS_PARTIAL; + cms = CMS_encrypt(NULL, in, cipher, flags); + if (cms == NULL) + goto end; + for (i = 0; i < sk_X509_num(encerts); i++) { + CMS_RecipientInfo *ri; + struct cms_key_param *kparam; + int tflags = flags; + X509 *x = sk_X509_value(encerts, i); + for (kparam = key_first; kparam; kparam = kparam->next) { + if (kparam->idx == i) { + tflags |= CMS_KEY_PARAM; + break; + } + } + ri = CMS_add1_recipient_cert(cms, x, tflags); + if (ri == NULL) + goto end; + if (kparam != NULL) { + EVP_PKEY_CTX *pctx; + if ((pctx = CMS_RecipientInfo_get0_pkey_ctx(ri)) == NULL) + goto end; + if (!cms_set_pkey_param(pctx, kparam->param)) + goto end; + } + } + + if (secret_key) { + if (!CMS_add0_recipient_key(cms, NID_undef, secret_key, + secret_keylen, secret_keyid, secret_keyidlen, + NULL, NULL, NULL)) + goto end; + /* NULL these because call absorbs them */ + secret_key = NULL; + secret_keyid = NULL; + } + if (pwri_pass) { + pwri_tmp = strdup(pwri_pass); + if (!pwri_tmp) + goto end; + if (!CMS_add0_recipient_password(cms, -1, NID_undef, + NID_undef, pwri_tmp, -1, NULL)) + goto end; + pwri_tmp = NULL; + } + if (!(flags & CMS_STREAM)) { + if (!CMS_final(cms, in, NULL, flags)) + goto end; + } + } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { + cms = CMS_EncryptedData_encrypt(in, cipher, secret_key, + secret_keylen, flags); + + } else if (operation == SMIME_SIGN_RECEIPT) { + CMS_ContentInfo *srcms = NULL; + STACK_OF(CMS_SignerInfo) *sis; + CMS_SignerInfo *si; + sis = CMS_get0_SignerInfos(cms); + if (!sis) + goto end; + si = sk_CMS_SignerInfo_value(sis, 0); + srcms = CMS_sign_receipt(si, signer, key, other, flags); + if (!srcms) + goto end; + CMS_ContentInfo_free(cms); + cms = srcms; + } else if (operation & SMIME_SIGNERS) { + int i; + /* + * If detached data content we enable streaming if S/MIME + * output format. + */ + if (operation == SMIME_SIGN) { + + if (flags & CMS_DETACHED) { + if (outformat == FORMAT_SMIME) + flags |= CMS_STREAM; + } + flags |= CMS_PARTIAL; + cms = CMS_sign(NULL, NULL, other, in, flags); + if (!cms) + goto end; + if (econtent_type) + if (!CMS_set1_eContentType(cms, econtent_type)) + goto end; + + if (rr_to) { + rr = make_receipt_request(rr_to, rr_allorfirst, + rr_from); + if (!rr) { + BIO_puts(bio_err, + "Signed Receipt Request Creation Error\n"); + goto end; + } + } + } else + flags |= CMS_REUSE_DIGEST; + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { + CMS_SignerInfo *si; + struct cms_key_param *kparam; + int tflags = flags; + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); + + signer = load_cert(bio_err, signerfile, FORMAT_PEM, + NULL, "signer certificate"); + if (!signer) + goto end; + key = load_key(bio_err, keyfile, keyform, 0, passin, + "signing key file"); + if (!key) + goto end; + for (kparam = key_first; kparam; kparam = kparam->next) { + if (kparam->idx == i) { + tflags |= CMS_KEY_PARAM; + break; + } + } + si = CMS_add1_signer(cms, signer, key, sign_md, tflags); + if (si == NULL) + goto end; + if (kparam != NULL) { + EVP_PKEY_CTX *pctx; + if ((pctx = CMS_SignerInfo_get0_pkey_ctx(si)) == NULL) + goto end; + if (!cms_set_pkey_param(pctx, kparam->param)) + goto end; + } + if (rr && !CMS_add1_ReceiptRequest(si, rr)) + goto end; + X509_free(signer); + signer = NULL; + EVP_PKEY_free(key); + key = NULL; + } + /* If not streaming or resigning finalize structure */ + if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { + if (!CMS_final(cms, in, NULL, flags)) + goto end; + } + } + if (!cms) { + BIO_printf(bio_err, "Error creating CMS structure\n"); + goto end; + } + ret = 4; + if (operation == SMIME_DECRYPT) { + if (flags & CMS_DEBUG_DECRYPT) + CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); + + if (secret_key) { + if (!CMS_decrypt_set1_key(cms, secret_key, + secret_keylen, secret_keyid, secret_keyidlen)) { + BIO_puts(bio_err, + "Error decrypting CMS using secret key\n"); + goto end; + } + } + if (key) { + if (!CMS_decrypt_set1_pkey(cms, key, recip)) { + BIO_puts(bio_err, + "Error decrypting CMS using private key\n"); + goto end; + } + } + if (pwri_pass) { + if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { + BIO_puts(bio_err, + "Error decrypting CMS using password\n"); + goto end; + } + } + if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { + BIO_printf(bio_err, "Error decrypting CMS structure\n"); + goto end; + } + } else if (operation == SMIME_DATAOUT) { + if (!CMS_data(cms, out, flags)) + goto end; + } else if (operation == SMIME_UNCOMPRESS) { + if (!CMS_uncompress(cms, indata, out, flags)) + goto end; + } else if (operation == SMIME_DIGEST_VERIFY) { + if (CMS_digest_verify(cms, indata, out, flags) > 0) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + goto end; + } + } else if (operation == SMIME_ENCRYPTED_DECRYPT) { + if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, + indata, out, flags)) + goto end; + } else if (operation == SMIME_VERIFY) { + if (CMS_verify(cms, other, store, indata, out, flags) > 0) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + if (verify_retcode) + ret = verify_err + 32; + goto end; + } + if (signerfile) { + STACK_OF(X509) *signers; + if ((signers = CMS_get0_signers(cms)) == NULL) + goto end; + if (!save_certs(signerfile, signers)) { + BIO_printf(bio_err, + "Error writing signers to %s\n", + signerfile); + ret = 5; + goto end; + } + sk_X509_free(signers); + } + if (rr_print) + receipt_request_print(bio_err, cms); + + } else if (operation == SMIME_VERIFY_RECEIPT) { + if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + goto end; + } + } else { + if (noout) { + if (print && + !CMS_ContentInfo_print_ctx(out, cms, 0, NULL)) + goto end; + } else if (outformat == FORMAT_SMIME) { + if (to) + BIO_printf(out, "To: %s\n", to); + if (from) + BIO_printf(out, "From: %s\n", from); + if (subject) + BIO_printf(out, "Subject: %s\n", subject); + if (operation == SMIME_RESIGN) + ret = SMIME_write_CMS(out, cms, indata, flags); + else + ret = SMIME_write_CMS(out, cms, in, flags); + } else if (outformat == FORMAT_PEM) + ret = PEM_write_bio_CMS_stream(out, cms, in, flags); + else if (outformat == FORMAT_ASN1) + ret = i2d_CMS_bio_stream(out, cms, in, flags); + else { + BIO_printf(bio_err, "Bad output format for CMS file\n"); + goto end; + } + if (ret <= 0) { + ret = 6; + goto end; + } + } + ret = 0; + + end: + if (ret) + ERR_print_errors(bio_err); + + sk_X509_pop_free(encerts, X509_free); + sk_X509_pop_free(other, X509_free); + X509_VERIFY_PARAM_free(vpm); + sk_OPENSSL_STRING_free(sksigners); + sk_OPENSSL_STRING_free(skkeys); + free(secret_key); + free(secret_keyid); + free(pwri_tmp); + ASN1_OBJECT_free(econtent_type); + CMS_ReceiptRequest_free(rr); + sk_OPENSSL_STRING_free(rr_to); + sk_OPENSSL_STRING_free(rr_from); + for (key_param = key_first; key_param;) { + struct cms_key_param *tparam; + sk_OPENSSL_STRING_free(key_param->param); + tparam = key_param->next; + free(key_param); + key_param = tparam; + } + X509_STORE_free(store); + X509_free(cert); + X509_free(recip); + X509_free(signer); + EVP_PKEY_free(key); + CMS_ContentInfo_free(cms); + CMS_ContentInfo_free(rcms); + BIO_free(rctin); + BIO_free(in); + BIO_free(indata); + BIO_free_all(out); + free(passin); + + return (ret); +} + +static int +save_certs(char *signerfile, STACK_OF(X509) *signers) +{ + int i; + BIO *tmp; + + if (!signerfile) + return 1; + tmp = BIO_new_file(signerfile, "w"); + if (!tmp) + return 0; + for (i = 0; i < sk_X509_num(signers); i++) + PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); + BIO_free(tmp); + return 1; +} + +/* Minimal callback just to output policy info (if any) */ + +static int +cms_cb(int ok, X509_STORE_CTX *ctx) +{ + int error; + + error = X509_STORE_CTX_get_error(ctx); + + verify_err = error; + + if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) && + ((error != X509_V_OK) || (ok != 2))) + return ok; + + policies_print(NULL, ctx); + + return ok; +} + +static void +gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns) +{ + STACK_OF(GENERAL_NAME) *gens; + GENERAL_NAME *gen; + int i, j; + + for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { + gens = sk_GENERAL_NAMES_value(gns, i); + for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { + gen = sk_GENERAL_NAME_value(gens, j); + BIO_puts(out, " "); + GENERAL_NAME_print(out, gen); + BIO_puts(out, "\n"); + } + } + return; +} + +static void +receipt_request_print(BIO *out, CMS_ContentInfo *cms) +{ + STACK_OF(CMS_SignerInfo) *sis; + CMS_SignerInfo *si; + CMS_ReceiptRequest *rr; + int allorfirst; + STACK_OF(GENERAL_NAMES) *rto, *rlist; + ASN1_STRING *scid; + int i, rv; + + if ((sis = CMS_get0_SignerInfos(cms)) == NULL) + return; + for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { + si = sk_CMS_SignerInfo_value(sis, i); + rv = CMS_get1_ReceiptRequest(si, &rr); + BIO_printf(bio_err, "Signer %d:\n", i + 1); + if (rv == 0) + BIO_puts(bio_err, " No Receipt Request\n"); + else if (rv < 0) { + BIO_puts(bio_err, " Receipt Request Parse Error\n"); + ERR_print_errors(bio_err); + } else { + char *id; + int idlen; + CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, + &rlist, &rto); + BIO_puts(out, " Signed Content ID:\n"); + idlen = ASN1_STRING_length(scid); + id = (char *) ASN1_STRING_data(scid); + BIO_dump_indent(out, id, idlen, 4); + BIO_puts(out, " Receipts From"); + if (rlist) { + BIO_puts(out, " List:\n"); + gnames_stack_print(out, rlist); + } else if (allorfirst == 1) + BIO_puts(out, ": First Tier\n"); + else if (allorfirst == 0) + BIO_puts(out, ": All\n"); + else + BIO_printf(out, " Unknown (%d)\n", allorfirst); + BIO_puts(out, " Receipts To:\n"); + gnames_stack_print(out, rto); + } + if (rr) + CMS_ReceiptRequest_free(rr); + } +} + +static STACK_OF(GENERAL_NAMES) * +make_names_stack(STACK_OF(OPENSSL_STRING) *ns) +{ + int i; + STACK_OF(GENERAL_NAMES) *ret; + GENERAL_NAMES *gens = NULL; + GENERAL_NAME *gen = NULL; + if ((ret = sk_GENERAL_NAMES_new_null()) == NULL) + goto err; + for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { + char *str = sk_OPENSSL_STRING_value(ns, i); + gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); + if (!gen) + goto err; + gens = GENERAL_NAMES_new(); + if (!gens) + goto err; + if (!sk_GENERAL_NAME_push(gens, gen)) + goto err; + gen = NULL; + if (!sk_GENERAL_NAMES_push(ret, gens)) + goto err; + gens = NULL; + } + + return ret; + + err: + sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); + GENERAL_NAMES_free(gens); + GENERAL_NAME_free(gen); + + return NULL; +} + + +static CMS_ReceiptRequest * +make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, + STACK_OF(OPENSSL_STRING) *rr_from) +{ + STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; + CMS_ReceiptRequest *rr; + + rct_to = make_names_stack(rr_to); + if (!rct_to) + goto err; + if (rr_from) { + rct_from = make_names_stack(rr_from); + if (!rct_from) + goto err; + } else + rct_from = NULL; + + if ((rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, + rct_to)) == NULL) + goto err; + + return rr; + + err: + return NULL; +} + +static int +cms_set_pkey_param(EVP_PKEY_CTX *pctx, STACK_OF(OPENSSL_STRING) *param) +{ + char *keyopt; + int i; + + if (sk_OPENSSL_STRING_num(param) <= 0) + return 1; + for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { + keyopt = sk_OPENSSL_STRING_value(param, i); + if (pkey_ctrl_string(pctx, keyopt) <= 0) { + BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); + ERR_print_errors(bio_err); + return 0; + } + } + return 1; +} + +#endif diff --git a/apps/openssl/ocsp.c b/apps/openssl/ocsp.c index 04a719bf..f954d969 100644 --- a/apps/openssl/ocsp.c +++ b/apps/openssl/ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.c,v 1.15 2018/02/07 05:49:36 jsing Exp $ */ +/* $OpenBSD: ocsp.c,v 1.21 2020/10/13 18:25:35 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -79,72 +79,676 @@ /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -static int -add_ocsp_cert(OCSP_REQUEST ** req, X509 * cert, const EVP_MD * cert_id_md, X509 * issuer, - STACK_OF(OCSP_CERTID) * ids); -static int add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X509 * issuer, - STACK_OF(OCSP_CERTID) * ids); -static int print_ocsp_summary(BIO * out, OCSP_BASICRESP * bs, OCSP_REQUEST * req, - STACK_OF(OPENSSL_STRING) * names, - STACK_OF(OCSP_CERTID) * ids, long nsec, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, + const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, + const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); +static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, + STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage); -static int make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, - X509 * ca, X509 * rcert, EVP_PKEY * rkey, - STACK_OF(X509) * rother, unsigned long flags, - int nmin, int ndays); +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, + CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, + unsigned long flags, int nmin, int ndays); -static char **lookup_serial(CA_DB * db, ASN1_INTEGER * ser); +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); -static int do_responder(OCSP_REQUEST ** preq, BIO ** pcbio, BIO * acbio, char *port); -static int send_ocsp_response(BIO * cbio, OCSP_RESPONSE * resp); -static OCSP_RESPONSE *query_responder(BIO * err, BIO * cbio, char *path, - STACK_OF(CONF_VALUE) * headers, - OCSP_REQUEST * req, int req_timeout); +static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, + char *port); +static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); +static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + STACK_OF(CONF_VALUE) *headers, const char *host, OCSP_REQUEST *req, + int req_timeout); + +static struct { + int accept_count; + int add_nonce; + char *CAfile; + char *CApath; + X509 *cert; + const EVP_MD *cert_id_md; + STACK_OF(CONF_VALUE) *headers; + char *host; + STACK_OF(OCSP_CERTID) *ids; + int ignore_err; + X509 *issuer; + char *keyfile; + long maxage; + int ndays; + int nmin; + int no_usage; + int noverify; + long nsec; + char *outfile; + char *path; + char *port; + char *rca_filename; + char *rcertfile; + OCSP_REQUEST *req; + int req_text; + int req_timeout; + char *reqin; + STACK_OF(OPENSSL_STRING) *reqnames; + char *reqout; + int resp_text; + char *respin; + char *respout; + unsigned long rflags; + char *ridx_filename; + char *rkeyfile; + char *rsignfile; + char *sign_certfile; + unsigned long sign_flags; + char *signfile; + int use_ssl; + char *verify_certfile; + unsigned long verify_flags; +} ocsp_config; + +static int +ocsp_opt_cert(char *arg) +{ + X509_free(ocsp_config.cert); + ocsp_config.cert = load_cert(bio_err, arg, FORMAT_PEM, NULL, + "certificate"); + if (ocsp_config.cert == NULL) { + ocsp_config.no_usage = 1; + return (1); + } + if (ocsp_config.cert_id_md == NULL) + ocsp_config.cert_id_md = EVP_sha1(); + if (!add_ocsp_cert(&ocsp_config.req, ocsp_config.cert, + ocsp_config.cert_id_md, ocsp_config.issuer, ocsp_config.ids)) { + ocsp_config.no_usage = 1; + return (1); + } + if (!sk_OPENSSL_STRING_push(ocsp_config.reqnames, arg)) { + ocsp_config.no_usage = 1; + return (1); + } + return (0); +} + +static int +ocsp_opt_cert_id_md(int argc, char **argv, int *argsused) +{ + char *name = argv[0]; + + if (*name++ != '-') + return (1); + + if ((ocsp_config.cert_id_md = EVP_get_digestbyname(name)) == NULL) + return (1); + + *argsused = 1; + return (0); +} + +static int +ocsp_opt_header(int argc, char **argv, int *argsused) +{ + if (argc < 3 || argv[1] == NULL || argv[2] == NULL) + return (1); + + if (!X509V3_add_value(argv[1], argv[2], &ocsp_config.headers)) { + ocsp_config.no_usage = 1; + return (1); + } + + *argsused = 3; + return (0); +} + +static int +ocsp_opt_host(char *arg) +{ + if (ocsp_config.use_ssl != -1) + return (1); + + ocsp_config.host = arg; + return (0); +} + +static int +ocsp_opt_issuer(char *arg) +{ + X509_free(ocsp_config.issuer); + ocsp_config.issuer = load_cert(bio_err, arg, FORMAT_PEM, NULL, + "issuer certificate"); + if (ocsp_config.issuer == NULL) { + ocsp_config.no_usage = 1; + return (1); + } + return (0); +} + +static int +ocsp_opt_ndays(char *arg) +{ + const char *errstr = NULL; + + ocsp_config.ndays = strtonum(arg, 0, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "Illegal update period %s: %s\n", + arg, errstr); + return (1); + } + return (0); +} + +static int +ocsp_opt_nmin(char *arg) +{ + const char *errstr = NULL; + + ocsp_config.nmin = strtonum(arg, 0, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "Illegal update period %s: %s\n", + arg, errstr); + return (1); + } + + if (ocsp_config.ndays != -1) + return (1); + + ocsp_config.ndays = 0; + return (0); +} + +static int +ocsp_opt_nrequest(char *arg) +{ + const char *errstr = NULL; + + ocsp_config.accept_count = strtonum(arg, 0, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "Illegal accept count %s: %s\n", + arg, errstr); + return (1); + } + return (0); +} + +static int +ocsp_opt_port(char *arg) +{ + if (ocsp_config.use_ssl != -1) + return (1); + + ocsp_config.port = arg; + return (0); +} + +static int +ocsp_opt_serial(char *arg) +{ + if (ocsp_config.cert_id_md == NULL) + ocsp_config.cert_id_md = EVP_sha1(); + if (!add_ocsp_serial(&ocsp_config.req, arg, ocsp_config.cert_id_md, + ocsp_config.issuer, ocsp_config.ids)) { + ocsp_config.no_usage = 1; + return (1); + } + if (!sk_OPENSSL_STRING_push(ocsp_config.reqnames, arg)) { + ocsp_config.no_usage = 1; + return (1); + } + return (0); +} + +static int +ocsp_opt_status_age(char *arg) +{ + const char *errstr = NULL; + + ocsp_config.maxage = strtonum(arg, 0, LONG_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "Illegal validity age %s: %s\n", + arg, errstr); + return (1); + } + return (0); +} + +static int +ocsp_opt_text(void) +{ + ocsp_config.req_text = 1; + ocsp_config.resp_text = 1; + return (0); +} + +static int +ocsp_opt_timeout(char *arg) +{ + const char *errstr = NULL; + + ocsp_config.req_timeout = strtonum(arg, 0, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "Illegal timeout value %s: %s\n", + arg, errstr); + return (1); + } + return (0); +} + +static int +ocsp_opt_url(char *arg) +{ + if (ocsp_config.host == NULL && ocsp_config.port == NULL && + ocsp_config.path == NULL) { + if (!OCSP_parse_url(arg, &ocsp_config.host, &ocsp_config.port, + &ocsp_config.path, &ocsp_config.use_ssl)) { + BIO_printf(bio_err, "Error parsing URL\n"); + return (1); + } + } + return (0); +} + +static int +ocsp_opt_vafile(char *arg) +{ + ocsp_config.verify_certfile = arg; + ocsp_config.verify_flags |= OCSP_TRUSTOTHER; + return (0); +} + +static int +ocsp_opt_validity_period(char *arg) +{ + const char *errstr = NULL; + + ocsp_config.nsec = strtonum(arg, 0, LONG_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "Illegal validity period %s: %s\n", + arg, errstr); + return (1); + } + return (0); +} + +static const struct option ocsp_options[] = { + { + .name = "CA", + .argname = "file", + .desc = "CA certificate corresponding to the revocation information", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.rca_filename, + }, + { + .name = "CAfile", + .argname = "file", + .desc = "Trusted certificates file", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.CAfile, + }, + { + .name = "CApath", + .argname = "directory", + .desc = "Trusted certificates directory", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.CApath, + }, + { + .name = "cert", + .argname = "file", + .desc = "Certificate to check", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_cert, + }, + { + .name = "header", + .argname = "name value", + .desc = "Add the header name with the value to the request", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = ocsp_opt_header, + }, + { + .name = "host", + .argname = "hostname:port", + .desc = "Send OCSP request to host on port", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_host, + }, + { + .name = "ignore_err", + .desc = "Ignore the invalid response", + .type = OPTION_FLAG, + .opt.flag = &ocsp_config.ignore_err, + }, + { + .name = "index", + .argname = "indexfile", + .desc = "Certificate status index file", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.ridx_filename, + }, + { + .name = "issuer", + .argname = "file", + .desc = "Issuer certificate", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_issuer, + }, + { + .name = "ndays", + .argname = "days", + .desc = "Number of days before next update", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_ndays, + }, + { + .name = "nmin", + .argname = "minutes", + .desc = "Number of minutes before next update", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_nmin, + }, + { + .name = "no_cert_checks", + .desc = "Don't do additional checks on signing certificate", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_NOCHECKS, + }, + { + .name = "no_cert_verify", + .desc = "Don't check signing certificate", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_NOVERIFY, + }, + { + .name = "no_certs", + .desc = "Don't include any certificates in signed request", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.sign_flags, + .ulvalue = OCSP_NOCERTS, + }, + { + .name = "no_chain", + .desc = "Don't use certificates in the response", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_NOCHAIN, + }, + { + .name = "no_explicit", + .desc = "Don't check the explicit trust for OCSP signing", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_NOEXPLICIT, + }, + { + .name = "no_intern", + .desc = "Don't search certificates contained in response for signer", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_NOINTERN, + }, + { + .name = "no_nonce", + .desc = "Don't add OCSP nonce to request", + .type = OPTION_VALUE, + .opt.value = &ocsp_config.add_nonce, + .value = 0, + }, + { + .name = "no_signature_verify", + .desc = "Don't check signature on response", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_NOSIGS, + }, + { + .name = "nonce", + .desc = "Add OCSP nonce to request", + .type = OPTION_VALUE, + .opt.value = &ocsp_config.add_nonce, + .value = 2, + }, + { + .name = "noverify", + .desc = "Don't verify response at all", + .type = OPTION_FLAG, + .opt.flag = &ocsp_config.noverify, + }, + { + .name = "nrequest", + .argname = "number", + .desc = "Number of requests to accept (default unlimited)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_nrequest, + }, + { + .name = "out", + .argname = "file", + .desc = "Output filename", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.outfile, + }, + { + .name = "path", + .argname = "path", + .desc = "Path to use in OCSP request", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.path, + }, + { + .name = "port", + .argname = "portnum", + .desc = "Port to run responder on", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_port, + }, + { + .name = "req_text", + .desc = "Print text form of request", + .type = OPTION_FLAG, + .opt.flag = &ocsp_config.req_text, + }, + { + .name = "reqin", + .argname = "file", + .desc = "Read DER encoded OCSP request from \"file\"", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.reqin, + }, + { + .name = "reqout", + .argname = "file", + .desc = "Write DER encoded OCSP request to \"file\"", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.reqout, + }, + { + .name = "resp_key_id", + .desc = "Identify response by signing certificate key ID", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.rflags, + .ulvalue = OCSP_RESPID_KEY, + }, + { + .name = "resp_no_certs", + .desc = "Don't include any certificates in response", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.rflags, + .ulvalue = OCSP_NOCERTS, + }, + { + .name = "resp_text", + .desc = "Print text form of response", + .type = OPTION_FLAG, + .opt.flag = &ocsp_config.resp_text, + }, + { + .name = "respin", + .argname = "file", + .desc = "Read DER encoded OCSP response from \"file\"", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.respin, + }, + { + .name = "respout", + .argname = "file", + .desc = "Write DER encoded OCSP response to \"file\"", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.respout, + }, + { + .name = "rkey", + .argname = "file", + .desc = "Responder key to sign responses with", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.rkeyfile, + }, + { + .name = "rother", + .argname = "file", + .desc = "Other certificates to include in response", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.rcertfile, + }, + { + .name = "rsigner", + .argname = "file", + .desc = "Responder certificate to sign responses with", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.rsignfile, + }, + { + .name = "serial", + .argname = "num", + .desc = "Serial number to check", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_serial, + }, + { + .name = "sign_other", + .argname = "file", + .desc = "Additional certificates to include in signed request", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.sign_certfile, + }, + { + .name = "signer", + .argname = "file", + .desc = "Certificate to sign OCSP request with", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.signfile, + }, + { + .name = "signkey", + .argname = "file", + .desc = "Private key to sign OCSP request with", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.keyfile, + }, + { + .name = "status_age", + .argname = "age", + .desc = "Maximum status age in seconds", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_status_age, + }, + { + .name = "text", + .desc = "Print text form of request and response", + .type = OPTION_FUNC, + .opt.func = ocsp_opt_text, + }, + { + .name = "timeout", + .argname = "seconds", + .desc = "Connection timeout to the OCSP responder in seconds", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_timeout, + }, + { + .name = "trust_other", + .desc = "Don't verify additional certificates", + .type = OPTION_UL_VALUE_OR, + .opt.ulvalue = &ocsp_config.verify_flags, + .ulvalue = OCSP_TRUSTOTHER, + }, + { + .name = "url", + .argname = "responder_url", + .desc = "OCSP responder URL", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_url, + }, + { + .name = "VAfile", + .argname = "file", + .desc = "Explicitly trusted responder certificates", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_vafile, + }, + { + .name = "validity_period", + .argname = "n", + .desc = "Maximum validity discrepancy in seconds", + .type = OPTION_ARG_FUNC, + .opt.argfunc = ocsp_opt_validity_period, + }, + { + .name = "verify_other", + .argname = "file", + .desc = "Additional certificates to search for signer", + .type = OPTION_ARG, + .opt.arg = &ocsp_config.verify_certfile, + }, + { + .name = NULL, + .desc = "", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = ocsp_opt_cert_id_md, + }, + { NULL }, +}; + +static void +ocsp_usage(void) +{ + fprintf(stderr, "usage: ocsp " + "[-CA file] [-CAfile file] [-CApath directory] [-cert file]\n" + " [-dgst alg] [-header name value] [-host hostname:port]\n" + " [-ignore_err] [-index indexfile] [-issuer file]\n" + " [-ndays days] [-nmin minutes] [-no_cert_checks]\n" + " [-no_cert_verify] [-no_certs] [-no_chain] [-no_explicit]\n" + " [-no_intern] [-no_nonce] [-no_signature_verify] [-nonce]\n" + " [-noverify] [-nrequest number] [-out file] [-path path]\n" + " [-port portnum] [-req_text] [-reqin file] [-reqout file]\n" + " [-resp_key_id] [-resp_no_certs] [-resp_text] [-respin file]\n" + " [-respout file] [-rkey file] [-rother file] [-rsigner file]\n" + " [-serial num] [-sign_other file] [-signer file]\n" + " [-signkey file] [-status_age age] [-text]\n" + " [-timeout seconds] [-trust_other] [-url responder_url]\n" + " [-VAfile file] [-validity_period nsec] [-verify_other file]\n"); + fprintf(stderr, "\n"); + options_usage(ocsp_options); + fprintf(stderr, "\n"); +} int ocsp_main(int argc, char **argv) { - char **args; - char *host = NULL, *port = NULL, *path = NULL; - char *reqin = NULL, *respin = NULL; - char *reqout = NULL, *respout = NULL; - char *signfile = NULL, *keyfile = NULL; - char *rsignfile = NULL, *rkeyfile = NULL; - char *outfile = NULL; - int add_nonce = 1, noverify = 0, use_ssl = -1; - STACK_OF(CONF_VALUE) * headers = NULL; - OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bs = NULL; - X509 *issuer = NULL, *cert = NULL; X509 *signer = NULL, *rsigner = NULL; EVP_PKEY *key = NULL, *rkey = NULL; BIO *acbio = NULL, *cbio = NULL; BIO *derbio = NULL; BIO *out = NULL; - int req_timeout = -1; - int req_text = 0, resp_text = 0; - long nsec = MAX_VALIDITY_PERIOD, maxage = -1; - char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; - STACK_OF(X509) * sign_other = NULL, *verify_other = NULL, *rother = NULL; - char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; - unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; + STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; int ret = 1; - int accept_count = -1; int badarg = 0; int i; - int ignore_err = 0; - STACK_OF(OPENSSL_STRING) * reqnames = NULL; - STACK_OF(OCSP_CERTID) * ids = NULL; X509 *rca_cert = NULL; - char *ridx_filename = NULL; - char *rca_filename = NULL; CA_DB *rdb = NULL; - int nmin = 0, ndays = -1; - const EVP_MD *cert_id_md = NULL; - const char *errstr = NULL; if (single_execution) { if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) { @@ -153,359 +757,37 @@ ocsp_main(int argc, char **argv) } } - args = argv + 1; - reqnames = sk_OPENSSL_STRING_new_null(); - ids = sk_OCSP_CERTID_new_null(); - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-timeout")) { - if (args[1]) { - args++; - req_timeout = strtonum(*args, 0, - INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, - "Illegal timeout value %s: %s\n", - *args, errstr); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-url")) { - if (args[1] && host == NULL && port == NULL && - path == NULL) { - args++; - if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) { - BIO_printf(bio_err, "Error parsing URL\n"); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-host")) { - if (args[1] && use_ssl == -1) { - args++; - host = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-port")) { - if (args[1] && use_ssl == -1) { - args++; - port = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-header")) { - if (args[1] && args[2]) { - if (!X509V3_add_value(args[1], args[2], &headers)) - goto end; - args += 2; - } else - badarg = 1; - } else if (!strcmp(*args, "-ignore_err")) - ignore_err = 1; - else if (!strcmp(*args, "-noverify")) - noverify = 1; - else if (!strcmp(*args, "-nonce")) - add_nonce = 2; - else if (!strcmp(*args, "-no_nonce")) - add_nonce = 0; - else if (!strcmp(*args, "-resp_no_certs")) - rflags |= OCSP_NOCERTS; - else if (!strcmp(*args, "-resp_key_id")) - rflags |= OCSP_RESPID_KEY; - else if (!strcmp(*args, "-no_certs")) - sign_flags |= OCSP_NOCERTS; - else if (!strcmp(*args, "-no_signature_verify")) - verify_flags |= OCSP_NOSIGS; - else if (!strcmp(*args, "-no_cert_verify")) - verify_flags |= OCSP_NOVERIFY; - else if (!strcmp(*args, "-no_chain")) - verify_flags |= OCSP_NOCHAIN; - else if (!strcmp(*args, "-no_cert_checks")) - verify_flags |= OCSP_NOCHECKS; - else if (!strcmp(*args, "-no_explicit")) - verify_flags |= OCSP_NOEXPLICIT; - else if (!strcmp(*args, "-trust_other")) - verify_flags |= OCSP_TRUSTOTHER; - else if (!strcmp(*args, "-no_intern")) - verify_flags |= OCSP_NOINTERN; - else if (!strcmp(*args, "-text")) { - req_text = 1; - resp_text = 1; - } else if (!strcmp(*args, "-req_text")) - req_text = 1; - else if (!strcmp(*args, "-resp_text")) - resp_text = 1; - else if (!strcmp(*args, "-reqin")) { - if (args[1]) { - args++; - reqin = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-respin")) { - if (args[1]) { - args++; - respin = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-signer")) { - if (args[1]) { - args++; - signfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-VAfile")) { - if (args[1]) { - args++; - verify_certfile = *args; - verify_flags |= OCSP_TRUSTOTHER; - } else - badarg = 1; - } else if (!strcmp(*args, "-sign_other")) { - if (args[1]) { - args++; - sign_certfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-verify_other")) { - if (args[1]) { - args++; - verify_certfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CAfile")) { - if (args[1]) { - args++; - CAfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CApath")) { - if (args[1]) { - args++; - CApath = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-validity_period")) { - if (args[1]) { - args++; - nsec = strtonum(*args, 0, LONG_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, - "Illegal validity period %s: %s\n", - *args, errstr); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-status_age")) { - if (args[1]) { - args++; - maxage = strtonum(*args, 0, LONG_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, - "Illegal validity age %s: %s\n", - *args, errstr); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-signkey")) { - if (args[1]) { - args++; - keyfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-reqout")) { - if (args[1]) { - args++; - reqout = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-respout")) { - if (args[1]) { - args++; - respout = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-path")) { - if (args[1] && use_ssl == -1) { - args++; - path = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-issuer")) { - if (args[1]) { - args++; - X509_free(issuer); - issuer = load_cert(bio_err, *args, FORMAT_PEM, - NULL, "issuer certificate"); - if (!issuer) - goto end; - } else - badarg = 1; - } else if (!strcmp(*args, "-cert")) { - if (args[1]) { - args++; - X509_free(cert); - cert = load_cert(bio_err, *args, FORMAT_PEM, - NULL, "certificate"); - if (!cert) - goto end; - if (!cert_id_md) - cert_id_md = EVP_sha1(); - if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) - goto end; - if (!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } else - badarg = 1; - } else if (!strcmp(*args, "-serial")) { - if (args[1]) { - args++; - if (!cert_id_md) - cert_id_md = EVP_sha1(); - if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) - goto end; - if (!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } else - badarg = 1; - } else if (!strcmp(*args, "-index")) { - if (args[1]) { - args++; - ridx_filename = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CA")) { - if (args[1]) { - args++; - rca_filename = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-nmin")) { - if (args[1]) { - args++; - nmin = strtonum(*args, 0, INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, - "Illegal update period %s: %s\n", - *args, errstr); - badarg = 1; - } - } - if (ndays == -1) - ndays = 0; - else - badarg = 1; - } else if (!strcmp(*args, "-nrequest")) { - if (args[1]) { - args++; - accept_count = strtonum(*args, 0, INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, - "Illegal accept count %s: %s\n", - *args, errstr); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-ndays")) { - if (args[1]) { - args++; - ndays = strtonum(*args, 0, INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, - "Illegal update period %s: %s\n", - *args, errstr); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-rsigner")) { - if (args[1]) { - args++; - rsignfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-rkey")) { - if (args[1]) { - args++; - rkeyfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-rother")) { - if (args[1]) { - args++; - rcertfile = *args; - } else - badarg = 1; - } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) { + memset(&ocsp_config, 0, sizeof(ocsp_config)); + ocsp_config.accept_count = -1; + ocsp_config.add_nonce = 1; + if ((ocsp_config.ids = sk_OCSP_CERTID_new_null()) == NULL) + goto end; + ocsp_config.maxage = -1; + ocsp_config.ndays = -1; + ocsp_config.nsec = MAX_VALIDITY_PERIOD; + ocsp_config.req_timeout = -1; + if ((ocsp_config.reqnames = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + ocsp_config.use_ssl = -1; + + if (options_parse(argc, argv, ocsp_options, NULL, NULL) != 0) { + if (ocsp_config.no_usage) + goto end; + else badarg = 1; - } - args++; } /* Have we anything to do? */ - if (!req && !reqin && !respin && !(port && ridx_filename)) + if (!ocsp_config.req && !ocsp_config.reqin && !ocsp_config.respin && + !(ocsp_config.port && ocsp_config.ridx_filename)) badarg = 1; if (badarg) { - BIO_printf(bio_err, "OCSP utility\n"); - BIO_printf(bio_err, "Usage ocsp [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-out file output filename\n"); - BIO_printf(bio_err, "-issuer file issuer certificate\n"); - BIO_printf(bio_err, "-cert file certificate to check\n"); - BIO_printf(bio_err, "-serial n serial number to check\n"); - BIO_printf(bio_err, "-signer file certificate to sign OCSP request with\n"); - BIO_printf(bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf(bio_err, "-sign_other file additional certificates to include in signed request\n"); - BIO_printf(bio_err, "-no_certs don't include any certificates in signed request\n"); - BIO_printf(bio_err, "-req_text print text form of request\n"); - BIO_printf(bio_err, "-resp_text print text form of response\n"); - BIO_printf(bio_err, "-text print text form of request and response\n"); - BIO_printf(bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n"); - BIO_printf(bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n"); - BIO_printf(bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n"); - BIO_printf(bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n"); - BIO_printf(bio_err, "-nonce add OCSP nonce to request\n"); - BIO_printf(bio_err, "-no_nonce don't add OCSP nonce to request\n"); - BIO_printf(bio_err, "-url URL OCSP responder URL\n"); - BIO_printf(bio_err, "-host host:n send OCSP request to host on port n\n"); - BIO_printf(bio_err, "-path path to use in OCSP request\n"); - BIO_printf(bio_err, "-CApath dir trusted certificates directory\n"); - BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); - BIO_printf(bio_err, "-VAfile file validator certificates file\n"); - BIO_printf(bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); - BIO_printf(bio_err, "-status_age n maximum status age in seconds\n"); - BIO_printf(bio_err, "-noverify don't verify response at all\n"); - BIO_printf(bio_err, "-verify_other file additional certificates to search for signer\n"); - BIO_printf(bio_err, "-trust_other don't verify additional certificates\n"); - BIO_printf(bio_err, "-no_intern don't search certificates contained in response for signer\n"); - BIO_printf(bio_err, "-no_signature_verify don't check signature on response\n"); - BIO_printf(bio_err, "-no_cert_verify don't check signing certificate\n"); - BIO_printf(bio_err, "-no_chain don't chain verify response\n"); - BIO_printf(bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); - BIO_printf(bio_err, "-port num port to run responder on\n"); - BIO_printf(bio_err, "-index file certificate status index file\n"); - BIO_printf(bio_err, "-CA file CA certificate\n"); - BIO_printf(bio_err, "-rsigner file responder certificate to sign responses with\n"); - BIO_printf(bio_err, "-rkey file responder key to sign responses with\n"); - BIO_printf(bio_err, "-rother file other certificates to include in response\n"); - BIO_printf(bio_err, "-resp_no_certs don't include any certificates in response\n"); - BIO_printf(bio_err, "-nmin n number of minutes before next update\n"); - BIO_printf(bio_err, "-ndays n number of days before next update\n"); - BIO_printf(bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); - BIO_printf(bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); - BIO_printf(bio_err, "- use specified digest in the request\n"); + ocsp_usage(); goto end; } - if (outfile) - out = BIO_new_file(outfile, "w"); + if (ocsp_config.outfile) + out = BIO_new_file(ocsp_config.outfile, "w"); else out = BIO_new_fp(stdout, BIO_NOCLOSE); @@ -513,131 +795,149 @@ ocsp_main(int argc, char **argv) BIO_printf(bio_err, "Error opening output file\n"); goto end; } - if (!req && (add_nonce != 2)) - add_nonce = 0; + if (!ocsp_config.req && (ocsp_config.add_nonce != 2)) + ocsp_config.add_nonce = 0; - if (!req && reqin) { - derbio = BIO_new_file(reqin, "rb"); + if (!ocsp_config.req && ocsp_config.reqin) { + derbio = BIO_new_file(ocsp_config.reqin, "rb"); if (!derbio) { - BIO_printf(bio_err, "Error Opening OCSP request file\n"); + BIO_printf(bio_err, + "Error Opening OCSP request file\n"); goto end; } - req = d2i_OCSP_REQUEST_bio(derbio, NULL); + ocsp_config.req = d2i_OCSP_REQUEST_bio(derbio, NULL); BIO_free(derbio); - if (!req) { + if (!ocsp_config.req) { BIO_printf(bio_err, "Error reading OCSP request\n"); goto end; } } - if (!req && port) { - acbio = init_responder(port); + if (!ocsp_config.req && ocsp_config.port) { + acbio = init_responder(ocsp_config.port); if (!acbio) goto end; } - if (rsignfile && !rdb) { - if (!rkeyfile) - rkeyfile = rsignfile; - rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM, + if (ocsp_config.rsignfile && !rdb) { + if (!ocsp_config.rkeyfile) + ocsp_config.rkeyfile = ocsp_config.rsignfile; + rsigner = load_cert(bio_err, ocsp_config.rsignfile, FORMAT_PEM, NULL, "responder certificate"); if (!rsigner) { - BIO_printf(bio_err, "Error loading responder certificate\n"); + BIO_printf(bio_err, + "Error loading responder certificate\n"); goto end; } - rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM, - NULL, "CA certificate"); - if (rcertfile) { - rother = load_certs(bio_err, rcertfile, FORMAT_PEM, - NULL, "responder other certificates"); + rca_cert = load_cert(bio_err, ocsp_config.rca_filename, + FORMAT_PEM, NULL, "CA certificate"); + if (ocsp_config.rcertfile) { + rother = load_certs(bio_err, ocsp_config.rcertfile, + FORMAT_PEM, NULL, "responder other certificates"); if (!rother) goto end; } - rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, - "responder private key"); + rkey = load_key(bio_err, ocsp_config.rkeyfile, FORMAT_PEM, 0, + NULL, "responder private key"); if (!rkey) goto end; } if (acbio) BIO_printf(bio_err, "Waiting for OCSP client connections...\n"); -redo_accept: + redo_accept: if (acbio) { - if (!do_responder(&req, &cbio, acbio, port)) + if (!do_responder(&ocsp_config.req, &cbio, acbio, + ocsp_config.port)) goto end; - if (!req) { - resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); + if (!ocsp_config.req) { + resp = OCSP_response_create( + OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); send_ocsp_response(cbio, resp); goto done_resp; } } - if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) { - BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); + if (!ocsp_config.req && + (ocsp_config.signfile || ocsp_config.reqout || ocsp_config.host || + ocsp_config.add_nonce || ocsp_config.ridx_filename)) { + BIO_printf(bio_err, + "Need an OCSP request for this operation!\n"); goto end; } - if (req && add_nonce) - OCSP_request_add1_nonce(req, NULL, -1); + if (ocsp_config.req && ocsp_config.add_nonce) + OCSP_request_add1_nonce(ocsp_config.req, NULL, -1); - if (signfile) { - if (!keyfile) - keyfile = signfile; - signer = load_cert(bio_err, signfile, FORMAT_PEM, + if (ocsp_config.signfile) { + if (!ocsp_config.keyfile) + ocsp_config.keyfile = ocsp_config.signfile; + signer = load_cert(bio_err, ocsp_config.signfile, FORMAT_PEM, NULL, "signer certificate"); if (!signer) { - BIO_printf(bio_err, "Error loading signer certificate\n"); + BIO_printf(bio_err, + "Error loading signer certificate\n"); goto end; } - if (sign_certfile) { - sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM, - NULL, "signer certificates"); + if (ocsp_config.sign_certfile) { + sign_other = load_certs(bio_err, + ocsp_config.sign_certfile, FORMAT_PEM, NULL, + "signer certificates"); if (!sign_other) goto end; } - key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, - "signer private key"); + key = load_key(bio_err, ocsp_config.keyfile, FORMAT_PEM, 0, + NULL, "signer private key"); if (!key) goto end; - if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags)) { + if (!OCSP_request_sign(ocsp_config.req, signer, key, NULL, + sign_other, ocsp_config.sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; } } - if (req_text && req) - OCSP_REQUEST_print(out, req, 0); + if (ocsp_config.req_text && ocsp_config.req) + OCSP_REQUEST_print(out, ocsp_config.req, 0); - if (reqout) { - derbio = BIO_new_file(reqout, "wb"); + if (ocsp_config.reqout) { + derbio = BIO_new_file(ocsp_config.reqout, "wb"); if (!derbio) { - BIO_printf(bio_err, "Error opening file %s\n", reqout); + BIO_printf(bio_err, "Error opening file %s\n", + ocsp_config.reqout); goto end; } - i2d_OCSP_REQUEST_bio(derbio, req); + i2d_OCSP_REQUEST_bio(derbio, ocsp_config.req); BIO_free(derbio); } - if (ridx_filename && (!rkey || !rsigner || !rca_cert)) { - BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n"); + if (ocsp_config.ridx_filename && (!rkey || !rsigner || !rca_cert)) { + BIO_printf(bio_err, + "Need a responder certificate, key and CA for this operation!\n"); goto end; } - if (ridx_filename && !rdb) { - rdb = load_index(ridx_filename, NULL); + if (ocsp_config.ridx_filename && !rdb) { + rdb = load_index(ocsp_config.ridx_filename, NULL); if (!rdb) goto end; if (!index_index(rdb)) goto end; } if (rdb) { - i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays); + i = make_ocsp_response(&resp, ocsp_config.req, rdb, rca_cert, + rsigner, rkey, rother, ocsp_config.rflags, + ocsp_config.nmin, ocsp_config.ndays); if (cbio) send_ocsp_response(cbio, resp); - } else if (host) { - resp = process_responder(bio_err, req, host, path ? path : "/", - port, use_ssl, headers, req_timeout); + } else if (ocsp_config.host) { + resp = process_responder(bio_err, ocsp_config.req, + ocsp_config.host, + ocsp_config.path ? ocsp_config.path : "/", + ocsp_config.port, ocsp_config.use_ssl, ocsp_config.headers, + ocsp_config.req_timeout); if (!resp) goto end; - } else if (respin) { - derbio = BIO_new_file(respin, "rb"); + } else if (ocsp_config.respin) { + derbio = BIO_new_file(ocsp_config.respin, "rb"); if (!derbio) { - BIO_printf(bio_err, "Error Opening OCSP response file\n"); + BIO_printf(bio_err, + "Error Opening OCSP response file\n"); goto end; } resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); @@ -651,12 +951,13 @@ ocsp_main(int argc, char **argv) goto end; } -done_resp: + done_resp: - if (respout) { - derbio = BIO_new_file(respout, "wb"); + if (ocsp_config.respout) { + derbio = BIO_new_file(ocsp_config.respout, "wb"); if (!derbio) { - BIO_printf(bio_err, "Error opening file %s\n", respout); + BIO_printf(bio_err, "Error opening file %s\n", + ocsp_config.respout); goto end; } i2d_OCSP_RESPONSE_bio(derbio, resp); @@ -667,24 +968,24 @@ ocsp_main(int argc, char **argv) if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { BIO_printf(bio_err, "Responder Error: %s (%d)\n", OCSP_response_status_str(i), i); - if (ignore_err) + if (ocsp_config.ignore_err) goto redo_accept; ret = 1; goto end; } - if (resp_text) + if (ocsp_config.resp_text) OCSP_RESPONSE_print(out, resp, 0); /* If running as responder don't verify our own response */ if (cbio) { - if (accept_count > 0) - accept_count--; + if (ocsp_config.accept_count > 0) + ocsp_config.accept_count--; /* Redo if more connections needed */ - if (accept_count) { + if (ocsp_config.accept_count) { BIO_free_all(cbio); cbio = NULL; - OCSP_REQUEST_free(req); - req = NULL; + OCSP_REQUEST_free(ocsp_config.req); + ocsp_config.req = NULL; OCSP_RESPONSE_free(resp); resp = NULL; goto redo_accept; @@ -692,12 +993,13 @@ ocsp_main(int argc, char **argv) goto end; } if (!store) - store = setup_verify(bio_err, CAfile, CApath); + store = setup_verify(bio_err, ocsp_config.CAfile, + ocsp_config.CApath); if (!store) goto end; - if (verify_certfile) { - verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, - NULL, "validator certificate"); + if (ocsp_config.verify_certfile) { + verify_other = load_certs(bio_err, ocsp_config.verify_certfile, + FORMAT_PEM, NULL, "validator certificate"); if (!verify_other) goto end; } @@ -707,27 +1009,31 @@ ocsp_main(int argc, char **argv) BIO_printf(bio_err, "Error parsing response\n"); goto end; } - if (!noverify) { - if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) { - if (i == -1) - BIO_printf(bio_err, "WARNING: no nonce in response\n"); - else { + if (!ocsp_config.noverify) { + if (ocsp_config.req && + ((i = OCSP_check_nonce(ocsp_config.req, bs)) <= 0)) { + if (i == -1) { + BIO_printf(bio_err, + "WARNING: no nonce in response\n"); + } else { BIO_printf(bio_err, "Nonce Verify error\n"); goto end; } } - i = OCSP_basic_verify(bs, verify_other, store, verify_flags); + i = OCSP_basic_verify(bs, verify_other, store, + ocsp_config.verify_flags); if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0); if (i <= 0) { BIO_printf(bio_err, "Response Verify Failure\n"); ERR_print_errors(bio_err); - } else + } else { BIO_printf(bio_err, "Response verify OK\n"); - + } } - if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) + if (!print_ocsp_summary(out, bs, ocsp_config.req, ocsp_config.reqnames, + ocsp_config.ids, ocsp_config.nsec, ocsp_config.maxage)) goto end; ret = 0; @@ -738,36 +1044,37 @@ ocsp_main(int argc, char **argv) X509_STORE_free(store); EVP_PKEY_free(key); EVP_PKEY_free(rkey); - X509_free(issuer); - X509_free(cert); + X509_free(ocsp_config.issuer); + X509_free(ocsp_config.cert); X509_free(rsigner); X509_free(rca_cert); free_index(rdb); BIO_free_all(cbio); BIO_free_all(acbio); BIO_free(out); - OCSP_REQUEST_free(req); + OCSP_REQUEST_free(ocsp_config.req); OCSP_RESPONSE_free(resp); OCSP_BASICRESP_free(bs); - sk_OPENSSL_STRING_free(reqnames); - sk_OCSP_CERTID_free(ids); + sk_OPENSSL_STRING_free(ocsp_config.reqnames); + sk_OCSP_CERTID_free(ocsp_config.ids); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); - sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); + sk_CONF_VALUE_pop_free(ocsp_config.headers, X509V3_conf_free); - if (use_ssl != -1) { - free(host); - free(port); - free(path); + if (ocsp_config.use_ssl != -1) { + free(ocsp_config.host); + free(ocsp_config.port); + free(ocsp_config.path); } return (ret); } static int -add_ocsp_cert(OCSP_REQUEST ** req, X509 * cert, const EVP_MD * cert_id_md, X509 * issuer, - STACK_OF(OCSP_CERTID) * ids) +add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, + X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; + if (!issuer) { BIO_printf(bio_err, "No issuer certificate specified\n"); return 0; @@ -789,13 +1096,14 @@ add_ocsp_cert(OCSP_REQUEST ** req, X509 * cert, const EVP_MD * cert_id_md, X509 } static int -add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X509 * issuer, - STACK_OF(OCSP_CERTID) * ids) +add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, + X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; X509_NAME *iname; ASN1_BIT_STRING *ikey; ASN1_INTEGER *sno; + if (!issuer) { BIO_printf(bio_err, "No issuer certificate specified\n"); return 0; @@ -808,7 +1116,8 @@ add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X5 ikey = X509_get0_pubkey_bitstr(issuer); sno = s2i_ASN1_INTEGER(NULL, serial); if (!sno) { - BIO_printf(bio_err, "Error converting serial number %s\n", serial); + BIO_printf(bio_err, "Error converting serial number %s\n", + serial); return 0; } id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); @@ -825,20 +1134,19 @@ add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X5 } static int -print_ocsp_summary(BIO * out, OCSP_BASICRESP * bs, OCSP_REQUEST * req, - STACK_OF(OPENSSL_STRING) * names, - STACK_OF(OCSP_CERTID) * ids, long nsec, +print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, + STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage) { OCSP_CERTID *id; char *name; int i; - int status, reason; ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; - if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) + if (!bs || !req || !sk_OPENSSL_STRING_num(names) || + !sk_OCSP_CERTID_num(ids)) return 1; for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { @@ -887,10 +1195,9 @@ print_ocsp_summary(BIO * out, OCSP_BASICRESP * bs, OCSP_REQUEST * req, static int -make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, - X509 * ca, X509 * rcert, EVP_PKEY * rkey, - STACK_OF(X509) * rother, unsigned long flags, - int nmin, int ndays) +make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, + X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, + unsigned long flags, int nmin, int ndays) { ASN1_TIME *thisupd = NULL, *nextupd = NULL; OCSP_CERTID *cid, *ca_id = NULL; @@ -900,7 +1207,8 @@ make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, id_count = OCSP_request_onereq_count(req); if (id_count <= 0) { - *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); + *resp = OCSP_response_create( + OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); goto end; } bs = OCSP_BASICRESP_new(); @@ -922,8 +1230,8 @@ make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); if (!cert_id_md) { - *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, - NULL); + *resp = OCSP_response_create( + OCSP_RESPONSE_STATUS_INTERNALERROR, NULL); goto end; } OCSP_CERTID_free(ca_id); @@ -932,38 +1240,39 @@ make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, /* Is this request about our CA? */ if (OCSP_id_issuer_cmp(ca_id, cid)) { OCSP_basic_add1_status(bs, cid, - V_OCSP_CERTSTATUS_UNKNOWN, - 0, NULL, + V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd); continue; } OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); inf = lookup_serial(db, serial); - if (!inf) + if (!inf) { OCSP_basic_add1_status(bs, cid, - V_OCSP_CERTSTATUS_UNKNOWN, - 0, NULL, + V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd); - else if (inf[DB_type][0] == DB_TYPE_VAL) + } else if (inf[DB_type][0] == DB_TYPE_VAL) { OCSP_basic_add1_status(bs, cid, - V_OCSP_CERTSTATUS_GOOD, - 0, NULL, + V_OCSP_CERTSTATUS_GOOD, 0, NULL, thisupd, nextupd); - else if (inf[DB_type][0] == DB_TYPE_REV) { + } else if (inf[DB_type][0] == DB_TYPE_REV) { ASN1_OBJECT *inst = NULL; ASN1_TIME *revtm = NULL; ASN1_GENERALIZEDTIME *invtm = NULL; OCSP_SINGLERESP *single; int reason = -1; - unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); + + unpack_revinfo(&revtm, &reason, &inst, &invtm, + inf[DB_rev_date]); single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED, reason, revtm, thisupd, nextupd); if (invtm) - OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); + OCSP_SINGLERESP_add1_ext_i2d(single, + NID_invalidity_date, invtm, 0, 0); else if (inst) - OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); + OCSP_SINGLERESP_add1_ext_i2d(single, + NID_hold_instruction_code, inst, 0, 0); ASN1_OBJECT_free(inst); ASN1_TIME_free(revtm); ASN1_GENERALIZEDTIME_free(invtm); @@ -982,15 +1291,15 @@ make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, OCSP_CERTID_free(ca_id); OCSP_BASICRESP_free(bs); return ret; - } static char ** -lookup_serial(CA_DB * db, ASN1_INTEGER * ser) +lookup_serial(CA_DB *db, ASN1_INTEGER *ser) { int i; BIGNUM *bn = NULL; char *itmp, *row[DB_NUMBER], **rrow; + for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; bn = ASN1_INTEGER_to_BN(ser, NULL); @@ -1013,12 +1322,14 @@ static BIO * init_responder(char *port) { BIO *acbio = NULL, *bufbio = NULL; + bufbio = BIO_new(BIO_f_buffer()); if (!bufbio) goto err; acbio = BIO_new_accept(port); if (!acbio) goto err; + BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR); BIO_set_accept_bios(acbio, bufbio); bufbio = NULL; @@ -1036,7 +1347,7 @@ init_responder(char *port) } static int -do_responder(OCSP_REQUEST ** preq, BIO ** pcbio, BIO * acbio, char *port) +do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port) { int have_post = 0, len; OCSP_REQUEST *req = NULL; @@ -1079,15 +1390,15 @@ do_responder(OCSP_REQUEST ** preq, BIO ** pcbio, BIO * acbio, char *port) *preq = req; return 1; - } static int -send_ocsp_response(BIO * cbio, OCSP_RESPONSE * resp) +send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) { static const char http_resp[] = "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n" "Content-Length: %d\r\n\r\n"; + if (!cbio) return 0; BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); @@ -1097,13 +1408,13 @@ send_ocsp_response(BIO * cbio, OCSP_RESPONSE * resp) } static OCSP_RESPONSE * -query_responder(BIO * err, BIO * cbio, char *path, - STACK_OF(CONF_VALUE) * headers, - OCSP_REQUEST * req, int req_timeout) +query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, + const char *host, OCSP_REQUEST *req, int req_timeout) { int fd; int rv; int i; + int have_host = 0; OCSP_REQ_CTX *ctx = NULL; OCSP_RESPONSE *rsp = NULL; struct pollfd pfd[1]; @@ -1140,10 +1451,17 @@ query_responder(BIO * err, BIO * cbio, char *path, for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); + if (strcasecmp("host", hdr->name) == 0) + have_host = 1; if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) goto err; } + if (!have_host) { + if (!OCSP_REQ_CTX_add1_header(ctx, "Host", host)) + goto err; + } + if (!OCSP_REQ_CTX_set1_req(ctx, req)) goto err; @@ -1154,11 +1472,11 @@ query_responder(BIO * err, BIO * cbio, char *path, if (req_timeout == -1) continue; pfd[0].fd = fd; - if (BIO_should_read(cbio)) + if (BIO_should_read(cbio)) { pfd[0].events = POLLIN; - else if (BIO_should_write(cbio)) + } else if (BIO_should_write(cbio)) { pfd[0].events = POLLOUT; - else { + } else { BIO_puts(err, "Unexpected retry condition\n"); goto err; } @@ -1172,21 +1490,20 @@ query_responder(BIO * err, BIO * cbio, char *path, break; } } + err: OCSP_REQ_CTX_free(ctx); - return rsp; } OCSP_RESPONSE * -process_responder(BIO * err, OCSP_REQUEST * req, - char *host, char *path, char *port, int use_ssl, - STACK_OF(CONF_VALUE) * headers, - int req_timeout) +process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, + char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout) { BIO *cbio = NULL; SSL_CTX *ctx = NULL; OCSP_RESPONSE *resp = NULL; + cbio = BIO_new_connect(host); if (!cbio) { BIO_printf(err, "Error creating connect BIO\n"); @@ -1196,7 +1513,7 @@ process_responder(BIO * err, OCSP_REQUEST * req, BIO_set_conn_port(cbio, port); if (use_ssl == 1) { BIO *sbio; - ctx = SSL_CTX_new(SSLv23_client_method()); + ctx = SSL_CTX_new(TLS_client_method()); if (ctx == NULL) { BIO_printf(err, "Error creating SSL context.\n"); goto end; @@ -1205,13 +1522,13 @@ process_responder(BIO * err, OCSP_REQUEST * req, sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); } - resp = query_responder(err, cbio, path, headers, req, req_timeout); + resp = query_responder(err, cbio, path, headers, host, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responder\n"); + end: BIO_free_all(cbio); SSL_CTX_free(ctx); return resp; } - #endif diff --git a/apps/openssl/openssl.1 b/apps/openssl/openssl.1 index 958e517c..84627a84 100644 --- a/apps/openssl/openssl.1 +++ b/apps/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.114 2019/10/04 06:22:51 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.129 2021/03/17 18:08:32 jsing Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: October 4 2019 $ +.Dd $Mdocdate: March 17 2021 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -200,6 +200,7 @@ is not able to detect pseudo-commands such as or .Cm no- Ns Ar command itself. +.Tg asn1parse .Sh ASN1PARSE .Bl -hang -width "openssl asn1parse" .It Nm openssl asn1parse @@ -296,6 +297,7 @@ This option can be used multiple times to .Qq drill down into a nested structure. .El +.Tg ca .Sh CA .Bl -hang -width "openssl ca" .It Nm openssl ca @@ -845,6 +847,62 @@ The default value is The same as .Fl extensions . .El +.Tg certhash +.Sh CERTHASH +.Bl -hang -width "openssl certhash" +.It Nm openssl certhash +.Bk -words +.Op Fl nv +.Ar dir ... +.Ek +.El +.Pp +The +.Nm certhash +command calculates a hash value of +.Qq .pem +file in the specified directory list and creates symbolic links for each file, +where the name of the link is the hash value. +See the +.Xr SSL_CTX_load_verify_locations 3 +manual page for how hash links are used. +.Pp +The links created are of the form +.Qq HHHHHHHH.D , +where each +.Sq H +is a hexadecimal character and +.Sq D +is a single decimal digit. +The hashes for CRLs look similar, except the letter +.Sq r +appears after the period, like this: +.Qq HHHHHHHH.rD . +When processing a directory, +.Nm certhash +will first remove all links that have a name in that syntax and invalid +reference. +.Pp +Multiple objects may have the same hash; they will be indicated by +incrementing the +.Sq D +value. +Duplicates are found by comparing the full SHA256 fingerprint. +A warning will be displayed if a duplicate is found. +.Pp +A warning will also be displayed if there are files that cannot be parsed as +either a certificate or a CRL. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl n +Perform a dry-run, and do not make any changes. +.It Fl v +Print extra details about the processing. +.It Ar dir ... +Specify the directories to process. +.El +.Tg ciphers .Sh CIPHERS .Nm openssl ciphers .Op Fl hVv @@ -877,6 +935,524 @@ Like .Fl V , but without cipher suite codes. .El +.Tg cms +.Sh CMS +.Bl -hang -width "openssl cms" +.It Nm openssl cms +.Bk -words +.Oo +.Fl aes128 | aes192 | aes256 | camellia128 | +.Fl camellia192 | camellia256 | des | des3 | +.Fl rc2-40 | rc2-64 | rc2-128 +.Oc +.Op Fl CAfile Ar file +.Op Fl CApath Ar directory +.Op Fl binary +.Op Fl certfile Ar file +.Op Fl certsout Ar file +.Op Fl cmsout +.Op Fl compress +.Op Fl content Ar file +.Op Fl crlfeol +.Op Fl data_create +.Op Fl data_out +.Op Fl debug_decrypt +.Op Fl decrypt +.Op Fl digest_create +.Op Fl digest_verify +.Op Fl econtent_type Ar type +.Op Fl encrypt +.Op Fl EncryptedData_decrypt +.Op Fl EncryptedData_encrypt +.Op Fl from Ar addr +.Op Fl in Ar file +.Op Fl inform Cm der | pem | smime +.Op Fl inkey Ar file +.Op Fl keyform Cm der | pem +.Op Fl keyid +.Op Fl keyopt Ar nm:v +.Op Fl md Ar digest +.Op Fl no_attr_verify +.Op Fl no_content_verify +.Op Fl no_signer_cert_verify +.Op Fl noattr +.Op Fl nocerts +.Op Fl nodetach +.Op Fl nointern +.Op Fl nooldmime +.Op Fl noout +.Op Fl nosigs +.Op Fl nosmimecap +.Op Fl noverify +.Op Fl out Ar file +.Op Fl outform Cm der | pem | smime +.Op Fl passin Ar src +.Op Fl print +.Op Fl pwri_password Ar arg +.Op Fl rctform Cm der | pem | smime +.Op Fl receipt_request_all | receipt_request_first +.Op Fl receipt_request_from Ar addr +.Op Fl receipt_request_print +.Op Fl receipt_request_to Ar addr +.Op Fl recip Ar file +.Op Fl resign +.Op Fl secretkey Ar key +.Op Fl secretkeyid Ar id +.Op Fl sign +.Op Fl sign_receipt +.Op Fl signer Ar file +.Op Fl stream | indef | noindef +.Op Fl subject Ar s +.Op Fl text +.Op Fl to Ar addr +.Op Fl uncompress +.Op Fl verify +.Op Fl verify_receipt Ar file +.Op Fl verify_retcode +.Op Ar cert.pem ... +.Ek +.El +.Pp +The +.Nm cms +command handles S/MIME v3.1 mail. +It can encrypt, decrypt, sign and verify, compress and uncompress S/MIME +messages. +.Pp +The MIME message must be sent without any blank lines between the headers and +the output. +Some mail programs will automatically add a blank line. +Piping the mail directly to sendmail is one way to achieve the correct format. +.Pp +The supplied message to be signed or encrypted must include the necessary MIME +headers or many S/MIME clients won't display it properly (if at all). +You can use the +.Fl text +option to automatically add plain text headers. +.Pp +A "signed and encrypted" message is one where a signed message is then +encrypted. +This can be produced by encrypting an already signed message. +.Pp +There are various operation options that set the type of operation to be +performed. +The meaning of the other options varies according to the operation type. +.Bl -tag -width "XXXX" +.It Fl encrypt +Encrypt mail for the given recipient certificates. +Input file is the message to be encrypted. +The output file is the encrypted mail in MIME format. +The actual CMS type is EnvelopedData. +Note that no revocation check is done for the recipient cert, so if that +key has been compromised, others may be able to decrypt the text. +.It Fl decrypt +Decrypt mail using the supplied certificate and private key. +Expects an encrypted mail message in MIME format for the input file. +The decrypted mail is written to the output file. +.It Fl sign +Sign mail using the supplied certificate and private key. +Input file is the message to be signed. +The signed message in MIME format is written to the output file. +.It Fl verify +Verify signed mail. +Expects a signed mail message on input and outputs the signed data. +Both clear text and opaque signing are supported. +.It Fl cmsout +Take an input message and write out a PEM encoded CMS structure. +.It Fl resign +Resign a message. +Take an existing message and one or more new signers. +This operation uses an existing message digest when adding a new signer. +This means that attributes must be present in at least one existing +signer using the same message digest or this operation will fail. +.It Fl data_create +Create a CMS Data type. +.It Fl data_out +Output a content from the input CMS Data type. +.It Fl digest_create +Create a CMS DigestedData type. +.It Fl digest_verify +Verify a CMS DigestedData type and output the content. +.It Fl compress +Create a CMS CompressedData type. +Must be compiled with zlib support for this option to work. +.It Fl uncompress +Uncompress a CMS CompressedData type and output the content. +Must be compiled with zlib support for this option to work. +.It Fl EncryptedData_encrypt +Encrypt a content using supplied symmetric key and algorithm using a +CMS EncryptedData type. +.It Fl EncryptedData_decrypt +Decrypt a CMS EncryptedData type using supplied symmetric key. +.It Fl sign_receipt +Generate and output a signed receipt for the supplied message. +The input message must contain a signed receipt request. +Functionality is otherwise similar to the +.Fl sign +operation. +.It Xo +.Fl verify_receipt Ar file +.Xc +Verify a signed receipt in file. +The input message must contain the original receipt request. +Functionality is otherwise similar to the +.Fl verify +operation. +.El +.Pp +The remaining options are as follows: +.Bl -tag -width "XXXX" +.It Xo +.Fl aes128 | aes192 | aes256 | camellia128 | +.Fl camellia192 | camellia256 | des | des3 | +.Fl rc2-40 | rc2-64 | rc2-128 +.Xc +The encryption algorithm to use. +128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA, +DES (56 bits), triple DES (168 bits), +or 40-, 64-, or 128-bit RC2, respectively; +if not specified, triple DES is +used. +Only used with +.Fl encrypt +and +.Fl EncryptedData_encrypt +commands. +.It Fl binary +Normally the input message is converted to "canonical" format which is +effectively using CR/LF as end of line, as required by the S/MIME specification. +When this option is present, no translation occurs. +This is useful when handling binary data which may not be in MIME format. +.It Fl CAfile Ar file +A file containing trusted CA certificates, used with +.Fl verify +and +.Fl verify_receipt . +.It Fl CApath Ar directory +A directory containing trusted CA certificates, used with +.Fl verify +and +.Fl verify_receipt . +This directory must be a standard certificate directory: that is a hash +of each subject name (using +.Nm x509 Fl hash ) +should be linked to each certificate. +.It Ar cert.pem ... +One or more certificates of message recipients: used when encrypting a message. +.It Fl certfile Ar file +Allows additional certificates to be specified. +When signing these will be included with the message. +When verifying these will be searched for the signer's certificates. +The certificates should be in PEM format. +.It Fl certsout Ar file +A file that any certificates contained in the message are written to. +.It Xo +.Fl check_ss_sig , +.Fl crl_check , +.Fl crl_check_all , +.Fl extended_crl , +.Fl ignore_critical , +.Fl issuer_checks , +.Fl policy , +.Fl policy_check , +.Fl purpose , +.Fl x509_strict +.Xc +Set various certificate chain validation options. +See the +.Nm verify +command for details. +.It Fl content Ar file +A file containing the detached content. +This is only useful with the +.Fl verify +command. +This is only usable if the CMS structure is using the detached signature +form where the content is not included. +This option will override any content if the input format is S/MIME and +it uses the multipart/signed MIME content type. +.It Fl crlfeol +Output a S/MIME message with CR/LF end of line. +.It Fl debug_decrypt +Set the CMS_DEBUG_DECRYPT flag when decrypting. +This option should be used with caution, since this can be used to disable +the MMA attack protection and return an error if no recipient can be found. +See the +.Xr CMS_decrypt 3 +manual page for details of the flag. +.It Xo +.Fl from Ar addr , +.Fl subject Ar s , +.Fl to Ar addr +.Xc +The relevant mail headers. +These are included outside the signed portion of a message so they may +be included manually. +If signing then many S/MIME mail clients check the signer's certificate's +email address matches that specified in the From: address. +.It Fl econtent_type Ar type +Set the encapsulated content type, used with +.Fl sign . +If not supplied the Data type is used. +The type argument can be any valid OID name in either text or numerical format. +.It Fl in Ar file +The input message to be encrypted or signed or the message to be decrypted or +verified. +.It Fl inform Cm der | pem | smime +The input format for the CMS structure. +The default is +.Cm smime , +which reads an S/MIME format message. +.Cm pem +and +.Cm der +format change this to expect PEM and DER format CMS structures instead. +This currently only affects the input format of the CMS structure; if no +CMS structure is being input (for example with +.Fl encrypt +or +.Fl sign ) +this option has no effect. +.It Fl inkey Ar file +The private key to use when signing or decrypting. +This must match the corresponding certificate. +If this option is not specified then the private key must be included in +the certificate file specified with the +.Fl recip +or +.Fl signer +file. +When signing this option can be used multiple times to specify successive keys. +.It Fl keyform Cm der | pem +Input private key format. +The default is +.Cm pem . +.It Fl keyid +Use subject key identifier to identify certificates instead of issuer +name and serial number. +The supplied certificate must include a subject key identifier extension. +Supported by +.Fl sign +and +.Fl encrypt +operations. +.It Fl keyopt Ar nm:v +Set customised parameters for the preceding key or certificate +for encryption and signing. +It can currently be used to set RSA-PSS for signing, RSA-OAEP for +encryption or to modify default parameters for ECDH. +This option can be used multiple times. +.It Fl md Ar digest +The digest algorithm to use when signing or resigning. +If not present then the default digest algorithm for the signing key +will be used (usually SHA1). +.It Fl no_attr_verify +Do not verify the signer's attribute of a signature. +.It Fl no_content_verify +Do not verify the content of a signed message. +.It Fl no_signer_cert_verify +Do not verify the signer's certificate of a signed message. +.It Fl noattr +Do not include attributes. +Normally when a message is signed a set of attributes are included which +include the signing time and supported symmetric algorithms. +With this option they are not included. +.It Fl nocerts +Do not include the signer's certificate. +This will reduce the size of the signed message but the verifier must +have a copy of the signer's certificate available locally (passed using +the +.Fl certfile +option for example). +.It Fl nodetach +When signing a message use opaque signing. +This form is more resistant to translation by mail relays but it cannot be +read by mail agents that do not support S/MIME. +Without this option cleartext signing with the MIME type multipart/signed is +used. +.It Fl nointern +Only the certificates specified in the +.Fl certfile +option are used. +When verifying a message normally certificates (if any) included in the +message are searched for the signing certificate. +The supplied certificates can still be used as untrusted CAs however. +.It Fl nooldmime +Output an old S/MIME content type like "application/x-pkcs7-". +.It Fl noout +Do not output the parsed CMS structure for the +.Fl cmsout +operation. +This is useful when combined with the +.Fl print +option or if the syntax of the CMS structure is being checked. +.It Fl nosigs +Do not try to verify the signatures on the message. +.It Fl nosmimecap +Exclude the list of supported algorithms from signed attributes; other +options such as signing time and content type are still included. +.It Fl noverify +Do not verify the signer's certificate of a signed message. +.It Fl out Ar file +The message text that has been decrypted or verified or the output MIME +format message that has been signed or verified. +.It Fl outform Cm der | pem | smime +This specifies the output format for the CMS structure. +The default is +.Cm smime , +which writes an S/MIME format message. +.Cm pem +and +.Cm der +format change this to write PEM and DER format CMS structures instead. +This currently only affects the output format of the CMS structure; if +no CMS structure is being output (for example with +.Fl verify +or +.Fl decrypt ) +this option has no effect. +.It Fl passin Ar src +The private key password source. +.It Fl print +Print out all fields of the CMS structure for the +.Fl cmsout +operation. +This is mainly useful for testing purposes. +.It Fl pwri_password Ar arg +Specify PasswordRecipientInfo (PWRI) password to use. +Supported by the +.Fl encrypt +and +.Fl decrypt +operations. +.It Fl rctform Cm der | pem | smime +Specify the format for a signed receipt for use with the +.Fl receipt_verify +operation. +The default is +.Cm smime . +.It Fl receipt_request_all | receipt_request_first +Indicate requests should be provided by all recipient or first tier +recipients (those mailed directly and not from a mailing list), for the +.Fl sign +operation to include a signed receipt request. +Ignored if +.Fl receipt_request_from +is included. +.It Fl receipt_request_from Ar addr +Add an explicit email address where receipts should be supplied. +.It Fl receipt_request_print +Print out the contents of any signed receipt requests for the +.Fl verify +operation. +.It Fl receipt_request_to Ar addr +Add an explicit email address where signed receipts should be sent to. +This option must be supplied if a signed receipt is requested. +.It Fl recip Ar file +When decrypting a message this specifies the recipient's certificate. +The certificate must match one of the recipients of the message or an +error occurs. +When encrypting a message this option may be used multiple times to +specify each recipient. +This form must be used if customised parameters are required (for example to +specify RSA-OAEP). +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported +by this option. +.It Fl secretkey Ar key +Specify symmetric key to use. +The key must be supplied in hex format and be consistent with the +algorithm used. +Supported by the +.Fl EncryptedData_encrypt , +.Fl EncryptedData_decrypt , +.Fl encrypt +and +.Fl decrypt +operations. +When used with +.Fl encrypt +or +.Fl decrypt +the supplied key is used to wrap or unwrap the content encryption key +using an AES key in the KEKRecipientInfo type. +.It Fl secretkeyid Ar id +The key identifier for the supplied symmetric key for KEKRecipientInfo type. +This option must be present if the +.Fl secretkey +option is used with +.Fl encrypt . +With +.Fl decrypt +operations the id is used to locate the relevant key; if it is not supplied +then an attempt is used to decrypt any KEKRecipientInfo structures. +.It Fl signer Ar file +A signing certificate when signing or resigning a message; this option +can be used multiple times if more than one signer is required. +If a message is being verified then the signers certificates will be +written to this file if the verification was successful. +.It Xo +.Fl stream | +.Fl indef | +.Fl noindef +.Xc +The +.Fl stream +and +.Fl indef +options are equivalent and enable streaming I/O for encoding operations. +This permits single pass processing of data without the need to hold the +entire contents in memory, potentially supporting very large files. +Streaming is automatically set for S/MIME signing with detached data if +the output format is +.Cm smime ; +it is currently off by default for all other operations. +.Fl noindef +disable streaming I/O where it would produce an indefinite length +constructed encoding. +This option currently has no effect. +.It Fl text +Add plain text (text/plain) MIME headers to the supplied message if +encrypting or signing. +If decrypting or verifying it strips off text headers: if the decrypted +or verified message is not of MIME type text/plain then an error occurs. +.It Fl verify_retcode +Set verification error code to exit code to indicate what verification error +has occurred. +Supported by +.Fl verify +operation only. +Exit code value minus 32 shows verification error code. +See +.Nm verify +command for the list of verification error code. +.El +.Pp +The exit codes for +.Nm cms +are as follows: +.Pp +.Bl -tag -width "XXXX" -offset 3n -compact +.It 0 +The operation was completely successful. +.It 1 +An error occurred parsing the command options. +.It 2 +One of the input files could not be read. +.It 3 +An error occurred creating the CMS file or when reading the MIME message. +.It 4 +An error occurred decrypting or verifying the message. +.It 5 +The message was verified correctly but an error occurred writing out the +signer's certificates. +.It 6 +An error occurred writing the output file. +.It 32+ +A verify error occurred while +.Fl verify_retcode +is specified. +.El +.Tg crl .Sh CRL .Bl -hang -width "openssl crl" .It Nm openssl crl @@ -953,6 +1529,7 @@ Print the CRL in plain text. .It Fl verify Verify the signature on the CRL. .El +.Tg crl2pkcs7 .Sh CRL2PKCS7 .Bl -hang -width "openssl crl2pkcs7" .It Nm openssl crl2pkcs7 @@ -998,6 +1575,7 @@ or standard output if not specified. .It Fl outform Cm der | pem The output format. .El +.Tg dgst .Sh DGST .Bl -hang -width "openssl dgst" .It Nm openssl dgst @@ -1112,6 +1690,7 @@ or File or files to digest. If no files are specified then standard input is used. .El +.Tg dhparam .Sh DHPARAM .Bl -hang -width "openssl dhparam" .It Nm openssl dhparam @@ -1188,6 +1767,7 @@ If not present, a value of 2048 is used. If this value is present, the input file is ignored and parameters are generated instead. .El +.Tg dsa .Sh DSA .Bl -hang -width "openssl dsa" .It Nm openssl dsa @@ -1276,6 +1856,7 @@ The default is .It Fl text Print the public/private key in plain text. .El +.Tg dsaparam .Sh DSAPARAM .Bl -hang -width "openssl dsaparam" .It Nm openssl dsaparam @@ -1328,6 +1909,7 @@ Generate a parameter set of size .Ar numbits . If this option is included, the input file is ignored. .El +.Tg ec .Sh EC .Bl -hang -width "openssl ec" .It Nm openssl ec @@ -1389,7 +1971,7 @@ Encrypt the private key with DES, triple DES, or any other cipher supported by .Nm openssl . A pass phrase is prompted for. -If none of these options is specified the key is written in plain text. +If none of these options are specified, the key is written in plain text. This means that using the .Nm ec utility to read in an encrypted key with no @@ -1400,7 +1982,7 @@ These options can only be used with PEM format output files. .It Fl in Ar file The input file to read a key from, or standard input if not specified. -If the key is encrypted a pass phrase will be prompted for. +If the key is encrypted, a pass phrase will be prompted for. .It Fl inform Cm der | pem The input format. .It Fl noout @@ -1440,6 +2022,7 @@ Automatically set if the input is a public key. .It Fl text Print the public/private key in plain text. .El +.Tg ecparam .Sh ECPARAM .Bl -hang -width "openssl ecparam" .It Nm openssl ecparam @@ -1535,6 +2118,7 @@ is currently not implemented. .It Fl text Print the EC parameters in plain text. .El +.Tg enc .Sh ENC .Bl -hang -width "openssl enc" .It Nm openssl enc @@ -1660,11 +2244,8 @@ option. Use .Ar digest to create a key from a pass phrase. -.Ar digest -may be one of -.Cm md5 -or -.Cm sha1 . +Currently, the default value is +.Cm sha256 . .It Fl none Use NULL cipher (no encryption or decryption of input). .It Fl nopad @@ -1701,6 +2282,7 @@ encrypted file when it is decrypted. .It Fl v Print extra details about the processing. .El +.Tg errstr .Sh ERRSTR .Nm openssl errstr .Op Fl stats @@ -1731,6 +2313,7 @@ The options are as follows: .It Fl stats Print debugging statistics about various aspects of the hash table. .El +.Tg gendsa .Sh GENDSA .Bl -hang -width "openssl gendsa" .It Nm openssl gendsa @@ -1777,6 +2360,7 @@ The output file password source. Specify the DSA parameter file to use. The parameters in this file determine the size of the private key. .El +.Tg genpkey .Sh GENPKEY .Bl -hang -width "openssl genpkey" .It Nm openssl genpkey @@ -1876,11 +2460,12 @@ The value to use for the generator .Ar g . .It ec_paramgen_curve : Ns Ar curve (EC) -The EC curve to use. +The elliptic curve to use. .El .It Fl text Print the private/public key in plain text. .El +.Tg genrsa .Sh GENRSA .Bl -hang -width "openssl genrsa" .It Nm openssl genrsa @@ -1906,7 +2491,10 @@ A .Sq \&. represents each number which has passed an initial sieve test; .Sq + -means a number has passed a single round of the Miller-Rabin primality test. +means a number has passed a single round of the Miller-Rabin primality test; +.Sq * +means the number has failed primality testing +and needs to be generated afresh. A newline means that the number has passed all the prime tests (the actual number depends on the key size). .Pp @@ -1938,6 +2526,7 @@ The size of the private key to generate in bits. This must be the last option specified. The default is 2048. .El +.Tg nseq .Sh NSEQ .Nm openssl nseq .Op Fl in Ar file @@ -1968,6 +2557,7 @@ With the option the situation is reversed: a Netscape certificate sequence is created from a file of certificates. .El +.Tg ocsp .Sh OCSP .Bl -hang -width "openssl ocsp" .It Nm openssl ocsp @@ -2051,7 +2641,7 @@ option, or an error occurs if no issuer certificate is specified. Use the digest algorithm .Ar alg for certificate identification in the OCSP request. -By default SHA-1 is used. +By default SHA1 is used. .It Xo .Fl host Ar hostname : Ns Ar port , .Fl path Ar path @@ -2320,6 +2910,7 @@ Alternatively, the responder certificate itself can be explicitly trusted with the .Fl VAfile option. +.Tg passwd .Sh PASSWD .Bl -hang -width "openssl passwd" .It Nm openssl passwd @@ -2383,6 +2974,7 @@ Read passwords from standard input. In the output list, prepend the cleartext password and a TAB character to each password hash. .El +.Tg pkcs7 .Sh PKCS7 .Bl -hang -width "openssl pkcs7" .It Nm openssl pkcs7 @@ -2428,6 +3020,7 @@ preceded by their subject and issuer names in a one-line format. .It Fl text Print certificate details in full rather than just subject and issuer names. .El +.Tg pkcs8 .Sh PKCS8 .Bl -hang -width "openssl pkcs8" .It Nm openssl pkcs8 @@ -2511,6 +3104,7 @@ is the encryption algorithm to use; valid values include des, des3, and rc2. It is recommended that des3 is used. .El +.Tg pkcs12 .Sh PKCS12 .Bl -hang -width "openssl pkcs12" .It Nm openssl pkcs12 @@ -2728,6 +3322,7 @@ Otherwise, is equivalent to .Fl passin . .El +.Tg pkey .Sh PKEY .Bl -hang -width "openssl pkey" .It Nm openssl pkey @@ -2764,7 +3359,7 @@ is acceptable, such as .It Fl in Ar file The input file to read from, or standard input if not specified. -If the key is encrypted a pass phrase will be prompted for. +If the key is encrypted, a pass phrase will be prompted for. .It Fl inform Cm der | pem The input format. .It Fl noout @@ -2791,6 +3386,7 @@ Print the public/private key in plain text. Print out only public key components even if a private key is being processed. .El +.Tg pkeyparam .Sh PKEYPARAM .Cm openssl pkeyparam .Op Fl in Ar file @@ -2816,6 +3412,7 @@ or standard output if not specified. .It Fl text Print the parameters in plain text. .El +.Tg pkeyutl .Sh PKEYUTL .Bl -hang -width "openssl pkeyutl" .It Nm openssl pkeyutl @@ -2935,8 +3532,8 @@ For pss mode only this option specifies the salt length. Two special values are supported: -1 sets the salt length to the digest length. -When signing -2 sets the salt length to the maximum permissible value. -When verifying -2 causes the salt length to be automatically determined +When signing, -2 sets the salt length to the maximum permissible value. +When verifying, -2 causes the salt length to be automatically determined based on the PSS block structure. .El .Pp @@ -2968,6 +3565,7 @@ verification succeeded or failed. .It Fl verifyrecover Verify the input data and output the recovered data. .El +.Tg prime .Sh PRIME .Cm openssl prime .Op Fl bits Ar n @@ -3012,6 +3610,7 @@ Test if number .Ar p is prime. .El +.Tg rand .Sh RAND .Bl -hang -width "openssl rand" .It Nm openssl rand @@ -3039,10 +3638,12 @@ Specify hexadecimal output. The output file to write to, or standard output if not specified. .El +.Tg req .Sh REQ .Bl -hang -width "openssl req" .It Nm openssl req .Bk -words +.Op Fl addext Ar ext .Op Fl asn1-kludge .Op Fl batch .Op Fl config Ar file @@ -3092,6 +3693,13 @@ for use as root CAs, for example. .Pp The options are as follows: .Bl -tag -width Ds +.It Fl addext Ar ext +Add a specific extension to the certificate (if the +.Fl x509 +option is present) or certificate request. +The argument must have the form of a key=value pair as it would appear in a +config file. +This option can be given multiple times. .It Fl asn1-kludge Produce requests in an invalid format for certain picky CAs. Very few CAs still require the use of this option. @@ -3480,6 +4088,7 @@ or options in the configuration file. Any additional fields will be treated as though they were a .Cm DirectoryString . +.Tg rsa .Sh RSA .Bl -hang -width "openssl rsa" .It Nm openssl rsa @@ -3577,6 +4186,7 @@ and SGC keys. .It Fl text Print the public/private key components in plain text. .El +.Tg rsautl .Sh RSAUTL .Bl -hang -width "openssl rsautl" .It Nm openssl rsautl @@ -3651,6 +4261,7 @@ This requires an RSA private key. .It Fl verify Verify the input data and output the recovered data. .El +.Tg s_client .Sh S_CLIENT .Bl -hang -width "openssl s_client" .It Nm openssl s_client @@ -3669,9 +4280,11 @@ Verify the input data and output the recovered data. .Op Fl crl_check_all .Op Fl crlf .Op Fl debug +.Op Fl dtls .Op Fl dtls1 +.Op Fl dtls1_2 .Op Fl extended_crl -.Op Fl groups +.Op Fl groups Ar list .Op Fl host Ar host .Op Fl ign_eof .Op Fl ignore_critical @@ -3692,6 +4305,7 @@ Verify the input data and output the recovered data. .Op Fl no_tls1 .Op Fl no_tls1_1 .Op Fl no_tls1_2 +.Op Fl no_tls1_3 .Op Fl pass Ar arg .Op Fl pause .Op Fl policy_check @@ -3712,6 +4326,7 @@ Verify the input data and output the recovered data. .Op Fl tls1 .Op Fl tls1_1 .Op Fl tls1_2 +.Op Fl tls1_3 .Op Fl tlsextdebug .Op Fl use_srtp Ar profiles .Op Fl verify Ar depth @@ -3811,10 +4426,17 @@ Translate a line feed from the terminal into CR+LF, as required by some servers. .It Fl debug Print extensive debugging information, including a hex dump of all traffic. +.It Fl dtls +Permit any version of DTLS. .It Fl dtls1 Permit only DTLS1.0. -.It Fl groups Ar ecgroups -Specify a colon-separated list of permitted EC curve groups. +.It Fl dtls1_2 +Permit only DTLS1.2. +.It Fl groups Ar list +Set the supported elliptic curve groups to the colon separated +.Ar list +of group NIDs or names as documented in +.Xr SSL_CTX_set1_groups_list 3 . .It Fl host Ar host The .Ar host @@ -3849,8 +4471,8 @@ Can be used to override the implicit .Fl ign_eof after .Fl quiet . -.It Fl no_tls1 | no_tls1_1 | no_tls1_2 -Disable the use of TLS1.0, 1.1, and 1.2, respectively. +.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3 +Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively. .It Fl no_ticket Disable RFC 4507 session ticket support. .It Fl pass Ar arg @@ -3923,8 +4545,8 @@ Send a certificate status request to the server (OCSP stapling). The server response (if any) is printed out. .It Fl timeout Enable send/receive timeout on DTLS connections. -.It Fl tls1 | tls1_1 | tls1_2 -Permit only TLS1.0, 1.1, or 1.2, respectively. +.It Fl tls1 | tls1_1 | tls1_2 | tls1_3 +Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively. .It Fl tlsextdebug Print a hex dump of any TLS extensions received from the server. .It Fl use_srtp Ar profiles @@ -3947,6 +4569,7 @@ If this option is not specified then the host specified with .Fl connect will be used. .El +.Tg s_server .Sh S_SERVER .Bl -hang -width "openssl s_server" .It Nm openssl s_server @@ -3971,7 +4594,10 @@ will be used. .Op Fl dkey Ar file .Op Fl dkeyform Cm der | pem .Op Fl dpass Ar arg +.Op Fl dtls .Op Fl dtls1 +.Op Fl dtls1_2 +.Op Fl groups Ar list .Op Fl HTTP .Op Fl id_prefix Ar arg .Op Fl key Ar keyfile @@ -3991,6 +4617,7 @@ will be used. .Op Fl no_tls1 .Op Fl no_tls1_1 .Op Fl no_tls1_2 +.Op Fl no_tls1_3 .Op Fl no_tmp_rsa .Op Fl nocert .Op Fl pass Ar arg @@ -4007,6 +4634,7 @@ will be used. .Op Fl tls1 .Op Fl tls1_1 .Op Fl tls1_2 +.Op Fl tls1_3 .Op Fl tlsextdebug .Op Fl use_srtp Ar profiles .Op Fl Verify Ar depth @@ -4134,8 +4762,17 @@ load the parameters from the server certificate file. If this fails, a static set of parameters hard coded into the .Nm s_server program will be used. +.It Fl dtls +Permit any version of DTLS. .It Fl dtls1 Permit only DTLS1.0. +.It Fl dtls1_2 +Permit only DTLS1.2. +.It Fl groups Ar list +Set the supported elliptic curve groups to the colon separated +.Ar list +of group NIDs or names as documented in +.Xr SSL_CTX_set1_groups_list 3 . .It Fl HTTP Emulate a simple web server. Pages are resolved relative to the current directory. @@ -4172,6 +4809,9 @@ Show all protocol messages with hex dump. Set the link layer MTU. .It Fl named_curve Ar arg Specify the elliptic curve name to use for ephemeral ECDH keys. +This option is deprecated; use +.Fl groups +instead. .It Fl nbio Turn on non-blocking I/O. .It Fl nbio_test @@ -4184,8 +4824,8 @@ Disable ephemeral DH cipher suites. Disable ephemeral ECDH cipher suites. .It Fl no_ticket Disable RFC 4507 session ticket support. -.It Fl no_tls1 | no_tls1_1 | no_tls1_2 -Disable the use of TLS1.0, 1.1, and 1.2, respectively. +.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3 +Disable the use of TLS1.0, 1.1, 1.2, and 1.3, respectively. .It Fl no_tmp_rsa Disable temporary RSA key generation. .It Fl nocert @@ -4220,8 +4860,8 @@ Enables certificate status request support (OCSP stapling) and gives a verbose printout of the OCSP response. .It Fl timeout Enable send/receive timeout on DTLS connections. -.It Fl tls1 | tls1_1 | tls1_2 -Permit only TLS1.0, 1.1, or 1.2, respectively. +.It Fl tls1 | tls1_1 | tls1_2 | tls1_3 +Permit only TLS1.0, 1.1, 1.2, or 1.3, respectively. .It Fl tlsextdebug Print a hex dump of any TLS extensions received from the server. .It Fl use_srtp Ar profiles @@ -4252,6 +4892,7 @@ with .Fl verify , a certificate is requested but the client does not have to send one. .El +.Tg s_time .Sh S_TIME .Bl -hang -width "openssl s_time" .It Nm openssl s_time @@ -4362,6 +5003,7 @@ If this parameter is not specified, will only perform the handshake to establish SSL connections but not transfer any payload data. .El +.Tg sess_id .Sh SESS_ID .Bl -hang -width "openssl sess_id" .It Nm openssl sess_id @@ -4454,6 +5096,7 @@ should be taken if the information is being output by a application. This is, however, strongly discouraged and should only be used for debugging purposes. +.Tg smime .Sh SMIME .Bl -hang -width "openssl smime" .It Nm openssl smime @@ -4574,7 +5217,7 @@ Normally, the input message is converted to .Qq canonical format which uses CR/LF as end of line, as required by the S/MIME specification. -When this option is present no translation occurs. +When this option is present, no translation occurs. This is useful when handling binary data which may not be in MIME format. .It Fl CAfile Ar file A @@ -4750,6 +5393,7 @@ An error occurred decrypting or verifying the message. .It 5 An error occurred writing certificates. .El +.Tg speed .Sh SPEED .Bl -hang -width "openssl speed" .It Nm openssl speed @@ -4787,6 +5431,7 @@ Run .Ar number benchmarks in parallel. .El +.Tg spkac .Sh SPKAC .Bl -hang -width "openssl spkac" .It Nm openssl spkac @@ -4848,6 +5493,7 @@ containing the SPKAC. .It Fl verify Verify the digital signature on the supplied SPKAC. .El +.Tg ts .Sh TS .Bk -words .Bl -hang -width "openssl ts" @@ -4957,7 +5603,7 @@ The message digest to apply to the data file. It supports all the message digest algorithms that are supported by the .Nm dgst command. -The default is SHA-1. +The default is SHA1. .It Fl no_nonce Specify no nonce in the request. The default, to include a 64-bit long pseudo-random nonce, @@ -4970,7 +5616,7 @@ The policy that the client expects the TSA to use for creating the time stamp token. Either dotted OID notation or OID names defined in the config file can be used. -If no policy is requested the TSA uses its own default policy. +If no policy is requested, the TSA uses its own default policy. .It Fl text Output in human-readable text format instead of DER. .El @@ -5210,6 +5856,7 @@ If this variable is set to no, only the signing certificate identifier is included. The default is no. .El +.Tg verify .Sh VERIFY .Bl -hang -width "openssl verify" .It Nm openssl verify @@ -5227,6 +5874,7 @@ The default is no. .Op Fl inhibit_any .Op Fl inhibit_map .Op Fl issuer_checks +.Op Fl legacy_verify .Op Fl policy_check .Op Fl purpose Ar purpose .Op Fl trusted Ar file @@ -5275,7 +5923,7 @@ The should contain one or more CRLs in PEM format. .It Fl crl_check Check end entity certificate validity by attempting to look up a valid CRL. -If a valid CRL cannot be found an error occurs. +If a valid CRL cannot be found, an error occurs. .It Fl crl_check_all Check the validity of all certificates in the chain by attempting to look up valid CRLs. @@ -5299,6 +5947,8 @@ showing why each candidate issuer certificate was rejected. The presence of rejection messages does not itself imply that anything is wrong: during the normal verify process several rejections may take place. +.It Fl legacy_verify +Use the legacy X.509 certificate chain verification code. .It Fl policy_check Enable certificate policy processing. .It Fl purpose Ar purpose @@ -5537,6 +6187,7 @@ extension does not permit certificate signing. An application specific error. Unused. .El +.Tg version .Sh VERSION .Nm openssl version .Op Fl abdfopv @@ -5568,6 +6219,7 @@ The current .Nm openssl version. .El +.Tg x509 .Sh X509 .Bl -hang -width "openssl x509" .It Nm openssl x509 @@ -5926,7 +6578,7 @@ Print the full certificate in text form. A trusted certificate is a certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and an alias. -When a certificate is being verified at least one certificate must be trusted. +When a certificate is being verified, at least one certificate must be trusted. By default, a trusted certificate must be stored locally and be a root CA. The following are x509 trust settings options: .Bl -tag -width "XXXX" diff --git a/apps/openssl/openssl.c b/apps/openssl/openssl.c index 73e5117d..fe92a126 100644 --- a/apps/openssl/openssl.c +++ b/apps/openssl/openssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: openssl.c,v 1.29 2019/03/17 17:46:00 tb Exp $ */ +/* $OpenBSD: openssl.c,v 1.30 2019/11/04 15:25:54 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -154,6 +154,9 @@ FUNCTION functions[] = { { FUNC_TYPE_GENERAL, "ca", ca_main }, { FUNC_TYPE_GENERAL, "certhash", certhash_main }, { FUNC_TYPE_GENERAL, "ciphers", ciphers_main }, +#ifndef OPENSSL_NO_CMS + { FUNC_TYPE_GENERAL, "cms", cms_main }, +#endif { FUNC_TYPE_GENERAL, "crl2pkcs7", crl2pkcs7_main }, { FUNC_TYPE_GENERAL, "crl", crl_main }, { FUNC_TYPE_GENERAL, "dgst", dgst_main }, diff --git a/apps/openssl/progs.h b/apps/openssl/progs.h index 1c11a356..8ccf8123 100644 --- a/apps/openssl/progs.h +++ b/apps/openssl/progs.h @@ -1,10 +1,11 @@ -/* $OpenBSD: progs.h,v 1.8 2016/09/05 10:45:19 deraadt Exp $ */ +/* $OpenBSD: progs.h,v 1.9 2019/11/04 15:25:54 jsing Exp $ */ /* Public domain */ int asn1parse_main(int argc, char **argv); int ca_main(int argc, char **argv); int certhash_main(int argc, char **argv); int ciphers_main(int argc, char **argv); +int cms_main(int argc, char **argv); int crl2pkcs7_main(int argc, char **argv); int crl_main(int argc, char **argv); int dgst_main(int argc, char **argv); diff --git a/apps/openssl/req.c b/apps/openssl/req.c index 6b7dfb98..dfba8e28 100644 --- a/apps/openssl/req.c +++ b/apps/openssl/req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: req.c,v 1.16 2019/07/03 03:24:02 deraadt Exp $ */ +/* $OpenBSD: req.c,v 1.19 2020/08/09 16:38:24 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,9 +62,10 @@ #undef OPENSSL_NO_DEPRECATED #endif +#include +#include #include #include -#include #include #include @@ -100,26 +101,6 @@ #define DEFAULT_KEY_LENGTH 2048 #define MIN_KEY_LENGTH 384 - -/* -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -verify - check request signature - * -noout - don't print stuff out. - * -text - print out human readable text. - * -nodes - no des encryption - * -config file - Load configuration file. - * -key file - make a request using key in file (or use it for verification). - * -keyform arg - key file format. - * -newkey - make a key and a request. - * -modulus - print RSA modulus. - * -pubkey - output Public Key. - * -x509 - output a self signed X509 structure instead. - * -asn1-kludge - output new certificate request in a format that some CA's - * require. This format is wrong - */ - static int make_REQ(X509_REQ * req, EVP_PKEY * pkey, char *dn, int multirdn, int attribs, unsigned long chtype); static int build_subject(X509_REQ * req, char *subj, unsigned long chtype, @@ -141,40 +122,459 @@ static int req_check_len(int len, int n_min, int n_max); static int check_end(const char *str, const char *end); static EVP_PKEY_CTX *set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type, long *pkeylen, char **palgnam); +static unsigned long ext_name_hash(const OPENSSL_STRING *a); +static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b); +static void exts_cleanup(OPENSSL_STRING *x); +static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv); static CONF *req_conf = NULL; -static int batch = 0; +static CONF *addext_conf = NULL; + +struct { + LHASH_OF(OPENSSL_STRING) *addexts; + BIO *addext_bio; + int batch; + unsigned long chtype; + int days; + const EVP_MD *digest; + char *extensions; + char *infile; + int informat; + char *keyalg; + char *keyfile; + int keyform; + char *keyout; + int kludge; + int modulus; + int multirdn; + int newhdr; + long newkey; + int newreq; + unsigned long nmflag; + int nodes; + int noout; + char *outfile; + int outformat; + char *passargin; + char *passargout; + STACK_OF(OPENSSL_STRING) *pkeyopts; + int pubkey; + char *req_exts; + unsigned long reqflag; + ASN1_INTEGER *serial; + STACK_OF(OPENSSL_STRING) *sigopts; + char *subj; + int subject; + char *template; + int text; + int verbose; + int verify; + int x509; +} req_config; + +static int +req_opt_addext(char *arg) +{ + int i; + + if (req_config.addexts == NULL) { + req_config.addexts = (LHASH_OF(OPENSSL_STRING) *)lh_new( + (LHASH_HASH_FN_TYPE)ext_name_hash, + (LHASH_COMP_FN_TYPE)ext_name_cmp); + req_config.addext_bio = BIO_new(BIO_s_mem()); + if (req_config.addexts == NULL || + req_config.addext_bio == NULL) + return (1); + } + i = duplicated(req_config.addexts, arg); + if (i == 1) + return (1); + if (i < 0 || BIO_printf(req_config.addext_bio, "%s\n", arg) < 0) + return (1); + + return (0); +} + +static int +req_opt_days(char *arg) +{ + const char *errstr; + + req_config.days = strtonum(arg, 1, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "bad -days %s, using 0: %s\n", + arg, errstr); + req_config.days = 30; + } + return (0); +} + +static int +req_opt_digest(int argc, char **argv, int *argsused) +{ + char *name = argv[0]; + + if (*name++ != '-') + return (1); + + if ((req_config.digest = EVP_get_digestbyname(name)) == NULL) + return (1); + + *argsused = 1; + return (0); +} + +static int +req_opt_newkey(char *arg) +{ + req_config.keyalg = arg; + req_config.newreq = 1; + return (0); +} + +static int +req_opt_nameopt(char *arg) +{ + if (!set_name_ex(&req_config.nmflag, arg)) + return (1); + return (0); +} + +static int +req_opt_pkeyopt(char *arg) +{ + if (req_config.pkeyopts == NULL) + req_config.pkeyopts = sk_OPENSSL_STRING_new_null(); + if (req_config.pkeyopts == NULL) + return (1); + if (!sk_OPENSSL_STRING_push(req_config.pkeyopts, arg)) + return (1); + return (0); +} + +static int +req_opt_reqopt(char *arg) +{ + if (!set_cert_ex(&req_config.reqflag, arg)) + return (1); + return (0); +} + +static int +req_opt_set_serial(char *arg) +{ + req_config.serial = s2i_ASN1_INTEGER(NULL, arg); + if (req_config.serial == NULL) + return (1); + return (0); +} + +static int +req_opt_sigopt(char *arg) +{ + if (req_config.sigopts == NULL) + req_config.sigopts = sk_OPENSSL_STRING_new_null(); + if (req_config.sigopts == NULL) + return (1); + if (!sk_OPENSSL_STRING_push(req_config.sigopts, arg)) + return (1); + return (0); +} + +static int +req_opt_utf8(void) +{ + req_config.chtype = MBSTRING_UTF8; + return (0); +} + +static const struct option req_options[] = { + { + .name = "addext", + .argname = "key=value", + .desc = "Additional certificate extension (may be repeated)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_addext, + }, + { + .name = "asn1-kludge", + .type = OPTION_VALUE, + .opt.value = &req_config.kludge, + .value = 1, + }, + { + .name = "batch", + .desc = "Operate in batch mode", + .type = OPTION_FLAG, + .opt.flag = &req_config.batch, + }, + { + .name = "config", + .argname = "file", + .desc = "Configuration file to use as request template", + .type = OPTION_ARG, + .opt.arg = &req_config.template, + }, + { + .name = "days", + .argname = "number", + .desc = "Number of days generated certificate is valid for", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_days, + }, + { + .name = "extensions", + .argname = "section", + .desc = "Config section to use for certificate extensions", + .type = OPTION_ARG, + .opt.arg = &req_config.extensions, + }, + { + .name = "in", + .argname = "file", + .desc = "Input file (default stdin)", + .type = OPTION_ARG, + .opt.arg = &req_config.infile, + }, + { + .name = "inform", + .argname = "format", + .desc = "Input format (DER or PEM (default))", + .type = OPTION_ARG_FORMAT, + .opt.value = &req_config.informat, + }, + { + .name = "key", + .argname = "file", + .desc = "Private key file", + .type = OPTION_ARG, + .opt.arg = &req_config.keyfile, + }, + { + .name = "keyform", + .argname = "format", + .desc = "Private key format (DER or PEM (default))", + .type = OPTION_ARG_FORMAT, + .opt.value = &req_config.keyform, + }, + { + .name = "keyout", + .argname = "file", + .desc = "Private key output file", + .type = OPTION_ARG, + .opt.arg = &req_config.keyout, + }, + { + .name = "modulus", + .desc = "Print RSA modulus", + .type = OPTION_FLAG, + .opt.flag = &req_config.modulus, + }, + { + .name = "multivalue-rdn", + .desc = "Enable support for multivalued RDNs", + .type = OPTION_FLAG, + .opt.flag = &req_config.multirdn, + }, + { + .name = "nameopt", + .argname = "arg", + .desc = "Certificate name options", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_nameopt, + }, + { + .name = "new", + .desc = "New request", + .type = OPTION_FLAG, + .opt.flag = &req_config.newreq, + }, + { + .name = "newhdr", + .desc = "Include 'NEW' in header lines", + .type = OPTION_FLAG, + .opt.flag = &req_config.newhdr, + }, + { + .name = "newkey", + .argname = "param", + .desc = "Generate a new key using given parameters", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_newkey, + }, + { + .name = "no-asn1-kludge", + .type = OPTION_VALUE, + .opt.value = &req_config.kludge, + .value = 0, + }, + { + .name = "nodes", + .desc = "Do not encrypt output private key", + .type = OPTION_FLAG, + .opt.flag = &req_config.nodes, + }, + { + .name = "noout", + .desc = "Do not output request", + .type = OPTION_FLAG, + .opt.flag = &req_config.noout, + }, + { + .name = "out", + .argname = "file", + .desc = "Output file (default stdout)", + .type = OPTION_ARG, + .opt.arg = &req_config.outfile, + }, + { + .name = "outform", + .argname = "format", + .desc = "Output format (DER or PEM (default))", + .type = OPTION_ARG_FORMAT, + .opt.value = &req_config.outformat, + }, + { + .name = "passin", + .argname = "source", + .desc = "Private key input password source", + .type = OPTION_ARG, + .opt.arg = &req_config.passargin, + }, + { + .name = "passout", + .argname = "source", + .desc = "Private key output password source", + .type = OPTION_ARG, + .opt.arg = &req_config.passargout, + }, + { + .name = "pkeyopt", + .argname = "opt:val", + .desc = "Set the public key algorithm option opt to val", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_pkeyopt, + }, + { + .name = "pubkey", + .desc = "Output the public key", + .type = OPTION_FLAG, + .opt.flag = &req_config.pubkey, + }, + { + .name = "reqexts", + .argname = "section", + .desc = "Config section to use for request extensions", + .type = OPTION_ARG, + .opt.arg = &req_config.req_exts, + }, + { + .name = "reqopt", + .argname = "option", + .desc = "Request text options", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_reqopt, + }, + { + .name = "set_serial", + .argname = "serial", + .desc = "Serial number to use for generated certificate", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_set_serial, + }, + { + .name = "sigopt", + .argname = "name:val", + .desc = "Signature options", + .type = OPTION_ARG_FUNC, + .opt.argfunc = req_opt_sigopt, + }, + { + .name = "subj", + .argname = "name", + .desc = "Set or modify the request subject", + .type = OPTION_ARG, + .opt.arg = &req_config.subj, + }, + { + .name = "subject", + .desc = "Output the subject of the request", + .type = OPTION_FLAG, + .opt.flag = &req_config.subject, + }, + { + .name = "text", + .desc = "Print request in text form", + .type = OPTION_FLAG, + .opt.flag = &req_config.text, + }, + { + .name = "utf8", + .desc = "Input characters are in UTF-8 (default ASCII)", + .type = OPTION_FUNC, + .opt.func = req_opt_utf8, + }, + { + .name = "verbose", + .desc = "Verbose", + .type = OPTION_FLAG, + .opt.flag = &req_config.verbose, + }, + { + .name = "verify", + .desc = "Verify signature on request", + .type = OPTION_FLAG, + .opt.flag = &req_config.verify, + }, + { + .name = "x509", + .desc = "Output an X.509 structure instead of a certificate request", + .type = OPTION_FLAG, + .opt.flag = &req_config.x509, + }, + { + .name = NULL, + .desc = "", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = req_opt_digest, + }, + { NULL }, +}; + +static void +req_usage(void) +{ + fprintf(stderr, + "usage: req [-addext ext] [-asn1-kludge] [-batch] [-config file]\n" + " [-days n] [-extensions section] [-in file]\n" + " [-inform der | pem] [-key keyfile] [-keyform der | pem]\n" + " [-keyout file] [-md4 | -md5 | -sha1] [-modulus]\n" + " [-multivalue-rdn] [-nameopt option] [-new] [-newhdr]\n" + " [-newkey arg] [-no-asn1-kludge] [-nodes] [-noout]\n" + " [-out file] [-outform der | pem] [-passin arg]\n" + " [-passout arg] [-pkeyopt opt:value] [-pubkey]\n" + " [-reqexts section] [-reqopt option] [-set_serial n]\n" + " [-sigopt nm:v] [-subj arg] [-subject] [-text] [-utf8]\n" + " [-verbose] [-verify] [-x509]\n\n"); + + options_usage(req_options); + fprintf(stderr, "\n"); +} int req_main(int argc, char **argv) { - unsigned long nmflag = 0, reqflag = 0; - int ex = 1, x509 = 0, days = 30; + int ex = 1; X509 *x509ss = NULL; X509_REQ *req = NULL; EVP_PKEY_CTX *genctx = NULL; - const char *keyalg = NULL; char *keyalgstr = NULL; - STACK_OF(OPENSSL_STRING) * pkeyopts = NULL, *sigopts = NULL; + const EVP_CIPHER *cipher = NULL; EVP_PKEY *pkey = NULL; - int i = 0, badops = 0, newreq = 0, verbose = 0, pkey_type = -1; - long newkey = -1; + int i = 0, pkey_type = -1; BIO *in = NULL, *out = NULL; - int informat, outformat, verify = 0, noout = 0, text = 0, keyform = FORMAT_PEM; - int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0; - char *infile, *outfile, *prog, *keyfile = NULL, *template = NULL, - *keyout = NULL; - char *extensions = NULL; - char *req_exts = NULL; - const EVP_CIPHER *cipher = NULL; - ASN1_INTEGER *serial = NULL; - int modulus = 0; - char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; + const EVP_MD *md_alg = NULL; char *p; - char *subj = NULL; - int multirdn = 0; - const EVP_MD *md_alg = NULL, *digest = NULL; - unsigned long chtype = MBSTRING_ASC; if (single_execution) { if (pledge("stdio cpath wpath rpath tty", NULL) == -1) { @@ -183,217 +583,37 @@ req_main(int argc, char **argv) } } - req_conf = NULL; - cipher = EVP_aes_256_cbc(); - digest = EVP_sha256(); - - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } - else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); - } else if (strcmp(*argv, "-pubkey") == 0) { - pubkey = 1; - } else if (strcmp(*argv, "-new") == 0) { - newreq = 1; - } else if (strcmp(*argv, "-config") == 0) { - if (--argc < 1) - goto bad; - template = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - keyform = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-keyout") == 0) { - if (--argc < 1) - goto bad; - keyout = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } else if (strcmp(*argv, "-newkey") == 0) { - if (--argc < 1) - goto bad; - keyalg = *(++argv); - newreq = 1; - } else if (strcmp(*argv, "-pkeyopt") == 0) { - if (--argc < 1) - goto bad; - if (!pkeyopts) - pkeyopts = sk_OPENSSL_STRING_new_null(); - if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-sigopt") == 0) { - if (--argc < 1) - goto bad; - if (!sigopts) - sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-batch") == 0) - batch = 1; - else if (strcmp(*argv, "-newhdr") == 0) - newhdr = 1; - else if (strcmp(*argv, "-modulus") == 0) - modulus = 1; - else if (strcmp(*argv, "-verify") == 0) - verify = 1; - else if (strcmp(*argv, "-nodes") == 0) - nodes = 1; - else if (strcmp(*argv, "-noout") == 0) - noout = 1; - else if (strcmp(*argv, "-verbose") == 0) - verbose = 1; - else if (strcmp(*argv, "-utf8") == 0) - chtype = MBSTRING_UTF8; - else if (strcmp(*argv, "-nameopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_name_ex(&nmflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-reqopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_cert_ex(&reqflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-subject") == 0) - subject = 1; - else if (strcmp(*argv, "-text") == 0) - text = 1; - else if (strcmp(*argv, "-x509") == 0) - x509 = 1; - else if (strcmp(*argv, "-asn1-kludge") == 0) - kludge = 1; - else if (strcmp(*argv, "-no-asn1-kludge") == 0) - kludge = 0; - else if (strcmp(*argv, "-subj") == 0) { - if (--argc < 1) - goto bad; - subj = *(++argv); - } else if (strcmp(*argv, "-multivalue-rdn") == 0) - multirdn = 1; - else if (strcmp(*argv, "-days") == 0) { - const char *errstr; - - if (--argc < 1) - goto bad; - days = strtonum(*(++argv), 1, INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, "bad -days %s, using 0: %s\n", - *argv, errstr); - days = 30; - } - } else if (strcmp(*argv, "-set_serial") == 0) { - if (--argc < 1) - goto bad; - serial = s2i_ASN1_INTEGER(NULL, *(++argv)); - if (!serial) - goto bad; - } else if (strcmp(*argv, "-extensions") == 0) { - if (--argc < 1) - goto bad; - extensions = *(++argv); - } else if (strcmp(*argv, "-reqexts") == 0) { - if (--argc < 1) - goto bad; - req_exts = *(++argv); - } else if ((md_alg = EVP_get_digestbyname(&((*argv)[1]))) != NULL) { - /* ok */ - digest = md_alg; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; - break; - } - argc--; - argv++; - } + memset(&req_config, 0, sizeof(req_config)); - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, " -text text form of request\n"); - BIO_printf(bio_err, " -pubkey output public key\n"); - BIO_printf(bio_err, " -noout do not output REQ\n"); - BIO_printf(bio_err, " -verify verify signature on REQ\n"); - BIO_printf(bio_err, " -modulus RSA modulus\n"); - BIO_printf(bio_err, " -nodes don't encrypt the output key\n"); - BIO_printf(bio_err, " -subject output the request's subject\n"); - BIO_printf(bio_err, " -passin private key password source\n"); - BIO_printf(bio_err, " -key file use the private key contained in file\n"); - BIO_printf(bio_err, " -keyform arg key file format\n"); - BIO_printf(bio_err, " -keyout arg file to send the key to\n"); - BIO_printf(bio_err, " -newkey rsa:bits generate a new RSA key of 'bits' in size\n"); - BIO_printf(bio_err, " -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n"); - BIO_printf(bio_err, " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n"); - BIO_printf(bio_err, " -[digest] Digest to sign with (md5, sha1, md4)\n"); - BIO_printf(bio_err, " -config file request template file.\n"); - BIO_printf(bio_err, " -subj arg set or modify request subject\n"); - BIO_printf(bio_err, " -multivalue-rdn enable support for multivalued RDNs\n"); - BIO_printf(bio_err, " -new new request.\n"); - BIO_printf(bio_err, " -batch do not ask anything during request generation\n"); - BIO_printf(bio_err, " -x509 output a x509 structure instead of a cert. req.\n"); - BIO_printf(bio_err, " -days number of days a certificate generated by -x509 is valid for.\n"); - BIO_printf(bio_err, " -set_serial serial number to use for a certificate generated by -x509.\n"); - BIO_printf(bio_err, " -newhdr output \"NEW\" in the header lines\n"); - BIO_printf(bio_err, " -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n"); - BIO_printf(bio_err, " have been reported as requiring\n"); - BIO_printf(bio_err, " -extensions .. specify certificate extension section (override value in config file)\n"); - BIO_printf(bio_err, " -reqexts .. specify request extension section (override value in config file)\n"); - BIO_printf(bio_err, " -utf8 input characters are UTF8 (default ASCII)\n"); - BIO_printf(bio_err, " -nameopt arg - various certificate name options\n"); - BIO_printf(bio_err, " -reqopt arg - various request text options\n\n"); - goto end; + req_config.chtype = MBSTRING_ASC; + req_config.days = 30; + req_config.digest = EVP_sha256(); + req_config.newkey = -1; + req_config.informat = FORMAT_PEM; + req_config.keyform = FORMAT_PEM; + req_config.outformat = FORMAT_PEM; + + if (options_parse(argc, argv, req_options, NULL, NULL) != 0) { + req_usage(); + return (1); } - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + req_conf = NULL; + cipher = EVP_aes_256_cbc(); + + if (!app_passwd(bio_err, req_config.passargin, req_config.passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } - if (template != NULL) { + if (req_config.template != NULL) { long errline = -1; - if (verbose) - BIO_printf(bio_err, "Using configuration from %s\n", template); - req_conf = NCONF_new(NULL); - i = NCONF_load(req_conf, template, &errline); - if (i == 0) { - BIO_printf(bio_err, "error on line %ld of %s\n", errline, template); + if (req_config.verbose) + BIO_printf(bio_err, "Using configuration from %s\n", req_config.template); + if ((req_conf = NCONF_new(NULL)) == NULL) + goto end; + if(!NCONF_load(req_conf, req_config.template, &errline)) { + BIO_printf(bio_err, "error on line %ld of %s\n", errline, req_config.template); goto end; } } else { @@ -401,13 +621,28 @@ req_main(int argc, char **argv) if (req_conf == NULL) { BIO_printf(bio_err, "Unable to load config info from %s\n", default_config_file); - if (newreq) + if (req_config.newreq) goto end; - } else if (verbose) + } else if (req_config.verbose) BIO_printf(bio_err, "Using configuration from %s\n", default_config_file); } + if (req_config.addext_bio != NULL) { + long errline = -1; + if (req_config.verbose) + BIO_printf(bio_err, + "Using additional configuration from command line\n"); + if ((addext_conf = NCONF_new(NULL)) == NULL) + goto end; + if (!NCONF_load_bio(addext_conf, req_config.addext_bio, &errline)) { + BIO_printf(bio_err, + "req: Error on line %ld of config input\n", + errline); + goto end; + } + } + if (req_conf != NULL) { if (!load_config(bio_err, req_conf)) goto end; @@ -438,22 +673,33 @@ req_main(int argc, char **argv) ERR_clear_error(); if (p != NULL) { if ((md_alg = EVP_get_digestbyname(p)) != NULL) - digest = md_alg; + req_config.digest = md_alg; } } - if (!extensions) { - extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); - if (!extensions) + if (!req_config.extensions) { + req_config.extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); + if (!req_config.extensions) ERR_clear_error(); } - if (extensions) { + if (req_config.extensions) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); - if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { + if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_config.extensions, NULL)) { BIO_printf(bio_err, - "Error Loading extension section %s\n", extensions); + "Error Loading extension section %s\n", req_config.extensions); + goto end; + } + } + if (addext_conf != NULL) { + /* Check syntax of command line extensions */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, addext_conf); + if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { + BIO_printf(bio_err, + "Error Loading command line extensions\n"); goto end; } } @@ -475,27 +721,27 @@ req_main(int argc, char **argv) BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); goto end; } - if (chtype != MBSTRING_UTF8) { + if (req_config.chtype != MBSTRING_UTF8) { p = NCONF_get_string(req_conf, SECTION, UTF8_IN); if (!p) ERR_clear_error(); else if (!strcmp(p, "yes")) - chtype = MBSTRING_UTF8; + req_config.chtype = MBSTRING_UTF8; } - if (!req_exts) { - req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); - if (!req_exts) + if (!req_config.req_exts) { + req_config.req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); + if (!req_config.req_exts) ERR_clear_error(); } - if (req_exts) { + if (req_config.req_exts) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); - if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { + if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_config.req_exts, NULL)) { BIO_printf(bio_err, "Error Loading request extension section %s\n", - req_exts); + req_config.req_exts); goto end; } } @@ -504,8 +750,8 @@ req_main(int argc, char **argv) if ((in == NULL) || (out == NULL)) goto end; - if (keyfile != NULL) { - pkey = load_key(bio_err, keyfile, keyform, 0, passin, + if (req_config.keyfile != NULL) { + pkey = load_key(bio_err, req_config.keyfile, req_config.keyform, 0, passin, "Private Key"); if (!pkey) { /* @@ -515,31 +761,31 @@ req_main(int argc, char **argv) goto end; } } - if (newreq && (pkey == NULL)) { - if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) { - newkey = DEFAULT_KEY_LENGTH; + if (req_config.newreq && (pkey == NULL)) { + if (!NCONF_get_number(req_conf, SECTION, BITS, &req_config.newkey)) { + req_config.newkey = DEFAULT_KEY_LENGTH; } - if (keyalg) { - genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, + if (req_config.keyalg) { + genctx = set_keygen_ctx(bio_err, req_config.keyalg, &pkey_type, &req_config.newkey, &keyalgstr); if (!genctx) goto end; } - if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { + if (req_config.newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { BIO_printf(bio_err, "private key length is too short,\n"); - BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", MIN_KEY_LENGTH, newkey); + BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", MIN_KEY_LENGTH, req_config.newkey); goto end; } if (!genctx) { - genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey, + genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &req_config.newkey, &keyalgstr); if (!genctx) goto end; } - if (pkeyopts) { + if (req_config.pkeyopts) { char *genopt; - for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { - genopt = sk_OPENSSL_STRING_value(pkeyopts, i); + for (i = 0; i < sk_OPENSSL_STRING_num(req_config.pkeyopts); i++) { + genopt = sk_OPENSSL_STRING_value(req_config.pkeyopts, i); if (pkey_ctrl_string(genctx, genopt) <= 0) { BIO_printf(bio_err, "parameter error \"%s\"\n", @@ -550,7 +796,7 @@ req_main(int argc, char **argv) } } BIO_printf(bio_err, "Generating a %ld bit %s private key\n", - newkey, keyalgstr); + req_config.newkey, keyalgstr); EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); EVP_PKEY_CTX_set_app_data(genctx, bio_err); @@ -562,18 +808,18 @@ req_main(int argc, char **argv) EVP_PKEY_CTX_free(genctx); genctx = NULL; - if (keyout == NULL) { - keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); - if (keyout == NULL) + if (req_config.keyout == NULL) { + req_config.keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); + if (req_config.keyout == NULL) ERR_clear_error(); } - if (keyout == NULL) { + if (req_config.keyout == NULL) { BIO_printf(bio_err, "writing new private key to stdout\n"); BIO_set_fp(out, stdout, BIO_NOCLOSE); } else { - BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); - if (BIO_write_filename(out, keyout) <= 0) { - perror(keyout); + BIO_printf(bio_err, "writing new private key to '%s'\n", req_config.keyout); + if (BIO_write_filename(out, req_config.keyout) <= 0) { + perror(req_config.keyout); goto end; } } @@ -587,7 +833,7 @@ req_main(int argc, char **argv) } if ((p != NULL) && (strcmp(p, "no") == 0)) cipher = NULL; - if (nodes) + if (req_config.nodes) cipher = NULL; i = 0; @@ -604,24 +850,24 @@ req_main(int argc, char **argv) } BIO_printf(bio_err, "-----\n"); } - if (!newreq) { + if (!req_config.newreq) { /* * Since we are using a pre-existing certificate request, the * kludge 'format' info should not be changed. */ - kludge = -1; - if (infile == NULL) + req_config.kludge = -1; + if (req_config.infile == NULL) BIO_set_fp(in, stdin, BIO_NOCLOSE); else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); + if (BIO_read_filename(in, req_config.infile) <= 0) { + perror(req_config.infile); goto end; } } - if (informat == FORMAT_ASN1) + if (req_config.informat == FORMAT_ASN1) req = d2i_X509_REQ_bio(in, NULL); - else if (informat == FORMAT_PEM) + else if (req_config.informat == FORMAT_PEM) req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); else { BIO_printf(bio_err, "bad input format specified for X509 request\n"); @@ -632,7 +878,7 @@ req_main(int argc, char **argv) goto end; } } - if (newreq || x509) { + if (req_config.newreq || req_config.x509) { if (pkey == NULL) { BIO_printf(bio_err, "you need to specify a private key\n"); goto end; @@ -642,9 +888,9 @@ req_main(int argc, char **argv) if (req == NULL) { goto end; } - i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); - subj = NULL; /* done processing '-subj' option */ - if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) { + i = make_REQ(req, pkey, req_config.subj, req_config.multirdn, !req_config.x509, req_config.chtype); + req_config.subj = NULL; /* done processing '-subj' option */ + if ((req_config.kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) { sk_X509_ATTRIBUTE_free(req->req_info->attributes); req->req_info->attributes = NULL; } @@ -653,17 +899,18 @@ req_main(int argc, char **argv) goto end; } } - if (x509) { + if (req_config.x509) { EVP_PKEY *tmppkey; X509V3_CTX ext_ctx; if ((x509ss = X509_new()) == NULL) goto end; /* Set version to V3 */ - if (extensions && !X509_set_version(x509ss, 2)) + if ((req_config.extensions != NULL || addext_conf != NULL) && + !X509_set_version(x509ss, 2)) goto end; - if (serial) { - if (!X509_set_serialNumber(x509ss, serial)) + if (req_config.serial) { + if (!X509_set_serialNumber(x509ss, req_config.serial)) goto end; } else { if (!rand_serial(NULL, @@ -675,7 +922,7 @@ req_main(int argc, char **argv) goto end; if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0)) goto end; - if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) + if (!X509_time_adj_ex(X509_get_notAfter(x509ss), req_config.days, 0, NULL)) goto end; if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; @@ -690,14 +937,21 @@ req_main(int argc, char **argv) X509V3_set_nconf(&ext_ctx, req_conf); /* Add extensions */ - if (extensions && !X509V3_EXT_add_nconf(req_conf, - &ext_ctx, extensions, x509ss)) { + if (req_config.extensions && !X509V3_EXT_add_nconf(req_conf, + &ext_ctx, req_config.extensions, x509ss)) { BIO_printf(bio_err, "Error Loading extension section %s\n", - extensions); + req_config.extensions); goto end; } - i = do_X509_sign(bio_err, x509ss, pkey, digest, sigopts); + if (addext_conf != NULL && + !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, + "default", x509ss)) { + BIO_printf(bio_err, + "Error Loading command line extensions\n"); + goto end; + } + i = do_X509_sign(bio_err, x509ss, pkey, req_config.digest, req_config.sigopts); if (!i) { ERR_print_errors(bio_err); goto end; @@ -711,41 +965,48 @@ req_main(int argc, char **argv) X509V3_set_nconf(&ext_ctx, req_conf); /* Add extensions */ - if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf, - &ext_ctx, req_exts, req)) { + if (req_config.req_exts && !X509V3_EXT_REQ_add_nconf(req_conf, + &ext_ctx, req_config.req_exts, req)) { BIO_printf(bio_err, "Error Loading extension section %s\n", - req_exts); + req_config.req_exts); + goto end; + } + if (addext_conf != NULL && + !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, + "default", req)) { + BIO_printf(bio_err, + "Error Loading command line extensions\n"); goto end; } - i = do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts); + i = do_X509_REQ_sign(bio_err, req, pkey, req_config.digest, req_config.sigopts); if (!i) { ERR_print_errors(bio_err); goto end; } } } - if (subj && x509) { - BIO_printf(bio_err, "Cannot modifiy certificate subject\n"); + if (req_config.subj && req_config.x509) { + BIO_printf(bio_err, "Cannot modify certificate subject\n"); goto end; } - if (subj && !x509) { - if (verbose) { + if (req_config.subj && !req_config.x509) { + if (req_config.verbose) { BIO_printf(bio_err, "Modifying Request's Subject\n"); - print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag); + print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), req_config.nmflag); } - if (build_subject(req, subj, chtype, multirdn) == 0) { + if (build_subject(req, req_config.subj, req_config.chtype, req_config.multirdn) == 0) { BIO_printf(bio_err, "ERROR: cannot modify subject\n"); ex = 1; goto end; } req->req_info->enc.modified = 1; - if (verbose) { - print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag); + if (req_config.verbose) { + print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), req_config.nmflag); } } - if (verify && !x509) { + if (req_config.verify && !req_config.x509) { int tmp = 0; if (pkey == NULL) { @@ -767,24 +1028,24 @@ req_main(int argc, char **argv) } else /* if (i > 0) */ BIO_printf(bio_err, "verify OK\n"); } - if (noout && !text && !modulus && !subject && !pubkey) { + if (req_config.noout && !req_config.text && !req_config.modulus && !req_config.subject && !req_config.pubkey) { ex = 0; goto end; } - if (outfile == NULL) { + if (req_config.outfile == NULL) { BIO_set_fp(out, stdout, BIO_NOCLOSE); } else { - if ((keyout != NULL) && (strcmp(outfile, keyout) == 0)) - i = (int) BIO_append_filename(out, outfile); + if ((req_config.keyout != NULL) && (strcmp(req_config.outfile, req_config.keyout) == 0)) + i = (int) BIO_append_filename(out, req_config.outfile); else - i = (int) BIO_write_filename(out, outfile); + i = (int) BIO_write_filename(out, req_config.outfile); if (!i) { - perror(outfile); + perror(req_config.outfile); goto end; } } - if (pubkey) { + if (req_config.pubkey) { EVP_PKEY *tpubkey; tpubkey = X509_REQ_get_pubkey(req); if (tpubkey == NULL) { @@ -795,22 +1056,22 @@ req_main(int argc, char **argv) PEM_write_bio_PUBKEY(out, tpubkey); EVP_PKEY_free(tpubkey); } - if (text) { - if (x509) - X509_print_ex(out, x509ss, nmflag, reqflag); + if (req_config.text) { + if (req_config.x509) + X509_print_ex(out, x509ss, req_config.nmflag, req_config.reqflag); else - X509_REQ_print_ex(out, req, nmflag, reqflag); + X509_REQ_print_ex(out, req, req_config.nmflag, req_config.reqflag); } - if (subject) { - if (x509) - print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag); + if (req_config.subject) { + if (req_config.x509) + print_name(out, "subject=", X509_get_subject_name(x509ss), req_config.nmflag); else - print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag); + print_name(out, "subject=", X509_REQ_get_subject_name(req), req_config.nmflag); } - if (modulus) { + if (req_config.modulus) { EVP_PKEY *tpubkey; - if (x509) + if (req_config.x509) tpubkey = X509_get_pubkey(x509ss); else tpubkey = X509_REQ_get_pubkey(req); @@ -826,11 +1087,11 @@ req_main(int argc, char **argv) EVP_PKEY_free(tpubkey); fprintf(stdout, "\n"); } - if (!noout && !x509) { - if (outformat == FORMAT_ASN1) + if (!req_config.noout && !req_config.x509) { + if (req_config.outformat == FORMAT_ASN1) i = i2d_X509_REQ_bio(out, req); - else if (outformat == FORMAT_PEM) { - if (newhdr) + else if (req_config.outformat == FORMAT_PEM) { + if (req_config.newhdr) i = PEM_write_bio_X509_REQ_NEW(out, req); else i = PEM_write_bio_X509_REQ(out, req); @@ -843,10 +1104,10 @@ req_main(int argc, char **argv) goto end; } } - if (!noout && x509 && (x509ss != NULL)) { - if (outformat == FORMAT_ASN1) + if (!req_config.noout && req_config.x509 && (x509ss != NULL)) { + if (req_config.outformat == FORMAT_ASN1) i = i2d_X509_bio(out, x509ss); - else if (outformat == FORMAT_PEM) + else if (req_config.outformat == FORMAT_PEM) i = PEM_write_bio_X509(out, x509ss); else { BIO_printf(bio_err, "bad output format specified for outfile\n"); @@ -864,22 +1125,26 @@ req_main(int argc, char **argv) } if ((req_conf != NULL) && (req_conf != config)) NCONF_free(req_conf); + NCONF_free(addext_conf); + BIO_free(req_config.addext_bio); BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); if (genctx) EVP_PKEY_CTX_free(genctx); - if (pkeyopts) - sk_OPENSSL_STRING_free(pkeyopts); - if (sigopts) - sk_OPENSSL_STRING_free(sigopts); + if (req_config.pkeyopts) + sk_OPENSSL_STRING_free(req_config.pkeyopts); + if (req_config.sigopts) + sk_OPENSSL_STRING_free(req_config.sigopts); + lh_OPENSSL_STRING_doall(req_config.addexts, (LHASH_DOALL_FN_TYPE)exts_cleanup); + lh_OPENSSL_STRING_free(req_config.addexts); free(keyalgstr); X509_REQ_free(req); X509_free(x509ss); - ASN1_INTEGER_free(serial); - if (passargin && passin) + ASN1_INTEGER_free(req_config.serial); + if (req_config.passargin && passin) free(passin); - if (passargout && passout) + if (req_config.passargout && passout) free(passout); OBJ_cleanup(); @@ -985,7 +1250,7 @@ prompt_info(X509_REQ * req, X509_NAME *subj; subj = X509_REQ_get_subject_name(req); - if (!batch) { + if (!req_config.batch) { BIO_printf(bio_err, "You are about to be asked to enter information that will be incorporated\n"); BIO_printf(bio_err, "into your certificate request.\n"); BIO_printf(bio_err, "What you are about to enter is what is called a Distinguished Name or a DN.\n"); @@ -1079,7 +1344,7 @@ prompt_info(X509_REQ * req, } if (attribs) { if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && - (!batch)) { + (!req_config.batch)) { BIO_printf(bio_err, "\nPlease enter the following 'extra' attributes\n"); BIO_printf(bio_err, @@ -1215,7 +1480,7 @@ add_DN_object(X509_NAME * n, char *text, const char *def, char *value, int i, ret = 0; char buf[1024]; start: - if (!batch) + if (!req_config.batch) BIO_printf(bio_err, "%s [%s]:", text, def); (void) BIO_flush(bio_err); if (value != NULL) { @@ -1224,7 +1489,7 @@ add_DN_object(X509_NAME * n, char *text, const char *def, char *value, BIO_printf(bio_err, "%s\n", value); } else { buf[0] = '\0'; - if (!batch) { + if (!req_config.batch) { if (!fgets(buf, sizeof buf, stdin)) return 0; } else { @@ -1268,7 +1533,7 @@ add_attribute_object(X509_REQ * req, char *text, const char *def, static char buf[1024]; start: - if (!batch) + if (!req_config.batch) BIO_printf(bio_err, "%s [%s]:", text, def); (void) BIO_flush(bio_err); if (value != NULL) { @@ -1277,7 +1542,7 @@ add_attribute_object(X509_REQ * req, char *text, const char *def, BIO_printf(bio_err, "%s\n", value); } else { buf[0] = '\0'; - if (!batch) { + if (!req_config.batch) { if (!fgets(buf, sizeof buf, stdin)) return 0; } else { @@ -1558,3 +1823,62 @@ do_X509_CRL_sign(BIO * err, X509_CRL * x, EVP_PKEY * pkey, const EVP_MD * md, EVP_MD_CTX_cleanup(&mctx); return rv > 0 ? 1 : 0; } + +static unsigned long +ext_name_hash(const OPENSSL_STRING *a) +{ + return lh_strhash((const char *)a); +} + +static int +ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b) +{ + return strcmp((const char *)a, (const char *)b); +} + +static void +exts_cleanup(OPENSSL_STRING *x) +{ + free((char *)x); +} + +/* + * Is the |kv| key already duplicated ? This is remarkably tricky to get right. + * Return 0 if unique, -1 on runtime error; 1 if found or a syntax error. + */ +static int +duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) +{ + char *p; + size_t off; + + /* Check syntax. */ + /* Skip leading whitespace, make a copy. */ + while (*kv && isspace(*kv)) + if (*++kv == '\0') + return 1; + if ((p = strchr(kv, '=')) == NULL) + return 1; + off = p - kv; + if ((kv = strdup(kv)) == NULL) + return -1; + + /* Skip trailing space before the equal sign. */ + for (p = kv + off; p > kv; --p) + if (!isspace(p[-1])) + break; + if (p == kv) { + free(kv); + return 1; + } + *p = '\0'; + + /* See if "key" is there by attempting to add it. */ + if ((p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv)) + != NULL || lh_OPENSSL_STRING_error(addexts)) { + free(p != NULL ? p : kv); + return -1; + } + + return 0; +} diff --git a/apps/openssl/s_cb.c b/apps/openssl/s_cb.c index ec25515b..3a0c89bb 100644 --- a/apps/openssl/s_cb.c +++ b/apps/openssl/s_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_cb.c,v 1.11 2018/11/06 05:45:50 jsing Exp $ */ +/* $OpenBSD: s_cb.c,v 1.15 2021/04/02 10:19:19 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -390,6 +390,7 @@ msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, str_write_p = write_p ? ">>>" : "<<<"; + /* XXX convert to using ssl_get_version */ switch (version) { case SSL2_VERSION: str_version = "SSL 2.0"; @@ -406,9 +407,15 @@ msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, case TLS1_2_VERSION: str_version = "TLS 1.2 "; break; + case TLS1_3_VERSION: + str_version = "TLS 1.3 "; + break; case DTLS1_VERSION: str_version = "DTLS 1.0 "; break; + case DTLS1_2_VERSION: + str_version = "DTLS 1.2 "; + break; default: str_version = "???"; } @@ -417,6 +424,7 @@ msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, str_details1 = "???"; if (len > 0) { + /* XXX magic numbers */ switch (((const unsigned char *) buf)[0]) { case 0: str_details1 = ", ERROR:"; @@ -469,7 +477,9 @@ msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, } if (version == SSL3_VERSION || version == TLS1_VERSION || version == TLS1_1_VERSION || version == TLS1_2_VERSION || - version == DTLS1_VERSION) { + version == TLS1_3_VERSION || version == DTLS1_VERSION || + version == DTLS1_2_VERSION) { + /* XXX magic numbers are in ssl3.h */ switch (content_type) { case 20: str_content_type = "ChangeCipherSpec"; @@ -604,6 +614,15 @@ msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, case 3: str_details1 = ", HelloVerifyRequest"; break; + case 4: + str_details1 = ", NewSessionTicket"; + break; + case 5: + str_details1 = ", EndOfEarlyData"; + break; + case 8: + str_details1 = ", EncryptedExtensions"; + break; case 11: str_details1 = ", Certificate"; break; @@ -625,6 +644,9 @@ msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, case 20: str_details1 = ", Finished"; break; + case 24: + str_details1 = ", KeyUpdate"; + break; } } } @@ -724,20 +746,62 @@ tlsext_cb(SSL * s, int client_server, int type, unsigned char *data, int len, extname = "heartbeat"; break; + case TLSEXT_TYPE_application_layer_protocol_negotiation: + extname = "application layer protocol negotiation"; + break; + + case TLSEXT_TYPE_padding: + extname = "TLS padding"; + break; + case TLSEXT_TYPE_session_ticket: extname = "session ticket"; break; - case TLSEXT_TYPE_renegotiate: - extname = "renegotiation info"; +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) + case TLSEXT_TYPE_pre_shared_key: + extname = "pre shared key"; break; - case TLSEXT_TYPE_application_layer_protocol_negotiation: - extname = "application layer protocol negotiation"; + case TLSEXT_TYPE_early_data: + extname = "early data"; break; - case TLSEXT_TYPE_padding: - extname = "TLS padding"; + case TLSEXT_TYPE_supported_versions: + extname = "supported versions"; + break; + + case TLSEXT_TYPE_cookie: + extname = "cookie"; + break; + + case TLSEXT_TYPE_psk_key_exchange_modes: + extname = "PSK key exchange modes"; + break; + + case TLSEXT_TYPE_certificate_authorities: + extname = "certificate authorities"; + break; + + case TLSEXT_TYPE_oid_filters: + extname = "OID filters"; + break; + + case TLSEXT_TYPE_post_handshake_auth: + extname = "post handshake auth"; + break; + + case TLSEXT_TYPE_signature_algorithms_cert: + extname = "signature algorithms cert"; + break; + + case TLSEXT_TYPE_key_share: + extname = "key share"; + break; +#endif + + case TLSEXT_TYPE_renegotiate: + extname = "renegotiation info"; break; default: diff --git a/apps/openssl/s_client.c b/apps/openssl/s_client.c index 23bf67e6..df35ffbc 100644 --- a/apps/openssl/s_client.c +++ b/apps/openssl/s_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_client.c,v 1.38 2019/06/28 13:35:02 deraadt Exp $ */ +/* $OpenBSD: s_client.c,v 1.54 2021/03/17 18:11:01 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,168 +170,746 @@ #define BUFSIZZ 1024*8 -static int c_nbio = 0; -static int c_Pause = 0; -static int c_debug = 0; -static int c_tlsextdebug = 0; -static int c_status_req = 0; -static int c_msg = 0; -static int c_showcerts = 0; +static void sc_usage(void); +static void print_stuff(BIO *berr, SSL *con, int full); +static int ocsp_resp_cb(SSL *s, void *arg); +static int ssl_servername_cb(SSL *s, int *ad, void *arg); -static char *keymatexportlabel = NULL; -static int keymatexportlen = 20; +enum { + PROTO_OFF = 0, + PROTO_SMTP, + PROTO_LMTP, + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP, + PROTO_XMPP, +}; -static void sc_usage(void); -static void print_stuff(BIO * berr, SSL * con, int full); -static int ocsp_resp_cb(SSL * s, void *arg); -static BIO *bio_c_out = NULL; -static int c_quiet = 0; -static int c_ign_eof = 0; +/* This is a context that we pass to callbacks */ +typedef struct tlsextctx_st { + BIO *biodebug; + int ack; +} tlsextctx; +static struct { + int af; + char *alpn_in; + int bugs; + char *CAfile; + char *CApath; + char *cert_file; + int cert_format; + char *cipher; + unsigned int clr; + char *connect; + int crlf; + int debug; + int enable_timeouts; + const char *errstr; + char *groups_in; + char *host; + int ign_eof; + char *key_file; + int key_format; + char *keymatexportlabel; + int keymatexportlen; + uint16_t max_version; + uint16_t min_version; + const SSL_METHOD *meth; + int msg; + int nbio; + int nbio_test; + char *npn_in; + unsigned int off; + char *passarg; + int pause; + int peekaboo; + char *port; + int prexit; + char *proxy; + int quiet; + int reconnect; + char *servername; + char *sess_in; + char *sess_out; + int showcerts; + int socket_type; + long socket_mtu; +#ifndef OPENSSL_NO_SRTP + char *srtp_profiles; +#endif + int starttls_proto; + int state; + int status_req; + int tlsextdebug; + int verify; + X509_VERIFY_PARAM *vpm; + char *xmpphost; +} s_client_config; -static void -sc_usage(void) +static int +s_client_opt_keymatexportlen(char *arg) { - BIO_printf(bio_err, "usage: s_client args\n"); - BIO_printf(bio_err, "\n"); - BIO_printf(bio_err, " -4 - Force IPv4\n"); - BIO_printf(bio_err, " -6 - Force IPv6\n"); - BIO_printf(bio_err, " -host host - use -connect instead\n"); - BIO_printf(bio_err, " -port port - use -connect instead\n"); - BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR); - BIO_printf(bio_err, " -proxy host:port - connect to http proxy\n"); - - BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n"); - BIO_printf(bio_err, " -cert arg - certificate file to use, PEM format assumed\n"); - BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, " -key arg - Private key file to use, in cert file if\n"); - BIO_printf(bio_err, " not specified but cert file is.\n"); - BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n"); - BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); - BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); - BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); - BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n"); - BIO_printf(bio_err, " -showcerts - show all certificates in the chain\n"); - BIO_printf(bio_err, " -debug - extra output\n"); - BIO_printf(bio_err, " -msg - Show protocol messages\n"); - BIO_printf(bio_err, " -nbio_test - more ssl protocol testing\n"); - BIO_printf(bio_err, " -state - print the 'ssl' states\n"); - BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); - BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); - BIO_printf(bio_err, " -quiet - no s_client output\n"); - BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n"); - BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); - BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); - BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); - BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); - BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); - BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); - BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n"); - BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); - BIO_printf(bio_err, " command to see what is available\n"); - BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n"); - BIO_printf(bio_err, " for those protocols that support it, where\n"); - BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); - BIO_printf(bio_err, " are supported.\n"); - BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n"); - BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n"); - BIO_printf(bio_err, " -sess_in arg - file to read SSL session from\n"); - BIO_printf(bio_err, " -servername host - Set TLS extension servername in ClientHello\n"); - BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err, " -status - request certificate status from server\n"); - BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); - BIO_printf(bio_err, " -groups arg - specify EC curve groups (colon-separated list)\n"); -#ifndef OPENSSL_NO_SRTP - BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); + s_client_config.keymatexportlen = strtonum(arg, 1, INT_MAX, + &s_client_config.errstr); + if (s_client_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_client_config.errstr); + return (1); + } + return (0); +} + +#ifndef OPENSSL_NO_DTLS +static int +s_client_opt_mtu(char *arg) +{ + s_client_config.socket_mtu = strtonum(arg, 0, LONG_MAX, + &s_client_config.errstr); + if (s_client_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_client_config.errstr); + return (1); + } + return (0); +} #endif - BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n"); - BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); + +static int +s_client_opt_port(char *arg) +{ + if (*arg == '\0') + return (1); + + s_client_config.port = arg; + return (0); } +#ifndef OPENSSL_NO_DTLS +static int +s_client_opt_protocol_version_dtls(void) +{ + s_client_config.meth = DTLS_client_method(); + s_client_config.socket_type = SOCK_DGRAM; + return (0); +} +#endif -/* This is a context that we pass to callbacks */ -typedef struct tlsextctx_st { - BIO *biodebug; - int ack; -} tlsextctx; +#ifndef OPENSSL_NO_DTLS1 +static int +s_client_opt_protocol_version_dtls1(void) +{ + s_client_config.meth = DTLS_client_method(); + s_client_config.min_version = DTLS1_VERSION; + s_client_config.max_version = DTLS1_VERSION; + s_client_config.socket_type = SOCK_DGRAM; + return (0); +} +#endif +#ifndef OPENSSL_NO_DTLS1_2 +static int +s_client_opt_protocol_version_dtls1_2(void) +{ + s_client_config.meth = DTLS_client_method(); + s_client_config.min_version = DTLS1_2_VERSION; + s_client_config.max_version = DTLS1_2_VERSION; + s_client_config.socket_type = SOCK_DGRAM; + return (0); +} +#endif static int -ssl_servername_cb(SSL * s, int *ad, void *arg) +s_client_opt_protocol_version_tls1(void) { - tlsextctx *p = (tlsextctx *) arg; - const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); - if (SSL_get_servername_type(s) != -1) - p->ack = !SSL_session_reused(s) && hn != NULL; + s_client_config.min_version = TLS1_VERSION; + s_client_config.max_version = TLS1_VERSION; + return (0); +} + +static int +s_client_opt_protocol_version_tls1_1(void) +{ + s_client_config.min_version = TLS1_1_VERSION; + s_client_config.max_version = TLS1_1_VERSION; + return (0); +} + +static int +s_client_opt_protocol_version_tls1_2(void) +{ + s_client_config.min_version = TLS1_2_VERSION; + s_client_config.max_version = TLS1_2_VERSION; + return (0); +} + +static int +s_client_opt_protocol_version_tls1_3(void) +{ + s_client_config.min_version = TLS1_3_VERSION; + s_client_config.max_version = TLS1_3_VERSION; + return (0); +} + +static int +s_client_opt_quiet(void) +{ + s_client_config.quiet = 1; + s_client_config.ign_eof = 1; + return (0); +} + +static int +s_client_opt_starttls(char *arg) +{ + if (strcmp(arg, "smtp") == 0) + s_client_config.starttls_proto = PROTO_SMTP; + else if (strcmp(arg, "lmtp") == 0) + s_client_config.starttls_proto = PROTO_LMTP; + else if (strcmp(arg, "pop3") == 0) + s_client_config.starttls_proto = PROTO_POP3; + else if (strcmp(arg, "imap") == 0) + s_client_config.starttls_proto = PROTO_IMAP; + else if (strcmp(arg, "ftp") == 0) + s_client_config.starttls_proto = PROTO_FTP; + else if (strcmp(arg, "xmpp") == 0) + s_client_config.starttls_proto = PROTO_XMPP; else - BIO_printf(bio_err, "Can't use SSL_get_servername\n"); + return (1); + return (0); +} - return SSL_TLSEXT_ERR_OK; +static int +s_client_opt_verify(char *arg) +{ + s_client_config.verify = SSL_VERIFY_PEER; + + verify_depth = strtonum(arg, 0, INT_MAX, &s_client_config.errstr); + if (s_client_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_client_config.errstr); + return (1); + } + BIO_printf(bio_err, "verify depth is %d\n", verify_depth); + return (0); } +static int +s_client_opt_verify_param(int argc, char **argv, int *argsused) +{ + char **pargs = argv; + int pargc = argc; + int badarg = 0; + + if (!args_verify(&pargs, &pargc, &badarg, bio_err, + &s_client_config.vpm)) { + BIO_printf(bio_err, "unknown option %s\n", *argv); + return (1); + } + if (badarg) + return (1); + + *argsused = argc - pargc; + return (0); +} + +static const struct option s_client_options[] = { + { + .name = "4", + .desc = "Use IPv4 only", + .type = OPTION_VALUE, + .opt.value = &s_client_config.af, + .value = AF_INET, + }, + { + .name = "6", + .desc = "Use IPv6 only", + .type = OPTION_VALUE, + .opt.value = &s_client_config.af, + .value = AF_INET6, + }, + { + .name = "alpn", + .argname = "protocols", + .desc = "Set the advertised protocols for ALPN" + " (comma-separated list)", + .type = OPTION_ARG, + .opt.arg = &s_client_config.alpn_in, + }, + { + .name = "bugs", + .desc = "Enable various workarounds for buggy implementations", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.bugs, + }, + { + .name = "CAfile", + .argname = "file", + .desc = "PEM format file of CA certificates", + .type = OPTION_ARG, + .opt.arg = &s_client_config.CAfile, + }, + { + .name = "CApath", + .argname = "directory", + .desc = "PEM format directory of CA certificates", + .type = OPTION_ARG, + .opt.arg = &s_client_config.CApath, + }, + { + .name = "cert", + .argname = "file", + .desc = "Certificate file to use, PEM format assumed", + .type = OPTION_ARG, + .opt.arg = &s_client_config.cert_file, + }, + { + .name = "certform", + .argname = "fmt", + .desc = "Certificate format (PEM or DER) PEM default", + .type = OPTION_ARG_FORMAT, + .opt.value = &s_client_config.cert_format, + }, + { + .name = "cipher", + .argname = "cipherlist", + .desc = "Preferred cipher to use (see 'openssl ciphers')", + .type = OPTION_ARG, + .opt.arg = &s_client_config.cipher, + }, + { + .name = "connect", + .argname = "host:port", + .desc = "Who to connect to (default is localhost:4433)", + .type = OPTION_ARG, + .opt.arg = &s_client_config.connect, + }, + { + .name = "crlf", + .desc = "Convert LF from terminal into CRLF", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.crlf, + }, + { + .name = "debug", + .desc = "Print extensive debugging information", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.debug, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "dtls", + .desc = "Use any version of DTLS", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_dtls, + }, +#endif +#ifndef OPENSSL_NO_DTLS1 + { + .name = "dtls1", + .desc = "Just use DTLSv1", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_dtls1, + }, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + { + .name = "dtls1_2", + .desc = "Just use DTLSv1.2", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_dtls1_2, + }, +#endif + { + .name = "groups", + .argname = "list", + .desc = "Specify EC groups (colon-separated list)", + .type = OPTION_ARG, + .opt.arg = &s_client_config.groups_in, + }, + { + .name = "host", + .argname = "host", + .desc = "Use -connect instead", + .type = OPTION_ARG, + .opt.arg = &s_client_config.host, + }, + { + .name = "ign_eof", + .desc = "Ignore input EOF (default when -quiet)", + .type = OPTION_VALUE, + .opt.value = &s_client_config.ign_eof, + .value = 1, + }, + { + .name = "key", + .argname = "file", + .desc = "Private key file to use, if not, -cert file is used", + .type = OPTION_ARG, + .opt.arg = &s_client_config.key_file, + }, + { + .name = "keyform", + .argname = "fmt", + .desc = "Key format (PEM or DER) PEM default", + .type = OPTION_ARG_FORMAT, + .opt.value = &s_client_config.key_format, + }, + { + .name = "keymatexport", + .argname = "label", + .desc = "Export keying material using label", + .type = OPTION_ARG, + .opt.arg = &s_client_config.keymatexportlabel, + }, + { + .name = "keymatexportlen", + .argname = "len", + .desc = "Export len bytes of keying material (default 20)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_client_opt_keymatexportlen, + }, + { + .name = "legacy_renegotiation", + .type = OPTION_DISCARD, + }, + { + .name = "legacy_server_connect", + .desc = "Allow initial connection to servers that don't support RI", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_LEGACY_SERVER_CONNECT, + }, + { + .name = "msg", + .desc = "Show all protocol messages with hex dump", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.msg, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "mtu", + .argname = "mtu", + .desc = "Set the link layer MTU on DTLS connections", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_client_opt_mtu, + }, +#endif + { + .name = "nbio", + .desc = "Turn on non-blocking I/O", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.nbio, + }, + { + .name = "nbio_test", + .desc = "Test non-blocking I/O", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.nbio_test, + }, + { + .name = "nextprotoneg", + .argname = "protocols", + .type = OPTION_ARG, + .opt.arg = &s_client_config.npn_in, /* Ignored. */ + }, + { + .name = "no_comp", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_COMPRESSION, + }, + { + .name = "no_ign_eof", + .desc = "Don't ignore input EOF", + .type = OPTION_VALUE, + .opt.value = &s_client_config.ign_eof, + .value = 0, + }, + { + .name = "no_legacy_server_connect", + .desc = "Disallow initial connection to servers that don't support RI", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.clr, + .value = SSL_OP_LEGACY_SERVER_CONNECT, + }, + { + .name = "no_ssl2", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_SSLv2, + }, + { + .name = "no_ssl3", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_SSLv3, + }, + { + .name = "no_ticket", + .desc = "Disable use of RFC4507 session ticket support", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_TICKET, + }, + { + .name = "no_tls1", + .desc = "Disable the use of TLSv1", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_TLSv1, + }, + { + .name = "no_tls1_1", + .desc = "Disable the use of TLSv1.1", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_TLSv1_1, + }, + { + .name = "no_tls1_2", + .desc = "Disable the use of TLSv1.2", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_TLSv1_2, + }, + { + .name = "no_tls1_3", + .desc = "Disable the use of TLSv1.3", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_NO_TLSv1_3, + }, + { + .name = "pass", + .argname = "arg", + .desc = "Private key file pass phrase source", + .type = OPTION_ARG, + .opt.arg = &s_client_config.passarg, + }, + { + .name = "pause", + .desc = "Pause 1 second between each read and write call", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.pause, + }, + { + .name = "peekaboo", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.peekaboo, + }, + { + .name = "port", + .argname = "port", + .desc = "Use -connect instead", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_client_opt_port, + }, + { + .name = "prexit", + .desc = "Print session information when the program exits", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.prexit, + }, + { + .name = "proxy", + .argname = "host:port", + .desc = "Connect to http proxy", + .type = OPTION_ARG, + .opt.arg = &s_client_config.proxy, + }, + { + .name = "quiet", + .desc = "Inhibit printing of session and certificate info", + .type = OPTION_FUNC, + .opt.func = s_client_opt_quiet, + }, + { + .name = "reconnect", + .desc = "Drop and re-make the connection with the same Session-ID", + .type = OPTION_VALUE, + .opt.value = &s_client_config.reconnect, + .value = 5, + }, + { + .name = "servername", + .argname = "name", + .desc = "Set TLS extension servername in ClientHello (SNI)", + .type = OPTION_ARG, + .opt.arg = &s_client_config.servername, + }, + { + .name = "serverpref", + .desc = "Use server's cipher preferences", + .type = OPTION_VALUE_OR, + .opt.value = &s_client_config.off, + .value = SSL_OP_CIPHER_SERVER_PREFERENCE, + }, + { + .name = "sess_in", + .argname = "file", + .desc = "File to read TLS session from", + .type = OPTION_ARG, + .opt.arg = &s_client_config.sess_in, + }, + { + .name = "sess_out", + .argname = "file", + .desc = "File to write TLS session to", + .type = OPTION_ARG, + .opt.arg = &s_client_config.sess_out, + }, + { + .name = "showcerts", + .desc = "Show all server certificates in the chain", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.showcerts, + }, + { + .name = "starttls", + .argname = "protocol", + .desc = "Use the STARTTLS command before starting TLS,\n" + "smtp, lmtp, pop3, imap, ftp and xmpp are supported.", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_client_opt_starttls, + }, + { + .name = "state", + .desc = "Print the TLS session states", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.state, + }, + { + .name = "status", + .desc = "Send a certificate status request to the server (OCSP)", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.status_req, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "timeout", + .desc = "Enable send/receive timeout on DTLS connections", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.enable_timeouts, + }, +#endif + { + .name = "tls1", + .desc = "Just use TLSv1", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_tls1, + }, + { + .name = "tls1_1", + .desc = "Just use TLSv1.1", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_tls1_1, + }, + { + .name = "tls1_2", + .desc = "Just use TLSv1.2", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_tls1_2, + }, + { + .name = "tls1_3", + .desc = "Just use TLSv1.3", + .type = OPTION_FUNC, + .opt.func = s_client_opt_protocol_version_tls1_3, + }, + { + .name = "tlsextdebug", + .desc = "Hex dump of all TLS extensions received", + .type = OPTION_FLAG, + .opt.flag = &s_client_config.tlsextdebug, + }, #ifndef OPENSSL_NO_SRTP -char *srtp_profiles = NULL; + { + .name = "use_srtp", + .argname = "profiles", + .desc = "Offer SRTP key management with a colon-separated profiles", + .type = OPTION_ARG, + .opt.arg = &s_client_config.srtp_profiles, + }, #endif - -enum { - PROTO_OFF = 0, - PROTO_SMTP, - PROTO_LMTP, - PROTO_POP3, - PROTO_IMAP, - PROTO_FTP, - PROTO_XMPP + { + .name = "verify", + .argname = "depth", + .desc = "Turn on peer certificate verification, with a max of depth", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_client_opt_verify, + }, + { + .name = "verify_return_error", + .desc = "Return verification error", + .type = OPTION_FLAG, + .opt.flag = &verify_return_error, + }, + { + .name = "xmpphost", + .argname = "host", + .desc = "Connect to this virtual host on the xmpp server", + .type = OPTION_ARG, + .opt.arg = &s_client_config.xmpphost, + }, + { + .name = NULL, + .desc = "", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = s_client_opt_verify_param, + }, + { NULL }, }; +static void +sc_usage(void) +{ + fprintf(stderr, "usage: s_client " + "[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n" + " [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n" + " [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n" + " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n" + " [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n" + " [-issuer_checks] [-key keyfile] [-keyform der | pem]\n" + " [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n" + " [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n" + " [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n" + " [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n" + " [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n" + " [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n" + " [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n" + " [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n" + " [-use_srtp profiles] [-verify depth] [-verify_return_error]\n" + " [-x509_strict] [-xmpphost host]\n"); + fprintf(stderr, "\n"); + options_usage(s_client_options); + fprintf(stderr, "\n"); +} + int s_client_main(int argc, char **argv) { - unsigned int off = 0, clr = 0; SSL *con = NULL; - int s, k, state = 0, af = AF_UNSPEC; - char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL; + int s, k, p = 0, pending = 0; + char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL, *pbuf = NULL; int cbuf_len, cbuf_off; int sbuf_len, sbuf_off; - char *port = PORT_STR; + int pbuf_len, pbuf_off; int full_log = 1; - char *host = SSL_HOST_NAME; - char *xmpphost = NULL; - char *proxy = NULL, *connect = NULL; - char *cert_file = NULL, *key_file = NULL; - int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; - char *passarg = NULL, *pass = NULL; + char *pass = NULL; X509 *cert = NULL; EVP_PKEY *key = NULL; - char *CApath = NULL, *CAfile = NULL, *cipher = NULL; - int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0; - int crlf = 0; + int badop = 0; int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; SSL_CTX *ctx = NULL; - int ret = 1, in_init = 1, i, nbio_test = 0; - int starttls_proto = PROTO_OFF; - int prexit = 0; - X509_VERIFY_PARAM *vpm = NULL; - int badarg = 0; - const SSL_METHOD *meth = NULL; - int socket_type = SOCK_STREAM; + int ret = 1, in_init = 1, i; + BIO *bio_c_out = NULL; BIO *sbio; int mbuf_len = 0; struct timeval timeout; - const char *errstr = NULL; - char *servername = NULL; tlsextctx tlsextcbp = {NULL, 0}; - const char *alpn_in = NULL; - const char *groups_in = NULL; - char *sess_in = NULL; - char *sess_out = NULL; - struct sockaddr peer; + struct sockaddr_storage peer; int peerlen = sizeof(peer); - int enable_timeouts = 0; - long socket_mtu = 0; if (single_execution) { if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) { @@ -340,286 +918,70 @@ s_client_main(int argc, char **argv) } } - meth = SSLv23_client_method(); - - c_Pause = 0; - c_quiet = 0; - c_ign_eof = 0; - c_debug = 0; - c_msg = 0; - c_showcerts = 0; + memset(&s_client_config, 0, sizeof(s_client_config)); + s_client_config.af = AF_UNSPEC; + s_client_config.cert_format = FORMAT_PEM; + s_client_config.host = SSL_HOST_NAME; + s_client_config.key_format = FORMAT_PEM; + s_client_config.keymatexportlen = 20; + s_client_config.meth = TLS_client_method(); + s_client_config.port = PORT_STR; + s_client_config.socket_type = SOCK_STREAM; + s_client_config.starttls_proto = PROTO_OFF; + s_client_config.verify = SSL_VERIFY_NONE; if (((cbuf = malloc(BUFSIZZ)) == NULL) || ((sbuf = malloc(BUFSIZZ)) == NULL) || + ((pbuf = malloc(BUFSIZZ)) == NULL) || ((mbuf = malloc(BUFSIZZ + 1)) == NULL)) { /* NUL byte */ BIO_printf(bio_err, "out of memory\n"); goto end; } verify_depth = 0; - c_nbio = 0; - - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-host") == 0) { - if (--argc < 1) - goto bad; - host = *(++argv); - } else if (strcmp(*argv, "-port") == 0) { - if (--argc < 1) - goto bad; - port = *(++argv); - if (port == NULL || *port == '\0') - goto bad; - } else if (strcmp(*argv, "-connect") == 0) { - if (--argc < 1) - goto bad; - connect = *(++argv); - } else if (strcmp(*argv, "-proxy") == 0) { - if (--argc < 1) - goto bad; - proxy = *(++argv); - } else if (strcmp(*argv,"-xmpphost") == 0) { - if (--argc < 1) - goto bad; - xmpphost= *(++argv); - } else if (strcmp(*argv, "-verify") == 0) { - verify = SSL_VERIFY_PEER; - if (--argc < 1) - goto bad; - verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr); - if (errstr) - goto bad; - BIO_printf(bio_err, "verify depth is %d\n", verify_depth); - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - cert_file = *(++argv); - } else if (strcmp(*argv, "-sess_out") == 0) { - if (--argc < 1) - goto bad; - sess_out = *(++argv); - } else if (strcmp(*argv, "-sess_in") == 0) { - if (--argc < 1) - goto bad; - sess_in = *(++argv); - } else if (strcmp(*argv, "-certform") == 0) { - if (--argc < 1) - goto bad; - cert_format = str2fmt(*(++argv)); - } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - if (badarg) - goto bad; - continue; - } else if (strcmp(*argv, "-verify_return_error") == 0) - verify_return_error = 1; - else if (strcmp(*argv, "-prexit") == 0) - prexit = 1; - else if (strcmp(*argv, "-crlf") == 0) - crlf = 1; - else if (strcmp(*argv, "-quiet") == 0) { - c_quiet = 1; - c_ign_eof = 1; - } else if (strcmp(*argv, "-ign_eof") == 0) - c_ign_eof = 1; - else if (strcmp(*argv, "-no_ign_eof") == 0) - c_ign_eof = 0; - else if (strcmp(*argv, "-pause") == 0) - c_Pause = 1; - else if (strcmp(*argv, "-debug") == 0) - c_debug = 1; - else if (strcmp(*argv, "-tlsextdebug") == 0) - c_tlsextdebug = 1; - else if (strcmp(*argv, "-status") == 0) - c_status_req = 1; - else if (strcmp(*argv, "-msg") == 0) - c_msg = 1; - else if (strcmp(*argv, "-showcerts") == 0) - c_showcerts = 1; - else if (strcmp(*argv, "-nbio_test") == 0) - nbio_test = 1; - else if (strcmp(*argv, "-state") == 0) - state = 1; - else if (strcmp(*argv, "-tls1_2") == 0) - meth = TLSv1_2_client_method(); - else if (strcmp(*argv, "-tls1_1") == 0) - meth = TLSv1_1_client_method(); - else if (strcmp(*argv, "-tls1") == 0) - meth = TLSv1_client_method(); -#ifndef OPENSSL_NO_DTLS1 - else if (strcmp(*argv, "-dtls1") == 0) { - meth = DTLSv1_client_method(); - socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-timeout") == 0) - enable_timeouts = 1; - else if (strcmp(*argv, "-mtu") == 0) { - if (--argc < 1) - goto bad; - socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr); - if (errstr) - goto bad; - } -#endif - else if (strcmp(*argv, "-bugs") == 0) - bugs = 1; - else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - key_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-pass") == 0) { - if (--argc < 1) - goto bad; - passarg = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - key_file = *(++argv); - } else if (strcmp(*argv, "-reconnect") == 0) { - reconnect = 5; - } else if (strcmp(*argv, "-CApath") == 0) { - if (--argc < 1) - goto bad; - CApath = *(++argv); - } else if (strcmp(*argv, "-CAfile") == 0) { - if (--argc < 1) - goto bad; - CAfile = *(++argv); - } else if (strcmp(*argv, "-no_tls1_2") == 0) - off |= SSL_OP_NO_TLSv1_2; - else if (strcmp(*argv, "-no_tls1_1") == 0) - off |= SSL_OP_NO_TLSv1_1; - else if (strcmp(*argv, "-no_tls1") == 0) - off |= SSL_OP_NO_TLSv1; - else if (strcmp(*argv, "-no_ssl3") == 0) - off |= SSL_OP_NO_SSLv3; - else if (strcmp(*argv, "-no_ssl2") == 0) - off |= SSL_OP_NO_SSLv2; - else if (strcmp(*argv, "-no_comp") == 0) { - off |= SSL_OP_NO_COMPRESSION; - } else if (strcmp(*argv, "-no_ticket") == 0) { - off |= SSL_OP_NO_TICKET; - } else if (strcmp(*argv, "-nextprotoneg") == 0) { - /* Ignored. */ - if (--argc < 1) - goto bad; - ++argv; - } else if (strcmp(*argv, "-alpn") == 0) { - if (--argc < 1) - goto bad; - alpn_in = *(++argv); - } else if (strcmp(*argv, "-groups") == 0) { - if (--argc < 1) - goto bad; - groups_in = *(++argv); - } else if (strcmp(*argv, "-serverpref") == 0) - off |= SSL_OP_CIPHER_SERVER_PREFERENCE; - else if (strcmp(*argv, "-legacy_renegotiation") == 0) - ; /* no-op */ - else if (strcmp(*argv, "-legacy_server_connect") == 0) { - off |= SSL_OP_LEGACY_SERVER_CONNECT; - } else if (strcmp(*argv, "-no_legacy_server_connect") == 0) { - clr |= SSL_OP_LEGACY_SERVER_CONNECT; - } else if (strcmp(*argv, "-cipher") == 0) { - if (--argc < 1) - goto bad; - cipher = *(++argv); - } - else if (strcmp(*argv, "-nbio") == 0) { - c_nbio = 1; - } - else if (strcmp(*argv, "-starttls") == 0) { - if (--argc < 1) - goto bad; - ++argv; - if (strcmp(*argv, "smtp") == 0) - starttls_proto = PROTO_SMTP; - else if (strcmp(*argv, "lmtp") == 0) - starttls_proto = PROTO_LMTP; - else if (strcmp(*argv, "pop3") == 0) - starttls_proto = PROTO_POP3; - else if (strcmp(*argv, "imap") == 0) - starttls_proto = PROTO_IMAP; - else if (strcmp(*argv, "ftp") == 0) - starttls_proto = PROTO_FTP; - else if (strcmp(*argv, "xmpp") == 0) - starttls_proto = PROTO_XMPP; - else - goto bad; - } - else if (strcmp(*argv, "-4") == 0) { - af = AF_INET; - } else if (strcmp(*argv, "-6") == 0) { - af = AF_INET6; - } - else if (strcmp(*argv, "-servername") == 0) { - if (--argc < 1) - goto bad; - servername = *(++argv); - /* meth=TLSv1_client_method(); */ - } -#ifndef OPENSSL_NO_SRTP - else if (strcmp(*argv, "-use_srtp") == 0) { - if (--argc < 1) - goto bad; - srtp_profiles = *(++argv); - } -#endif - else if (strcmp(*argv, "-keymatexport") == 0) { - if (--argc < 1) - goto bad; - keymatexportlabel = *(++argv); - } else if (strcmp(*argv, "-keymatexportlen") == 0) { - if (--argc < 1) - goto bad; - keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr); - if (errstr) - goto bad; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badop = 1; - break; - } - argc--; - argv++; + + if (options_parse(argc, argv, s_client_options, NULL, NULL) != 0) { + badop = 1; + goto bad; } - if (proxy != NULL) { - if (!extract_host_port(proxy, &host, NULL, &port)) + if (s_client_config.proxy != NULL) { + if (!extract_host_port(s_client_config.proxy, + &s_client_config.host, NULL, &s_client_config.port)) goto bad; - if (connect == NULL) - connect = SSL_HOST_NAME; - } else if (connect != NULL) { - if (!extract_host_port(connect, &host, NULL, &port)) + if (s_client_config.connect == NULL) + s_client_config.connect = SSL_HOST_NAME; + } else if (s_client_config.connect != NULL) { + if (!extract_host_port(s_client_config.connect, + &s_client_config.host, NULL, &s_client_config.port)) goto bad; } if (badop) { bad: - if (errstr) - BIO_printf(bio_err, "invalid argument %s: %s\n", - *argv, errstr); - else + if (s_client_config.errstr == NULL) sc_usage(); goto end; } - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { + if (!app_passwd(bio_err, s_client_config.passarg, NULL, &pass, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } - if (key_file == NULL) - key_file = cert_file; + if (s_client_config.key_file == NULL) + s_client_config.key_file = s_client_config.cert_file; - if (key_file) { + if (s_client_config.key_file) { - key = load_key(bio_err, key_file, key_format, 0, pass, + key = load_key(bio_err, s_client_config.key_file, + s_client_config.key_format, 0, pass, "client certificate private key file"); if (!key) { ERR_print_errors(bio_err); goto end; } } - if (cert_file) { - cert = load_cert(bio_err, cert_file, cert_format, + if (s_client_config.cert_file) { + cert = load_cert(bio_err, s_client_config.cert_file, + s_client_config.cert_format, NULL, "client certificate file"); if (!cert) { @@ -627,45 +989,48 @@ s_client_main(int argc, char **argv) goto end; } } - if (bio_c_out == NULL) { - if (c_quiet && !c_debug && !c_msg) { - bio_c_out = BIO_new(BIO_s_null()); - } else { - if (bio_c_out == NULL) - bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE); - } + if (s_client_config.quiet && !s_client_config.debug && + !s_client_config.msg) { + if ((bio_c_out = BIO_new(BIO_s_null())) == NULL) + goto end; + } else { + if ((bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) + goto end; } - ctx = SSL_CTX_new(meth); + ctx = SSL_CTX_new(s_client_config.meth); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; } - if (vpm) - SSL_CTX_set1_param(ctx, vpm); + + SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); + + if (s_client_config.vpm) + SSL_CTX_set1_param(ctx, s_client_config.vpm); + + if (!SSL_CTX_set_min_proto_version(ctx, s_client_config.min_version)) + goto end; + if (!SSL_CTX_set_max_proto_version(ctx, s_client_config.max_version)) + goto end; #ifndef OPENSSL_NO_SRTP - if (srtp_profiles != NULL) - SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); + if (s_client_config.srtp_profiles != NULL) + SSL_CTX_set_tlsext_use_srtp(ctx, s_client_config.srtp_profiles); #endif - if (bugs) - SSL_CTX_set_options(ctx, SSL_OP_ALL | off); + if (s_client_config.bugs) + SSL_CTX_set_options(ctx, SSL_OP_ALL | s_client_config.off); else - SSL_CTX_set_options(ctx, off); + SSL_CTX_set_options(ctx, s_client_config.off); - if (clr) - SSL_CTX_clear_options(ctx, clr); - /* - * DTLS: partial reads end up discarding unread UDP bytes :-( Setting - * read ahead solves this problem. - */ - if (socket_type == SOCK_DGRAM) - SSL_CTX_set_read_ahead(ctx, 1); + if (s_client_config.clr) + SSL_CTX_clear_options(ctx, s_client_config.clr); - if (alpn_in) { + if (s_client_config.alpn_in) { unsigned short alpn_len; - unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); + unsigned char *alpn; + alpn = next_protos_parse(&alpn_len, s_client_config.alpn_in); if (alpn == NULL) { BIO_printf(bio_err, "Error parsing -alpn argument\n"); goto end; @@ -673,47 +1038,48 @@ s_client_main(int argc, char **argv) SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); free(alpn); } - if (groups_in != NULL) { - if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) { + if (s_client_config.groups_in != NULL) { + if (SSL_CTX_set1_groups_list(ctx, s_client_config.groups_in) != 1) { BIO_printf(bio_err, "Failed to set groups '%s'\n", - groups_in); + s_client_config.groups_in); goto end; } } - if (state) + if (s_client_config.state) SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); - if (cipher != NULL) - if (!SSL_CTX_set_cipher_list(ctx, cipher)) { + if (s_client_config.cipher != NULL) + if (!SSL_CTX_set_cipher_list(ctx, s_client_config.cipher)) { BIO_printf(bio_err, "error setting cipher list\n"); ERR_print_errors(bio_err); goto end; } - SSL_CTX_set_verify(ctx, verify, verify_callback); + SSL_CTX_set_verify(ctx, s_client_config.verify, verify_callback); if (!set_cert_key_stuff(ctx, cert, key)) goto end; - if ((CAfile || CApath) - && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) + if ((s_client_config.CAfile || s_client_config.CApath) + && !SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile, + s_client_config.CApath)) ERR_print_errors(bio_err); if (!SSL_CTX_set_default_verify_paths(ctx)) ERR_print_errors(bio_err); - if (servername != NULL) { + if (s_client_config.servername != NULL) { tlsextcbp.biodebug = bio_err; SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } con = SSL_new(ctx); - if (sess_in) { + if (s_client_config.sess_in) { SSL_SESSION *sess; - BIO *stmp = BIO_new_file(sess_in, "r"); + BIO *stmp = BIO_new_file(s_client_config.sess_in, "r"); if (!stmp) { BIO_printf(bio_err, "Can't open session file %s\n", - sess_in); + s_client_config.sess_in); ERR_print_errors(bio_err); goto end; } @@ -721,45 +1087,47 @@ s_client_main(int argc, char **argv) BIO_free(stmp); if (!sess) { BIO_printf(bio_err, "Can't open session file %s\n", - sess_in); + s_client_config.sess_in); ERR_print_errors(bio_err); goto end; } SSL_set_session(con, sess); SSL_SESSION_free(sess); } - if (servername != NULL) { - if (!SSL_set_tlsext_host_name(con, servername)) { - BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); + if (s_client_config.servername != NULL) { + if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) { + BIO_printf(bio_err, + "Unable to set TLS servername extension.\n"); ERR_print_errors(bio_err); goto end; } } /* SSL_set_cipher_list(con,"RC4-MD5"); */ -re_start: + re_start: - if (init_client(&s, host, port, socket_type, af) == 0) { + if (init_client(&s, s_client_config.host, s_client_config.port, + s_client_config.socket_type, s_client_config.af) == 0) { BIO_printf(bio_err, "connect:errno=%d\n", errno); goto end; } BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s); - if (c_nbio) { - if (!c_quiet) + if (s_client_config.nbio) { + if (!s_client_config.quiet) BIO_printf(bio_c_out, "turning on non blocking io\n"); if (!BIO_socket_nbio(s, 1)) { ERR_print_errors(bio_err); goto end; } } - if (c_Pause & 0x01) + if (s_client_config.pause & 0x01) SSL_set_debug(con, 1); - if (SSL_version(con) == DTLS1_VERSION) { - + if (SSL_is_dtls(con)) { sbio = BIO_new_dgram(s, BIO_NOCLOSE); - if (getsockname(s, &peer, (void *) &peerlen) == -1) { + if (getsockname(s, (struct sockaddr *)&peer, + (void *)&peerlen) == -1) { BIO_printf(bio_err, "getsockname:errno=%d\n", errno); shutdown(s, SHUT_RD); @@ -768,44 +1136,46 @@ s_client_main(int argc, char **argv) } (void) BIO_ctrl_set_connected(sbio, 1, &peer); - if (enable_timeouts) { + if (s_client_config.enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; - BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, + &timeout); timeout.tv_sec = 0; timeout.tv_usec = DGRAM_SND_TIMEOUT; - BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, + &timeout); } - if (socket_mtu > 28) { + if (s_client_config.socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + SSL_set_mtu(con, s_client_config.socket_mtu - 28); } else /* want to do MTU discovery */ BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); } else sbio = BIO_new_socket(s, BIO_NOCLOSE); - if (nbio_test) { + if (s_client_config.nbio_test) { BIO *test; test = BIO_new(BIO_f_nbio_test()); sbio = BIO_push(test, sbio); } - if (c_debug) { + if (s_client_config.debug) { SSL_set_debug(con, 1); BIO_set_callback(sbio, bio_dump_callback); BIO_set_callback_arg(sbio, (char *) bio_c_out); } - if (c_msg) { + if (s_client_config.msg) { SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_c_out); } - if (c_tlsextdebug) { + if (s_client_config.tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_c_out); } - if (c_status_req) { + if (s_client_config.status_req) { SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); @@ -825,6 +1195,8 @@ s_client_main(int argc, char **argv) cbuf_off = 0; sbuf_len = 0; sbuf_off = 0; + pbuf_len = 0; + pbuf_off = 0; /* This is an ugly hack that does a lot of assumptions */ /* @@ -834,7 +1206,8 @@ s_client_main(int argc, char **argv) * push a buffering BIO into the chain that is removed again later on * to not disturb the rest of the s_client operation. */ - if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) { + if (s_client_config.starttls_proto == PROTO_SMTP || + s_client_config.starttls_proto == PROTO_LMTP) { int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); @@ -845,7 +1218,7 @@ s_client_main(int argc, char **argv) while (mbuf_len > 3 && mbuf[3] == '-'); /* STARTTLS command requires EHLO... */ BIO_printf(fbio, "%cHLO openssl.client.net\r\n", - starttls_proto == PROTO_SMTP ? 'E' : 'L'); + s_client_config.starttls_proto == PROTO_SMTP ? 'E' : 'L'); (void) BIO_flush(fbio); /* wait for multi-line response to end EHLO SMTP response */ do { @@ -863,7 +1236,7 @@ s_client_main(int argc, char **argv) " try anyway...\n"); BIO_printf(sbio, "STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_POP3) { + } else if (s_client_config.starttls_proto == PROTO_POP3) { mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); if (mbuf_len == -1) { BIO_printf(bio_err, "BIO_read failed\n"); @@ -871,7 +1244,7 @@ s_client_main(int argc, char **argv) } BIO_printf(sbio, "STLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_IMAP) { + } else if (s_client_config.starttls_proto == PROTO_IMAP) { int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); @@ -895,7 +1268,7 @@ s_client_main(int argc, char **argv) " try anyway...\n"); BIO_printf(sbio, ". STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_FTP) { + } else if (s_client_config.starttls_proto == PROTO_FTP) { BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); /* wait for multi-line response to end from FTP */ @@ -908,11 +1281,13 @@ s_client_main(int argc, char **argv) BIO_free(fbio); BIO_printf(sbio, "AUTH TLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_XMPP) { + } else if (s_client_config.starttls_proto == PROTO_XMPP) { int seen = 0; BIO_printf(sbio, "", xmpphost ? xmpphost : host); + "xmlns='jabber:client' to='%s' version='1.0'>", + s_client_config.xmpphost ? + s_client_config.xmpphost : s_client_config.host); seen = BIO_read(sbio, mbuf, BUFSIZZ); if (seen <= 0) @@ -928,14 +1303,16 @@ s_client_main(int argc, char **argv) mbuf[seen] = 0; } - BIO_printf(sbio, ""); + BIO_printf(sbio, + ""); seen = BIO_read(sbio, sbuf, BUFSIZZ); sbuf[seen] = 0; if (!strstr(sbuf, " 0) full_log--; - if (starttls_proto) { + if (s_client_config.starttls_proto) { BIO_write(bio_err, mbuf, mbuf_len); /* We don't need to know any more */ - starttls_proto = PROTO_OFF; + s_client_config.starttls_proto = PROTO_OFF; } - if (reconnect) { - reconnect--; - BIO_printf(bio_c_out, "drop connection and then reconnect\n"); + if (s_client_config.reconnect) { + s_client_config.reconnect--; + BIO_printf(bio_c_out, + "drop connection and then reconnect\n"); SSL_shutdown(con); SSL_set_connect_state(con); shutdown(SSL_get_fd(con), SHUT_RD); @@ -1020,10 +1402,11 @@ s_client_main(int argc, char **argv) /* goto end; */ } } - if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { + if (SSL_is_dtls(con) && + DTLSv1_handle_timeout(con) > 0) BIO_printf(bio_err, "TIMEOUT occured\n"); - } - if (!ssl_pending && (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { + if (!ssl_pending && + (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { if (pfd[2].revents & (POLLERR|POLLNVAL)) { BIO_printf(bio_err, "poll error"); goto shut; @@ -1114,7 +1497,20 @@ s_client_main(int argc, char **argv) } } #endif - k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); + if (s_client_config.peekaboo) { + k = p = SSL_peek(con, pbuf, 1024 /* BUFSIZZ */ ); + pending = SSL_pending(con); + if (SSL_get_error(con, p) == SSL_ERROR_NONE) { + if (p <= 0) + goto end; + pbuf_off = 0; + pbuf_len = p; + + k = SSL_read(con, sbuf, p); + } + } else { + k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); + } switch (SSL_get_error(con, k)) { case SSL_ERROR_NONE: @@ -1122,7 +1518,29 @@ s_client_main(int argc, char **argv) goto end; sbuf_off = 0; sbuf_len = k; - + if (s_client_config.peekaboo) { + if (p != pending) { + ret = -1; + BIO_printf(bio_err, + "peeked %d but pending %d!\n", + p, pending); + goto shut; + } + if (k < p) { + ret = -1; + BIO_printf(bio_err, + "read less than peek!\n"); + goto shut; + } + if (p > 0 && + (memcmp(sbuf, pbuf, p) != 0)) { + ret = -1; + BIO_printf(bio_err, + "peek of %d different from read of %d!\n", + p, k); + goto shut; + } + } read_ssl = 0; write_tty = 1; break; @@ -1159,7 +1577,7 @@ s_client_main(int argc, char **argv) BIO_printf(bio_err, "poll error"); goto shut; } - if (crlf) { + if (s_client_config.crlf) { int j, lf_num; i = read(fileno(stdin), cbuf, BUFSIZZ / 2); @@ -1180,12 +1598,13 @@ s_client_main(int argc, char **argv) } else i = read(fileno(stdin), cbuf, BUFSIZZ); - if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { + if ((!s_client_config.ign_eof) && + ((i <= 0) || (cbuf[0] == 'Q'))) { BIO_printf(bio_err, "DONE\n"); ret = 0; goto shut; } - if ((!c_ign_eof) && (cbuf[0] == 'R')) { + if ((!s_client_config.ign_eof) && (cbuf[0] == 'R')) { BIO_printf(bio_err, "RENEGOTIATING\n"); SSL_renegotiate(con); cbuf_len = 0; @@ -1208,7 +1627,7 @@ s_client_main(int argc, char **argv) close(SSL_get_fd(con)); end: if (con != NULL) { - if (prexit != 0) + if (s_client_config.prexit != 0) print_stuff(bio_c_out, con, 1); SSL_free(con); } @@ -1216,28 +1635,25 @@ s_client_main(int argc, char **argv) X509_free(cert); EVP_PKEY_free(key); free(pass); - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(s_client_config.vpm); freezero(cbuf, BUFSIZZ); freezero(sbuf, BUFSIZZ); + freezero(pbuf, BUFSIZZ); freezero(mbuf, BUFSIZZ); - if (bio_c_out != NULL) { - BIO_free(bio_c_out); - bio_c_out = NULL; - } + BIO_free(bio_c_out); return (ret); } - static void -print_stuff(BIO * bio, SSL * s, int full) +print_stuff(BIO *bio, SSL *s, int full) { X509 *peer = NULL; char *p; static const char *space = " "; char buf[BUFSIZ]; - STACK_OF(X509) * sk; - STACK_OF(X509_NAME) * sk2; + STACK_OF(X509) *sk; + STACK_OF(X509_NAME) *sk2; const SSL_CIPHER *c; X509_NAME *xn; int j, i; @@ -1259,18 +1675,19 @@ print_stuff(BIO * bio, SSL * s, int full) X509_NAME_oneline(X509_get_issuer_name( sk_X509_value(sk, i)), buf, sizeof buf); BIO_printf(bio, " i:%s\n", buf); - if (c_showcerts) - PEM_write_bio_X509(bio, sk_X509_value(sk, i)); + if (s_client_config.showcerts) + PEM_write_bio_X509(bio, + sk_X509_value(sk, i)); } } BIO_printf(bio, "---\n"); peer = SSL_get_peer_certificate(s); if (peer != NULL) { BIO_printf(bio, "Server certificate\n"); - if (!(c_showcerts && got_a_chain)) /* Redundant if we - * showed the whole - * chain */ + if (!(s_client_config.showcerts && got_a_chain)) { + /* Redundant if we showed the whole chain */ PEM_write_bio_X509(bio, peer); + } X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf); BIO_printf(bio, "subject=%s\n", buf); @@ -1282,7 +1699,8 @@ print_stuff(BIO * bio, SSL * s, int full) sk2 = SSL_get_client_CA_list(s); if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) { - BIO_printf(bio, "---\nAcceptable client certificate CA names\n"); + BIO_printf(bio, + "---\nAcceptable client certificate CA names\n"); for (i = 0; i < sk_X509_NAME_num(sk2); i++) { xn = sk_X509_NAME_value(sk2, i); X509_NAME_oneline(xn, buf, sizeof(buf)); @@ -1290,7 +1708,8 @@ print_stuff(BIO * bio, SSL * s, int full) BIO_write(bio, "\n", 1); } } else { - BIO_printf(bio, "---\nNo client certificate CA names sent\n"); + BIO_printf(bio, + "---\nNo client certificate CA names sent\n"); } p = SSL_get_shared_ciphers(s, buf, sizeof buf); if (p != NULL) { @@ -1301,14 +1720,16 @@ print_stuff(BIO * bio, SSL * s, int full) * current connection) the server supports. */ - BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n"); + BIO_printf(bio, + "---\nCiphers common between both SSL endpoints:\n"); j = i = 0; while (*p) { if (*p == ':') { BIO_write(bio, space, 15 - j % 25); i++; j = 0; - BIO_write(bio, ((i % 3) ? " " : "\n"), 1); + BIO_write(bio, + ((i % 3) ? " " : "\n"), 1); } else { BIO_write(bio, p, 1); j++; @@ -1320,7 +1741,8 @@ print_stuff(BIO * bio, SSL * s, int full) ssl_print_tmp_key(bio, s); - BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n", + BIO_printf(bio, + "---\nSSL handshake has read %ld bytes and written %ld bytes\n", BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } @@ -1351,7 +1773,8 @@ print_stuff(BIO * bio, SSL * s, int full) socklen_t ladd_size = sizeof(ladd); sock = SSL_get_fd(s); getsockname(sock, (struct sockaddr *) & ladd, &ladd_size); - BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); + BIO_printf(bio, "LOCAL PORT is %u\n", + ntohs(ladd.sin_port)); } #endif @@ -1369,30 +1792,34 @@ print_stuff(BIO * bio, SSL * s, int full) #ifndef OPENSSL_NO_SRTP { - SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s); + SRTP_PROTECTION_PROFILE *srtp_profile; + srtp_profile = SSL_get_selected_srtp_profile(s); if (srtp_profile) - BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n", + BIO_printf(bio, + "SRTP Extension negotiated, profile=%s\n", srtp_profile->name); } #endif SSL_SESSION_print(bio, SSL_get_session(s)); - if (keymatexportlabel != NULL) { + if (s_client_config.keymatexportlabel != NULL) { BIO_printf(bio, "Keying material exporter:\n"); - BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); - BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); - exportedkeymat = malloc(keymatexportlen); + BIO_printf(bio, " Label: '%s'\n", + s_client_config.keymatexportlabel); + BIO_printf(bio, " Length: %i bytes\n", + s_client_config.keymatexportlen); + exportedkeymat = malloc(s_client_config.keymatexportlen); if (exportedkeymat != NULL) { if (!SSL_export_keying_material(s, exportedkeymat, - keymatexportlen, - keymatexportlabel, - strlen(keymatexportlabel), + s_client_config.keymatexportlen, + s_client_config.keymatexportlabel, + strlen(s_client_config.keymatexportlabel), NULL, 0, 0)) { BIO_printf(bio, " Error\n"); } else { BIO_printf(bio, " Keying material: "); - for (i = 0; i < keymatexportlen; i++) + for (i = 0; i < s_client_config.keymatexportlen; i++) BIO_printf(bio, "%02X", exportedkeymat[i]); BIO_printf(bio, "\n"); @@ -1406,9 +1833,8 @@ print_stuff(BIO * bio, SSL * s, int full) (void) BIO_flush(bio); } - static int -ocsp_resp_cb(SSL * s, void *arg) +ocsp_resp_cb(SSL *s, void *arg) { const unsigned char *p; int len; @@ -1432,3 +1858,16 @@ ocsp_resp_cb(SSL * s, void *arg) return 1; } +static int +ssl_servername_cb(SSL *s, int *ad, void *arg) +{ + tlsextctx *p = (tlsextctx *) arg; + const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (SSL_get_servername_type(s) != -1) + p->ack = !SSL_session_reused(s) && hn != NULL; + else + BIO_printf(bio_err, "Can't use SSL_get_servername\n"); + + return SSL_TLSEXT_ERR_OK; +} + diff --git a/apps/openssl/s_server.c b/apps/openssl/s_server.c index 2026e729..1bd54432 100644 --- a/apps/openssl/s_server.c +++ b/apps/openssl/s_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */ +/* $OpenBSD: s_server.c,v 1.47 2021/03/17 18:11:01 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -177,21 +177,22 @@ #include "s_apps.h" #include "timeouts.h" +static void s_server_init(void); +static void sv_usage(void); +static void print_stats(BIO *bp, SSL_CTX *ctx); static int sv_body(char *hostname, int s, unsigned char *context); -static int www_body(char *hostname, int s, unsigned char *context); static void close_accept_socket(void); -static void sv_usage(void); -static int init_ssl_connection(SSL * s); -static void print_stats(BIO * bp, SSL_CTX * ctx); -static int -generate_session_id(const SSL * ssl, unsigned char *id, - unsigned int *id_len); +static int init_ssl_connection(SSL *s); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); #endif - -static void s_server_init(void); - +static int www_body(char *hostname, int s, unsigned char *context); +static int generate_session_id(const SSL *ssl, unsigned char *id, + unsigned int *id_len); +static int ssl_servername_cb(SSL *s, int *ad, void *arg); +static int cert_status_cb(SSL * s, void *arg); +static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, void *arg); /* static int load_CA(SSL_CTX *ctx, char *file);*/ #define BUFSIZZ 16*1024 @@ -201,386 +202,876 @@ static int accept_socket = -1; #define TEST_CERT "server.pem" #define TEST_CERT2 "server2.pem" -static char *cipher = NULL; -static int s_server_verify = SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ -static const char *s_cert_file = TEST_CERT, *s_key_file = NULL; -static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; -static char *s_dcert_file = NULL, *s_dkey_file = NULL; -static int s_nbio = 0; -static int s_nbio_test = 0; -int s_crlf = 0; static SSL_CTX *ctx = NULL; static SSL_CTX *ctx2 = NULL; -static int www = 0; - static BIO *bio_s_out = NULL; -static int s_debug = 0; -static int s_tlsextdebug = 0; -static int s_tlsextstatus = 0; -static int cert_status_cb(SSL * s, void *arg); -static int s_msg = 0; -static int s_quiet = 0; -static char *keymatexportlabel = NULL; -static int keymatexportlen = 20; +static int local_argc = 0; +static char **local_argv; -static const char *session_id_prefix = NULL; +/* This is a context that we pass to callbacks */ +typedef struct tlsextctx_st { + char *servername; + BIO *biodebug; + int extension_error; +} tlsextctx; -static int enable_timeouts = 0; -static long socket_mtu; -#ifndef OPENSSL_NO_DTLS1 -static int cert_chain = 0; -#endif +/* Structure passed to cert status callback */ +typedef struct tlsextstatusctx_st { + /* Default responder to use */ + char *host, *path, *port; + int use_ssl; + int timeout; + BIO *err; + int verbose; +} tlsextstatusctx; +/* This the context that we pass to alpn_cb */ +typedef struct tlsextalpnctx_st { + unsigned char *data; + unsigned short len; +} tlsextalpnctx; +static struct { + char *alpn_in; + char *npn_in; /* Ignored. */ + int bugs; + char *CAfile; + char *CApath; +#ifndef OPENSSL_NO_DTLS + int cert_chain; +#endif + char *cert_file; + char *cert_file2; + int cert_format; + char *cipher; + unsigned char *context; + int crlf; + char *dcert_file; + int dcert_format; + int debug; + char *dhfile; + char *dkey_file; + int dkey_format; + char *dpassarg; + int enable_timeouts; + const char *errstr; + char *groups_in; + char *key_file; + char *key_file2; + int key_format; + char *keymatexportlabel; + int keymatexportlen; + uint16_t max_version; + uint16_t min_version; + const SSL_METHOD *meth; + int msg; + char *named_curve; + int nbio; + int nbio_test; + int no_cache; + int nocert; + int no_dhe; + int no_ecdhe; + int no_tmp_rsa; /* No-op. */ + int off; + char *passarg; + short port; + int quiet; + int server_verify; + char *session_id_prefix; + long socket_mtu; + int socket_type; +#ifndef OPENSSL_NO_SRTP + char *srtp_profiles; +#endif + int state; + tlsextstatusctx tlscstatp; + tlsextctx tlsextcbp; + int tlsextdebug; + int tlsextstatus; + X509_VERIFY_PARAM *vpm; + int www; +} s_server_config; +static int +s_server_opt_context(char *arg) +{ + s_server_config.context = (unsigned char *) arg; + return (0); +} -static void -s_server_init(void) +static int +s_server_opt_keymatexportlen(char *arg) { - accept_socket = -1; - cipher = NULL; - s_server_verify = SSL_VERIFY_NONE; - s_dcert_file = NULL; - s_dkey_file = NULL; - s_cert_file = TEST_CERT; - s_key_file = NULL; - s_cert_file2 = TEST_CERT2; - s_key_file2 = NULL; - ctx2 = NULL; - s_nbio = 0; - s_nbio_test = 0; - ctx = NULL; - www = 0; + s_server_config.keymatexportlen = strtonum(arg, 1, INT_MAX, + &s_server_config.errstr); + if (s_server_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_server_config.errstr); + return (1); + } + return (0); +} - bio_s_out = NULL; - s_debug = 0; - s_msg = 0; - s_quiet = 0; +#ifndef OPENSSL_NO_DTLS +static int +s_server_opt_mtu(char *arg) +{ + s_server_config.socket_mtu = strtonum(arg, 0, LONG_MAX, + &s_server_config.errstr); + if (s_server_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_server_config.errstr); + return (1); + } + return (0); } +#endif -static void -sv_usage(void) +#ifndef OPENSSL_NO_DTLS +static int +s_server_opt_protocol_version_dtls(void) { - BIO_printf(bio_err, "usage: s_server [args ...]\n"); - BIO_printf(bio_err, "\n"); - BIO_printf(bio_err, " -accept arg - port to accept on (default is %d)\n", PORT); - BIO_printf(bio_err, " -context arg - set session ID context\n"); - BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n"); - BIO_printf(bio_err, " -Verify arg - turn on peer certificate verification, must have a cert.\n"); - BIO_printf(bio_err, " -cert arg - certificate file to use\n"); - BIO_printf(bio_err, " (default is %s)\n", TEST_CERT); - BIO_printf(bio_err, " -crl_check - check the peer certificate has not been revoked by its CA.\n" \ - " The CRL(s) are appended to the certificate file\n"); - BIO_printf(bio_err, " -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ - " or any other CRL in the CA chain. CRL(s) are appended to the\n" \ - " the certificate file.\n"); - BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, " -key arg - Private Key file to use, in cert file if\n"); - BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT); - BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n"); - BIO_printf(bio_err, " -dcert arg - second certificate file to use (usually for DSA)\n"); - BIO_printf(bio_err, " -dcertform x - second certificate format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, " -dkey arg - second private key file to use (usually for DSA)\n"); - BIO_printf(bio_err, " -dkeyform arg - second key format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n"); - BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n"); - BIO_printf(bio_err, " or a default set of parameters is used\n"); - BIO_printf(bio_err, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ - " Use \"openssl ecparam -list_curves\" for all names\n" \ - " (default is nistp256).\n"); - BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); - BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n"); - BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); - BIO_printf(bio_err, " -debug - Print more output\n"); - BIO_printf(bio_err, " -msg - Show protocol messages\n"); - BIO_printf(bio_err, " -state - Print the SSL states\n"); - BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); - BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); - BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n"); - BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); - BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n"); - BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n"); - BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n"); - BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n"); - BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n"); - BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n"); - BIO_printf(bio_err, " -timeout - Enable timeouts\n"); - BIO_printf(bio_err, " -mtu - Set link layer MTU\n"); - BIO_printf(bio_err, " -chain - Read a certificate chain\n"); - BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n"); - BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n"); - BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n"); - BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n"); - BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n"); -#ifndef OPENSSL_NO_DH - BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n"); + s_server_config.meth = DTLS_server_method(); + s_server_config.socket_type = SOCK_DGRAM; + return (0); +} #endif - BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n"); - BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n"); - BIO_printf(bio_err, " -www - Respond to a 'GET /' with a status page\n"); - BIO_printf(bio_err, " -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n"); - BIO_printf(bio_err, " -HTTP - Respond to a 'GET / HTTP/1.0' with file ./\n"); - BIO_printf(bio_err, " with the assumption it contains a complete HTTP response.\n"); - BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); - BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n"); - BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); - BIO_printf(bio_err, " -cert2 arg - certificate file to use for servername\n"); - BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2); - BIO_printf(bio_err, " -key2 arg - Private Key file to use for servername, in cert file if\n"); - BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2); - BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err," -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); -#ifndef OPENSSL_NO_SRTP - BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); + +#ifndef OPENSSL_NO_DTLS1 +static int +s_server_opt_protocol_version_dtls1(void) +{ + s_server_config.meth = DTLS_server_method(); + s_server_config.min_version = DTLS1_VERSION; + s_server_config.max_version = DTLS1_VERSION; + s_server_config.socket_type = SOCK_DGRAM; + return (0); +} #endif - BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n"); - BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); + +#ifndef OPENSSL_NO_DTLS1_2 +static int +s_server_opt_protocol_version_dtls1_2(void) +{ + s_server_config.meth = DTLS_server_method(); + s_server_config.min_version = DTLS1_2_VERSION; + s_server_config.max_version = DTLS1_2_VERSION; + s_server_config.socket_type = SOCK_DGRAM; + return (0); } +#endif -static int local_argc = 0; -static char **local_argv; +static int +s_server_opt_protocol_version_tls1(void) +{ + s_server_config.min_version = TLS1_VERSION; + s_server_config.max_version = TLS1_VERSION; + return (0); +} +static int +s_server_opt_protocol_version_tls1_1(void) +{ + s_server_config.min_version = TLS1_1_VERSION; + s_server_config.max_version = TLS1_1_VERSION; + return (0); +} -/* This is a context that we pass to callbacks */ -typedef struct tlsextctx_st { - char *servername; - BIO *biodebug; - int extension_error; -} tlsextctx; +static int +s_server_opt_protocol_version_tls1_2(void) +{ + s_server_config.min_version = TLS1_2_VERSION; + s_server_config.max_version = TLS1_2_VERSION; + return (0); +} +static int +s_server_opt_protocol_version_tls1_3(void) +{ + s_server_config.min_version = TLS1_3_VERSION; + s_server_config.max_version = TLS1_3_VERSION; + return (0); +} static int -ssl_servername_cb(SSL * s, int *ad, void *arg) +s_server_opt_nbio_test(void) { - tlsextctx *p = (tlsextctx *) arg; - const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); - if (servername && p->biodebug) - BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", servername); + s_server_config.nbio = 1; + s_server_config.nbio_test = 1; + return (0); +} - if (!p->servername) - return SSL_TLSEXT_ERR_NOACK; +static int +s_server_opt_port(char *arg) +{ + if (!extract_port(arg, &s_server_config.port)) + return (1); + return (0); +} - if (servername) { - if (strcmp(servername, p->servername)) - return p->extension_error; - if (ctx2) { - BIO_printf(p->biodebug, "Switching server context.\n"); - SSL_set_SSL_CTX(s, ctx2); - } +static int +s_server_opt_status_timeout(char *arg) +{ + s_server_config.tlsextstatus = 1; + s_server_config.tlscstatp.timeout = strtonum(arg, 0, INT_MAX, + &s_server_config.errstr); + if (s_server_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_server_config.errstr); + return (1); } - return SSL_TLSEXT_ERR_OK; + return (0); } -/* Structure passed to cert status callback */ - -typedef struct tlsextstatusctx_st { - /* Default responder to use */ - char *host, *path, *port; - int use_ssl; - int timeout; - BIO *err; - int verbose; -} tlsextstatusctx; - -static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0}; - -/* Certificate Status callback. This is called when a client includes a - * certificate status request extension. - * - * This is a simplified version. It examines certificates each time and - * makes one OCSP responder query for each request. - * - * A full version would store details such as the OCSP certificate IDs and - * minimise the number of OCSP responses by caching them until they were - * considered "expired". - */ +static int +s_server_opt_status_url(char *arg) +{ + s_server_config.tlsextstatus = 1; + if (!OCSP_parse_url(arg, &s_server_config.tlscstatp.host, + &s_server_config.tlscstatp.port, &s_server_config.tlscstatp.path, + &s_server_config.tlscstatp.use_ssl)) { + BIO_printf(bio_err, "Error parsing URL\n"); + return (1); + } + return (0); +} static int -cert_status_cb(SSL * s, void *arg) +s_server_opt_status_verbose(void) { - tlsextstatusctx *srctx = arg; - BIO *err = srctx->err; - char *host = NULL, *port = NULL, *path = NULL; - int use_ssl; - unsigned char *rspder = NULL; - int rspderlen; - STACK_OF(OPENSSL_STRING) * aia = NULL; - X509 *x = NULL; - X509_STORE_CTX inctx; - X509_OBJECT obj; - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_CERTID *id = NULL; - STACK_OF(X509_EXTENSION) * exts; - int ret = SSL_TLSEXT_ERR_NOACK; - int i; + s_server_config.tlsextstatus = 1; + s_server_config.tlscstatp.verbose = 1; + return (0); +} - if (srctx->verbose) - BIO_puts(err, "cert_status: callback called\n"); - /* Build up OCSP query from server certificate */ - x = SSL_get_certificate(s); - aia = X509_get1_ocsp(x); - if (aia) { - if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), - &host, &port, &path, &use_ssl)) { - BIO_puts(err, "cert_status: can't parse AIA URL\n"); - goto err; - } - if (srctx->verbose) - BIO_printf(err, "cert_status: AIA URL: %s\n", - sk_OPENSSL_STRING_value(aia, 0)); - } else { - if (!srctx->host) { - BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n"); - goto done; - } - host = srctx->host; - path = srctx->path; - port = srctx->port; - use_ssl = srctx->use_ssl; +static int +s_server_opt_verify(char *arg) +{ + s_server_config.server_verify = SSL_VERIFY_PEER | + SSL_VERIFY_CLIENT_ONCE; + verify_depth = strtonum(arg, 0, INT_MAX, &s_server_config.errstr); + if (s_server_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_server_config.errstr); + return (1); } + BIO_printf(bio_err, "verify depth is %d\n", verify_depth); + return (0); +} - if (!X509_STORE_CTX_init(&inctx, - SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), - NULL, NULL)) - goto err; - if (X509_STORE_get_by_subject(&inctx, X509_LU_X509, - X509_get_issuer_name(x), &obj) <= 0) { - BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n"); - X509_STORE_CTX_cleanup(&inctx); - goto done; - } - req = OCSP_REQUEST_new(); - if (!req) - goto err; - id = OCSP_cert_to_id(NULL, x, obj.data.x509); - X509_free(obj.data.x509); - X509_STORE_CTX_cleanup(&inctx); - if (!id) - goto err; - if (!OCSP_request_add0_id(req, id)) - goto err; - id = NULL; - /* Add any extensions to the request */ - SSL_get_tlsext_status_exts(s, &exts); - for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { - X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); - if (!OCSP_REQUEST_add_ext(req, ext, -1)) - goto err; - } - resp = process_responder(err, req, host, path, port, use_ssl, NULL, - srctx->timeout); - if (!resp) { - BIO_puts(err, "cert_status: error querying responder\n"); - goto done; - } - rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); - if (rspderlen <= 0) - goto err; - SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); - if (srctx->verbose) { - BIO_puts(err, "cert_status: ocsp response sent:\n"); - OCSP_RESPONSE_print(err, resp, 2); - } - ret = SSL_TLSEXT_ERR_OK; - done: - if (ret != SSL_TLSEXT_ERR_OK) - ERR_print_errors(err); - if (aia) { - free(host); - free(path); - free(port); - X509_email_free(aia); +static int +s_server_opt_verify_fail(char *arg) +{ + s_server_config.server_verify = SSL_VERIFY_PEER | + SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE; + verify_depth = strtonum(arg, 0, INT_MAX, &s_server_config.errstr); + if (s_server_config.errstr != NULL) { + BIO_printf(bio_err, "invalid argument %s: %s\n", + arg, s_server_config.errstr); + return (1); } - if (id) - OCSP_CERTID_free(id); - if (req) - OCSP_REQUEST_free(req); - if (resp) - OCSP_RESPONSE_free(resp); - return ret; - err: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - goto done; + BIO_printf(bio_err, "verify depth is %d, must return a certificate\n", + verify_depth); + return (0); } -/* This the context that we pass to alpn_cb */ -typedef struct tlsextalpnctx_st { - unsigned char *data; - unsigned short len; -} tlsextalpnctx; - static int -alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, void *arg) +s_server_opt_verify_param(int argc, char **argv, int *argsused) { - tlsextalpnctx *alpn_ctx = arg; - - if (!s_quiet) { - /* We can assume that in is syntactically valid. */ - unsigned i; + char **pargs = argv; + int pargc = argc; + int badarg = 0; - BIO_printf(bio_s_out, - "ALPN protocols advertised by the client: "); - for (i = 0; i < inlen; ) { - if (i) - BIO_write(bio_s_out, ", ", 2); - BIO_write(bio_s_out, &in[i + 1], in[i]); - i += in[i] + 1; - } - BIO_write(bio_s_out, "\n", 1); + if (!args_verify(&pargs, &pargc, &badarg, bio_err, + &s_server_config.vpm)) { + BIO_printf(bio_err, "unknown option %s\n", *argv); + return (1); } + if (badarg) + return (1); - if (SSL_select_next_proto((unsigned char**)out, outlen, alpn_ctx->data, - alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED) - return (SSL_TLSEXT_ERR_NOACK); + *argsused = argc - pargc; + return (0); +} + +static const struct option s_server_options[] = { + { + .name = "4", + .type = OPTION_DISCARD, + }, + { + .name = "6", + .type = OPTION_DISCARD, + }, + { + .name = "accept", + .argname = "port", + .desc = "Port to accept on (default is 4433)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_port, + }, + { + .name = "alpn", + .argname = "protocols", + .desc = "Set the advertised protocols for the ALPN extension" + " (comma-separated list)", + .type = OPTION_ARG, + .opt.arg = &s_server_config.alpn_in, + }, + { + .name = "bugs", + .desc = "Turn on SSL bug compatibility", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.bugs, + }, + { + .name = "CAfile", + .argname = "file", + .desc = "PEM format file of CA certificates", + .type = OPTION_ARG, + .opt.arg = &s_server_config.CAfile, + }, + { + .name = "CApath", + .argname = "directory", + .desc = "PEM format directory of CA certificates", + .type = OPTION_ARG, + .opt.arg = &s_server_config.CApath, + }, + { + .name = "cert", + .argname = "file", + .desc = "Certificate file to use\n" + "(default is " TEST_CERT ")", + .type = OPTION_ARG, + .opt.arg = &s_server_config.cert_file, + }, + { + .name = "cert2", + .argname = "file", + .desc = "Certificate file to use for servername\n" + "(default is " TEST_CERT2 ")", + .type = OPTION_ARG, + .opt.arg = &s_server_config.cert_file2, + }, + { + .name = "certform", + .argname = "fmt", + .desc = "Certificate format (PEM or DER) PEM default", + .type = OPTION_ARG_FORMAT, + .opt.value = &s_server_config.cert_format, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "chain", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.cert_chain, + }, +#endif + { + .name = "cipher", + .argname = "list", + .desc = "List of ciphers to enable (see `openssl ciphers`)", + .type = OPTION_ARG, + .opt.arg = &s_server_config.cipher, + }, + { + .name = "context", + .argname = "id", + .desc = "Set session ID context", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_context, + }, + { + .name = "crlf", + .desc = "Convert LF from terminal into CRLF", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.crlf, + }, + { + .name = "dcert", + .argname = "file", + .desc = "Second certificate file to use (usually for DSA)", + .type = OPTION_ARG, + .opt.arg = &s_server_config.dcert_file, + }, + { + .name = "dcertform", + .argname = "fmt", + .desc = "Second certificate format (PEM or DER) PEM default", + .type = OPTION_ARG_FORMAT, + .opt.value = &s_server_config.dcert_format, + }, + { + .name = "debug", + .desc = "Print more output", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.debug, + }, + { + .name = "dhparam", + .argname = "file", + .desc = "DH parameter file to use, in cert file if not specified", + .type = OPTION_ARG, + .opt.arg = &s_server_config.dhfile, + }, + { + .name = "dkey", + .argname = "file", + .desc = "Second private key file to use (usually for DSA)", + .type = OPTION_ARG, + .opt.arg = &s_server_config.dkey_file, + }, + { + .name = "dkeyform", + .argname = "fmt", + .desc = "Second key format (PEM or DER) PEM default", + .type = OPTION_ARG_FORMAT, + .opt.value = &s_server_config.dkey_format, + }, + { + .name = "dpass", + .argname = "arg", + .desc = "Second private key file pass phrase source", + .type = OPTION_ARG, + .opt.arg = &s_server_config.dpassarg, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "dtls", + .desc = "Use any version of DTLS", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_dtls, + }, +#endif +#ifndef OPENSSL_NO_DTLS1 + { + .name = "dtls1", + .desc = "Just use DTLSv1", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_dtls1, + }, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + { + .name = "dtls1_2", + .desc = "Just use DTLSv1.2", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_dtls1_2, + }, +#endif + { + .name = "groups", + .argname = "list", + .desc = "Specify EC groups (colon-separated list)", + .type = OPTION_ARG, + .opt.arg = &s_server_config.groups_in, + }, + { + .name = "HTTP", + .desc = "Respond to a 'GET / HTTP/1.0' with file ./", + .type = OPTION_VALUE, + .opt.value = &s_server_config.www, + .value = 3, + }, + { + .name = "id_prefix", + .argname = "arg", + .desc = "Generate SSL/TLS session IDs prefixed by 'arg'", + .type = OPTION_ARG, + .opt.arg = &s_server_config.session_id_prefix, + }, + { + .name = "key", + .argname = "file", + .desc = "Private Key file to use, in cert file if\n" + "not specified (default is " TEST_CERT ")", + .type = OPTION_ARG, + .opt.arg = &s_server_config.key_file, + }, + { + .name = "key2", + .argname = "file", + .desc = "Private Key file to use for servername, in cert file if\n" + "not specified (default is " TEST_CERT2 ")", + .type = OPTION_ARG, + .opt.arg = &s_server_config.key_file2, + }, + { + .name = "keyform", + .argname = "fmt", + .desc = "Key format (PEM or DER) PEM default", + .type = OPTION_ARG_FORMAT, + .opt.value = &s_server_config.key_format, + }, + { + .name = "keymatexport", + .argname = "label", + .desc = "Export keying material using label", + .type = OPTION_ARG, + .opt.arg = &s_server_config.keymatexportlabel, + }, + { + .name = "keymatexportlen", + .argname = "len", + .desc = "Export len bytes of keying material (default 20)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_keymatexportlen, + }, + { + .name = "legacy_renegotiation", + .type = OPTION_DISCARD, + }, + { + .name = "msg", + .desc = "Show protocol messages", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.msg, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "mtu", + .argname = "mtu", + .desc = "Set link layer MTU", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_mtu, + }, +#endif + { + .name = "named_curve", + .argname = "arg", + .type = OPTION_ARG, + .opt.arg = &s_server_config.named_curve, + }, + { + .name = "nbio", + .desc = "Run with non-blocking I/O", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.nbio, + }, + { + .name = "nbio_test", + .desc = "Test with the non-blocking test bio", + .type = OPTION_FUNC, + .opt.func = s_server_opt_nbio_test, + }, + { + .name = "nextprotoneg", + .argname = "arg", + .type = OPTION_ARG, + .opt.arg = &s_server_config.npn_in, /* Ignored. */ + }, + { + .name = "no_cache", + .desc = "Disable session cache", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.no_cache, + }, + { + .name = "no_comp", + .desc = "Disable SSL/TLS compression", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_COMPRESSION, + }, + { + .name = "no_dhe", + .desc = "Disable ephemeral DH", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.no_dhe, + }, + { + .name = "no_ecdhe", + .desc = "Disable ephemeral ECDH", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.no_ecdhe, + }, + { + .name = "no_ticket", + .desc = "Disable use of RFC4507bis session tickets", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_TICKET, + }, + { + .name = "no_ssl2", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_SSLv2, + }, + { + .name = "no_ssl3", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_SSLv3, + }, + { + .name = "no_tls1", + .desc = "Just disable TLSv1", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_TLSv1, + }, + { + .name = "no_tls1_1", + .desc = "Just disable TLSv1.1", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_TLSv1_1, + }, + { + .name = "no_tls1_2", + .desc = "Just disable TLSv1.2", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_TLSv1_2, + }, + { + .name = "no_tls1_3", + .desc = "Just disable TLSv1.3", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_NO_TLSv1_3, + }, + { + .name = "no_tmp_rsa", + .type = OPTION_DISCARD, + }, + { + .name = "nocert", + .desc = "Don't use any certificates (Anon-DH)", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.nocert, + }, + { + .name = "pass", + .argname = "arg", + .desc = "Private key file pass phrase source", + .type = OPTION_ARG, + .opt.arg = &s_server_config.passarg, + }, + { + .name = "port", + .argname = "port", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_port, + }, + { + .name = "quiet", + .desc = "Inhibit printing of session and certificate information", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.quiet, + }, + { + .name = "servername", + .argname = "name", + .desc = "Servername for HostName TLS extension", + .type = OPTION_ARG, + .opt.arg = &s_server_config.tlsextcbp.servername, + }, + { + .name = "servername_fatal", + .desc = "On mismatch send fatal alert (default warning alert)", + .type = OPTION_VALUE, + .opt.value = &s_server_config.tlsextcbp.extension_error, + .value = SSL_TLSEXT_ERR_ALERT_FATAL, + }, + { + .name = "serverpref", + .desc = "Use server's cipher preferences", + .type = OPTION_VALUE_OR, + .opt.value = &s_server_config.off, + .value = SSL_OP_CIPHER_SERVER_PREFERENCE, + }, + { + .name = "state", + .desc = "Print the SSL states", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.state, + }, + { + .name = "status", + .desc = "Respond to certificate status requests", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.tlsextstatus, + }, + { + .name = "status_timeout", + .argname = "nsec", + .desc = "Status request responder timeout", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_status_timeout, + }, + { + .name = "status_url", + .argname = "url", + .desc = "Status request fallback URL", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_status_url, + }, + { + .name = "status_verbose", + .desc = "Enable status request verbose printout", + .type = OPTION_FUNC, + .opt.func = s_server_opt_status_verbose, + }, +#ifndef OPENSSL_NO_DTLS + { + .name = "timeout", + .desc = "Enable timeouts", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.enable_timeouts, + }, +#endif + { + .name = "tls1", + .desc = "Just talk TLSv1", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_tls1, + }, + { + .name = "tls1_1", + .desc = "Just talk TLSv1.1", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_tls1_1, + }, + { + .name = "tls1_2", + .desc = "Just talk TLSv1.2", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_tls1_2, + }, + { + .name = "tls1_3", + .desc = "Just talk TLSv1.3", + .type = OPTION_FUNC, + .opt.func = s_server_opt_protocol_version_tls1_3, + }, + { + .name = "tlsextdebug", + .desc = "Hex dump of all TLS extensions received", + .type = OPTION_FLAG, + .opt.flag = &s_server_config.tlsextdebug, + }, +#ifndef OPENSSL_NO_SRTP + { + .name = "use_srtp", + .argname = "profiles", + .desc = "Offer SRTP key management with a colon-separated profile list", + .type = OPTION_ARG, + .opt.arg = &s_server_config.srtp_profiles, + }, +#endif + { + .name = "Verify", + .argname = "depth", + .desc = "Turn on peer certificate verification, must have a cert", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_verify_fail, + }, + { + .name = "verify", + .argname = "depth", + .desc = "Turn on peer certificate verification", + .type = OPTION_ARG_FUNC, + .opt.argfunc = s_server_opt_verify, + }, + { + .name = "verify_return_error", + .desc = "Return verification error", + .type = OPTION_FLAG, + .opt.flag = &verify_return_error, + }, + { + .name = "WWW", + .desc = "Respond to a 'GET / HTTP/1.0' with file ./", + .type = OPTION_VALUE, + .opt.value = &s_server_config.www, + .value = 2, + }, + { + .name = "www", + .desc = "Respond to a 'GET /' with a status page", + .type = OPTION_VALUE, + .opt.value = &s_server_config.www, + .value = 1, + }, + { + .name = NULL, + .desc = "", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = s_server_opt_verify_param, + }, + { NULL }, +}; - if (!s_quiet) { - BIO_printf(bio_s_out, "ALPN protocols selected: "); - BIO_write(bio_s_out, *out, *outlen); - BIO_write(bio_s_out, "\n", 1); - } +static void +s_server_init(void) +{ + accept_socket = -1; + s_server_config.cipher = NULL; + s_server_config.server_verify = SSL_VERIFY_NONE; + s_server_config.dcert_file = NULL; + s_server_config.dkey_file = NULL; + s_server_config.cert_file = TEST_CERT; + s_server_config.key_file = NULL; + s_server_config.cert_file2 = TEST_CERT2; + s_server_config.key_file2 = NULL; + ctx2 = NULL; + s_server_config.nbio = 0; + s_server_config.nbio_test = 0; + ctx = NULL; + s_server_config.www = 0; - return (SSL_TLSEXT_ERR_OK); + bio_s_out = NULL; + s_server_config.debug = 0; + s_server_config.msg = 0; + s_server_config.quiet = 0; } -#ifndef OPENSSL_NO_SRTP -static char *srtp_profiles = NULL; -#endif +static void +sv_usage(void) +{ + fprintf(stderr, "usage: s_server " + "[-accept port] [-alpn protocols] [-bugs] [-CAfile file]\n" + " [-CApath directory] [-cert file] [-cert2 file]\n" + " [-certform der | pem] [-cipher cipherlist]\n" + " [-context id] [-crl_check] [-crl_check_all] [-crlf]\n" + " [-dcert file] [-dcertform der | pem] [-debug]\n" + " [-dhparam file] [-dkey file] [-dkeyform der | pem]\n" + " [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n" + " [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n" + " [-keyform der | pem] [-keymatexport label]\n" + " [-keymatexportlen len] [-msg] [-mtu mtu]\n" + " [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n" + " [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n" + " [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n" + " [-nocert] [-pass arg] [-quiet] [-servername name]\n" + " [-servername_fatal] [-serverpref] [-state] [-status]\n" + " [-status_timeout nsec] [-status_url url]\n" + " [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n" + " [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n" + " [-Verify depth] [-verify depth] [-verify_return_error]\n" + " [-WWW] [-www]\n"); + fprintf(stderr, "\n"); + options_usage(s_server_options); + fprintf(stderr, "\n"); +} int s_server_main(int argc, char *argv[]) { - X509_VERIFY_PARAM *vpm = NULL; - int badarg = 0; - short port = PORT; - char *CApath = NULL, *CAfile = NULL; - unsigned char *context = NULL; - char *dhfile = NULL; - char *named_curve = NULL; - int badop = 0, bugs = 0; + int badop = 0; int ret = 1; - int off = 0; - int no_dhe = 0, no_ecdhe = 0, nocert = 0; - int state = 0; - const SSL_METHOD *meth = NULL; - int socket_type = SOCK_STREAM; - int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; - char *passarg = NULL, *pass = NULL; - char *dpassarg = NULL, *dpass = NULL; - int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; + char *pass = NULL; + char *dpass = NULL; X509 *s_cert = NULL, *s_dcert = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; - int no_cache = 0; - const char *errstr = NULL; EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; - tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; - const char *alpn_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0 }; if (single_execution) { @@ -590,7 +1081,21 @@ s_server_main(int argc, char *argv[]) } } - meth = SSLv23_server_method(); + memset(&s_server_config, 0, sizeof(s_server_config)); + s_server_config.keymatexportlen = 20; + s_server_config.meth = TLS_server_method(); + s_server_config.port = PORT; + s_server_config.cert_file = TEST_CERT; + s_server_config.cert_file2 = TEST_CERT2; + s_server_config.cert_format = FORMAT_PEM; + s_server_config.dcert_format = FORMAT_PEM; + s_server_config.dkey_format = FORMAT_PEM; + s_server_config.key_format = FORMAT_PEM; + s_server_config.server_verify = SSL_VERIFY_NONE; + s_server_config.socket_type = SOCK_STREAM; + s_server_config.tlscstatp.timeout = -1; + s_server_config.tlsextcbp.extension_error = + SSL_TLSEXT_ERR_ALERT_WARNING; local_argc = argc; local_argv = argv; @@ -598,306 +1103,54 @@ s_server_main(int argc, char *argv[]) s_server_init(); verify_depth = 0; - s_nbio = 0; - s_nbio_test = 0; - - argc--; - argv++; - - while (argc >= 1) { - if ((strcmp(*argv, "-port") == 0) || - (strcmp(*argv, "-accept") == 0)) { - if (--argc < 1) - goto bad; - if (!extract_port(*(++argv), &port)) - goto bad; - } else if (strcmp(*argv, "-verify") == 0) { - s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; - if (--argc < 1) - goto bad; - verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr); - if (errstr) - goto bad; - BIO_printf(bio_err, "verify depth is %d\n", verify_depth); - } else if (strcmp(*argv, "-Verify") == 0) { - s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | - SSL_VERIFY_CLIENT_ONCE; - if (--argc < 1) - goto bad; - verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr); - if (errstr) - goto bad; - BIO_printf(bio_err, "verify depth is %d, must return a certificate\n", verify_depth); - } else if (strcmp(*argv, "-context") == 0) { - if (--argc < 1) - goto bad; - context = (unsigned char *) *(++argv); - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - s_cert_file = *(++argv); - } else if (strcmp(*argv, "-certform") == 0) { - if (--argc < 1) - goto bad; - s_cert_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - s_key_file = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - s_key_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-pass") == 0) { - if (--argc < 1) - goto bad; - passarg = *(++argv); - } else if (strcmp(*argv, "-dhparam") == 0) { - if (--argc < 1) - goto bad; - dhfile = *(++argv); - } - else if (strcmp(*argv, "-named_curve") == 0) { - if (--argc < 1) - goto bad; - named_curve = *(++argv); - } - else if (strcmp(*argv, "-dcertform") == 0) { - if (--argc < 1) - goto bad; - s_dcert_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-dcert") == 0) { - if (--argc < 1) - goto bad; - s_dcert_file = *(++argv); - } else if (strcmp(*argv, "-dkeyform") == 0) { - if (--argc < 1) - goto bad; - s_dkey_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-dpass") == 0) { - if (--argc < 1) - goto bad; - dpassarg = *(++argv); - } else if (strcmp(*argv, "-dkey") == 0) { - if (--argc < 1) - goto bad; - s_dkey_file = *(++argv); - } else if (strcmp(*argv, "-nocert") == 0) { - nocert = 1; - } else if (strcmp(*argv, "-CApath") == 0) { - if (--argc < 1) - goto bad; - CApath = *(++argv); - } else if (strcmp(*argv, "-no_cache") == 0) - no_cache = 1; - else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - if (badarg) - goto bad; - continue; - } else if (strcmp(*argv, "-verify_return_error") == 0) - verify_return_error = 1; - else if (strcmp(*argv, "-serverpref") == 0) { - off |= SSL_OP_CIPHER_SERVER_PREFERENCE; - } else if (strcmp(*argv, "-legacy_renegotiation") == 0) - ; /* no-op */ - else if (strcmp(*argv, "-cipher") == 0) { - if (--argc < 1) - goto bad; - cipher = *(++argv); - } else if (strcmp(*argv, "-CAfile") == 0) { - if (--argc < 1) - goto bad; - CAfile = *(++argv); - } - else if (strcmp(*argv, "-nbio") == 0) { - s_nbio = 1; - } - else if (strcmp(*argv, "-nbio_test") == 0) { - s_nbio = 1; - s_nbio_test = 1; - } else if (strcmp(*argv, "-debug") == 0) { - s_debug = 1; - } - else if (strcmp(*argv, "-tlsextdebug") == 0) - s_tlsextdebug = 1; - else if (strcmp(*argv, "-status") == 0) - s_tlsextstatus = 1; - else if (strcmp(*argv, "-status_verbose") == 0) { - s_tlsextstatus = 1; - tlscstatp.verbose = 1; - } else if (!strcmp(*argv, "-status_timeout")) { - s_tlsextstatus = 1; - if (--argc < 1) - goto bad; - tlscstatp.timeout = strtonum(*(++argv), 0, INT_MAX, &errstr); - if (errstr) - goto bad; - } else if (!strcmp(*argv, "-status_url")) { - s_tlsextstatus = 1; - if (--argc < 1) - goto bad; - if (!OCSP_parse_url(*(++argv), - &tlscstatp.host, - &tlscstatp.port, - &tlscstatp.path, - &tlscstatp.use_ssl)) { - BIO_printf(bio_err, "Error parsing URL\n"); - goto bad; - } - } - else if (strcmp(*argv, "-msg") == 0) { - s_msg = 1; - } else if (strcmp(*argv, "-state") == 0) { - state = 1; - } else if (strcmp(*argv, "-crlf") == 0) { - s_crlf = 1; - } else if (strcmp(*argv, "-quiet") == 0) { - s_quiet = 1; - } else if (strcmp(*argv, "-bugs") == 0) { - bugs = 1; - } else if (strcmp(*argv, "-no_tmp_rsa") == 0) { - /* No-op. */ - } else if (strcmp(*argv, "-no_dhe") == 0) { - no_dhe = 1; - } else if (strcmp(*argv, "-no_ecdhe") == 0) { - no_ecdhe = 1; - } else if (strcmp(*argv, "-www") == 0) { - www = 1; - } else if (strcmp(*argv, "-WWW") == 0) { - www = 2; - } else if (strcmp(*argv, "-HTTP") == 0) { - www = 3; - } else if (strcmp(*argv, "-no_ssl2") == 0) { - off |= SSL_OP_NO_SSLv2; - } else if (strcmp(*argv, "-no_ssl3") == 0) { - off |= SSL_OP_NO_SSLv3; - } else if (strcmp(*argv, "-no_tls1") == 0) { - off |= SSL_OP_NO_TLSv1; - } else if (strcmp(*argv, "-no_tls1_1") == 0) { - off |= SSL_OP_NO_TLSv1_1; - } else if (strcmp(*argv, "-no_tls1_2") == 0) { - off |= SSL_OP_NO_TLSv1_2; - } else if (strcmp(*argv, "-no_comp") == 0) { - off |= SSL_OP_NO_COMPRESSION; - } else if (strcmp(*argv, "-no_ticket") == 0) { - off |= SSL_OP_NO_TICKET; - } else if (strcmp(*argv, "-tls1") == 0) { - meth = TLSv1_server_method(); - } else if (strcmp(*argv, "-tls1_1") == 0) { - meth = TLSv1_1_server_method(); - } else if (strcmp(*argv, "-tls1_2") == 0) { - meth = TLSv1_2_server_method(); - } -#ifndef OPENSSL_NO_DTLS1 - else if (strcmp(*argv, "-dtls1") == 0) { - meth = DTLSv1_server_method(); - socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-timeout") == 0) - enable_timeouts = 1; - else if (strcmp(*argv, "-mtu") == 0) { - if (--argc < 1) - goto bad; - socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr); - if (errstr) - goto bad; - } else if (strcmp(*argv, "-chain") == 0) - cert_chain = 1; -#endif - else if (strcmp(*argv, "-id_prefix") == 0) { - if (--argc < 1) - goto bad; - session_id_prefix = *(++argv); - } - else if (strcmp(*argv, "-servername") == 0) { - if (--argc < 1) - goto bad; - tlsextcbp.servername = *(++argv); - } else if (strcmp(*argv, "-servername_fatal") == 0) { - tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; - } else if (strcmp(*argv, "-cert2") == 0) { - if (--argc < 1) - goto bad; - s_cert_file2 = *(++argv); - } else if (strcmp(*argv, "-key2") == 0) { - if (--argc < 1) - goto bad; - s_key_file2 = *(++argv); - } else if (strcmp(*argv, "-nextprotoneg") == 0) { - /* Ignored. */ - if (--argc < 1) - goto bad; - ++argv; - } else if (strcmp(*argv,"-alpn") == 0) { - if (--argc < 1) - goto bad; - alpn_in = *(++argv); - } -#ifndef OPENSSL_NO_SRTP - else if (strcmp(*argv, "-use_srtp") == 0) { - if (--argc < 1) - goto bad; - srtp_profiles = *(++argv); - } -#endif - else if (strcmp(*argv, "-keymatexport") == 0) { - if (--argc < 1) - goto bad; - keymatexportlabel = *(++argv); - } else if (strcmp(*argv, "-keymatexportlen") == 0) { - if (--argc < 1) - goto bad; - keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr); - if (errstr) - goto bad; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badop = 1; - break; - } - argc--; - argv++; + + if (options_parse(argc, argv, s_server_options, NULL, NULL) != 0) { + badop = 1; + goto bad; } if (badop) { bad: - if (errstr) - BIO_printf(bio_err, "invalid argument %s: %s\n", - *argv, errstr); - else + if (s_server_config.errstr == NULL) sv_usage(); goto end; } - if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) { + if (!app_passwd(bio_err, s_server_config.passarg, + s_server_config.dpassarg, &pass, &dpass)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } - if (s_key_file == NULL) - s_key_file = s_cert_file; - if (s_key_file2 == NULL) - s_key_file2 = s_cert_file2; - - if (nocert == 0) { - s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, + if (s_server_config.key_file == NULL) + s_server_config.key_file = s_server_config.cert_file; + if (s_server_config.key_file2 == NULL) + s_server_config.key_file2 = s_server_config.cert_file2; + + if (s_server_config.nocert == 0) { + s_key = load_key(bio_err, s_server_config.key_file, + s_server_config.key_format, 0, pass, "server certificate private key file"); if (!s_key) { ERR_print_errors(bio_err); goto end; } - s_cert = load_cert(bio_err, s_cert_file, s_cert_format, + s_cert = load_cert(bio_err, s_server_config.cert_file, + s_server_config.cert_format, NULL, "server certificate file"); if (!s_cert) { ERR_print_errors(bio_err); goto end; } - if (tlsextcbp.servername) { - s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, + if (s_server_config.tlsextcbp.servername) { + s_key2 = load_key(bio_err, s_server_config.key_file2, + s_server_config.key_format, 0, pass, "second server certificate private key file"); if (!s_key2) { ERR_print_errors(bio_err); goto end; } - s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format, + s_cert2 = load_cert(bio_err, s_server_config.cert_file2, + s_server_config.cert_format, NULL, "second server certificate file"); if (!s_cert2) { @@ -907,26 +1160,29 @@ s_server_main(int argc, char *argv[]) } } alpn_ctx.data = NULL; - if (alpn_in) { + if (s_server_config.alpn_in) { unsigned short len; - alpn_ctx.data = next_protos_parse(&len, alpn_in); + alpn_ctx.data = next_protos_parse(&len, + s_server_config.alpn_in); if (alpn_ctx.data == NULL) goto end; alpn_ctx.len = len; } - if (s_dcert_file) { + if (s_server_config.dcert_file) { - if (s_dkey_file == NULL) - s_dkey_file = s_dcert_file; + if (s_server_config.dkey_file == NULL) + s_server_config.dkey_file = s_server_config.dcert_file; - s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format, + s_dkey = load_key(bio_err, s_server_config.dkey_file, + s_server_config.dkey_format, 0, dpass, "second certificate private key file"); if (!s_dkey) { ERR_print_errors(bio_err); goto end; } - s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format, + s_dcert = load_cert(bio_err, s_server_config.dcert_file, + s_server_config.dcert_format, NULL, "second server certificate file"); if (!s_dcert) { @@ -935,31 +1191,40 @@ s_server_main(int argc, char *argv[]) } } if (bio_s_out == NULL) { - if (s_quiet && !s_debug && !s_msg) { + if (s_server_config.quiet && !s_server_config.debug && + !s_server_config.msg) { bio_s_out = BIO_new(BIO_s_null()); } else { if (bio_s_out == NULL) bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE); } } - if (nocert) { - s_cert_file = NULL; - s_key_file = NULL; - s_dcert_file = NULL; - s_dkey_file = NULL; - s_cert_file2 = NULL; - s_key_file2 = NULL; + if (s_server_config.nocert) { + s_server_config.cert_file = NULL; + s_server_config.key_file = NULL; + s_server_config.dcert_file = NULL; + s_server_config.dkey_file = NULL; + s_server_config.cert_file2 = NULL; + s_server_config.key_file2 = NULL; } - ctx = SSL_CTX_new(meth); + ctx = SSL_CTX_new(s_server_config.meth); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; } - if (session_id_prefix) { - if (strlen(session_id_prefix) >= 32) + + SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); + + if (!SSL_CTX_set_min_proto_version(ctx, s_server_config.min_version)) + goto end; + if (!SSL_CTX_set_max_proto_version(ctx, s_server_config.max_version)) + goto end; + + if (s_server_config.session_id_prefix) { + if (strlen(s_server_config.session_id_prefix) >= 32) BIO_printf(bio_err, "warning: id_prefix is too long, only one new session will be possible\n"); - else if (strlen(session_id_prefix) >= 16) + else if (strlen(s_server_config.session_id_prefix) >= 16) BIO_printf(bio_err, "warning: id_prefix is too long if you use SSLv2\n"); if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) { @@ -967,102 +1232,111 @@ s_server_main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } - BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); + BIO_printf(bio_err, "id_prefix '%s' set.\n", + s_server_config.session_id_prefix); } SSL_CTX_set_quiet_shutdown(ctx, 1); - if (bugs) + if (s_server_config.bugs) SSL_CTX_set_options(ctx, SSL_OP_ALL); - SSL_CTX_set_options(ctx, off); - /* - * DTLS: partial reads end up discarding unread UDP bytes :-( Setting - * read ahead solves this problem. - */ - if (socket_type == SOCK_DGRAM) - SSL_CTX_set_read_ahead(ctx, 1); - - if (state) + SSL_CTX_set_options(ctx, s_server_config.off); + + if (s_server_config.state) SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); - if (no_cache) + if (s_server_config.no_cache) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); else SSL_CTX_sess_set_cache_size(ctx, 128); #ifndef OPENSSL_NO_SRTP - if (srtp_profiles != NULL) - SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); + if (s_server_config.srtp_profiles != NULL) + SSL_CTX_set_tlsext_use_srtp(ctx, s_server_config.srtp_profiles); #endif - - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || + if ((!SSL_CTX_load_verify_locations(ctx, s_server_config.CAfile, + s_server_config.CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ ERR_print_errors(bio_err); /* goto end; */ } - if (vpm) - SSL_CTX_set1_param(ctx, vpm); + if (s_server_config.vpm) + SSL_CTX_set1_param(ctx, s_server_config.vpm); if (s_cert2) { - ctx2 = SSL_CTX_new(meth); + ctx2 = SSL_CTX_new(s_server_config.meth); if (ctx2 == NULL) { ERR_print_errors(bio_err); goto end; } + + if (!SSL_CTX_set_min_proto_version(ctx2, + s_server_config.min_version)) + goto end; + if (!SSL_CTX_set_max_proto_version(ctx2, + s_server_config.max_version)) + goto end; + SSL_CTX_clear_mode(ctx2, SSL_MODE_AUTO_RETRY); } if (ctx2) { BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); - if (session_id_prefix) { - if (strlen(session_id_prefix) >= 32) + if (s_server_config.session_id_prefix) { + if (strlen(s_server_config.session_id_prefix) >= 32) BIO_printf(bio_err, "warning: id_prefix is too long, only one new session will be possible\n"); - else if (strlen(session_id_prefix) >= 16) + else if (strlen(s_server_config.session_id_prefix) >= 16) BIO_printf(bio_err, "warning: id_prefix is too long if you use SSLv2\n"); - if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) { - BIO_printf(bio_err, "error setting 'id_prefix'\n"); + if (!SSL_CTX_set_generate_session_id(ctx2, + generate_session_id)) { + BIO_printf(bio_err, + "error setting 'id_prefix'\n"); ERR_print_errors(bio_err); goto end; } - BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); + BIO_printf(bio_err, "id_prefix '%s' set.\n", + s_server_config.session_id_prefix); } SSL_CTX_set_quiet_shutdown(ctx2, 1); - if (bugs) + if (s_server_config.bugs) SSL_CTX_set_options(ctx2, SSL_OP_ALL); - SSL_CTX_set_options(ctx2, off); - /* - * DTLS: partial reads end up discarding unread UDP bytes :-( - * Setting read ahead solves this problem. - */ - if (socket_type == SOCK_DGRAM) - SSL_CTX_set_read_ahead(ctx2, 1); + SSL_CTX_set_options(ctx2, s_server_config.off); - if (state) + if (s_server_config.state) SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback); - if (no_cache) + if (s_server_config.no_cache) SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF); else SSL_CTX_sess_set_cache_size(ctx2, 128); - if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) || + if ((!SSL_CTX_load_verify_locations(ctx2, + s_server_config.CAfile, s_server_config.CApath)) || (!SSL_CTX_set_default_verify_paths(ctx2))) { ERR_print_errors(bio_err); } - if (vpm) - SSL_CTX_set1_param(ctx2, vpm); + if (s_server_config.vpm) + SSL_CTX_set1_param(ctx2, s_server_config.vpm); } if (alpn_ctx.data) SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); + if (s_server_config.groups_in != NULL) { + if (SSL_CTX_set1_groups_list(ctx, s_server_config.groups_in) != 1) { + BIO_printf(bio_err, "Failed to set groups '%s'\n", + s_server_config.groups_in); + goto end; + } + } + #ifndef OPENSSL_NO_DH - if (!no_dhe) { + if (!s_server_config.no_dhe) { DH *dh = NULL; - if (dhfile) - dh = load_dh_param(dhfile); - else if (s_cert_file) - dh = load_dh_param(s_cert_file); + if (s_server_config.dhfile) + dh = load_dh_param(s_server_config.dhfile); + else if (s_server_config.cert_file) + dh = load_dh_param(s_server_config.cert_file); if (dh != NULL) BIO_printf(bio_s_out, "Setting temp DH parameters\n"); @@ -1081,13 +1355,15 @@ s_server_main(int argc, char *argv[]) } if (ctx2) { - if (!dhfile) { + if (!s_server_config.dhfile) { DH *dh2 = NULL; - if (s_cert_file2 != NULL) - dh2 = load_dh_param(s_cert_file2); + if (s_server_config.cert_file2 != NULL) + dh2 = load_dh_param( + s_server_config.cert_file2); if (dh2 != NULL) { - BIO_printf(bio_s_out, "Setting temp DH parameters\n"); + BIO_printf(bio_s_out, + "Setting temp DH parameters\n"); (void) BIO_flush(bio_s_out); DH_free(dh); @@ -1108,34 +1384,21 @@ s_server_main(int argc, char *argv[]) } #endif - if (!no_ecdhe) { + if (!s_server_config.no_ecdhe && s_server_config.named_curve != NULL) { EC_KEY *ecdh = NULL; + int nid; - if (named_curve) { - int nid = OBJ_sn2nid(named_curve); - - if (nid == 0) { - BIO_printf(bio_err, "unknown curve name (%s)\n", - named_curve); - goto end; - } - ecdh = EC_KEY_new_by_curve_name(nid); - if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve (%s)\n", - named_curve); - goto end; - } - } - if (ecdh != NULL) { - BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); - } else { - BIO_printf(bio_s_out, "Using default temp ECDH parameters\n"); - ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve (nistp256)\n"); - goto end; - } - } + if ((nid = OBJ_sn2nid(s_server_config.named_curve)) == 0) { + BIO_printf(bio_err, "unknown curve name (%s)\n", + s_server_config.named_curve); + goto end; + } + if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { + BIO_printf(bio_err, "unable to create curve (%s)\n", + s_server_config.named_curve); + goto end; + } + BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); (void) BIO_flush(bio_s_out); SSL_CTX_set_tmp_ecdh(ctx, ecdh); @@ -1153,20 +1416,22 @@ s_server_main(int argc, char *argv[]) goto end; } - if (cipher != NULL) { - if (!SSL_CTX_set_cipher_list(ctx, cipher)) { + if (s_server_config.cipher != NULL) { + if (!SSL_CTX_set_cipher_list(ctx, s_server_config.cipher)) { BIO_printf(bio_err, "error setting cipher list\n"); ERR_print_errors(bio_err); goto end; } - if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) { + if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, + s_server_config.cipher)) { BIO_printf(bio_err, "error setting cipher list\n"); ERR_print_errors(bio_err); goto end; } } - SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); - SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context, + SSL_CTX_set_verify(ctx, s_server_config.server_verify, verify_callback); + SSL_CTX_set_session_id_context(ctx, + (void *) &s_server_session_id_context, sizeof s_server_session_id_context); /* Set DTLS cookie generation and verification callbacks */ @@ -1174,28 +1439,36 @@ s_server_main(int argc, char *argv[]) SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); if (ctx2) { - SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); - SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context, + SSL_CTX_set_verify(ctx2, s_server_config.server_verify, + verify_callback); + SSL_CTX_set_session_id_context(ctx2, + (void *) &s_server_session_id_context, sizeof s_server_session_id_context); - tlsextcbp.biodebug = bio_s_out; + s_server_config.tlsextcbp.biodebug = bio_s_out; SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); - SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); + SSL_CTX_set_tlsext_servername_arg(ctx2, + &s_server_config.tlsextcbp); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); - SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); + SSL_CTX_set_tlsext_servername_arg(ctx, + &s_server_config.tlsextcbp); } - if (CAfile != NULL) { - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); + if (s_server_config.CAfile != NULL) { + SSL_CTX_set_client_CA_list(ctx, + SSL_load_client_CA_file(s_server_config.CAfile)); if (ctx2) - SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); + SSL_CTX_set_client_CA_list(ctx2, + SSL_load_client_CA_file(s_server_config.CAfile)); } BIO_printf(bio_s_out, "ACCEPT\n"); (void) BIO_flush(bio_s_out); - if (www) - do_server(port, socket_type, &accept_socket, www_body, context); + if (s_server_config.www) + do_server(s_server_config.port, s_server_config.socket_type, + &accept_socket, www_body, s_server_config.context); else - do_server(port, socket_type, &accept_socket, sv_body, context); + do_server(s_server_config.port, s_server_config.socket_type, + &accept_socket, sv_body, s_server_config.context); print_stats(bio_s_out, ctx); ret = 0; end: @@ -1206,10 +1479,10 @@ s_server_main(int argc, char *argv[]) EVP_PKEY_free(s_dkey); free(pass); free(dpass); - X509_VERIFY_PARAM_free(vpm); - free(tlscstatp.host); - free(tlscstatp.port); - free(tlscstatp.path); + X509_VERIFY_PARAM_free(s_server_config.vpm); + free(s_server_config.tlscstatp.host); + free(s_server_config.tlscstatp.port); + free(s_server_config.tlscstatp.path); SSL_CTX_free(ctx2); X509_free(s_cert2); EVP_PKEY_free(s_key2); @@ -1223,7 +1496,7 @@ s_server_main(int argc, char *argv[]) } static void -print_stats(BIO * bio, SSL_CTX * ssl_ctx) +print_stats(BIO *bio, SSL_CTX *ssl_ctx) { BIO_printf(bio, "%4ld items in the session cache\n", SSL_CTX_sess_number(ssl_ctx)); @@ -1239,10 +1512,14 @@ print_stats(BIO * bio, SSL_CTX * ssl_ctx) SSL_CTX_sess_accept_renegotiate(ssl_ctx)); BIO_printf(bio, "%4ld server accepts that finished\n", SSL_CTX_sess_accept_good(ssl_ctx)); - BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx)); - BIO_printf(bio, "%4ld session cache misses\n", SSL_CTX_sess_misses(ssl_ctx)); - BIO_printf(bio, "%4ld session cache timeouts\n", SSL_CTX_sess_timeouts(ssl_ctx)); - BIO_printf(bio, "%4ld callback cache hits\n", SSL_CTX_sess_cb_hits(ssl_ctx)); + BIO_printf(bio, "%4ld session cache hits\n", + SSL_CTX_sess_hits(ssl_ctx)); + BIO_printf(bio, "%4ld session cache misses\n", + SSL_CTX_sess_misses(ssl_ctx)); + BIO_printf(bio, "%4ld session cache timeouts\n", + SSL_CTX_sess_timeouts(ssl_ctx)); + BIO_printf(bio, "%4ld callback cache hits\n", + SSL_CTX_sess_cb_hits(ssl_ctx)); BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n", SSL_CTX_sess_cache_full(ssl_ctx), SSL_CTX_sess_get_cache_size(ssl_ctx)); @@ -1263,8 +1540,8 @@ sv_body(char *hostname, int s, unsigned char *context) BIO_printf(bio_err, "out of memory\n"); goto err; } - if (s_nbio) { - if (!s_quiet) + if (s_server_config.nbio) { + if (!s_server_config.quiet) BIO_printf(bio_err, "turning on non blocking io\n"); if (!BIO_socket_nbio(s, 1)) ERR_print_errors(bio_err); @@ -1272,14 +1549,15 @@ sv_body(char *hostname, int s, unsigned char *context) if (con == NULL) { con = SSL_new(ctx); - if (s_tlsextdebug) { + if (s_server_config.tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } - if (s_tlsextstatus) { + if (s_server_config.tlsextstatus) { SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); - tlscstatp.err = bio_err; - SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); + s_server_config.tlscstatp.err = bio_err; + SSL_CTX_set_tlsext_status_arg(ctx, + &s_server_config.tlscstatp); } if (context) SSL_set_session_id_context(con, context, @@ -1287,22 +1565,23 @@ sv_body(char *hostname, int s, unsigned char *context) } SSL_clear(con); - if (SSL_version(con) == DTLS1_VERSION) { - + if (SSL_is_dtls(con)) { sbio = BIO_new_dgram(s, BIO_NOCLOSE); - if (enable_timeouts) { + if (s_server_config.enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; - BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, + &timeout); timeout.tv_sec = 0; timeout.tv_usec = DGRAM_SND_TIMEOUT; - BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, + &timeout); } - if (socket_mtu > 28) { + if (s_server_config.socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + SSL_set_mtu(con, s_server_config.socket_mtu - 28); } else /* want to do MTU discovery */ BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); @@ -1312,7 +1591,7 @@ sv_body(char *hostname, int s, unsigned char *context) } else sbio = BIO_new_socket(s, BIO_NOCLOSE); - if (s_nbio_test) { + if (s_server_config.nbio_test) { BIO *test; test = BIO_new(BIO_f_nbio_test()); @@ -1323,16 +1602,16 @@ sv_body(char *hostname, int s, unsigned char *context) SSL_set_accept_state(con); /* SSL_set_fd(con,s); */ - if (s_debug) { + if (s_server_config.debug) { SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out); } - if (s_msg) { + if (s_server_config.msg) { SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_s_out); } - if (s_tlsextdebug) { + if (s_server_config.tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } @@ -1352,7 +1631,7 @@ sv_body(char *hostname, int s, unsigned char *context) pfd[1].fd = s; pfd[1].events = POLLIN; - if ((SSL_version(con) == DTLS1_VERSION) && + if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)) ptimeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; @@ -1361,9 +1640,9 @@ sv_body(char *hostname, int s, unsigned char *context) i = poll(pfd, 2, ptimeout); - if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { + if (SSL_is_dtls(con) && + DTLSv1_handle_timeout(con) > 0) BIO_printf(bio_err, "TIMEOUT occured\n"); - } if (i <= 0) continue; if (pfd[0].revents) { @@ -1378,7 +1657,7 @@ sv_body(char *hostname, int s, unsigned char *context) } } if (read_from_terminal) { - if (s_crlf) { + if (s_server_config.crlf) { int j, lf_num; i = read(fileno(stdin), buf, bufsize / 2); @@ -1398,7 +1677,7 @@ sv_body(char *hostname, int s, unsigned char *context) assert(lf_num == 0); } else i = read(fileno(stdin), buf, bufsize); - if (!s_quiet) { + if (!s_server_config.quiet) { if ((i <= 0) || (buf[0] == 'Q')) { BIO_printf(bio_s_out, "DONE\n"); shutdown(s, SHUT_RD); @@ -1409,7 +1688,7 @@ sv_body(char *hostname, int s, unsigned char *context) } if ((i <= 0) || (buf[0] == 'q')) { BIO_printf(bio_s_out, "DONE\n"); - if (SSL_version(con) != DTLS1_VERSION) { + if (!SSL_is_dtls(con)) { shutdown(s, SHUT_RD); close(s); } @@ -1432,7 +1711,9 @@ sv_body(char *hostname, int s, unsigned char *context) if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) { SSL_set_verify(con, - SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL); + SSL_VERIFY_PEER | + SSL_VERIFY_CLIENT_ONCE, + NULL); SSL_renegotiate(con); i = SSL_do_handshake(con); printf("SSL_do_handshake -> %d\n", i); @@ -1444,11 +1725,14 @@ sv_body(char *hostname, int s, unsigned char *context) */ } if (buf[0] == 'P') { - static const char *str = "Lets print some clear text\n"; - BIO_write(SSL_get_wbio(con), str, strlen(str)); + static const char *str = + "Lets print some clear text\n"; + BIO_write(SSL_get_wbio(con), str, + strlen(str)); } if (buf[0] == 'S') { - print_stats(bio_s_out, SSL_get_SSL_CTX(con)); + print_stats(bio_s_out, + SSL_get_SSL_CTX(con)); } } l = k = 0; @@ -1484,6 +1768,8 @@ sv_body(char *hostname, int s, unsigned char *context) ret = 1; goto err; } + if (k <= 0) + continue; l += k; i -= k; if (i <= 0) @@ -1543,7 +1829,8 @@ sv_body(char *hostname, int s, unsigned char *context) err: if (con != NULL) { BIO_printf(bio_s_out, "shutting down SSL\n"); - SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + SSL_set_shutdown(con, + SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); SSL_free(con); } BIO_printf(bio_s_out, "CONNECTION CLOSED\n"); @@ -1564,7 +1851,7 @@ close_accept_socket(void) } static int -init_ssl_connection(SSL * con) +init_ssl_connection(SSL *con) { int i; const char *str; @@ -1611,7 +1898,8 @@ init_ssl_connection(SSL * con) = SSL_get_selected_srtp_profile(con); if (srtp_profile) - BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n", + BIO_printf(bio_s_out, + "SRTP Extension negotiated, profile=%s\n", srtp_profile->name); } #endif @@ -1619,22 +1907,23 @@ init_ssl_connection(SSL * con) BIO_printf(bio_s_out, "Reused session-id\n"); BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); - if (keymatexportlabel != NULL) { + if (s_server_config.keymatexportlabel != NULL) { BIO_printf(bio_s_out, "Keying material exporter:\n"); - BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); + BIO_printf(bio_s_out, " Label: '%s'\n", + s_server_config.keymatexportlabel); BIO_printf(bio_s_out, " Length: %i bytes\n", - keymatexportlen); - exportedkeymat = malloc(keymatexportlen); + s_server_config.keymatexportlen); + exportedkeymat = malloc(s_server_config.keymatexportlen); if (exportedkeymat != NULL) { if (!SSL_export_keying_material(con, exportedkeymat, - keymatexportlen, - keymatexportlabel, - strlen(keymatexportlabel), + s_server_config.keymatexportlen, + s_server_config.keymatexportlabel, + strlen(s_server_config.keymatexportlabel), NULL, 0, 0)) { BIO_printf(bio_s_out, " Error\n"); } else { BIO_printf(bio_s_out, " Keying material: "); - for (i = 0; i < keymatexportlen; i++) + for (i = 0; i < s_server_config.keymatexportlen; i++) BIO_printf(bio_s_out, "%02X", exportedkeymat[i]); BIO_printf(bio_s_out, "\n"); @@ -1679,8 +1968,8 @@ www_body(char *hostname, int s, unsigned char *context) if ((io == NULL) || (ssl_bio == NULL)) goto err; - if (s_nbio) { - if (!s_quiet) + if (s_server_config.nbio) { + if (!s_server_config.quiet) BIO_printf(bio_err, "turning on non blocking io\n"); if (!BIO_socket_nbio(s, 1)) ERR_print_errors(bio_err); @@ -1692,7 +1981,7 @@ www_body(char *hostname, int s, unsigned char *context) if ((con = SSL_new(ctx)) == NULL) goto err; - if (s_tlsextdebug) { + if (s_server_config.tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } @@ -1701,7 +1990,7 @@ www_body(char *hostname, int s, unsigned char *context) strlen((char *) context)); sbio = BIO_new_socket(s, BIO_NOCLOSE); - if (s_nbio_test) { + if (s_server_config.nbio_test) { BIO *test; test = BIO_new(BIO_f_nbio_test()); @@ -1714,12 +2003,12 @@ www_body(char *hostname, int s, unsigned char *context) BIO_set_ssl(ssl_bio, con, BIO_CLOSE); BIO_push(io, ssl_bio); - if (s_debug) { + if (s_server_config.debug) { SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out); } - if (s_msg) { + if (s_server_config.msg) { SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_s_out); } @@ -1727,12 +2016,14 @@ www_body(char *hostname, int s, unsigned char *context) i = BIO_gets(io, buf, bufsize - 1); if (i < 0) { /* error */ if (!BIO_should_retry(io)) { - if (!s_quiet) + if (!s_server_config.quiet) ERR_print_errors(bio_err); goto err; } else { - BIO_printf(bio_s_out, "read R BLOCK\n"); - sleep(1); + if (s_server_config.debug) { + BIO_printf(bio_s_out, "read R BLOCK\n"); + sleep(1); + } continue; } } else if (i == 0) { /* end of input */ @@ -1740,11 +2031,13 @@ www_body(char *hostname, int s, unsigned char *context) goto end; } /* else we have data */ - if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) || - ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) { + if (((s_server_config.www == 1) && + (strncmp("GET ", buf, 4) == 0)) || + ((s_server_config.www == 2) && + (strncmp("GET /stats ", buf, 11) == 0))) { char *p; X509 *peer; - STACK_OF(SSL_CIPHER) * sk; + STACK_OF(SSL_CIPHER) *sk; static const char *space = " "; BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); @@ -1767,7 +2060,8 @@ www_body(char *hostname, int s, unsigned char *context) * The following is evil and should not really be * done */ - BIO_printf(io, "Ciphers supported in s_server binary\n"); + BIO_printf(io, + "Ciphers supported in s_server binary\n"); sk = SSL_get_ciphers(con); j = sk_SSL_CIPHER_num(sk); for (i = 0; i < j; i++) { @@ -1781,14 +2075,16 @@ www_body(char *hostname, int s, unsigned char *context) BIO_puts(io, "\n"); p = SSL_get_shared_ciphers(con, buf, bufsize); if (p != NULL) { - BIO_printf(io, "---\nCiphers common between both SSL end points:\n"); + BIO_printf(io, + "---\nCiphers common between both SSL end points:\n"); j = i = 0; while (*p) { if (*p == ':') { BIO_write(io, space, 26 - j); i++; j = 0; - BIO_write(io, ((i % 3) ? " " : "\n"), 1); + BIO_write(io, + ((i % 3) ? " " : "\n"), 1); } else { BIO_write(io, p, 1); j++; @@ -1814,11 +2110,13 @@ www_body(char *hostname, int s, unsigned char *context) X509_print(io, peer); PEM_write_bio_X509(io, peer); } else - BIO_puts(io, "no client certificate available\n"); + BIO_puts(io, + "no client certificate available\n"); BIO_puts(io, "\r\n\r\n"); break; - } else if ((www == 2 || www == 3) - && (strncmp("GET /", buf, 5) == 0)) { + } else if ((s_server_config.www == 2 || + s_server_config.www == 3) && + (strncmp("GET /", buf, 5) == 0)) { BIO *file; char *p, *e; static const char *text = "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; @@ -1839,30 +2137,35 @@ www_body(char *hostname, int s, unsigned char *context) dot = (e[0] == '.') ? 3 : 0; break; case 3: - dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0; + dot = (e[0] == '/' || e[0] == '\\') ? + -1 : 0; break; } if (dot == 0) - dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0; + dot = (e[0] == '/' || e[0] == '\\') ? + 1 : 0; } - dot = (dot == 3) || (dot == -1); /* filename contains - * ".." component */ + dot = (dot == 3) || (dot == -1); /* filename contains + * ".." component */ if (*e == '\0') { BIO_puts(io, text); - BIO_printf(io, "'%s' is an invalid file name\r\n", p); + BIO_printf(io, + "'%s' is an invalid file name\r\n", p); break; } *e = '\0'; if (dot) { BIO_puts(io, text); - BIO_printf(io, "'%s' contains '..' reference\r\n", p); + BIO_printf(io, + "'%s' contains '..' reference\r\n", p); break; } if (*p == '/') { BIO_puts(io, text); - BIO_printf(io, "'%s' is an invalid path\r\n", p); + BIO_printf(io, + "'%s' is an invalid path\r\n", p); break; } /* if a directory, do the index thang */ @@ -1877,10 +2180,10 @@ www_body(char *hostname, int s, unsigned char *context) ERR_print_errors(io); break; } - if (!s_quiet) + if (!s_server_config.quiet) BIO_printf(bio_err, "FILE:%s\n", p); - if (www == 2) { + if (s_server_config.www == 2) { i = strlen(p); if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) || ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) || @@ -1919,7 +2222,8 @@ www_body(char *hostname, int s, unsigned char *context) if (!BIO_should_retry(io)) goto write_error; else { - BIO_printf(bio_s_out, "rwrite W BLOCK\n"); + BIO_printf(bio_s_out, + "rwrite W BLOCK\n"); } } else { j += k; @@ -1957,8 +2261,7 @@ www_body(char *hostname, int s, unsigned char *context) #define MAX_SESSION_ID_ATTEMPTS 10 static int -generate_session_id(const SSL * ssl, unsigned char *id, - unsigned int *id_len) +generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len) { unsigned int count = 0; do { @@ -1970,9 +2273,9 @@ generate_session_id(const SSL * ssl, unsigned char *id, * 1 session ID (ie. the prefix!) so all future session * negotiations will fail due to conflicts. */ - memcpy(id, session_id_prefix, - (strlen(session_id_prefix) < *id_len) ? - strlen(session_id_prefix) : *id_len); + memcpy(id, s_server_config.session_id_prefix, + (strlen(s_server_config.session_id_prefix) < *id_len) ? + strlen(s_server_config.session_id_prefix) : *id_len); } while (SSL_has_matching_session_id(ssl, id, *id_len) && (++count < MAX_SESSION_ID_ATTEMPTS)); @@ -1980,3 +2283,184 @@ generate_session_id(const SSL * ssl, unsigned char *id, return 0; return 1; } + +static int +ssl_servername_cb(SSL *s, int *ad, void *arg) +{ + tlsextctx *p = (tlsextctx *) arg; + const char *servername = SSL_get_servername(s, + TLSEXT_NAMETYPE_host_name); + + if (servername && p->biodebug) + BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", + servername); + + if (!p->servername) + return SSL_TLSEXT_ERR_NOACK; + + if (servername) { + if (strcmp(servername, p->servername)) + return p->extension_error; + if (ctx2) { + BIO_printf(p->biodebug, "Switching server context.\n"); + SSL_set_SSL_CTX(s, ctx2); + } + } + return SSL_TLSEXT_ERR_OK; +} + +/* Certificate Status callback. This is called when a client includes a + * certificate status request extension. + * + * This is a simplified version. It examines certificates each time and + * makes one OCSP responder query for each request. + * + * A full version would store details such as the OCSP certificate IDs and + * minimise the number of OCSP responses by caching them until they were + * considered "expired". + */ + +static int +cert_status_cb(SSL *s, void *arg) +{ + tlsextstatusctx *srctx = arg; + BIO *err = srctx->err; + char *host = NULL, *port = NULL, *path = NULL; + int use_ssl; + unsigned char *rspder = NULL; + int rspderlen; + STACK_OF(OPENSSL_STRING) *aia = NULL; + X509 *x = NULL; + X509_STORE_CTX inctx; + X509_OBJECT obj; + OCSP_REQUEST *req = NULL; + OCSP_RESPONSE *resp = NULL; + OCSP_CERTID *id = NULL; + STACK_OF(X509_EXTENSION) *exts; + int ret = SSL_TLSEXT_ERR_NOACK; + int i; + + if (srctx->verbose) + BIO_puts(err, "cert_status: callback called\n"); + /* Build up OCSP query from server certificate */ + x = SSL_get_certificate(s); + aia = X509_get1_ocsp(x); + if (aia) { + if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), + &host, &port, &path, &use_ssl)) { + BIO_puts(err, "cert_status: can't parse AIA URL\n"); + goto err; + } + if (srctx->verbose) + BIO_printf(err, "cert_status: AIA URL: %s\n", + sk_OPENSSL_STRING_value(aia, 0)); + } else { + if (!srctx->host) { + BIO_puts(srctx->err, + "cert_status: no AIA and no default responder URL\n"); + goto done; + } + host = srctx->host; + path = srctx->path; + port = srctx->port; + use_ssl = srctx->use_ssl; + } + + if (!X509_STORE_CTX_init(&inctx, + SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), + NULL, NULL)) + goto err; + if (X509_STORE_get_by_subject(&inctx, X509_LU_X509, + X509_get_issuer_name(x), &obj) <= 0) { + BIO_puts(err, + "cert_status: Can't retrieve issuer certificate.\n"); + X509_STORE_CTX_cleanup(&inctx); + goto done; + } + req = OCSP_REQUEST_new(); + if (!req) + goto err; + id = OCSP_cert_to_id(NULL, x, obj.data.x509); + X509_free(obj.data.x509); + X509_STORE_CTX_cleanup(&inctx); + if (!id) + goto err; + if (!OCSP_request_add0_id(req, id)) + goto err; + id = NULL; + /* Add any extensions to the request */ + SSL_get_tlsext_status_exts(s, &exts); + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { + X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); + if (!OCSP_REQUEST_add_ext(req, ext, -1)) + goto err; + } + resp = process_responder(err, req, host, path, port, use_ssl, NULL, + srctx->timeout); + if (!resp) { + BIO_puts(err, "cert_status: error querying responder\n"); + goto done; + } + rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); + if (rspderlen <= 0) + goto err; + SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); + if (srctx->verbose) { + BIO_puts(err, "cert_status: ocsp response sent:\n"); + OCSP_RESPONSE_print(err, resp, 2); + } + ret = SSL_TLSEXT_ERR_OK; + done: + if (ret != SSL_TLSEXT_ERR_OK) + ERR_print_errors(err); + if (aia) { + free(host); + free(path); + free(port); + X509_email_free(aia); + } + if (id) + OCSP_CERTID_free(id); + if (req) + OCSP_REQUEST_free(req); + if (resp) + OCSP_RESPONSE_free(resp); + return ret; + err: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + goto done; +} + +static int +alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, void *arg) +{ + tlsextalpnctx *alpn_ctx = arg; + + if (!s_server_config.quiet) { + /* We can assume that in is syntactically valid. */ + unsigned i; + + BIO_printf(bio_s_out, + "ALPN protocols advertised by the client: "); + for (i = 0; i < inlen; ) { + if (i) + BIO_write(bio_s_out, ", ", 2); + BIO_write(bio_s_out, &in[i + 1], in[i]); + i += in[i] + 1; + } + BIO_write(bio_s_out, "\n", 1); + } + + if (SSL_select_next_proto((unsigned char**)out, outlen, alpn_ctx->data, + alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED) + return (SSL_TLSEXT_ERR_NOACK); + + if (!s_server_config.quiet) { + BIO_printf(bio_s_out, "ALPN protocols selected: "); + BIO_write(bio_s_out, *out, *outlen); + BIO_write(bio_s_out, "\n", 1); + } + + return (SSL_TLSEXT_ERR_OK); +} diff --git a/apps/openssl/verify.c b/apps/openssl/verify.c index f616e3c4..dd321761 100644 --- a/apps/openssl/verify.c +++ b/apps/openssl/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.7 2018/02/07 05:47:55 jsing Exp $ */ +/* $OpenBSD: verify.c,v 1.14 2021/02/15 17:57:58 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,22 +68,205 @@ #include #include -static int cb(int ok, X509_STORE_CTX * ctx); -static int check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain, - STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls); -static int v_verbose = 0, vflags = 0; +static int cb(int ok, X509_STORE_CTX *ctx); +static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, + STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls); +static int vflags = 0; + +static struct { + char *CAfile; + char *CApath; + char *crlfile; + char *trustfile; + char *untfile; + int verbose; + X509_VERIFY_PARAM *vpm; +} verify_config; + +static int +verify_opt_args(int argc, char **argv, int *argsused) +{ + int oargc = argc; + int badarg = 0; + + if (!args_verify(&argv, &argc, &badarg, bio_err, &verify_config.vpm)) + return (1); + if (badarg) + return (1); + + *argsused = oargc - argc; + + return (0); +} + +static const struct option verify_options[] = { + { + .name = "CAfile", + .argname = "file", + .desc = "Certificate Authority file", + .type = OPTION_ARG, + .opt.arg = &verify_config.CAfile, + }, + { + .name = "CApath", + .argname = "path", + .desc = "Certificate Authority path", + .type = OPTION_ARG, + .opt.arg = &verify_config.CApath, + }, + { + .name = "CRLfile", + .argname = "file", + .desc = "Certificate Revocation List file", + .type = OPTION_ARG, + .opt.arg = &verify_config.crlfile, + }, + { + .name = "trusted", + .argname = "file", + .desc = "Trusted certificates file", + .type = OPTION_ARG, + .opt.arg = &verify_config.trustfile, + }, + { + .name = "untrusted", + .argname = "file", + .desc = "Untrusted certificates file", + .type = OPTION_ARG, + .opt.arg = &verify_config.untfile, + }, + { + .name = "verbose", + .desc = "Verbose", + .type = OPTION_FLAG, + .opt.flag = &verify_config.verbose, + }, + { + .name = NULL, + .desc = "", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = verify_opt_args, + }, + { NULL }, +}; + +static const struct option verify_shared_options[] = { + { + .name = "attime", + .argname = "epoch", + .desc = "Use epoch as the verification time", + }, + { + .name = "check_ss_sig", + .desc = "Check the root CA self-signed certificate signature", + }, + { + .name = "crl_check", + .desc = "Enable CRL checking for the leaf certificate", + }, + { + .name = "crl_check_all", + .desc = "Enable CRL checking for the entire certificate chain", + }, + { + .name = "explicit_policy", + .desc = "Require explicit policy (per RFC 3280)", + }, + { + .name = "extended_crl", + .desc = "Enable extended CRL support", + }, + { + .name = "ignore_critical", + .desc = "Disable critical extension checking", + }, + { + .name = "inhibit_any", + .desc = "Inhibit any policy (per RFC 3280)", + }, + { + .name = "inhibit_map", + .desc = "Inhibit policy mapping (per RFC 3280)", + }, + { + .name = "issuer_checks", + .desc = "Enable debugging of certificate issuer checks", + }, + { + .name = "legacy_verify", + .desc = "Use legacy certificate chain verification", + }, + { + .name = "policy", + .argname = "name", + .desc = "Add given policy to the acceptable set", + }, + { + .name = "policy_check", + .desc = "Enable certificate policy checking", + }, + { + .name = "policy_print", + .desc = "Print policy", + }, + { + .name = "purpose", + .argname = "name", + .desc = "Verify for the given purpose", + }, + { + .name = "use_deltas", + .desc = "Use delta CRLS (if present)", + }, + { + .name = "verify_depth", + .argname = "num", + .desc = "Limit verification to the given depth", + }, + { + .name = "x509_strict", + .desc = "Use strict X.509 rules (disables workarounds)", + }, + { NULL }, +}; + +static void +verify_usage(void) +{ + int i; + + fprintf(stderr, + "usage: verify [-CAfile file] [-CApath directory] [-check_ss_sig]\n" + " [-CRLfile file] [-crl_check] [-crl_check_all]\n" + " [-explicit_policy] [-extended_crl]\n" + " [-ignore_critical] [-inhibit_any] [-inhibit_map]\n" + " [-issuer_checks] [-policy_check] [-purpose purpose]\n" + " [-trusted file] [-untrusted file] [-verbose]\n" + " [-x509_strict] [certificates]\n\n"); + + options_usage(verify_options); + + fprintf(stderr, "\nVerification options:\n\n"); + options_usage(verify_shared_options); + + fprintf(stderr, "\nValid purposes:\n\n"); + for (i = 0; i < X509_PURPOSE_get_count(); i++) { + X509_PURPOSE *ptmp = X509_PURPOSE_get0(i); + fprintf(stderr, " %-18s%s\n", X509_PURPOSE_get0_sname(ptmp), + X509_PURPOSE_get0_name(ptmp)); + } +} int verify_main(int argc, char **argv) { - int i, ret = 1, badarg = 0; - char *CApath = NULL, *CAfile = NULL; - char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; - STACK_OF(X509) * untrusted = NULL, *trusted = NULL; - STACK_OF(X509_CRL) * crls = NULL; + STACK_OF(X509) *untrusted = NULL, *trusted = NULL; + STACK_OF(X509_CRL) *crls = NULL; X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; - X509_VERIFY_PARAM *vpm = NULL; + char **cert_files = NULL; + int argsused; + int ret = 1; if (single_execution) { if (pledge("stdio rpath", NULL) == -1) { @@ -92,65 +275,32 @@ verify_main(int argc, char **argv) } } + memset(&verify_config, 0, sizeof(verify_config)); + + if (options_parse(argc, argv, verify_options, NULL, &argsused) != 0) { + verify_usage(); + goto end; + } + + if (argsused < argc) + cert_files = &argv[argsused]; + cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; X509_STORE_set_verify_cb(cert_ctx, cb); - argc--; - argv++; - for (;;) { - if (argc >= 1) { - if (strcmp(*argv, "-CApath") == 0) { - if (argc-- < 1) - goto end; - CApath = *(++argv); - } else if (strcmp(*argv, "-CAfile") == 0) { - if (argc-- < 1) - goto end; - CAfile = *(++argv); - } else if (args_verify(&argv, &argc, &badarg, bio_err, - &vpm)) { - if (badarg) - goto end; - continue; - } else if (strcmp(*argv, "-untrusted") == 0) { - if (argc-- < 1) - goto end; - untfile = *(++argv); - } else if (strcmp(*argv, "-trusted") == 0) { - if (argc-- < 1) - goto end; - trustfile = *(++argv); - } else if (strcmp(*argv, "-CRLfile") == 0) { - if (argc-- < 1) - goto end; - crlfile = *(++argv); - } - else if (strcmp(*argv, "-help") == 0) - goto end; - else if (strcmp(*argv, "-verbose") == 0) - v_verbose = 1; - else if (argv[0][0] == '-') - goto end; - else - break; - argc--; - argv++; - } else - break; - } - - if (vpm) - X509_STORE_set1_param(cert_ctx, vpm); + if (verify_config.vpm) + X509_STORE_set1_param(cert_ctx, verify_config.vpm); lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) - abort(); - if (CAfile) { - i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM); - if (!i) { - BIO_printf(bio_err, "Error loading file %s\n", CAfile); + abort(); /* XXX */ + if (verify_config.CAfile) { + if (!X509_LOOKUP_load_file(lookup, verify_config.CAfile, + X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading file %s\n", + verify_config.CAfile); ERR_print_errors(bio_err); goto end; } @@ -159,11 +309,12 @@ verify_main(int argc, char **argv) lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) - abort(); - if (CApath) { - i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); - if (!i) { - BIO_printf(bio_err, "Error loading directory %s\n", CApath); + abort(); /* XXX */ + if (verify_config.CApath) { + if (!X509_LOOKUP_add_dir(lookup, verify_config.CApath, + X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading directory %s\n", + verify_config.CApath); ERR_print_errors(bio_err); goto end; } @@ -172,52 +323,39 @@ verify_main(int argc, char **argv) ERR_clear_error(); - if (untfile) { - untrusted = load_certs(bio_err, untfile, FORMAT_PEM, - NULL, "untrusted certificates"); + if (verify_config.untfile) { + untrusted = load_certs(bio_err, verify_config.untfile, + FORMAT_PEM, NULL, "untrusted certificates"); if (!untrusted) goto end; } - if (trustfile) { - trusted = load_certs(bio_err, trustfile, FORMAT_PEM, - NULL, "trusted certificates"); + if (verify_config.trustfile) { + trusted = load_certs(bio_err, verify_config.trustfile, + FORMAT_PEM, NULL, "trusted certificates"); if (!trusted) goto end; } - if (crlfile) { - crls = load_crls(bio_err, crlfile, FORMAT_PEM, + if (verify_config.crlfile) { + crls = load_crls(bio_err, verify_config.crlfile, FORMAT_PEM, NULL, "other CRLs"); if (!crls) goto end; } ret = 0; - if (argc < 1) { + if (cert_files == NULL) { if (1 != check(cert_ctx, NULL, untrusted, trusted, crls)) ret = -1; } else { - for (i = 0; i < argc; i++) - if (1 != check(cert_ctx, argv[i], untrusted, trusted, - crls)) + do { + if (1 != check(cert_ctx, *cert_files++, untrusted, + trusted, crls)) ret = -1; + } while (*cert_files != NULL); } end: - if (ret == 1) { - BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - BIO_printf(bio_err, " [-attime timestamp]"); - BIO_printf(bio_err, " cert1 cert2 ...\n"); - - BIO_printf(bio_err, "recognized usages:\n"); - for (i = 0; i < X509_PURPOSE_get_count(); i++) { - X509_PURPOSE *ptmp; - ptmp = X509_PURPOSE_get0(i); - BIO_printf(bio_err, "\t%-10s\t%s\n", - X509_PURPOSE_get0_sname(ptmp), - X509_PURPOSE_get0_name(ptmp)); - } - } - if (vpm) - X509_VERIFY_PARAM_free(vpm); + if (verify_config.vpm) + X509_VERIFY_PARAM_free(verify_config.vpm); if (cert_ctx != NULL) X509_STORE_free(cert_ctx); sk_X509_pop_free(untrusted, X509_free); @@ -228,51 +366,51 @@ verify_main(int argc, char **argv) } static int -check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain, - STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls) +check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, + STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls) { X509 *x = NULL; + X509_STORE_CTX *csc = NULL; + const char *certfile = (file == NULL) ? "stdin" : file; + int verify_err; int i = 0, ret = 0; - X509_STORE_CTX *csc; x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file"); if (x == NULL) goto end; - fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file); - csc = X509_STORE_CTX_new(); - if (csc == NULL) { - ERR_print_errors(bio_err); + if ((csc = X509_STORE_CTX_new()) == NULL) goto end; - } X509_STORE_set_flags(ctx, vflags); - if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { - ERR_print_errors(bio_err); + if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) goto end; - } if (tchain) X509_STORE_CTX_trusted_stack(csc, tchain); if (crls) X509_STORE_CTX_set0_crls(csc, crls); + i = X509_verify_cert(csc); - X509_STORE_CTX_free(csc); + verify_err = X509_STORE_CTX_get_error(csc); - ret = 0; + if (i > 0 && verify_err == X509_V_OK) { + fprintf(stdout, "%s: OK\n", certfile); + ret = 1; + } else { + fprintf(stdout, "%s: verification failed: %d (%s)\n", certfile, + verify_err, X509_verify_cert_error_string(verify_err)); + } end: - if (i > 0) { - fprintf(stdout, "OK\n"); - ret = 1; - } else + if (i <= 0) ERR_print_errors(bio_err); - if (x != NULL) - X509_free(x); + X509_free(x); + X509_STORE_CTX_free(csc); return (ret); } static int -cb(int ok, X509_STORE_CTX * ctx) +cb(int ok, X509_STORE_CTX *ctx) { int cert_error = X509_STORE_CTX_get_error(ctx); X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); @@ -318,7 +456,7 @@ cb(int ok, X509_STORE_CTX * ctx) } if (cert_error == X509_V_OK && ok == 2) policies_print(NULL, ctx); - if (!v_verbose) + if (!verify_config.verbose) ERR_clear_error(); return (ok); } diff --git a/apps/openssl/x509.c b/apps/openssl/x509.c index b25a7c82..9a2fdd9d 100644 --- a/apps/openssl/x509.c +++ b/apps/openssl/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.17 2019/01/19 21:17:05 jsg Exp $ */ +/* $OpenBSD: x509.c,v 1.23 2021/04/07 10:44:03 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,9 +57,9 @@ */ #include +#include #include #include -#include #include #include "apps.h" @@ -67,83 +67,18 @@ #include #include #include +#include #include #include #include #include +#include #include #include -#include - -#include - #define POSTFIX ".srl" #define DEF_DAYS 30 -static const char *x509_usage[] = { - "usage: x509 args\n", - " -inform arg - input format - default PEM (one of DER, NET or PEM)\n", - " -outform arg - output format - default PEM (one of DER, NET or PEM)\n", - " -keyform arg - private key format - default PEM\n", - " -CAform arg - CA format - default PEM\n", - " -CAkeyform arg - CA key format - default PEM\n", - " -in arg - input file - default stdin\n", - " -out arg - output file - default stdout\n", - " -passin arg - private key password source\n", - " -serial - print serial number value\n", - " -subject_hash - print subject hash value\n", -#ifndef OPENSSL_NO_MD5 - " -subject_hash_old - print old-style (MD5) subject hash value\n", -#endif - " -issuer_hash - print issuer hash value\n", -#ifndef OPENSSL_NO_MD5 - " -issuer_hash_old - print old-style (MD5) issuer hash value\n", -#endif - " -hash - synonym for -subject_hash\n", - " -subject - print subject DN\n", - " -issuer - print issuer DN\n", - " -email - print email address(es)\n", - " -startdate - notBefore field\n", - " -enddate - notAfter field\n", - " -purpose - print out certificate purposes\n", - " -dates - both Before and After dates\n", - " -modulus - print the RSA key modulus\n", - " -pubkey - output the public key\n", - " -fingerprint - print the certificate fingerprint\n", - " -alias - output certificate alias\n", - " -noout - no certificate output\n", - " -ocspid - print OCSP hash values for the subject name and public key\n", - " -ocsp_uri - print OCSP Responder URL(s)\n", - " -trustout - output a \"trusted\" certificate\n", - " -clrtrust - clear all trusted purposes\n", - " -clrreject - clear all rejected purposes\n", - " -addtrust arg - trust certificate for a given purpose\n", - " -addreject arg - reject certificate for a given purpose\n", - " -setalias arg - set certificate alias\n", - " -days arg - How long till expiry of a signed certificate - def 30 days\n", - " -checkend arg - check whether the cert expires in the next arg seconds\n", - " exit 1 if so, 0 if not\n", - " -signkey arg - self sign cert with arg\n", - " -x509toreq - output a certification request object\n", - " -req - input is a certificate request, sign and output.\n", - " -CA arg - set the CA certificate, must be PEM format.\n", - " -CAkey arg - set the CA key, must be PEM format\n", - " missing, it is assumed to be in the CA file.\n", - " -CAcreateserial - create serial number file if it does not exist\n", - " -CAserial arg - serial file\n", - " -set_serial - serial number to use\n", - " -text - print the certificate in text form\n", - " -C - print out C code forms\n", - " -md5/-sha1 - digest to use\n", - " -extfile - configuration file with X509V3 extensions to add\n", - " -extensions - section from config file with X509V3 extensions to add\n", - " -clrext - delete extensions before signing and input certificate\n", - " -nameopt arg - various certificate name options\n", - " -certopt arg - various certificate text options\n", - NULL -}; - static int callb(int ok, X509_STORE_CTX *ctx); static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, CONF *conf, char *section); @@ -152,7 +87,637 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, char *serial, int create, int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); -static int reqfile = 0; + +static struct { + char *alias; + int aliasout; + int badops; + int C; + int CA_createserial; + int CA_flag; + char *CAfile; + int CAformat; + char *CAkeyfile; + int CAkeyformat; + char *CAserial; + unsigned long certflag; + int checkend; + int checkoffset; + int clrext; + int clrreject; + int clrtrust; + int days; + const EVP_MD *digest; + int email; + int enddate; + char *extfile; + char *extsect; + int fingerprint; + char *infile; + int informat; + int issuer; + int issuer_hash; +#ifndef OPENSSL_NO_MD5 + int issuer_hash_old; +#endif + char *keyfile; + int keyformat; + const EVP_MD *md_alg; + int modulus; + int next_serial; + unsigned long nmflag; + int noout; + int num; + int ocspid; + ASN1_OBJECT *objtmp; + int ocsp_uri; + char *outfile; + int outformat; + char *passargin; + int pprint; + int pubkey; + STACK_OF(ASN1_OBJECT) *reject; + int reqfile; + int serial; + int sign_flag; + STACK_OF(OPENSSL_STRING) *sigopts; + ASN1_INTEGER *sno; + int startdate; + int subject; + int subject_hash; +#ifndef OPENSSL_NO_MD5 + int subject_hash_old; +#endif + int text; + STACK_OF(ASN1_OBJECT) *trust; + int trustout; + int x509req; +} x509_config; + +static int +x509_opt_addreject(char *arg) +{ + if ((x509_config.objtmp = OBJ_txt2obj(arg, 0)) == NULL) { + BIO_printf(bio_err, "Invalid reject object value %s\n", arg); + return (1); + } + + if (x509_config.reject == NULL && + (x509_config.reject = sk_ASN1_OBJECT_new_null()) == NULL) + return (1); + + if (!sk_ASN1_OBJECT_push(x509_config.reject, x509_config.objtmp)) + return (1); + + x509_config.trustout = 1; + return (0); +} + +static int +x509_opt_addtrust(char *arg) +{ + if ((x509_config.objtmp = OBJ_txt2obj(arg, 0)) == NULL) { + BIO_printf(bio_err, "Invalid trust object value %s\n", arg); + return (1); + } + + if (x509_config.trust == NULL && + (x509_config.trust = sk_ASN1_OBJECT_new_null()) == NULL) + return (1); + + if (!sk_ASN1_OBJECT_push(x509_config.trust, x509_config.objtmp)) + return (1); + + x509_config.trustout = 1; + return (0); +} + +static int +x509_opt_ca(char *arg) +{ + x509_config.CAfile = arg; + x509_config.CA_flag = ++x509_config.num; + return (0); +} + +static int +x509_opt_certopt(char *arg) +{ + if (!set_cert_ex(&x509_config.certflag, arg)) + return (1); + + return (0); +} + +static int +x509_opt_checkend(char *arg) +{ + const char *errstr; + + x509_config.checkoffset = strtonum(arg, 0, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "checkend unusable: %s\n", errstr); + return (1); + } + x509_config.checkend = 1; + return (0); +} + +static int +x509_opt_dates(void) +{ + x509_config.startdate = ++x509_config.num; + x509_config.enddate = ++x509_config.num; + return (0); +} + +static int +x509_opt_days(char *arg) +{ + const char *errstr; + + x509_config.days = strtonum(arg, 1, INT_MAX, &errstr); + if (errstr != NULL) { + BIO_printf(bio_err, "bad number of days: %s\n", errstr); + return (1); + } + return (0); +} + +static int +x509_opt_digest(int argc, char **argv, int *argsused) +{ + char *name = argv[0]; + + if (*name++ != '-') + return (1); + + if ((x509_config.md_alg = EVP_get_digestbyname(name)) != NULL) { + x509_config.digest = x509_config.md_alg; + } else { + BIO_printf(bio_err, "unknown option %s\n", *argv); + x509_config.badops = 1; + return (1); + } + + *argsused = 1; + return (0); +} + +static int +x509_opt_nameopt(char *arg) +{ + if (!set_name_ex(&x509_config.nmflag, arg)) + return (1); + + return (0); +} + +static int +x509_opt_set_serial(char *arg) +{ + ASN1_INTEGER_free(x509_config.sno); + if ((x509_config.sno = s2i_ASN1_INTEGER(NULL, arg)) == NULL) + return (1); + + return (0); +} + +static int +x509_opt_setalias(char *arg) +{ + x509_config.alias = arg; + x509_config.trustout = 1; + return (0); +} + +static int +x509_opt_signkey(char *arg) +{ + x509_config.keyfile = arg; + x509_config.sign_flag = ++x509_config.num; + return (0); +} + +static int +x509_opt_sigopt(char *arg) +{ + if (x509_config.sigopts == NULL && + (x509_config.sigopts = sk_OPENSSL_STRING_new_null()) == NULL) + return (1); + + if (!sk_OPENSSL_STRING_push(x509_config.sigopts, arg)) + return (1); + + return (0); +} + +static const struct option x509_options[] = { + { + .name = "C", + .desc = "Convert the certificate into C code", + .type = OPTION_ORDER, + .opt.order = &x509_config.C, + .order = &x509_config.num, + }, + { + .name = "addreject", + .argname = "arg", + .desc = "Reject certificate for a given purpose", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_addreject, + }, + { + .name = "addtrust", + .argname = "arg", + .desc = "Trust certificate for a given purpose", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_addtrust, + }, + { + .name = "alias", + .desc = "Output certificate alias", + .type = OPTION_ORDER, + .opt.order = &x509_config.aliasout, + .order = &x509_config.num, + }, + { + .name = "CA", + .argname = "file", + .desc = "CA certificate in PEM format unless -CAform is specified", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_ca, + }, + { + .name = "CAcreateserial", + .desc = "Create serial number file if it does not exist", + .type = OPTION_ORDER, + .opt.order = &x509_config.CA_createserial, + .order = &x509_config.num, + }, + { + .name = "CAform", + .argname = "fmt", + .desc = "CA format - default PEM", + .type = OPTION_ARG_FORMAT, + .opt.value = &x509_config.CAformat, + }, + { + .name = "CAkey", + .argname = "file", + .desc = "CA key in PEM format unless -CAkeyform is specified\n" + "if omitted, the key is assumed to be in the CA file", + .type = OPTION_ARG, + .opt.arg = &x509_config.CAkeyfile, + }, + { + .name = "CAkeyform", + .argname = "fmt", + .desc = "CA key format - default PEM", + .type = OPTION_ARG_FORMAT, + .opt.value = &x509_config.CAkeyformat, + }, + { + .name = "CAserial", + .argname = "file", + .desc = "Serial file", + .type = OPTION_ARG, + .opt.arg = &x509_config.CAserial, + }, + { + .name = "certopt", + .argname = "option", + .desc = "Various certificate text options", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_certopt, + }, + { + .name = "checkend", + .argname = "arg", + .desc = "Check whether the cert expires in the next arg seconds\n" + "exit 1 if so, 0 if not", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_checkend, + }, + { + .name = "clrext", + .desc = "Clear all extensions", + .type = OPTION_FLAG, + .opt.flag = &x509_config.clrext, + }, + { + .name = "clrreject", + .desc = "Clear all rejected purposes", + .type = OPTION_ORDER, + .opt.order = &x509_config.clrreject, + .order = &x509_config.num, + }, + { + .name = "clrtrust", + .desc = "Clear all trusted purposes", + .type = OPTION_ORDER, + .opt.order = &x509_config.clrtrust, + .order = &x509_config.num, + }, + { + .name = "dates", + .desc = "Both Before and After dates", + .type = OPTION_FUNC, + .opt.func = x509_opt_dates, + }, + { + .name = "days", + .argname = "arg", + .desc = "How long till expiry of a signed certificate - def 30 days", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_days, + }, + { + .name = "email", + .desc = "Print email address(es)", + .type = OPTION_ORDER, + .opt.order = &x509_config.email, + .order = &x509_config.num, + }, + { + .name = "enddate", + .desc = "Print notAfter field", + .type = OPTION_ORDER, + .opt.order = &x509_config.enddate, + .order = &x509_config.num, + }, + { + .name = "extensions", + .argname = "section", + .desc = "Section from config file with X509V3 extensions to add", + .type = OPTION_ARG, + .opt.arg = &x509_config.extsect, + }, + { + .name = "extfile", + .argname = "file", + .desc = "Configuration file with X509V3 extensions to add", + .type = OPTION_ARG, + .opt.arg = &x509_config.extfile, + }, + { + .name = "fingerprint", + .desc = "Print the certificate fingerprint", + .type = OPTION_ORDER, + .opt.order = &x509_config.fingerprint, + .order = &x509_config.num, + }, + { + .name = "hash", + .desc = "Synonym for -subject_hash", + .type = OPTION_ORDER, + .opt.order = &x509_config.subject_hash, + .order = &x509_config.num, + }, + { + .name = "in", + .argname = "file", + .desc = "Input file - default stdin", + .type = OPTION_ARG, + .opt.arg = &x509_config.infile, + }, + { + .name = "inform", + .argname = "fmt", + .desc = "Input format - default PEM (one of DER, NET or PEM)", + .type = OPTION_ARG_FORMAT, + .opt.value = &x509_config.informat, + }, + { + .name = "issuer", + .desc = "Print issuer name", + .type = OPTION_ORDER, + .opt.order = &x509_config.issuer, + .order = &x509_config.num, + }, + { + .name = "issuer_hash", + .desc = "Print issuer hash value", + .type = OPTION_ORDER, + .opt.order = &x509_config.issuer_hash, + .order = &x509_config.num, + }, +#ifndef OPENSSL_NO_MD5 + { + .name = "issuer_hash_old", + .desc = "Print old-style (MD5) issuer hash value", + .type = OPTION_ORDER, + .opt.order = &x509_config.issuer_hash_old, + .order = &x509_config.num, + }, +#endif + { + .name = "keyform", + .argname = "fmt", + .desc = "Private key format - default PEM", + .type = OPTION_ARG_FORMAT, + .opt.value = &x509_config.keyformat, + }, + { + .name = "modulus", + .desc = "Print the RSA key modulus", + .type = OPTION_ORDER, + .opt.order = &x509_config.modulus, + .order = &x509_config.num, + }, + { + .name = "nameopt", + .argname = "option", + .desc = "Various certificate name options", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_nameopt, + }, + { + .name = "next_serial", + .desc = "Print the next serial number", + .type = OPTION_ORDER, + .opt.order = &x509_config.next_serial, + .order = &x509_config.num, + }, + { + .name = "noout", + .desc = "No certificate output", + .type = OPTION_ORDER, + .opt.order = &x509_config.noout, + .order = &x509_config.num, + }, + { + .name = "ocsp_uri", + .desc = "Print OCSP Responder URL(s)", + .type = OPTION_ORDER, + .opt.order = &x509_config.ocsp_uri, + .order = &x509_config.num, + }, + { + .name = "ocspid", + .desc = "Print OCSP hash values for the subject name and public key", + .type = OPTION_ORDER, + .opt.order = &x509_config.ocspid, + .order = &x509_config.num, + }, + { + .name = "out", + .argname = "file", + .desc = "Output file - default stdout", + .type = OPTION_ARG, + .opt.arg = &x509_config.outfile, + }, + { + .name = "outform", + .argname = "fmt", + .desc = "Output format - default PEM (one of DER, NET or PEM)", + .type = OPTION_ARG_FORMAT, + .opt.value = &x509_config.outformat, + }, + { + .name = "passin", + .argname = "src", + .desc = "Private key password source", + .type = OPTION_ARG, + .opt.arg = &x509_config.passargin, + }, + { + .name = "pubkey", + .desc = "Output the public key", + .type = OPTION_ORDER, + .opt.order = &x509_config.pubkey, + .order = &x509_config.num, + }, + { + .name = "purpose", + .desc = "Print out certificate purposes", + .type = OPTION_ORDER, + .opt.order = &x509_config.pprint, + .order = &x509_config.num, + }, + { + .name = "req", + .desc = "Input is a certificate request, sign and output", + .type = OPTION_FLAG, + .opt.flag = &x509_config.reqfile, + }, + { + .name = "serial", + .desc = "Print serial number value", + .type = OPTION_ORDER, + .opt.order = &x509_config.serial, + .order = &x509_config.num, + }, + { + .name = "set_serial", + .argname = "n", + .desc = "Serial number to use", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_set_serial, + }, + { + .name = "setalias", + .argname = "arg", + .desc = "Set certificate alias", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_setalias, + }, + { + .name = "signkey", + .argname = "file", + .desc = "Self sign cert with arg", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_signkey, + }, + { + .name = "sigopt", + .argname = "nm:v", + .desc = "Various signature algorithm options", + .type = OPTION_ARG_FUNC, + .opt.argfunc = x509_opt_sigopt, + }, + { + .name = "startdate", + .desc = "Print notBefore field", + .type = OPTION_ORDER, + .opt.order = &x509_config.startdate, + .order = &x509_config.num, + }, + { + .name = "subject", + .desc = "Print subject name", + .type = OPTION_ORDER, + .opt.order = &x509_config.subject, + .order = &x509_config.num, + }, + { + .name = "subject_hash", + .desc = "Print subject hash value", + .type = OPTION_ORDER, + .opt.order = &x509_config.subject_hash, + .order = &x509_config.num, + }, +#ifndef OPENSSL_NO_MD5 + { + .name = "subject_hash_old", + .desc = "Print old-style (MD5) subject hash value", + .type = OPTION_ORDER, + .opt.order = &x509_config.subject_hash_old, + .order = &x509_config.num, + }, +#endif + { + .name = "text", + .desc = "Print the certificate in text form", + .type = OPTION_ORDER, + .opt.order = &x509_config.text, + .order = &x509_config.num, + }, + { + .name = "trustout", + .desc = "Output a trusted certificate", + .type = OPTION_FLAG, + .opt.flag = &x509_config.trustout, + }, + { + .name = "x509toreq", + .desc = "Output a certification request object", + .type = OPTION_ORDER, + .opt.order = &x509_config.x509req, + .order = &x509_config.num, + }, + { + .name = NULL, + .desc = "", + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = x509_opt_digest, + }, + { NULL }, +}; + +static void +x509_usage(void) +{ + fprintf(stderr, "usage: x509 " + "[-C] [-addreject arg] [-addtrust arg] [-alias] [-CA file]\n" + " [-CAcreateserial] [-CAform der | pem] [-CAkey file]\n" + " [-CAkeyform der | pem] [-CAserial file] [-certopt option]\n" + " [-checkend arg] [-clrext] [-clrreject] [-clrtrust] [-dates]\n" + " [-days arg] [-email] [-enddate] [-extensions section]\n" + " [-extfile file] [-fingerprint] [-hash] [-in file]\n" + " [-inform der | net | pem] [-issuer] [-issuer_hash]\n" + " [-issuer_hash_old] [-keyform der | pem] [-md5 | -sha1]\n" + " [-modulus] [-nameopt option] [-next_serial] [-noout]\n" + " [-ocsp_uri] [-ocspid] [-out file]\n" + " [-outform der | net | pem] [-passin arg] [-pubkey]\n" + " [-purpose] [-req] [-serial] [-set_serial n] [-setalias arg]\n" + " [-signkey file] [-sigopt nm:v] [-startdate] [-subject]\n" + " [-subject_hash] [-subject_hash_old] [-text] [-trustout]\n" + " [-x509toreq]\n"); + fprintf(stderr, "\n"); + options_usage(x509_options); + fprintf(stderr, "\n"); +} int x509_main(int argc, char **argv) @@ -160,43 +725,15 @@ x509_main(int argc, char **argv) int ret = 1; X509_REQ *req = NULL; X509 *x = NULL, *xca = NULL; - ASN1_OBJECT *objtmp; - STACK_OF(OPENSSL_STRING) *sigopts = NULL; EVP_PKEY *Upkey = NULL, *CApkey = NULL; - ASN1_INTEGER *sno = NULL; - int i, num, badops = 0; + int i; BIO *out = NULL; BIO *STDout = NULL; - STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; - int informat, outformat, keyformat, CAformat, CAkeyformat; - char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; - char *CAkeyfile = NULL, *CAserial = NULL; - char *alias = NULL; - int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, - enddate = 0; - int next_serial = 0; - int subject_hash = 0, issuer_hash = 0, ocspid = 0; -#ifndef OPENSSL_NO_MD5 - int subject_hash_old = 0, issuer_hash_old = 0; -#endif - int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, - email = 0; - int ocsp_uri = 0; - int trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0, clrext = 0; - int C = 0; - int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0; - int pprint = 0; - const char **pp; X509_STORE *ctx = NULL; X509_REQ *rq = NULL; - int fingerprint = 0; char buf[256]; - const EVP_MD *md_alg, *digest = NULL; CONF *extconf = NULL; - char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; - int checkend = 0, checkoffset = 0; - unsigned long nmflag = 0, certflag = 0; - const char *errstr = NULL; + char *passin = NULL; if (single_execution) { if (pledge("stdio cpath wpath rpath tty", NULL) == -1) { @@ -205,237 +742,31 @@ x509_main(int argc, char **argv) } } - reqfile = 0; + memset(&x509_config, 0, sizeof(x509_config)); + x509_config.days = DEF_DAYS; + x509_config.informat = FORMAT_PEM; + x509_config.outformat = FORMAT_PEM; + x509_config.keyformat = FORMAT_PEM; + x509_config.CAformat = FORMAT_PEM; + x509_config.CAkeyformat = FORMAT_PEM; STDout = BIO_new_fp(stdout, BIO_NOCLOSE); - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - keyformat = FORMAT_PEM; - CAformat = FORMAT_PEM; - CAkeyformat = FORMAT_PEM; - ctx = X509_STORE_new(); if (ctx == NULL) goto end; X509_STORE_set_verify_cb(ctx, callb); - argc--; - argv++; - num = 0; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - keyformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-req") == 0) { - reqfile = 1; - } else if (strcmp(*argv, "-CAform") == 0) { - if (--argc < 1) - goto bad; - CAformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-CAkeyform") == 0) { - if (--argc < 1) - goto bad; - CAkeyformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-sigopt") == 0) { - if (--argc < 1) - goto bad; - if (!sigopts) - sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-days") == 0) { - if (--argc < 1) - goto bad; - days = strtonum(*(++argv), 1, INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, "bad number of days: %s\n", errstr); - goto bad; - } - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-extfile") == 0) { - if (--argc < 1) - goto bad; - extfile = *(++argv); - } else if (strcmp(*argv, "-extensions") == 0) { - if (--argc < 1) - goto bad; - extsect = *(++argv); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-signkey") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); - sign_flag = ++num; - } else if (strcmp(*argv, "-CA") == 0) { - if (--argc < 1) - goto bad; - CAfile = *(++argv); - CA_flag = ++num; - } else if (strcmp(*argv, "-CAkey") == 0) { - if (--argc < 1) - goto bad; - CAkeyfile = *(++argv); - } else if (strcmp(*argv, "-CAserial") == 0) { - if (--argc < 1) - goto bad; - CAserial = *(++argv); - } else if (strcmp(*argv, "-set_serial") == 0) { - if (--argc < 1) - goto bad; - ASN1_INTEGER_free(sno); - if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) - goto bad; - } else if (strcmp(*argv, "-addtrust") == 0) { - if (--argc < 1) - goto bad; - if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { - BIO_printf(bio_err, - "Invalid trust object value %s\n", *argv); - goto bad; - } - if (!trust) - trust = sk_ASN1_OBJECT_new_null(); - sk_ASN1_OBJECT_push(trust, objtmp); - trustout = 1; - } else if (strcmp(*argv, "-addreject") == 0) { - if (--argc < 1) - goto bad; - if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { - BIO_printf(bio_err, - "Invalid reject object value %s\n", *argv); - goto bad; - } - if (!reject) - reject = sk_ASN1_OBJECT_new_null(); - sk_ASN1_OBJECT_push(reject, objtmp); - trustout = 1; - } else if (strcmp(*argv, "-setalias") == 0) { - if (--argc < 1) - goto bad; - alias = *(++argv); - trustout = 1; - } else if (strcmp(*argv, "-certopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_cert_ex(&certflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-nameopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_name_ex(&nmflag, *(++argv))) - goto bad; - } - else if (strcmp(*argv, "-C") == 0) - C = ++num; - else if (strcmp(*argv, "-email") == 0) - email = ++num; - else if (strcmp(*argv, "-ocsp_uri") == 0) - ocsp_uri = ++num; - else if (strcmp(*argv, "-serial") == 0) - serial = ++num; - else if (strcmp(*argv, "-next_serial") == 0) - next_serial = ++num; - else if (strcmp(*argv, "-modulus") == 0) - modulus = ++num; - else if (strcmp(*argv, "-pubkey") == 0) - pubkey = ++num; - else if (strcmp(*argv, "-x509toreq") == 0) - x509req = ++num; - else if (strcmp(*argv, "-text") == 0) - text = ++num; - else if (strcmp(*argv, "-hash") == 0 || - strcmp(*argv, "-subject_hash") == 0) - subject_hash = ++num; -#ifndef OPENSSL_NO_MD5 - else if (strcmp(*argv, "-subject_hash_old") == 0) - subject_hash_old = ++num; -#endif - else if (strcmp(*argv, "-issuer_hash") == 0) - issuer_hash = ++num; -#ifndef OPENSSL_NO_MD5 - else if (strcmp(*argv, "-issuer_hash_old") == 0) - issuer_hash_old = ++num; -#endif - else if (strcmp(*argv, "-subject") == 0) - subject = ++num; - else if (strcmp(*argv, "-issuer") == 0) - issuer = ++num; - else if (strcmp(*argv, "-fingerprint") == 0) - fingerprint = ++num; - else if (strcmp(*argv, "-dates") == 0) { - startdate = ++num; - enddate = ++num; - } else if (strcmp(*argv, "-purpose") == 0) - pprint = ++num; - else if (strcmp(*argv, "-startdate") == 0) - startdate = ++num; - else if (strcmp(*argv, "-enddate") == 0) - enddate = ++num; - else if (strcmp(*argv, "-checkend") == 0) { - if (--argc < 1) - goto bad; - checkoffset = strtonum(*(++argv), 0, INT_MAX, &errstr); - if (errstr) { - BIO_printf(bio_err, "checkend unusable: %s\n", errstr); - goto bad; - } - checkend = 1; - } else if (strcmp(*argv, "-noout") == 0) - noout = ++num; - else if (strcmp(*argv, "-trustout") == 0) - trustout = 1; - else if (strcmp(*argv, "-clrtrust") == 0) - clrtrust = ++num; - else if (strcmp(*argv, "-clrreject") == 0) - clrreject = ++num; - else if (strcmp(*argv, "-alias") == 0) - aliasout = ++num; - else if (strcmp(*argv, "-CAcreateserial") == 0) - CA_createserial = ++num; - else if (strcmp(*argv, "-clrext") == 0) - clrext = 1; - else if (strcmp(*argv, "-ocspid") == 0) - ocspid = ++num; - else if ((md_alg = EVP_get_digestbyname(*argv + 1))) { - /* ok */ - digest = md_alg; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; - break; - } - argc--; - argv++; - } + if (options_parse(argc, argv, x509_options, NULL, NULL) != 0) + goto bad; - if (badops) { + if (x509_config.badops) { bad: - for (pp = x509_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); + x509_usage(); goto end; } - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(bio_err, x509_config.passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } @@ -443,52 +774,55 @@ x509_main(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { - CAkeyfile = CAfile; - } else if ((CA_flag) && (CAkeyfile == NULL)) { + if ((x509_config.CAkeyfile == NULL) && (x509_config.CA_flag) && + (x509_config.CAformat == FORMAT_PEM)) { + x509_config.CAkeyfile = x509_config.CAfile; + } else if ((x509_config.CA_flag) && (x509_config.CAkeyfile == NULL)) { BIO_printf(bio_err, "need to specify a CAkey if using the CA command\n"); goto end; } - if (extfile) { + if (x509_config.extfile != NULL) { long errorline = -1; X509V3_CTX ctx2; extconf = NCONF_new(NULL); - if (!NCONF_load(extconf, extfile, &errorline)) { + if (!NCONF_load(extconf, x509_config.extfile, &errorline)) { if (errorline <= 0) BIO_printf(bio_err, "error loading the config file '%s'\n", - extfile); + x509_config.extfile); else BIO_printf(bio_err, "error on line %ld of config file '%s'\n", - errorline, extfile); + errorline, x509_config.extfile); goto end; } - if (!extsect) { - extsect = NCONF_get_string(extconf, "default", - "extensions"); - if (!extsect) { + if (x509_config.extsect == NULL) { + x509_config.extsect = NCONF_get_string(extconf, + "default", "extensions"); + if (x509_config.extsect == NULL) { ERR_clear_error(); - extsect = "default"; + x509_config.extsect = "default"; } } X509V3_set_ctx_test(&ctx2); X509V3_set_nconf(&ctx2, extconf); - if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { + if (!X509V3_EXT_add_nconf(extconf, &ctx2, x509_config.extsect, + NULL)) { BIO_printf(bio_err, "Error Loading extension section %s\n", - extsect); + x509_config.extsect); ERR_print_errors(bio_err); goto end; } } - if (reqfile) { + if (x509_config.reqfile) { EVP_PKEY *pkey; BIO *in; - if (!sign_flag && !CA_flag) { - BIO_printf(bio_err, "We need a private key to sign with\n"); + if (!x509_config.sign_flag && !x509_config.CA_flag) { + BIO_printf(bio_err, + "We need a private key to sign with\n"); goto end; } in = BIO_new(BIO_s_file()); @@ -496,11 +830,11 @@ x509_main(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - if (infile == NULL) + if (x509_config.infile == NULL) BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT); else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); + if (BIO_read_filename(in, x509_config.infile) <= 0) { + perror(x509_config.infile); BIO_free(in); goto end; } @@ -516,8 +850,10 @@ x509_main(int argc, char **argv) (req->req_info->pubkey == NULL) || (req->req_info->pubkey->public_key == NULL) || (req->req_info->pubkey->public_key->data == NULL)) { - BIO_printf(bio_err, "The certificate request appears to corrupted\n"); - BIO_printf(bio_err, "It does not contain a public key\n"); + BIO_printf(bio_err, + "The certificate request appears to corrupted\n"); + BIO_printf(bio_err, + "It does not contain a public key\n"); goto end; } if ((pkey = X509_REQ_get_pubkey(req)) == NULL) { @@ -532,25 +868,28 @@ x509_main(int argc, char **argv) goto end; } if (i == 0) { - BIO_printf(bio_err, "Signature did not match the certificate request\n"); + BIO_printf(bio_err, + "Signature did not match the certificate request\n"); goto end; } else BIO_printf(bio_err, "Signature ok\n"); - print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); + print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), + x509_config.nmflag); if ((x = X509_new()) == NULL) goto end; - if (sno == NULL) { - sno = ASN1_INTEGER_new(); - if (!sno || !rand_serial(NULL, sno)) + if (x509_config.sno == NULL) { + x509_config.sno = ASN1_INTEGER_new(); + if (x509_config.sno == NULL || + !rand_serial(NULL, x509_config.sno)) goto end; - if (!X509_set_serialNumber(x, sno)) + if (!X509_set_serialNumber(x, x509_config.sno)) goto end; - ASN1_INTEGER_free(sno); - sno = NULL; - } else if (!X509_set_serialNumber(x, sno)) + ASN1_INTEGER_free(x509_config.sno); + x509_config.sno = NULL; + } else if (!X509_set_serialNumber(x, x509_config.sno)) goto end; if (!X509_set_issuer_name(x, req->req_info->subject)) @@ -558,93 +897,117 @@ x509_main(int argc, char **argv) if (!X509_set_subject_name(x, req->req_info->subject)) goto end; - X509_gmtime_adj(X509_get_notBefore(x), 0); - X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); + if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) + goto end; + if (X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0, + NULL) == NULL) + goto end; - pkey = X509_REQ_get_pubkey(req); - X509_set_pubkey(x, pkey); + if ((pkey = X509_REQ_get_pubkey(req)) == NULL) + goto end; + if (!X509_set_pubkey(x, pkey)) { + EVP_PKEY_free(pkey); + goto end; + } EVP_PKEY_free(pkey); - } else - x = load_cert(bio_err, infile, informat, NULL, "Certificate"); - + } else { + x = load_cert(bio_err, x509_config.infile, x509_config.informat, + NULL, "Certificate"); + } if (x == NULL) goto end; - if (CA_flag) { - xca = load_cert(bio_err, CAfile, CAformat, NULL, "CA Certificate"); + + if (x509_config.CA_flag) { + xca = load_cert(bio_err, x509_config.CAfile, + x509_config.CAformat, NULL, "CA Certificate"); if (xca == NULL) goto end; } - if (!noout || text || next_serial) { - OBJ_create("2.99999.3", - "SET.ex3", "SET x509v3 extension 3"); + if (!x509_config.noout || x509_config.text || x509_config.next_serial) { + OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); out = BIO_new(BIO_s_file()); if (out == NULL) { ERR_print_errors(bio_err); goto end; } - if (outfile == NULL) { + if (x509_config.outfile == NULL) { BIO_set_fp(out, stdout, BIO_NOCLOSE); } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); + if (BIO_write_filename(out, x509_config.outfile) <= 0) { + perror(x509_config.outfile); goto end; } } } - if (alias) - X509_alias_set1(x, (unsigned char *) alias, -1); + if (x509_config.alias != NULL) { + if (!X509_alias_set1(x, (unsigned char *)x509_config.alias, -1)) + goto end; + } - if (clrtrust) + if (x509_config.clrtrust) X509_trust_clear(x); - if (clrreject) + if (x509_config.clrreject) X509_reject_clear(x); - if (trust) { - for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { - objtmp = sk_ASN1_OBJECT_value(trust, i); - X509_add1_trust_object(x, objtmp); + if (x509_config.trust != NULL) { + for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) { + x509_config.objtmp = sk_ASN1_OBJECT_value( + x509_config.trust, i); + if (!X509_add1_trust_object(x, x509_config.objtmp)) + goto end; } } - if (reject) { - for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { - objtmp = sk_ASN1_OBJECT_value(reject, i); - X509_add1_reject_object(x, objtmp); + if (x509_config.reject != NULL) { + for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) { + x509_config.objtmp = sk_ASN1_OBJECT_value( + x509_config.reject, i); + if (!X509_add1_reject_object(x, x509_config.objtmp)) + goto end; } } - if (num) { - for (i = 1; i <= num; i++) { - if (issuer == i) { + if (x509_config.num) { + for (i = 1; i <= x509_config.num; i++) { + if (x509_config.issuer == i) { print_name(STDout, "issuer= ", - X509_get_issuer_name(x), nmflag); - } else if (subject == i) { + X509_get_issuer_name(x), + x509_config.nmflag); + } else if (x509_config.subject == i) { print_name(STDout, "subject= ", - X509_get_subject_name(x), nmflag); - } else if (serial == i) { + X509_get_subject_name(x), + x509_config.nmflag); + } else if (x509_config.serial == i) { BIO_printf(STDout, "serial="); i2a_ASN1_INTEGER(STDout, X509_get_serialNumber(x)); BIO_printf(STDout, "\n"); - } else if (next_serial == i) { + } else if (x509_config.next_serial == i) { BIGNUM *bnser; ASN1_INTEGER *ser; ser = X509_get_serialNumber(x); + if (ser == NULL) + goto end; bnser = ASN1_INTEGER_to_BN(ser, NULL); - if (!bnser) + if (bnser == NULL) goto end; - if (!BN_add_word(bnser, 1)) + if (!BN_add_word(bnser, 1)) { + BN_free(bnser); goto end; + } ser = BN_to_ASN1_INTEGER(bnser, NULL); - if (!ser) + if (ser == NULL) { + BN_free(bnser); goto end; + } BN_free(bnser); i2a_ASN1_INTEGER(out, ser); ASN1_INTEGER_free(ser); BIO_puts(out, "\n"); - } else if ((email == i) || (ocsp_uri == i)) { + } else if ((x509_config.email == i) || + (x509_config.ocsp_uri == i)) { int j; STACK_OF(OPENSSL_STRING) *emlst; - if (email == i) + if (x509_config.email == i) emlst = X509_get1_email(x); else emlst = X509_get1_ocsp(x); @@ -652,30 +1015,34 @@ x509_main(int argc, char **argv) BIO_printf(STDout, "%s\n", sk_OPENSSL_STRING_value(emlst, j)); X509_email_free(emlst); - } else if (aliasout == i) { + } else if (x509_config.aliasout == i) { unsigned char *alstr; alstr = X509_alias_get0(x, NULL); - if (alstr) + if (alstr != NULL) BIO_printf(STDout, "%s\n", alstr); else BIO_puts(STDout, "\n"); - } else if (subject_hash == i) { - BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x)); + } else if (x509_config.subject_hash == i) { + BIO_printf(STDout, "%08lx\n", + X509_subject_name_hash(x)); } #ifndef OPENSSL_NO_MD5 - else if (subject_hash_old == i) { - BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x)); + else if (x509_config.subject_hash_old == i) { + BIO_printf(STDout, "%08lx\n", + X509_subject_name_hash_old(x)); } #endif - else if (issuer_hash == i) { - BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x)); + else if (x509_config.issuer_hash == i) { + BIO_printf(STDout, "%08lx\n", + X509_issuer_name_hash(x)); } #ifndef OPENSSL_NO_MD5 - else if (issuer_hash_old == i) { - BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x)); + else if (x509_config.issuer_hash_old == i) { + BIO_printf(STDout, "%08lx\n", + X509_issuer_name_hash_old(x)); } #endif - else if (pprint == i) { + else if (x509_config.pprint == i) { X509_PURPOSE *ptmp; int j; BIO_printf(STDout, "Certificate purposes:\n"); @@ -683,50 +1050,59 @@ x509_main(int argc, char **argv) ptmp = X509_PURPOSE_get0(j); purpose_print(STDout, x, ptmp); } - } else if (modulus == i) { + } else if (x509_config.modulus == i) { EVP_PKEY *pkey; pkey = X509_get_pubkey(x); if (pkey == NULL) { - BIO_printf(bio_err, "Modulus=unavailable\n"); + BIO_printf(bio_err, + "Modulus=unavailable\n"); ERR_print_errors(bio_err); goto end; } BIO_printf(STDout, "Modulus="); if (pkey->type == EVP_PKEY_RSA) BN_print(STDout, pkey->pkey.rsa->n); + else if (pkey->type == EVP_PKEY_DSA) + BN_print(STDout, + pkey->pkey.dsa->pub_key); else - if (pkey->type == EVP_PKEY_DSA) - BN_print(STDout, pkey->pkey.dsa->pub_key); - else - BIO_printf(STDout, "Wrong Algorithm type"); + BIO_printf(STDout, + "Wrong Algorithm type"); BIO_printf(STDout, "\n"); EVP_PKEY_free(pkey); - } else if (pubkey == i) { + } else if (x509_config.pubkey == i) { EVP_PKEY *pkey; pkey = X509_get_pubkey(x); if (pkey == NULL) { - BIO_printf(bio_err, "Error getting public key\n"); + BIO_printf(bio_err, + "Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(STDout, pkey); EVP_PKEY_free(pkey); - } else if (C == i) { + } else if (x509_config.C == i) { unsigned char *d; char *m; int y, z; - X509_NAME_oneline(X509_get_subject_name(x), + m = X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf); + if (m == NULL) + goto end; BIO_printf(STDout, "/* subject:%s */\n", buf); - m = X509_NAME_oneline( - X509_get_issuer_name(x), buf, - sizeof buf); + m = X509_NAME_oneline(X509_get_issuer_name(x), + buf, sizeof buf); + if (m == NULL) + goto end; BIO_printf(STDout, "/* issuer :%s */\n", buf); z = i2d_X509(x, NULL); + if (z < 0) + goto end; + m = malloc(z); if (m == NULL) { BIO_printf(bio_err, "out of mem\n"); @@ -735,7 +1111,12 @@ x509_main(int argc, char **argv) d = (unsigned char *) m; z = i2d_X509_NAME(X509_get_subject_name(x), &d); - BIO_printf(STDout, "unsigned char XXX_subject_name[%d]={\n", z); + if (z < 0) { + free(m); + goto end; + } + BIO_printf(STDout, + "unsigned char XXX_subject_name[%d]={\n", z); d = (unsigned char *) m; for (y = 0; y < z; y++) { BIO_printf(STDout, "0x%02X,", d[y]); @@ -747,7 +1128,12 @@ x509_main(int argc, char **argv) BIO_printf(STDout, "};\n"); z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); - BIO_printf(STDout, "unsigned char XXX_public_key[%d]={\n", z); + if (z < 0) { + free(m); + goto end; + } + BIO_printf(STDout, + "unsigned char XXX_public_key[%d]={\n", z); d = (unsigned char *) m; for (y = 0; y < z; y++) { BIO_printf(STDout, "0x%02X,", d[y]); @@ -759,7 +1145,12 @@ x509_main(int argc, char **argv) BIO_printf(STDout, "};\n"); z = i2d_X509(x, &d); - BIO_printf(STDout, "unsigned char XXX_certificate[%d]={\n", z); + if (z < 0) { + free(m); + goto end; + } + BIO_printf(STDout, + "unsigned char XXX_certificate[%d]={\n", z); d = (unsigned char *) m; for (y = 0; y < z; y++) { BIO_printf(STDout, "0x%02X,", d[y]); @@ -771,23 +1162,37 @@ x509_main(int argc, char **argv) BIO_printf(STDout, "};\n"); free(m); - } else if (text == i) { - X509_print_ex(STDout, x, nmflag, certflag); - } else if (startdate == i) { + } else if (x509_config.text == i) { + if(!X509_print_ex(STDout, x, x509_config.nmflag, + x509_config.certflag)) + goto end; + } else if (x509_config.startdate == i) { + ASN1_TIME *nB = X509_get_notBefore(x); BIO_puts(STDout, "notBefore="); - ASN1_TIME_print(STDout, X509_get_notBefore(x)); + if (ASN1_time_parse(nB->data, nB->length, NULL, + 0) == -1) + BIO_puts(STDout, + "INVALID RFC5280 TIME"); + else + ASN1_TIME_print(STDout, nB); BIO_puts(STDout, "\n"); - } else if (enddate == i) { + } else if (x509_config.enddate == i) { + ASN1_TIME *nA = X509_get_notAfter(x); BIO_puts(STDout, "notAfter="); - ASN1_TIME_print(STDout, X509_get_notAfter(x)); + if (ASN1_time_parse(nA->data, nA->length, NULL, + 0) == -1) + BIO_puts(STDout, + "INVALID RFC5280 TIME"); + else + ASN1_TIME_print(STDout, nA); BIO_puts(STDout, "\n"); - } else if (fingerprint == i) { + } else if (x509_config.fingerprint == i) { int j; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *fdig = digest; + const EVP_MD *fdig = x509_config.digest; - if (!fdig) + if (fdig == NULL) fdig = EVP_sha256(); if (!X509_digest(x, fdig, md, &n)) { @@ -800,71 +1205,88 @@ x509_main(int argc, char **argv) BIO_printf(STDout, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); } - } + /* should be in the library */ - else if ((sign_flag == i) && (x509req == 0)) { + } else if ((x509_config.sign_flag == i) && + (x509_config.x509req == 0)) { BIO_printf(bio_err, "Getting Private key\n"); if (Upkey == NULL) { Upkey = load_key(bio_err, - keyfile, keyformat, 0, - passin, "Private key"); + x509_config.keyfile, + x509_config.keyformat, 0, passin, + "Private key"); if (Upkey == NULL) goto end; } - if (!sign(x, Upkey, days, clrext, digest, - extconf, extsect)) + if (!sign(x, Upkey, x509_config.days, + x509_config.clrext, x509_config.digest, + extconf, x509_config.extsect)) goto end; - } else if (CA_flag == i) { + } else if (x509_config.CA_flag == i) { BIO_printf(bio_err, "Getting CA Private Key\n"); - if (CAkeyfile != NULL) { + if (x509_config.CAkeyfile != NULL) { CApkey = load_key(bio_err, - CAkeyfile, CAkeyformat, - 0, passin, "CA Private Key"); + x509_config.CAkeyfile, + x509_config.CAkeyformat, 0, passin, + "CA Private Key"); if (CApkey == NULL) goto end; } - if (!x509_certify(ctx, CAfile, digest, x, xca, - CApkey, sigopts, - CAserial, CA_createserial, days, clrext, - extconf, extsect, sno)) + if (!x509_certify(ctx, x509_config.CAfile, + x509_config.digest, x, xca, CApkey, + x509_config.sigopts, x509_config.CAserial, + x509_config.CA_createserial, + x509_config.days, x509_config.clrext, + extconf, x509_config.extsect, + x509_config.sno)) goto end; - } else if (x509req == i) { + } else if (x509_config.x509req == i) { EVP_PKEY *pk; - BIO_printf(bio_err, "Getting request Private Key\n"); - if (keyfile == NULL) { - BIO_printf(bio_err, "no request key file specified\n"); + BIO_printf(bio_err, + "Getting request Private Key\n"); + if (x509_config.keyfile == NULL) { + BIO_printf(bio_err, + "no request key file specified\n"); goto end; } else { pk = load_key(bio_err, - keyfile, keyformat, 0, - passin, "request key"); + x509_config.keyfile, + x509_config.keyformat, 0, passin, + "request key"); if (pk == NULL) goto end; } - BIO_printf(bio_err, "Generating certificate request\n"); + BIO_printf(bio_err, + "Generating certificate request\n"); - rq = X509_to_X509_REQ(x, pk, digest); + rq = X509_to_X509_REQ(x, pk, x509_config.digest); EVP_PKEY_free(pk); if (rq == NULL) { ERR_print_errors(bio_err); goto end; } - if (!noout) { - X509_REQ_print(out, rq); - PEM_write_bio_X509_REQ(out, rq); + if (!x509_config.noout) { + if (!X509_REQ_print(out, rq)) + goto end; + if (!PEM_write_bio_X509_REQ(out, rq)) + goto end; } - noout = 1; - } else if (ocspid == i) { - X509_ocspid_print(out, x); + x509_config.noout = 1; + } else if (x509_config.ocspid == i) { + if (!X509_ocspid_print(out, x)) + goto end; } } } - if (checkend) { - time_t tcheck = time(NULL) + checkoffset; - - if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) { + if (x509_config.checkend) { + time_t tcheck = time(NULL) + x509_config.checkoffset; + int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck); + if (timecheck == 0) { + BIO_printf(out, "Certificate expiry time is invalid\n"); + ret = 1; + } else if (timecheck < 0) { BIO_printf(out, "Certificate will expire\n"); ret = 1; } else { @@ -873,18 +1295,18 @@ x509_main(int argc, char **argv) } goto end; } - if (noout) { + if (x509_config.noout) { ret = 0; goto end; } - if (outformat == FORMAT_ASN1) + if (x509_config.outformat == FORMAT_ASN1) i = i2d_X509_bio(out, x); - else if (outformat == FORMAT_PEM) { - if (trustout) + else if (x509_config.outformat == FORMAT_PEM) { + if (x509_config.trustout) i = PEM_write_bio_X509_AUX(out, x); else i = PEM_write_bio_X509(out, x); - } else if (outformat == FORMAT_NETSCAPE) { + } else if (x509_config.outformat == FORMAT_NETSCAPE) { NETSCAPE_X509 nx; ASN1_OCTET_STRING hdr; @@ -895,7 +1317,8 @@ x509_main(int argc, char **argv) i = ASN1_item_i2d_bio(&NETSCAPE_X509_it, out, &nx); } else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); + BIO_printf(bio_err, + "bad output format specified for outfile\n"); goto end; } if (!i) { @@ -916,11 +1339,11 @@ x509_main(int argc, char **argv) X509_free(xca); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); - sk_OPENSSL_STRING_free(sigopts); + sk_OPENSSL_STRING_free(x509_config.sigopts); X509_REQ_free(rq); - ASN1_INTEGER_free(sno); - sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); - sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); + ASN1_INTEGER_free(x509_config.sno); + sk_ASN1_OBJECT_pop_free(x509_config.trust, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(x509_config.reject, ASN1_OBJECT_free); free(passin); return (ret); @@ -982,6 +1405,8 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, EVP_PKEY *upkey; upkey = X509_get_pubkey(xca); + if (upkey == NULL) + goto end; EVP_PKEY_copy_parameters(upkey, pkey); EVP_PKEY_free(upkey); @@ -989,9 +1414,9 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, BIO_printf(bio_err, "Error initialising X509 store\n"); goto end; } - if (sno) + if (sno != NULL) bs = sno; - else if (!(bs = x509_load_serial(CAfile, serialfile, create))) + else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL) goto end; /* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ @@ -1002,11 +1427,12 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, */ X509_STORE_CTX_set_cert(&xsc, x); X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); - if (!reqfile && X509_verify_cert(&xsc) <= 0) + if (!x509_config.reqfile && X509_verify_cert(&xsc) <= 0) goto end; if (!X509_check_private_key(xca, pkey)) { - BIO_printf(bio_err, "CA certificate and CA private key do not match\n"); + BIO_printf(bio_err, + "CA certificate and CA private key do not match\n"); goto end; } if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) @@ -1022,12 +1448,15 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, goto end; if (clrext) { - while (X509_get_ext_count(x) > 0) - X509_delete_ext(x, 0); + while (X509_get_ext_count(x) > 0) { + if (X509_delete_ext(x, 0) == NULL) + goto end; + } } - if (conf) { + if (conf != NULL) { X509V3_CTX ctx2; - X509_set_version(x, 2); /* version 3 certificate */ + if (!X509_set_version(x, 2)) /* version 3 certificate */ + goto end; X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); X509V3_set_nconf(&ctx2, conf); if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) @@ -1035,12 +1464,13 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, } if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) goto end; + ret = 1; end: X509_STORE_CTX_cleanup(&xsc); if (!ret) ERR_print_errors(bio_err); - if (!sno) + if (sno == NULL) ASN1_INTEGER_free(bs); return ret; } @@ -1066,12 +1496,14 @@ callb(int ok, X509_STORE_CTX *ctx) * DEPTH_ZERO_SELF_.... */ if (ok) { - BIO_printf(bio_err, "error with certificate to be certified - should be self signed\n"); + BIO_printf(bio_err, + "error with certificate to be certified - should be self signed\n"); return 0; } else { err_cert = X509_STORE_CTX_get_current_cert(ctx); print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0); - BIO_printf(bio_err, "error with certificate - error %d at depth %d\n%s\n", + BIO_printf(bio_err, + "error with certificate - error %d at depth %d\n%s\n", err, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(err)); return 1; @@ -1083,10 +1515,11 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, CONF *conf, char *section) { - EVP_PKEY *pktmp; pktmp = X509_get_pubkey(x); + if (pktmp == NULL) + goto err; EVP_PKEY_copy_parameters(pktmp, pkey); EVP_PKEY_save_parameters(pktmp, 1); EVP_PKEY_free(pktmp); @@ -1107,12 +1540,15 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, if (!X509_set_pubkey(x, pkey)) goto err; if (clrext) { - while (X509_get_ext_count(x) > 0) - X509_delete_ext(x, 0); + while (X509_get_ext_count(x) > 0) { + if (X509_delete_ext(x, 0) == NULL) + goto err; + } } - if (conf) { + if (conf != NULL) { X509V3_CTX ctx; - X509_set_version(x, 2); /* version 3 certificate */ + if (!X509_set_version(x, 2)) /* version 3 certificate */ + goto err; X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) @@ -1120,6 +1556,7 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, } if (!X509_sign(x, pkey, digest)) goto err; + return 1; err: diff --git a/apps/openssl/cert.pem b/cert.pem similarity index 87% rename from apps/openssl/cert.pem rename to cert.pem index 92263add..ce2fe697 100644 --- a/apps/openssl/cert.pem +++ b/cert.pem @@ -1,4 +1,4 @@ -# $OpenBSD: cert.pem,v 1.19 2019/04/04 12:42:01 sthen Exp $ +# $OpenBSD: cert.pem,v 1.22 2021/02/12 12:16:53 sthen Exp $ ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 @@ -68,7 +68,8 @@ jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V Certificate: Data: Version: 3 (0x2) - Serial Number: 11806822484801597146 (0xa3da427ea4b1aeda) + Serial Number: + a3:da:42:7e:a4:b1:ae:da Signature Algorithm: sha1WithRSAEncryption Validity Not Before: Aug 1 12:29:50 2008 GMT @@ -138,7 +139,8 @@ d0jQ Certificate: Data: Version: 3 (0x2) - Serial Number: 14541511773111788494 (0xc9cdd3e9d57d23ce) + Serial Number: + c9:cd:d3:e9:d5:7d:23:ce Signature Algorithm: sha1WithRSAEncryption Validity Not Before: Aug 1 12:31:40 2008 GMT @@ -348,58 +350,6 @@ LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== -----END CERTIFICATE----- -### AddTrust AB - -=== /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: May 30 10:48:38 2000 GMT - Not After : May 30 10:48:38 2020 GMT - Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root - X509v3 extensions: - X509v3 Subject Key Identifier: - AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A - X509v3 Key Usage: - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Authority Key Identifier: - keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A - DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root - serial:01 - -SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 -SHA256 Fingerprint=68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2 ------BEGIN CERTIFICATE----- -MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU -MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs -IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 -MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux -FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h -bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v -dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt -H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 -uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX -mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX -a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN -E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 -WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD -VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 -Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU -cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx -IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN -AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH -YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 -6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC -Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX -c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a -mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= ------END CERTIFICATE----- - ### AffirmTrust === /C=US/O=AffirmTrust/CN=AffirmTrust Commercial @@ -784,9 +734,6 @@ CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW 1KyLa2tJElMzrdfkviT8tQp21KW8EA== -----END CERTIFICATE----- -### AS Sertifitseerimiskeskus - - ### Atos === /CN=Atos TrustedRoot 2011/O=Atos/C=DE @@ -982,115 +929,6 @@ u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq 4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc= -----END CERTIFICATE----- -### Certinomis - -=== /C=FR/O=Certinomis/OU=0002 433998903/CN=Certinomis - Root CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Oct 21 09:17:18 2013 GMT - Not After : Oct 21 09:17:18 2033 GMT - Subject: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - EF:91:4C:F5:A5:C3:30:E8:2F:08:EA:D3:71:22:A4:92:68:78:74:D9 - X509v3 Authority Key Identifier: - keyid:EF:91:4C:F5:A5:C3:30:E8:2F:08:EA:D3:71:22:A4:92:68:78:74:D9 - -SHA1 Fingerprint=9D:70:BB:01:A5:A4:A0:18:11:2E:F7:1C:01:B9:32:C5:34:E7:88:A8 -SHA256 Fingerprint=2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 ------BEGIN CERTIFICATE----- -MIIFkjCCA3qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJGUjET -MBEGA1UEChMKQ2VydGlub21pczEXMBUGA1UECxMOMDAwMiA0MzM5OTg5MDMxHTAb -BgNVBAMTFENlcnRpbm9taXMgLSBSb290IENBMB4XDTEzMTAyMTA5MTcxOFoXDTMz -MTAyMTA5MTcxOFowWjELMAkGA1UEBhMCRlIxEzARBgNVBAoTCkNlcnRpbm9taXMx -FzAVBgNVBAsTDjAwMDIgNDMzOTk4OTAzMR0wGwYDVQQDExRDZXJ0aW5vbWlzIC0g -Um9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANTMCQosP5L2 -fxSeC5yaah1AMGT9qt8OHgZbn1CF6s2Nq0Nn3rD6foCWnoR4kkjW4znuzuRZWJfl -LieY6pOod5tK8O90gC3rMB+12ceAnGInkYjwSond3IjmFPnVAy//ldu9n+ws+hQV -WZUKxkd8aRi5pwP5ynapz8dvtF4F/u7BUrJ1Mofs7SlmO/NKFoL21prbcpjp3vDF -TKWrteoB4owuZH9kb/2jJZOLyKIOSY008B/sWEUuNKqEUL3nskoTuLAPrjhdsKkb -5nPJWqHZZkCqqU2mNAKthH6yI8H7KsZn9DS2sJVqM09xRLWtwHkziOC/7aOgFLSc -CbAK42C++PhmiM1b8XcF4LVzbsF9Ri6OSyemzTUK/eVNfaoqoynHWmgE6OXWk6Ri -wsXm9E/G+Z8ajYJJGYrKWUM66A0ywfRMEwNvbqY/kXPLynNvEiCL7sCCeN5LLsJJ -wx3tFvYk9CcbXFcx3FXuqB5vbKziRcxXV4p1VxngtViZSTYxPDMBbRZKzbgqg4SG -m/lg0h9tkQPTYKbVPZrdd5A9NaSfD171UkRpucC63M9933zZxKyGIjK8e2uR73r4 -F2iw4lNVYC2vPsKD2NkJK/DAZNuHi5HMkesE/Xa0lZrmFAYb1TQdvtj/dBxThZng -WVJKYe2InmtJiUZ+IFrZ50rlau7SZRFDAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIB -BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTvkUz1pcMw6C8I6tNxIqSSaHh0 -2TAfBgNVHSMEGDAWgBTvkUz1pcMw6C8I6tNxIqSSaHh02TANBgkqhkiG9w0BAQsF -AAOCAgEAfj1U2iJdGlg+O1QnurrMyOMaauo++RLrVl89UM7g6kgmJs95Vn6RHJk/ -0KGRHCwPT5iVWVO90CLYiF2cN/z7ZMF4jIuaYAnq1fohX9B0ZedQxb8uuQsLrbWw -F6YSjNRieOpWauwK0kDDPAUwPk2Ut59KA9N9J0u2/kTO+hkzGm2kQtHdzMjI1xZS -g081lLMSVX3l4kLr5JyTCcBMWwerx20RoFAXlCOotQqSD7J6wWAsOMwaplv/8gzj -qh8c3LigkyfeY+N/IZ865Z764BNqdeuWXGKRlI5nU7aJ+BIJy29SWwNyhlCVCNSN -h4YVH5Uk2KRvms6knZtt0rJ2BobGVgjF6wnaNsIbW0G+YSrjcOa4pvi2WsS9Iff/ -ql+hbHY5ZtbqTFXhADObE5hjyW/QASAJN1LnDE8+zbz1X5YnpyACleAu6AdBBR8V -btaw5BngDwKTACdyxYvRVB9dSsNAl35VpnzBMwQUAR1JIGkLGZOdblgi90AMRgwj -Y/M50n92Uaf0yKHxDHYiI0ZSKS3io0EHVmmY0gUJvGnHWmHNj4FgFU2A3ZDifcRQ -8ow7bkrHxuaAKzyBvBGAFhAn1/DNP3nMcyrDflOR1m749fPH0FFNjkulW+YZFzvW -gQncItzujrnEj1PhZ7szuIgVRs/taTX/dQ1G885x4cVrhkIGuUE= ------END CERTIFICATE----- - -### Certplus - -=== /C=FR/O=Certplus/CN=Class 2 Primary CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23 - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Jul 7 17:05:00 1999 GMT - Not After : Jul 6 23:59:59 2019 GMT - Subject: C=FR, O=Certplus, CN=Class 2 Primary CA - X509v3 extensions: - X509v3 Basic Constraints: - CA:TRUE, pathlen:10 - X509v3 Key Usage: - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - E3:73:2D:DF:CB:0E:28:0C:DE:DD:B3:A4:CA:79:B8:8E:BB:E8:30:89 - Netscape Cert Type: - SSL CA, S/MIME CA - X509v3 CRL Distribution Points: - - Full Name: - URI:http://www.certplus.com/CRL/class2.crl - -SHA1 Fingerprint=74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB -SHA256 Fingerprint=0F:99:3C:8A:EF:97:BA:AF:56:87:14:0E:D5:9A:D1:82:1B:B4:AF:AC:F0:AA:9A:58:B5:D5:7A:33:8A:3A:FB:CB ------BEGIN CERTIFICATE----- -MIIDkjCCAnqgAwIBAgIRAIW9S/PY2uNp9pTXX8OlRCMwDQYJKoZIhvcNAQEFBQAw -PTELMAkGA1UEBhMCRlIxETAPBgNVBAoTCENlcnRwbHVzMRswGQYDVQQDExJDbGFz -cyAyIFByaW1hcnkgQ0EwHhcNOTkwNzA3MTcwNTAwWhcNMTkwNzA2MjM1OTU5WjA9 -MQswCQYDVQQGEwJGUjERMA8GA1UEChMIQ2VydHBsdXMxGzAZBgNVBAMTEkNsYXNz -IDIgUHJpbWFyeSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANxQ -ltAS+DXSCHh6tlJw/W/uz7kRy1134ezpfgSN1sxvc0NXYKwzCkTsA18cgCSR5aiR -VhKC9+Ar9NuuYS6JEI1rbLqzAr3VNsVINyPi8Fo3UjMXEuLRYE2+L0ER4/YXJQyL -kcAbmXuZVg2v7tK8R1fjeUl7NIknJITesezpWE7+Tt9avkGtrAjFGA7v0lPubNCd -EgETjdyAYveVqUSISnFOYFWe2yMZeVYHDD9jC1yw4r5+FfyUM1hBOHTE4Y+L3yas -H7WLO7dDWWuwJKZtkIvEcupdM5i3y95ee++U8Rs+yskhwcWYAqqi9lt3m/V+llU0 -HGdpwPFC40es/CgcZlUCAwEAAaOBjDCBiTAPBgNVHRMECDAGAQH/AgEKMAsGA1Ud -DwQEAwIBBjAdBgNVHQ4EFgQU43Mt38sOKAze3bOkynm4jrvoMIkwEQYJYIZIAYb4 -QgEBBAQDAgEGMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly93d3cuY2VydHBsdXMu -Y29tL0NSTC9jbGFzczIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCnVM+IRBnL39R/ -AN9WM2K191EBkOvDP9GIROkkXe/nFL0gt5o8AP5tn9uQ3Nf0YtaLcF3n5QRIqWh8 -yfFC82x/xXp8HVGIutIKPidd3i1RTtMTZGnkLuPT55sJmabglZvOGtd/vjzOUrMR -FcEPF80Du5wlFbqidon8BvEY0JNLDnyCt6X09l/+7UCmnYR0ObncHoUW2ikbhiMA -ybuJfm6AiB4vFLQDJKgybwOaRywwvlbGp0ICcBvqQNi6BQNwB6SW//1IMwrh3KWB -kJtN3X3n57LNXMhqlfil9o3EXXgIvnsG1knPGTZQIy4I5p4FTUcY1Rbpsda2ENW7 -l7+ijrRU ------END CERTIFICATE----- - ### certSIGN === /C=RO/O=certSIGN/OU=certSIGN ROOT CA @@ -1133,6 +971,60 @@ i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN 9u6wWk5JRFRYX0KD -----END CERTIFICATE----- +### CERTSIGN SA + +=== /C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:00:34:b6:4e:c6:36:2d:36 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 6 09:27:35 2017 GMT + Not After : Feb 6 09:27:35 2042 GMT + Subject: C=RO, O=CERTSIGN SA, OU=certSIGN ROOT CA G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 82:21:2D:66:C6:D7:A0:E0:15:EB:CE:4C:09:77:C4:60:9E:54:6E:03 +SHA1 Fingerprint=26:F9:93:B4:ED:3D:28:27:B0:B9:4B:A7:E9:15:1D:A3:8D:92:E5:32 +SHA256 Fingerprint=65:7C:FE:2F:A7:3F:AA:38:46:25:71:F3:32:A2:36:3A:46:FC:E7:02:09:51:71:07:02:CD:FB:B6:EE:DA:33:05 +-----BEGIN CERTIFICATE----- +MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV +BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g +Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ +BgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJ +R04gUk9PVCBDQSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDF +dRmRfUR0dIf+DjuW3NgBFszuY5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0Iw +vlDqtg+piNguLWkh59E3GE59kdUWX2tbAMI5Qw02hVK5U2UPHULlj88F0+7cDBrZ +uIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwoUe+StCmrqzWaTOTECMYmzPhp +n+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV07YRaXseVO6MGiKs +cpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2YpxJM02PbyW +xPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P +rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiF +DsGJ6x9nxUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fx +DTvf95xhszWYijqy7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgy +LcsUDFDYg2WD7rlcz8sFWkz6GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6C +eWRgKRM+o/1Pcmqr4tTluCRVLERLiohEnMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSCIS1mxteg4BXrzkwJ +d8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILVAzOBywaK8SJJ6ejq +kX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa8gWmr4UC +b6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl +qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0 +OJD7uNGzcgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+c +NywRtYK3qq4kNFtyDGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXk +ltd0ZGtxTgI8qoXzIKNDOXZbbFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIO +pwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj +03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdYaXHmgwo38oZJar55CJD2AhZk +PuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxEy9/eCG/Oo2Sr05WE +1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/NtBde17MX +QRBdJ3NghVdJIgc= +-----END CERTIFICATE----- + ### China Financial Certification Authority === /C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT @@ -1605,57 +1497,14 @@ xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1 -----END CERTIFICATE----- -### Deutsche Telekom AG - -=== /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 38 (0x26) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Jul 9 12:11:00 1999 GMT - Not After : Jul 9 23:59:00 2019 GMT - Subject: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2 - X509v3 extensions: - X509v3 Subject Key Identifier: - 31:C3:79:1B:BA:F5:53:D7:17:E0:89:7A:2D:17:6C:0A:B3:2B:9D:33 - X509v3 Basic Constraints: - CA:TRUE, pathlen:5 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign -SHA1 Fingerprint=85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF -SHA256 Fingerprint=B6:19:1A:50:D0:C3:97:7F:7D:A9:9B:CD:AA:C8:6A:22:7D:AE:B9:67:9E:C7:0B:A3:B0:C9:D9:22:71:C1:70:D3 ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEc -MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2Vj -IFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENB -IDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5MjM1OTAwWjBxMQswCQYDVQQGEwJE -RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxl -U2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290 -IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEU -ha88EOQ5bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhC -QN/Po7qCWWqSG6wcmtoIKyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1Mjwr -rFDa1sPeg5TKqAyZMg4ISFZbavva4VhYAUlfckE8FQYBjl2tqriTtM2e66foai1S -NNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aKSe5TBY8ZTNXeWHmb0moc -QqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTVjlsB9WoH -txa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAP -BgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC -AQEAlGRZrTlk5ynrE/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756Abrsp -tJh6sTtU6zkXR34ajgv8HzFZMQSyzhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpa -IzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8rZ7/gFnkm0W09juwzTkZmDLl -6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4Gdyd1Lx+4ivn+ -xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU -Cm26OWMohpLzGITY+9HPBVZkVw== ------END CERTIFICATE----- - ### Dhimyotis === /C=FR/O=Dhimyotis/CN=Certigna Certificate: Data: Version: 3 (0x2) - Serial Number: 18364802974209362175 (0xfedce3010fc948ff) + Serial Number: + fe:dc:e3:01:0f:c9:48:ff Signature Algorithm: sha1WithRSAEncryption Validity Not Before: Jun 29 15:13:05 2007 GMT @@ -2165,7 +2014,8 @@ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ Certificate: Data: Version: 3 (0x2) - Serial Number: 10572350602393338211 (0x92b888dbb08ac163) + Serial Number: + 92:b8:88:db:b0:8a:c1:63 Signature Algorithm: sha256WithRSAEncryption Validity Not Before: Jul 19 09:15:30 2012 GMT @@ -2273,6 +2123,164 @@ y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== -----END CERTIFICATE----- +### eMudhra Inc + +=== /C=US/OU=emSign PKI/O=eMudhra Inc/CN=emSign ECC Root CA - C3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 7b:71:b6:82:56:b8:12:7c:9c:a8 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign ECC Root CA - C3 + X509v3 extensions: + X509v3 Subject Key Identifier: + FB:5A:48:D0:80:20:40:F2:A8:E9:00:07:69:19:77:A7:E6:C3:F4:CF + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66 +SHA256 Fingerprint=BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3 +-----BEGIN CERTIFICATE----- +MIICKzCCAbGgAwIBAgIKe3G2gla4EnycqDAKBggqhkjOPQQDAzBaMQswCQYDVQQG +EwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMx +IDAeBgNVBAMTF2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMB4XDTE4MDIxODE4MzAw +MFoXDTQzMDIxODE4MzAwMFowWjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln +biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMSAwHgYDVQQDExdlbVNpZ24gRUND +IFJvb3QgQ0EgLSBDMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABP2lYa57JhAd6bci +MK4G9IGzsUJxlTm801Ljr6/58pc1kjZGDoeVjbk5Wum739D+yAdBPLtVb4Ojavti +sIGJAnB9SMVK4+kiVCJNk7tCDK93nCOmfddhEc5lx/h//vXyqaNCMEAwHQYDVR0O +BBYEFPtaSNCAIEDyqOkAB2kZd6fmw/TPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMQC02C8Cif22TGK6Q04ThHK1rt0c +3ta13FaPWEBaLd4gTCKDypOofu4SQMfWh0/434UCMBwUZOR8loMRnLDRWmFLpg9J +0wD8ofzkpf9/rdcw0Md3f76BB1UwUCAU9Vc4CqgxUQ== +-----END CERTIFICATE----- +=== /C=US/OU=emSign PKI/O=eMudhra Inc/CN=emSign Root CA - C1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ae:cf:00:ba:c4:cf:32:f8:43:b2 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign Root CA - C1 + X509v3 extensions: + X509v3 Subject Key Identifier: + FE:A1:E0:70:1E:2A:03:39:52:5A:42:BE:5C:91:85:7A:18:AA:4D:B5 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01 +SHA256 Fingerprint=12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F +-----BEGIN CERTIFICATE----- +MIIDczCCAlugAwIBAgILAK7PALrEzzL4Q7IwDQYJKoZIhvcNAQELBQAwVjELMAkG +A1UEBhMCVVMxEzARBgNVBAsTCmVtU2lnbiBQS0kxFDASBgNVBAoTC2VNdWRocmEg +SW5jMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEMxMB4XDTE4MDIxODE4MzAw +MFoXDTQzMDIxODE4MzAwMFowVjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln +biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMRwwGgYDVQQDExNlbVNpZ24gUm9v +dCBDQSAtIEMxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz+upufGZ +BczYKCFK83M0UYRWEPWgTywS4/oTmifQz/l5GnRfHXk5/Fv4cI7gklL35CX5VIPZ +HdPIWoU/Xse2B+4+wM6ar6xWQio5JXDWv7V7Nq2s9nPczdcdioOl+yuQFTdrHCZH +3DspVpNqs8FqOp099cGXOFgFixwR4+S0uF2FHYP+eF8LRWgYSKVGczQ7/g/IdrvH +GPMF0Ybzhe3nudkyrVWIzqa2kbBPrH4VI5b2P/AgNBbeCsbEBEV5f6f9vtKppa+c +xSMq9zwhbL2vj07FOrLzNBL834AaSaTUqZX3noleoomslMuoaJuvimUnzYnu3Yy1 +aylwQ6BpC+S5DwIDAQABo0IwQDAdBgNVHQ4EFgQU/qHgcB4qAzlSWkK+XJGFehiq +TbUwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBAMJKVvoVIXsoounlHfv4LcQ5lkFMOycsxGwYFYDGrK9HWS8mC+M2sO87 +/kOXSTKZEhVb3xEp/6tT+LvBeA+snFOvV71ojD1pM/CjoCNjO2RnIkSt1XHLVip4 +kqNPEjE2NuLe/gDEo2APJ62gsIq1NnpSob0n9CAnYuhNlCQT5AoE6TyrLshDCUrG +YQTlSTR+08TI9Q/Aqum6VF7zYytPT1DU/rl7mYw9wC68AivTxEDkigcxHpvOJpkT ++xHqmiIMERnHXhuBUDDIlhJu58tBf5E7oke3VIAb3ADMmpDqw8NQBmIMMMAVSKeo +WXzhriKi4gp6D/piq1JM4fHfyr6DDUI= +-----END CERTIFICATE----- + +### eMudhra Technologies Limited + +=== /C=IN/OU=emSign PKI/O=eMudhra Technologies Limited/CN=emSign ECC Root CA - G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3c:f6:07:a9:68:70:0e:da:8b:84 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign ECC Root CA - G3 + X509v3 extensions: + X509v3 Subject Key Identifier: + 7C:5D:02:84:13:D4:CC:8A:9B:81:CE:17:1C:2E:29:1E:9C:48:63:42 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1 +SHA256 Fingerprint=86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B +-----BEGIN CERTIFICATE----- +MIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQswCQYDVQQG +EwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo +bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0g +RzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJ +TjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s +b2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMw +djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQjpQy4LRL1KPOxst3iAhKAnjlfSU2fySU0 +WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyzdc6LBtCGI79G1Y4PPwT01xyS +fvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQWBBR8XQKEE9TMipuB +zhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB +CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD ++JbNR6iC8hZVdyR+EhCVBCyj +-----END CERTIFICATE----- +=== /C=IN/OU=emSign PKI/O=eMudhra Technologies Limited/CN=emSign Root CA - G1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 31:f5:e4:62:0c:6c:58:ed:d6:d8 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign Root CA - G1 + X509v3 extensions: + X509v3 Subject Key Identifier: + FB:EF:0D:86:9E:B0:E3:DD:A9:B9:F1:21:17:7F:3E:FC:F0:77:2B:1A + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C +SHA256 Fingerprint=40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67 +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIKMfXkYgxsWO3W2DANBgkqhkiG9w0BAQsFADBnMQswCQYD +VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBU +ZWNobm9sb2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBH +MTAeFw0xODAyMTgxODMwMDBaFw00MzAyMTgxODMwMDBaMGcxCzAJBgNVBAYTAklO +MRMwEQYDVQQLEwplbVNpZ24gUEtJMSUwIwYDVQQKExxlTXVkaHJhIFRlY2hub2xv +Z2llcyBMaW1pdGVkMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEcxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk0u76WaK7p1b1TST0Bsew+eeuGQz +f2N4aLTNLnF115sgxk0pvLZoYIr3IZpWNVrzdr3YzZr/k1ZLpVkGoZM0Kd0WNHVO +8oG0x5ZOrRkVUkr+PHB1cM2vK6sVmjM8qrOLqs1D/fXqcP/tzxE7lM5OMhbTI0Aq +d7OvPAEsbO2ZLIvZTmmYsvePQbAyeGHWDV/D+qJAkh1cF+ZwPjXnorfCYuKrpDhM +tTk1b+oDafo6VGiFbdbyL0NVHpENDtjVaqSW0RM8LHhQ6DqS0hdW5TUaQBw+jSzt +Od9C4INBdN+jzcKGYEho42kLVACL5HZpIQ15TjQIXhTCzLG3rdd8cIrHhQIDAQAB +o0IwQDAdBgNVHQ4EFgQU++8Nhp6w492pufEhF38+/PB3KxowDgYDVR0PAQH/BAQD +AgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFn/8oz1h31x +PaOfG1vR2vjTnGs2vZupYeveFix0PZ7mddrXuqe8QhfnPZHr5X3dPpzxz5KsbEjM +wiI/aTvFthUvozXGaCocV685743QNcMYDHsAVhzNixl03r4PEuDQqqE/AjSxcM6d +GNYIAwlG7mDgfrbESQRRfXBgvKqy/3lyeqYdPV8q+Mri/Tm3R7nrft8EI6/6nAYH +6ftjk4BAtcZsCjEozgyfz7MjNYBBjWzEN3uBL4ChQEKF6dk4jeihU80Bv2noWgby +RQuQ+q7hv53yrlc8pa6yVvSLZUDp/TGBLPQ5Cdjua6e0ph0VpZj3AYHYhX3zUVxx +iN66zB+Afko= +-----END CERTIFICATE----- + ### Entrust, Inc. === /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2 @@ -2357,6 +2365,62 @@ BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G -----END CERTIFICATE----- +=== /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G4 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 27 11:11:16 2015 GMT + Not After : Dec 27 11:41:16 2037 GMT + Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2015 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G4 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 +SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 +SHA256 Fingerprint=DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 +-----BEGIN CERTIFICATE----- +MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw +gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL +Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg +MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw +BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 +MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 +c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ +bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg +Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ +2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E +T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j +5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM +C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T +DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX +wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A +2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm +nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 +dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl +N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj +c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS +5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS +Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr +hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ +B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI +AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw +H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ +b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk +2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol +IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk +5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY +n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== +-----END CERTIFICATE----- === /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority Certificate: Data: @@ -2559,153 +2623,6 @@ PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV 5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw== -----END CERTIFICATE----- -=== /C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1 - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Nov 27 00:00:00 2006 GMT - Not After : Jul 16 23:59:59 2036 GMT - Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 2C:D5:50:41:97:15:8B:F0:8F:36:61:5B:4A:FB:6B:D9:99:C9:33:92 -SHA1 Fingerprint=32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96 -SHA256 Fingerprint=37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C ------BEGIN CERTIFICATE----- -MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBY -MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMo -R2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEx -MjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQK -Ew1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQcmltYXJ5IENlcnRp -ZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9 -AWbK7hWNb6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjA -ZIVcFU2Ix7e64HXprQU9nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE0 -7e9GceBrAqg1cmuXm2bgyxx5X9gaBGgeRwLmnWDiNpcB3841kt++Z8dtd1k7j53W -kBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGttm/81w7a4DSwDRp35+MI -mO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G -A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJ -KoZIhvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ1 -6CePbJC/kRYkRj5KTs4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl -4b7UVXGYNTq+k+qurUKykG/g/CFNNWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6K -oKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHaFloxt/m0cYASSJlyc1pZU8Fj -UjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG1riR/aYNKxoU -AT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk= ------END CERTIFICATE----- -=== /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Mar 4 05:00:00 2004 GMT - Not After : Mar 4 05:00:00 2029 GMT - Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - DA:BB:2E:AA:B0:0C:B8:88:26:51:74:5C:6D:03:D3:C0:D8:8F:7A:D6 - X509v3 Authority Key Identifier: - keyid:DA:BB:2E:AA:B0:0C:B8:88:26:51:74:5C:6D:03:D3:C0:D8:8F:7A:D6 - - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign -SHA1 Fingerprint=E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79 -SHA256 Fingerprint=A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93:42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12 ------BEGIN CERTIFICATE----- -MIIFaDCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEW -MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgVW5pdmVy -c2FsIENBMB4XDTA0MDMwNDA1MDAwMFoXDTI5MDMwNDA1MDAwMFowRTELMAkGA1UE -BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHjAcBgNVBAMTFUdlb1RydXN0 -IFVuaXZlcnNhbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKYV -VaCjxuAfjJ0hUNfBvitbtaSeodlyWL0AG0y/YckUHUWCq8YdgNY96xCcOq9tJPi8 -cQGeBvV8Xx7BDlXKg5pZMK4ZyzBIle0iN430SppyZj6tlcDgFgDgEB8rMQ7XlFTT -QjOgNB0eRXbdT8oYN+yFFXoZCPzVx5zw8qkuEKmS5j1YPakWaDwvdSEYfyh3peFh -F7em6fgemdtzbvQKoiFs7tqqhZJmr/Z6a4LauiIINQ/PQvE1+mrufislzDoR5G2v -c7J2Ha3QsnhnGqQ5HFELZ1aD/ThdDc7d8Lsrlh/eezJS/R27tQahsiFepdaVaH/w -mZ7cRQg+59IJDTWU3YBOU5fXtQlEIGQWFwMCTFMNaN7VqnJNk22CDtucvc+081xd -VHppCZbW2xHBjXWotM85yM48vCR85mLK4b19p71XZQvk/iXttmkQ3CgaRr0BHdCX -teGYO8A3ZNY9lO4L4fUorgtWv3GLIylBjobFS1J72HGrH4oVpjuDWtdYAVHGTEHZ -f9hBZ3KiKN9gg6meyHv8U3NyWfWTehd2Ds735VzZC1U0oqpbtWpU5xPKV+yXbfRe -Bi9Fi1jUIxaS5BZuKGNZMN9QAZxjiRqf2xeUgnA3wySemkfWWspOqGmJch+RbNt+ -nhutxx9z3SxPGWX9f5NAEC7S8O08ni4oPmkmM8V7AgMBAAGjYzBhMA8GA1UdEwEB -/wQFMAMBAf8wHQYDVR0OBBYEFNq7LqqwDLiIJlF0XG0D08DYj3rWMB8GA1UdIwQY -MBaAFNq7LqqwDLiIJlF0XG0D08DYj3rWMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG -9w0BAQUFAAOCAgEAMXjmx7XfuJRAyXHEqDXsRh3ChfMoWIawC/yOsjmPRFWrZIRc -aanQmjg8+uUfNeVE44B5lGiku8SfPeE0zTBGi1QrlaXv9z+ZhP015s8xxtxqv6fX -IwjhmF7DWgh2qaavdy+3YL1ERmrvl/9zlcGO6JP7/TG37FcREUWbMPEaiDnBTzyn -ANXH/KttgCJwpQzgXQQpAvvLoJHRfNbDflDVnVi+QTjruXU8FdmbyUqDWcDaU/0z -uzYYm4UPFd3uLax2k7nZAY1IEKj79TiG8dsKxr2EoyNB3tZ3b4XUhRxQ4K5RirqN -Pnbiucon8l+f725ZDQbYKxek0nxru18UGkiPGkzns0ccjkxFKyDuSN/n3QmOGKja -QI2SJhFTYXNd673nxE0pN2HrrDktZy4W1vUAg4WhzH92xH3kt0tm7wNFYGm2DFKW -koRepqO1pD4r2czYG0eq8kTaT/kD6PAUyz/zg97QwVTjt+gKN02LIFkDMBmhLMi9 -ER/frslKxfMnZmaGrGiR/9nmUxwPi1xpZQomyB40w11Re9epnAahNt3ViZS82eQt -DF4JbAiXfKM9fJP/P6EUp8+1Xevb2xzEdt+Iub1FBZUbrvxGakyvSOPOrg/Sfuvm -bJxPgWp6ZKy7PtXny3YuxadIwVyQD8vIP/rmMuGNG2+k5o7Y+SlIis5z/iw= ------END CERTIFICATE----- -=== /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Mar 4 05:00:00 2004 GMT - Not After : Mar 4 05:00:00 2029 GMT - Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - 76:F3:55:E1:FA:A4:36:FB:F0:9F:5C:62:71:ED:3C:F4:47:38:10:2B - X509v3 Authority Key Identifier: - keyid:76:F3:55:E1:FA:A4:36:FB:F0:9F:5C:62:71:ED:3C:F4:47:38:10:2B - - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign -SHA1 Fingerprint=37:9A:19:7B:41:85:45:35:0C:A6:03:69:F3:3C:2E:AF:47:4F:20:79 -SHA256 Fingerprint=A0:23:4F:3B:C8:52:7C:A5:62:8E:EC:81:AD:5D:69:89:5D:A5:68:0D:C9:1D:1C:B8:47:7F:33:F8:78:B9:5B:0B ------BEGIN CERTIFICATE----- -MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEW -MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVy -c2FsIENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYD -VQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1 -c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0DE81 -WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUG -FF+3Qs17j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdq -XbboW0W63MOhBW9Wjo8QJqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxL -se4YuU6W3Nx2/zu+z18DwPw76L5GG//aQMJS9/7jOvdqdzXQ2o3rXhhqMcceujwb -KNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2WP0+GfPtDCapkzj4T8Fd -IgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP20gaXT73 -y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRt -hAAnZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgoc -QIgfksILAAX/8sgCSqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4 -Lt1ZrtmhN79UNdxzMk+MBB4zsslG8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAfBgNV -HSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8EBAMCAYYwDQYJ -KoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z -dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQ -L1EuxBRa3ugZ4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgr -Fg5fNuH8KrUwJM/gYwx7WBr+mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSo -ag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpqA1Ihn0CoZ1Dy81of398j9tx4TuaY -T1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpgY+RdM4kX2TGq2tbz -GDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiPpm8m -1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJV -OCiNUW7dFGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH -6aLcr34YEoP9VhdBLtUpgn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwX -QMAJKOSLakhT2+zNVVXxxvjpoixMptEmX36vWkzaH6byHCx+rgIW0lbQL1dTR+iS ------END CERTIFICATE----- === /C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2 Certificate: Data: @@ -2743,50 +2660,6 @@ CCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGT qQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBucz rD6ogRLQy7rQkgu2npaqBA+K -----END CERTIFICATE----- -=== /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Apr 2 00:00:00 2008 GMT - Not After : Dec 1 23:59:59 2037 GMT - Subject: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - C4:79:CA:8E:A1:4E:03:1D:1C:DC:6B:DB:31:5B:94:3E:3F:30:7F:2D -SHA1 Fingerprint=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD -SHA256 Fingerprint=B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E:E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4 ------BEGIN CERTIFICATE----- -MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCB -mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT -MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s -eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv -cml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIzNTk1OVowgZgxCzAJ -BgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg -MjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0 -BgNVBAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg -LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANziXmJYHTNXOTIz -+uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5jK/BGvESyiaHAKAxJcCGVn2TAppMSAmUm -hsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdEc5IiaacDiGydY8hS2pgn -5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3CIShwiP/W -JmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exAL -DmKudlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZC -huOl1UcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -HQYDVR0OBBYEFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IB -AQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9cr5HqQ6XErhK8WTTOd8lNNTB -zU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbEAp7aDHdlDkQN -kv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD -AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUH -SJsMC8tJP33st/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2G -spki4cErx5z481+oghLrGREt ------END CERTIFICATE----- ### GlobalSign @@ -3264,61 +3137,6 @@ CMRw3J5QdCHojXohw0+WbhXRIjVhLfoIN+4Zba3bssx9BzT1YBkstTTZbyACMANx sbqjYAuG7ZoIapVon+Kz4ZNkfF6Tpt95LY2F45TPI11xzPKwTdb+mciUqXWi4w== -----END CERTIFICATE----- -### Government Root Certification Authority - -=== /C=TW/O=Government Root Certification Authority -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Dec 5 13:23:33 2002 GMT - Not After : Dec 5 13:23:33 2032 GMT - Subject: C=TW, O=Government Root Certification Authority - X509v3 extensions: - X509v3 Subject Key Identifier: - CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:8F:AC:25:15:3B - X509v3 Basic Constraints: - CA:TRUE - setCext-hashedRoot: - 0/0-...0...+......0...g*........"...(6....2.1:.Qe -SHA1 Fingerprint=F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9 -SHA256 Fingerprint=76:00:29:5E:EF:E8:5B:9E:1F:D6:24:DB:76:06:2A:AA:AE:59:81:8A:54:D2:77:4C:D4:C0:B2:C0:11:31:E1:B3 ------BEGIN CERTIFICATE----- -MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/ -MQswCQYDVQQGEwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmlj -YXRpb24gQXV0aG9yaXR5MB4XDTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1ow -PzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dvdmVybm1lbnQgUm9vdCBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB -AJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qNw8XR -IePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1q -gQdW8or5BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKy -yhwOeYHWtXBiCAEuTk8O1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAts -F/tnyMKtsc2AtJfcdgEWFelq16TheEfOhtX7MfP6Mb40qij7cEwdScevLJ1tZqa2 -jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wovJ5pGfaENda1UhhXcSTvx -ls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7Q3hub/FC -VGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHK -YS1tB6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoH -EgKXTiCQ8P8NHuJBO9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThN -Xo+EHWbNxWCWtFJaBYmOlXqYwZE8lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1Ud -DgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNVHRMEBTADAQH/MDkGBGcqBwAE -MTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg209yewDL7MTqK -UWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ -TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyf -qzvS/3WXy6TjZwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaK -ZEk9GhiHkASfQlK3T8v+R0F2Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFE -JPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlUD7gsL0u8qV1bYH+Mh6XgUmMqvtg7 -hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6QzDxARvBMB1uUO07+1 -EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+HbkZ6Mm -nD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WX -udpVBrkk7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44Vbnz -ssQwmSNOXfJIoRIM3BKQCZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDe -LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDMuAl -pYYsfPQS ------END CERTIFICATE----- - ### GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. === /C=CN/O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD./CN=GDCA TrustAUTH R5 ROOT @@ -3560,6 +3378,63 @@ EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi AmvZWg== -----END CERTIFICATE----- +=== /C=HK/ST=Hong Kong/L=Hong Kong/O=Hongkong Post/CN=Hongkong Post Root CA 3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 3 02:29:46 2017 GMT + Not After : Jun 3 02:29:46 2042 GMT + Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=Hongkong Post, CN=Hongkong Post Root CA 3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:17:9D:CD:1E:8B:D6:39:2B:70:D3:5C:D4:A0:B8:1F:B0:00:FC:C5:61 + + X509v3 Subject Key Identifier: + 17:9D:CD:1E:8B:D6:39:2B:70:D3:5C:D4:A0:B8:1F:B0:00:FC:C5:61 +SHA1 Fingerprint=58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02 +SHA256 Fingerprint=5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6 +-----BEGIN CERTIFICATE----- +MIIFzzCCA7egAwIBAgIUCBZfikyl7ADJk0DfxMauI7gcWqQwDQYJKoZIhvcNAQEL +BQAwbzELMAkGA1UEBhMCSEsxEjAQBgNVBAgTCUhvbmcgS29uZzESMBAGA1UEBxMJ +SG9uZyBLb25nMRYwFAYDVQQKEw1Ib25na29uZyBQb3N0MSAwHgYDVQQDExdIb25n +a29uZyBQb3N0IFJvb3QgQ0EgMzAeFw0xNzA2MDMwMjI5NDZaFw00MjA2MDMwMjI5 +NDZaMG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtvbmcxEjAQBgNVBAcT +CUhvbmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UEAxMXSG9u +Z2tvbmcgUG9zdCBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCziNfqzg8gTr7m1gNt7ln8wlffKWihgw4+aMdoWJwcYEuJQwy51BWy7sFO +dem1p+/l6TWZ5Mwc50tfjTMwIDNT2aa71T4Tjukfh0mtUC1Qyhi+AViiE3CWu4mI +VoBc+L0sPOFMV4i707mV78vH9toxdCim5lSJ9UExyuUmGs2C4HDaOym71QP1mbpV +9WTRYA6ziUm4ii8F0oRFKHyPaFASePwLtVPLwpgchKOesL4jpNrcyCse2m5FHomY +2vkALgbpDDtw1VAliJnLzXNg99X/NWfFobxeq81KuEXryGgeDQ0URhLj0mRiikKY +vLTGCAj4/ahMZJx2Ab0vqWwzD9g/KLg8aQFChn5pwckGyuV6RmXpwtZQQS4/t+Tt +bNe/JgERohYpSms0BpDsE9K2+2p20jzt8NYt3eEV7KObLyzJPivkaTv/ciWxNoZb +x39ri1UbSsUgYT2uy1DhCDq+sI9jQVMwCFk8mB13umOResoQUGC/8Ne8lYePl8X+ +l2oBlKN8W4UdKjk60FSh0Tlxnf0h+bV78OLgAo9uliQlLKAeLKjEiafv7ZkGL7YK +TE/bosw3Gq9HhS2KX8Q0NEwA/RiTZxPRN+ZItIsGxVd7GYYKecsAyVKvQv83j+Gj +Hno9UKtjBucVtT+2RTeUN7F+8kjDf8V1/peNRY8apxpyKBpADwIDAQABo2MwYTAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBQXnc0e +i9Y5K3DTXNSguB+wAPzFYTAdBgNVHQ4EFgQUF53NHovWOStw01zUoLgfsAD8xWEw +DQYJKoZIhvcNAQELBQADggIBAFbVe27mIgHSQpsY1Q7XZiNc4/6gx5LS6ZStS6LG +7BJ8dNVI0lkUmcDrudHr9EgwW62nV3OZqdPlt9EuWSRY3GguLmLYauRwCy0gUCCk +MpXRAJi70/33MvJJrsZ64Ee+bs7Lo3I6LWldy8joRTnU+kLBEUx3XZL7av9YROXr +gZ6voJmtvqkBZss4HTzfQx/0TW60uhdG/H39h4F5ag0zD/ov+BS5gLNdTaqX4fnk +GMX41TiMJjz98iji7lpJiCzfeT2OnpA8vUFKOt1b9pq0zj8lMH8yfaIDlNDceqFS +3m6TjRgm/VWsvY+b0s+v54Ysyx8Jb6NvqYTUc79NoXQbTiNg8swOqn+knEwlqLJm +Ozj/2ZQw9nKEvmhVEA/GcywWaZMH/rFF7buiVWqw2rVKAiUnhde3t4ZEFolsgCs+ +l6mc1X5VTMbeRRAc6uk7nwNT7u56AQIWeNTowr5GdogTPyK7SBIdUgC0An4hGh6c +JfTzPV4e0hz5sy229zdcxsshTrD3mUcYhcErulWuBurQB7Lcq9CClnXO0lD+mefP +L5/ndtFhKvshuzHQqp9HpLIiyhY6UFfEW0NnxWViA0kB60PZ2Pierc+xYw5F9KBa +LJstxabArahH9CdMOA0uG0k7UvToiIMrVCjU8jVStDKDYmlkDJGcn5fqdBb9HxEG +mpv0 +-----END CERTIFICATE----- ### IdenTrust @@ -3866,76 +3741,52 @@ d05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6+/NNIxuZMzSg LvWpCz/UXeHPhJ/iGcJfitYgHuNztw== -----END CERTIFICATE----- -### LuxTrust S.A. +### Microsec Ltd. -=== /C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2 +=== /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017 Certificate: Data: Version: 3 (0x2) Serial Number: - 0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1 - Signature Algorithm: sha256WithRSAEncryption + 01:54:48:ef:21:fd:97:59:0d:f5:04:0a + Signature Algorithm: ecdsa-with-SHA256 Validity - Not Before: Mar 5 13:21:57 2015 GMT - Not After : Mar 5 13:21:57 2035 GMT - Subject: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2 + Not Before: Aug 22 12:07:06 2017 GMT + Not After : Aug 22 12:07:06 2042 GMT + Subject: C=HU, L=Budapest, O=Microsec Ltd./2.5.4.97=VATHU-23584497, CN=e-Szigno Root CA 2017 X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE - X509v3 Certificate Policies: - Policy: 1.3.171.1.1.1.10 - CPS: https://repository.luxtrust.lu - X509v3 Key Usage: critical Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3 - X509v3 Subject Key Identifier: - FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3 -SHA1 Fingerprint=1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F -SHA256 Fingerprint=54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5 ------BEGIN CERTIFICATE----- -MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQEL -BQAwRjELMAkGA1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNV -BAMMFkx1eFRydXN0IEdsb2JhbCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUw -MzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEWMBQGA1UECgwNTHV4VHJ1c3QgUy5B -LjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wmKb3F -ibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTem -hfY7RBi2xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1 -EMShduxq3sVs35a0VkBCwGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsn -Xpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4 -zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkmFRseTJIpgp7VkoGSQXAZ -96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niFwpN6cj5m -j5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4g -DEa/a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+ -8kPREd8vZS9kzl8UubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2j -X5t/Lax5Gw5CMZdjpPuKadUiDTSQMC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmH -hFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB/zBCBgNVHSAEOzA5MDcGByuB -KwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5Lmx1eHRydXN0 -Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT -+Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQEL -BQADggIBAGoZFO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9 -BzZAcg4atmpZ1gDlaCDdLnINH2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTO -jFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW7MM3LGVYvlcAGvI1+ut7MV3CwRI9 -loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIuZY+kt9J/Z93I055c -qqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWAVWe+ -2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/ -JEAdemrRTxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKre -zrnK+T+Tb/mjuuqlPpmt/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQf -LSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+ -x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31IiyBMz2TWuJdGsE7RKlY6 -oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr + 87:11:15:08:D1:AA:C1:78:0C:B1:AF:CE:C6:C9:90:EF:BF:30:04:C0 + X509v3 Authority Key Identifier: + keyid:87:11:15:08:D1:AA:C1:78:0C:B1:AF:CE:C6:C9:90:EF:BF:30:04:C0 + +SHA1 Fingerprint=89:D4:83:03:4F:9E:9A:48:80:5F:72:37:D4:A9:A6:EF:CB:7C:1F:D1 +SHA256 Fingerprint=BE:B0:0B:30:83:9B:9B:C3:2C:32:E4:44:79:05:95:06:41:F2:64:21:B1:5E:D0:89:19:8B:51:8A:E2:EA:1B:99 +-----BEGIN CERTIFICATE----- +MIICQDCCAeWgAwIBAgIMAVRI7yH9l1kN9QQKMAoGCCqGSM49BAMCMHExCzAJBgNV +BAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMgTHRk +LjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25vIFJv +b3QgQ0EgMjAxNzAeFw0xNzA4MjIxMjA3MDZaFw00MjA4MjIxMjA3MDZaMHExCzAJ +BgNVBAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMg +THRkLjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25v +IFJvb3QgQ0EgMjAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJbcPYrYsHtv +xie+RJCxs1YVe45DJH0ahFnuY2iyxl6H0BVIHqiQrb1TotreOpCmYF9oMrWGQd+H +Wyx7xf58etqjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G +A1UdDgQWBBSHERUI0arBeAyxr87GyZDvvzAEwDAfBgNVHSMEGDAWgBSHERUI0arB +eAyxr87GyZDvvzAEwDAKBggqhkjOPQQDAgNJADBGAiEAtVfd14pVCzbhhkT61Nlo +jbjcI4qKDdQvfepz7L9NbKgCIQDLpbQS+ue16M9+k/zzNY9vTlp8tLxOsvxyqltZ ++efcMQ== -----END CERTIFICATE----- - -### Microsec Ltd. - === /C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu Certificate: Data: Version: 3 (0x2) - Serial Number: 14014712776195784473 (0xc27e43044e473f19) + Serial Number: + c2:7e:43:04:4e:47:3f:19 Signature Algorithm: sha256WithRSAEncryption Validity Not Before: Jun 16 11:30:18 2009 GMT @@ -3980,6 +3831,157 @@ tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c HMN1Rq41Bab2XD0h7lbwyYIiLXpUq3DDfSJlgnCW -----END CERTIFICATE----- +### Microsoft Corporation + +=== /C=US/O=Microsoft Corporation/CN=Microsoft ECC Root Certificate Authority 2017 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 66:f2:3d:af:87:de:8b:b1:4a:ea:0c:57:31:01:c2:ec + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Dec 18 23:06:45 2019 GMT + Not After : Jul 18 23:16:04 2042 GMT + Subject: C=US, O=Microsoft Corporation, CN=Microsoft ECC Root Certificate Authority 2017 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C8:CB:99:72:70:52:0C:F8:E6:BE:B2:04:57:29:2A:CF:42:10:ED:35 + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=99:9A:64:C3:7F:F4:7D:9F:AB:95:F1:47:69:89:14:60:EE:C4:C3:C5 +SHA256 Fingerprint=35:8D:F3:9D:76:4A:F9:E1:B7:66:E9:C9:72:DF:35:2E:E1:5C:FA:C2:27:AF:6A:D1:D7:0E:8E:4A:6E:DC:BA:02 +-----BEGIN CERTIFICATE----- +MIICWTCCAd+gAwIBAgIQZvI9r4fei7FK6gxXMQHC7DAKBggqhkjOPQQDAzBlMQsw +CQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYD +VQQDEy1NaWNyb3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw +MTcwHhcNMTkxMjE4MjMwNjQ1WhcNNDIwNzE4MjMxNjA0WjBlMQswCQYDVQQGEwJV +UzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1NaWNy +b3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwdjAQBgcq +hkjOPQIBBgUrgQQAIgNiAATUvD0CQnVBEyPNgASGAlEvaqiBYgtlzPbKnR5vSmZR +ogPZnZH6thaxjG7efM3beaYvzrvOcS/lpaso7GMEZpn4+vKTEAXhgShC48Zo9OYb +hGBKia/teQ87zvH2RPUBeMCjVDBSMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8E +BTADAQH/MB0GA1UdDgQWBBTIy5lycFIM+Oa+sgRXKSrPQhDtNTAQBgkrBgEEAYI3 +FQEEAwIBADAKBggqhkjOPQQDAwNoADBlAjBY8k3qDPlfXu5gKcs68tvWMoQZP3zV +L8KxzJOuULsJMsbG7X7JNpQS5GiFBqIb0C8CMQCZ6Ra0DvpWSNSkMBaReNtUjGUB +iudQZsIxtzm6uBoiB078a1QWIP8rtedMDE2mT3M= +-----END CERTIFICATE----- +=== /C=US/O=Microsoft Corporation/CN=Microsoft RSA Root Certificate Authority 2017 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1e:d3:97:09:5f:d8:b4:b3:47:70:1e:aa:be:7f:45:b3 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Dec 18 22:51:22 2019 GMT + Not After : Jul 18 23:00:23 2042 GMT + Subject: C=US, O=Microsoft Corporation, CN=Microsoft RSA Root Certificate Authority 2017 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 09:CB:59:7F:86:B2:70:8F:1A:C3:39:E3:C0:D9:E9:BF:BB:4D:B2:23 + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=73:A5:E6:4A:3B:FF:83:16:FF:0E:DC:CC:61:8A:90:6E:4E:AE:4D:74 +SHA256 Fingerprint=C7:41:F7:0F:4B:2A:8D:88:BF:2E:71:C1:41:22:EF:53:EF:10:EB:A0:CF:A5:E6:4C:FA:20:F4:18:85:30:73:E0 +-----BEGIN CERTIFICATE----- +MIIFqDCCA5CgAwIBAgIQHtOXCV/YtLNHcB6qvn9FszANBgkqhkiG9w0BAQwFADBl +MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYw +NAYDVQQDEy1NaWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 +IDIwMTcwHhcNMTkxMjE4MjI1MTIyWhcNNDIwNzE4MjMwMDIzWjBlMQswCQYDVQQG +EwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1N +aWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKW76UM4wplZEWCpW9R2LBifOZ +Nt9GkMml7Xhqb0eRaPgnZ1AzHaGm++DlQ6OEAlcBXZxIQIJTELy/xztokLaCLeX0 +ZdDMbRnMlfl7rEqUrQ7eS0MdhweSE5CAg2Q1OQT85elss7YfUJQ4ZVBcF0a5toW1 +HLUX6NZFndiyJrDKxHBKrmCk3bPZ7Pw71VdyvD/IybLeS2v4I2wDwAW9lcfNcztm +gGTjGqwu+UcF8ga2m3P1eDNbx6H7JyqhtJqRjJHTOoI+dkC0zVJhUXAoP8XFWvLJ +jEm7FFtNyP9nTUwSlq31/niol4fX/V4ggNyhSyL71Imtus5Hl0dVe49FyGcohJUc +aDDv70ngNXtk55iwlNpNhTs+VcQor1fznhPbRiefHqJeRIOkpcrVE7NLP8TjwuaG +YaRSMLl6IE9vDzhTyzMMEyuP1pq9KsgtsRx9S1HKR9FIJ3Jdh+vVReZIZZ2vUpC6 +W6IYZVcSn2i51BVrlMRpIpj0M+Dt+VGOQVDJNE92kKz8OMHY4Xu54+OU4UZpyw4K +UGsTuqwPN1q3ErWQgR5WrlcihtnJ0tHXUeOrO8ZV/R4O03QK0dqq6mm4lyiPSMQH ++FJDOvTKVTUssKZqwJz58oHhEmrARdlns87/I6KJClTUFLkqqNfs+avNJVgyeY+Q +W5g5xAgGwax/Dj0ApQIDAQABo1QwUjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQUCctZf4aycI8awznjwNnpv7tNsiMwEAYJKwYBBAGC +NxUBBAMCAQAwDQYJKoZIhvcNAQEMBQADggIBAKyvPl3CEZaJjqPnktaXFbgToqZC +LgLNFgVZJ8og6Lq46BrsTaiXVq5lQ7GPAJtSzVXNUzltYkyLDVt8LkS/gxCP81OC +gMNPOsduET/m4xaRhPtthH80dK2Jp86519efhGSSvpWhrQlTM93uCupKUY5vVau6 +tZRGrox/2KJQJWVggEbbMwSubLWYdFQl3JPk+ONVFT24bcMKpBLBaYVu32TxU5nh +SnUgnZUP5NbcA/FZGOhHibJXWpS2qdgXKxdJ5XbLwVaZOjex/2kskZGT4d9Mozd2 +TaGf+G0eHdP67Pv0RR0Tbc/3WeUiJ3IrhvNXuzDtJE3cfVa7o7P4NHmJweDyAmH3 +pvwPuxwXC65B2Xy9J6P9LjrRk5Sxcx0ki69bIImtt2dmefU6xqaWM/5TkshGsRGR +xpl/j8nWZjEgQRCHLQzWwa80mMpkg/sTV9HB8Dx6jKXB/ZUhoHHBk2dxEuqPiApp +GWSZI1b7rCoucL5mxAyE7+WL85MB+GqQk2dLsmijtWKP6T+MejteD+eMuMZ87zf9 +dOLITzNy4ZQ5bb0Sr74MTnB8G2+NszKTc0QWbej09+CVgI+WXTik9KveCjCHk9hN +AHFiRSdLOkKEW39lt2c0Ui2cFmuqqNh7o0JMcccMyj6D5KbvtwEwXlGjefVwaaZB +RA+GsCyRxj3qrg+E +-----END CERTIFICATE----- + +### NAVER BUSINESS PLATFORM Corp. + +=== /C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:94:30:1e:a2:0b:dd:f5:c5:33:2a:b1:43:44:71:f8:d6:50:4d:0d + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Aug 18 08:58:42 2017 GMT + Not After : Aug 18 23:59:59 2037 GMT + Subject: C=KR, O=NAVER BUSINESS PLATFORM Corp., CN=NAVER Global Root Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + D2:9F:88:DF:A1:CD:2C:BD:EC:F5:3B:01:01:93:33:27:B2:EB:60:4B + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=8F:6B:F2:A9:27:4A:DA:14:A0:C4:F4:8E:61:27:F9:C0:1E:78:5D:D1 +SHA256 Fingerprint=88:F4:38:DC:F8:FF:D1:FA:8F:42:91:15:FF:E5:F8:2A:E1:E0:6E:0C:70:C3:75:FA:AD:71:7B:34:A4:9E:72:65 +-----BEGIN CERTIFICATE----- +MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM +BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG +T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx +CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD +b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA +iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH +38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE +HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz +kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP +szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq +vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf +nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG +YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo +0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a +CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K +AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I +36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB +Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN +qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj +cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm ++LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL +hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe +lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7 +p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8 +piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR +LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX +5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO +dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul +9XXeifdy +-----END CERTIFICATE----- + ### NetLock Kft. === /C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny @@ -4900,62 +4902,6 @@ eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc 7uzXLg== -----END CERTIFICATE----- -=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 10000012 (0x98968c) - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Mar 26 11:18:17 2008 GMT - Not After : Mar 25 11:03:10 2020 GMT - Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Certificate Policies: - Policy: X509v3 Any Policy - CPS: http://www.pkioverheid.nl/policies/root-policy-G2 - - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB -SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16 -SHA256 Fingerprint=66:8C:83:94:7D:A6:3B:72:4B:EC:E1:74:3C:31:A0:E6:AE:D0:DB:8E:C5:B3:1B:E3:77:BB:78:4F:91:B6:71:6F ------BEGIN CERTIFICATE----- -MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO -TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh -dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX -DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl -ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv -b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291 -qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp -uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU -Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE -pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp -5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M -UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN -GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy -5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv -6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK -eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6 -B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/ -BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov -L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG -SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS -CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen -5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897 -IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK -gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL -+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL -vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm -bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk -N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC -Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z -ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ== ------END CERTIFICATE----- === /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3 Certificate: Data: @@ -5148,7 +5094,8 @@ sSi6 Certificate: Data: Version: 3 (0x2) - Serial Number: 13492815561806991280 (0xbb401c43f55e4fb0) + Serial Number: + bb:40:1c:43:f5:5e:4f:b0 Signature Algorithm: sha1WithRSAEncryption Validity Not Before: Oct 25 08:30:35 2006 GMT @@ -5494,135 +5441,6 @@ HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= -----END CERTIFICATE----- -### thawte, Inc. - -=== /C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56 - Signature Algorithm: ecdsa-with-SHA384 - Validity - Not Before: Nov 5 00:00:00 2007 GMT - Not After : Jan 18 23:59:59 2038 GMT - Subject: C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 9A:D8:00:30:00:E7:6B:7F:85:18:EE:8B:B6:CE:8A:0C:F8:11:E1:BB -SHA1 Fingerprint=AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12 -SHA256 Fingerprint=A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB:43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57 ------BEGIN CERTIFICATE----- -MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL -MAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjE4MDYGA1UECxMvKGMp -IDIwMDcgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAi -BgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMjAeFw0wNzExMDUwMDAw -MDBaFw0zODAxMTgyMzU5NTlaMIGEMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhh -d3RlLCBJbmMuMTgwNgYDVQQLEy8oYykgMjAwNyB0aGF3dGUsIEluYy4gLSBGb3Ig -YXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9v -dCBDQSAtIEcyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEotWcgnuVnfFSeIf+iha/ -BebfowJPDQfGAFG6DAJSLSKkQjnE/o/qycG+1E3/n3qe4rF8mq2nhglzh9HnmuN6 -papu+7qzcMBniKI11KOasf2twu8x+qi58/sIxpHR+ymVo0IwQDAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUmtgAMADna3+FGO6Lts6K -DPgR4bswCgYIKoZIzj0EAwMDaQAwZgIxAN344FdHW6fmCsO99YCKlzUNG4k8VIZ3 -KMqh9HneteY4sPBlcIx/AlTCv//YoT7ZzwIxAMSNlPzcU9LcnXgWHxUzI1NS41ox -XZ3Krr0TKUQNJ1uo52icEvdYPy5yAlejj6EULg== ------END CERTIFICATE----- -=== /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Nov 17 00:00:00 2006 GMT - Not After : Jul 16 23:59:59 2036 GMT - Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 7B:5B:45:CF:AF:CE:CB:7A:FD:31:92:1A:6A:B6:F3:46:EB:57:48:50 -SHA1 Fingerprint=91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81 -SHA256 Fingerprint=8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB -qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf -Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw -MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV -BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw -NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j -LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG -A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl -IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs -W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta -3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk -6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6 -Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J -NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA -MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP -r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU -DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz -YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX -xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2 -/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/ -LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7 -jVaMaA== ------END CERTIFICATE----- -=== /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Apr 2 00:00:00 2008 GMT - Not After : Dec 1 23:59:59 2037 GMT - Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - AD:6C:AA:94:60:9C:ED:E4:FF:FA:3E:0A:74:2B:63:03:F7:B6:59:BF -SHA1 Fingerprint=F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2 -SHA256 Fingerprint=4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB -rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf -Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw -MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV -BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa -Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl -LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u -MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl -ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm -gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8 -YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf -b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9 -9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S -zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk -OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV -HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA -2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW -oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu -t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c -KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM -m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu -MdRAGmI0Nj81Aa6sY6A= ------END CERTIFICATE----- - ### The Go Daddy Group, Inc. === /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority @@ -5771,7 +5589,8 @@ jjxDah2nGN59PRbxYvnKkKj9 Certificate: Data: Version: 3 (0x2) - Serial Number: 9548242946988625984 (0x84822c5f1c62d040) + Serial Number: + 84:82:2c:5f:1c:62:d0:40 Signature Algorithm: sha256WithRSAEncryption Validity Not Before: Feb 4 12:32:33 2016 GMT @@ -5818,7 +5637,8 @@ tJ/X5g== Certificate: Data: Version: 3 (0x2) - Serial Number: 15752444095811006489 (0xda9bec71f303b019) + Serial Number: + da:9b:ec:71:f3:03:b0:19 Signature Algorithm: sha256WithRSAEncryption Validity Not Before: Feb 4 12:32:16 2016 GMT @@ -5965,6 +5785,135 @@ jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN ZetX2fNXlrtIzYE= -----END CERTIFICATE----- +### Trustwave Holdings, Inc. + +=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 05:f7:0e:86:da:49:f3:46:35:2e:ba:b2 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Aug 23 19:34:12 2017 GMT + Not After : Aug 23 19:34:12 2042 GMT + Subject: C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global Certification Authority + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 99:E0:19:67:0D:62:DB:76:B3:DA:3D:B8:5B:E8:FD:42:D2:31:0E:87 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=2F:8F:36:4F:E1:58:97:44:21:59:87:A5:2A:9A:D0:69:95:26:7F:B5 +SHA256 Fingerprint=97:55:20:15:F5:DD:FC:3C:87:88:C0:06:94:45:55:40:88:94:45:00:84:F1:00:86:70:86:BC:1A:2B:B5:8D:C8 +-----BEGIN CERTIFICATE----- +MIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGIMQsw +CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28x +ITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1 +c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMx +OTM0MTJaFw00MjA4MjMxOTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwI +SWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBI +b2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEdsb2JhbCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +ALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+CY66j96xz0Xzn +swuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzDBcdu +7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz8 +1Ws25kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW +80OzfpgZdNmcc9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotP +JqX+OsIgbrv4Fo7NDKm0G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1l +RtzuzWniTY+HKE40Cz7PFNm73bZQmq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfw +hI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49DxweMqZiNu5m4iK4BUBjECLzMx10 +coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9jaJXLE9gCxInm943xZYkqc +BW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqjifLJS3tBEW1n +twiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1Ud +DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W +0OhUKDtkLSGm+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfe +uyk3QAUHw5RSn8pk3fEbK9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0Q +lG/+4jSHg9bP5Rs1bdID4bANqKCqRieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhB +aCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtKYdkNy1GTKv0WBpanI5ojSP5RvbbE +sLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90lZvkWx3SD92YHJtZuSPT +MaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrql5gR0IRiR2Qe +qu5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDFQdxh +VicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8 +h6jCJ3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9 +EEC+j2Jjg6mcgn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTK +yeC2nOnOcXHebD8WpHk= +-----END CERTIFICATE----- +=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0d:6a:5f:08:3f:28:5c:3e:51:95:df:5d + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Aug 23 19:35:10 2017 GMT + Not After : Aug 23 19:35:10 2042 GMT + Subject: C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P256 Certification Authority + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A3:41:06:AC:90:6D:D1:4A:EB:75:A5:4A:10:99:B3:B1:A1:8B:4A:F7 +SHA1 Fingerprint=B4:90:82:DD:45:0C:BE:8B:5B:B1:66:D3:E2:A4:08:26:CD:ED:42:CF +SHA256 Fingerprint=94:5B:BC:82:5E:A5:54:F4:89:D1:FD:51:A7:3D:DF:2E:A6:24:AC:70:19:A0:52:05:22:5C:22:A7:8C:CF:A8:B4 +-----BEGIN CERTIFICATE----- +MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYD +VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf +BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3 +YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x +NzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYDVQQGEwJVUzERMA8G +A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0 +d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF +Q0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABH77bOYj43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoN +FWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqmP62jQzBBMA8GA1UdEwEB/wQFMAMBAf8w +DwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt0UrrdaVKEJmzsaGLSvcw +CgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjzRM4q3wgh +DDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7 +-----END CERTIFICATE----- +=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:bd:85:97:6c:99:27:a4:80:68:47:3b + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Aug 23 19:36:43 2017 GMT + Not After : Aug 23 19:36:43 2042 GMT + Subject: C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P384 Certification Authority + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 55:A9:84:89:D2:C1:32:BD:18:CB:6C:A6:07:4E:C8:E7:9D:BE:82:90 +SHA1 Fingerprint=E7:F3:A3:C8:CF:6F:C3:04:2E:6D:0E:67:32:C5:9E:68:95:0D:5E:D2 +SHA256 Fingerprint=55:90:38:59:C8:C0:C3:EB:B8:75:9E:CE:4E:25:57:22:5F:F5:75:8B:BD:38:EB:D4:82:76:60:1E:1B:D5:80:97 +-----BEGIN CERTIFICATE----- +MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYD +VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf +BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3 +YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x +NzA4MjMxOTM2NDNaFw00MjA4MjMxOTM2NDNaMIGRMQswCQYDVQQGEwJVUzERMA8G +A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0 +d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF +Q0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqGSM49AgEGBSuB +BAAiA2IABGvaDXU1CDFHBa5FmVXxERMuSvgQMSOjfoPTfygIOiYaOs+Xgh+AtycJ +j9GOMMQKmw6sWASr9zZ9lCOkmwqKi6vr/TklZvFe/oyujUF5nQlgziip04pt89ZF +1PKYhDhloKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G +A1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNnADBkAjA3 +AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsC +MGclCrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVu +Sw== +-----END CERTIFICATE----- + ### Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK === /C=TR/L=Gebze - Kocaeli/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/OU=Kamu Sertifikasyon Merkezi - Kamu SM/CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 @@ -6164,136 +6113,6 @@ VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI ### VeriSign, Inc. -=== /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3 -Certificate: - Data: - Version: 1 (0x0) - Serial Number: - 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Oct 1 00:00:00 1999 GMT - Not After : Jul 16 23:59:59 2036 GMT - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3 -SHA1 Fingerprint=13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6 -SHA256 Fingerprint=EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44 ------BEGIN CERTIFICATE----- -MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw -CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl -cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu -LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT -aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD -VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT -aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ -bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu -IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg -LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b -N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t -KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu -kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm -CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ -Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu -imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te -2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe -DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC -/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p -F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt -TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ== ------END CERTIFICATE----- -=== /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Nov 8 00:00:00 2006 GMT - Not After : Jul 16 23:59:59 2036 GMT - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - 1.3.6.1.5.5.7.1.12: - 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif - X509v3 Subject Key Identifier: - 7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33 -SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5 -SHA256 Fingerprint=9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF ------BEGIN CERTIFICATE----- -MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB -yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL -ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp -U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW -ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL -MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW -ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln -biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp -U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y -aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 -nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex -t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz -SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG -BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ -rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ -NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E -BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH -BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy -aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv -MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE -p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y -5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK -WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ -4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N -hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq ------END CERTIFICATE----- -=== /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3 - Signature Algorithm: ecdsa-with-SHA384 - Validity - Not Before: Nov 5 00:00:00 2007 GMT - Not After : Jan 18 23:59:59 2038 GMT - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - 1.3.6.1.5.5.7.1.12: - 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif - X509v3 Subject Key Identifier: - B3:16:91:FD:EE:A6:6E:E4:B5:2E:49:8F:87:78:81:80:EC:E5:B1:B5 -SHA1 Fingerprint=22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A -SHA256 Fingerprint=69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79 ------BEGIN CERTIFICATE----- -MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjEL -MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW -ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2ln -biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp -U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y -aXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjELMAkG -A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJp -U2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwg -SW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2ln -biBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8Utpkmw4tXNherJI9/gHm -GUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGzrl0Bp3ve -fLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJ -aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYj -aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMW -kf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMDA2gAMGUCMGYhDBgmYFo4e1ZC -4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIxAJw9SDkjOVga -FRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA== ------END CERTIFICATE----- === /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority Certificate: Data: @@ -6347,52 +6166,6 @@ lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3 ### WISeKey -=== /C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Dec 11 16:03:44 2005 GMT - Not After : Dec 11 16:09:51 2037 GMT - Subject: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA - X509v3 extensions: - X509v3 Key Usage: - Digital Signature, Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - B3:03:7E:AE:36:BC:B0:79:D1:DC:94:26:B6:11:BE:21:B2:69:86:94 - 1.3.6.1.4.1.311.21.1: - ... -SHA1 Fingerprint=59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9 -SHA256 Fingerprint=41:C9:23:86:6A:B4:CA:D6:B7:AD:57:80:81:58:2E:02:07:97:A6:CB:DF:4F:FF:78:CE:83:96:B3:89:37:D7:F5 ------BEGIN CERTIFICATE----- -MIID8TCCAtmgAwIBAgIQQT1yx/RrH4FDffHSKFTfmjANBgkqhkiG9w0BAQUFADCB -ijELMAkGA1UEBhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxGzAZBgNVBAsTEkNvcHly -aWdodCAoYykgMjAwNTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNl -ZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQSBDQTAeFw0w -NTEyMTExNjAzNDRaFw0zNzEyMTExNjA5NTFaMIGKMQswCQYDVQQGEwJDSDEQMA4G -A1UEChMHV0lTZUtleTEbMBkGA1UECxMSQ29weXJpZ2h0IChjKSAyMDA1MSIwIAYD -VQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBX -SVNlS2V5IEdsb2JhbCBSb290IEdBIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAy0+zAJs9Nt350UlqaxBJH+zYK7LG+DKBKUOVTJoZIyEVRd7jyBxR -VVuuk+g3/ytr6dTqvirdqFEr12bDYVxgAsj1znJ7O7jyTmUIms2kahnBAbtzptf2 -w93NvKSLtZlhuAGio9RN1AU9ka34tAhxZK9w8RxrfvbDd50kc3vkDIzh2TbhmYsF -mQvtRTEJysIA2/dyoJaqlYfQjse2YXMNdmaM3Bu0Y6Kff5MTMPGhJ9vZ/yxViJGg -4E8HsChWjBgbl0SOid3gF27nKu+POQoxhILYQBRJLnpB5Kf+42TMwVlxSywhp1t9 -4B3RLoGbw9ho972WG6xwsRYUC9tguSYBBQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw -DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUswN+rja8sHnR3JQmthG+IbJphpQw -EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEuh/wuHbrP5wUOx -SPMowB0uyQlB+pQAHKSkq0lPjz0e701vvbyk9vImMMkQyh2I+3QZH4VFvbBsUfk2 -ftv1TDI6QU9bR8/oCy22xBmddMVHxjtqD6wU2zz0c5ypBd8A3HR4+vg1YFkCExh8 -vPtNsCBtQ7tgMHpnM1zFmdH4LTlSc/uMqpclXHLZCB6rTjzjgTGfA6b7wP4piFXa -hNVQA7bihKOmNqoROgHhGEvWRGizPflTdISzRpFGlgC3gCy24eMQ4tui5yiPAZZi -Fj4A4xylNoEYokxSdsARo27mHbrjWr42U8U+dY+GaSlYU7Wcu2+fXMUY7N0v4ZjJ -/L7fCg0= ------END CERTIFICATE----- === /C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GB CA Certificate: Data: diff --git a/compile b/compile index 99e50524..23fcba01 100644 --- a/compile +++ b/compile @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ func_file_conv () MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) @@ -67,7 +67,7 @@ func_file_conv () mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) diff --git a/configure b/configure index 789c8327..1672822e 100644 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libressl 3.0.2. +# Generated by GNU Autoconf 2.69 for libressl 3.3.3. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libressl' PACKAGE_TARNAME='libressl' -PACKAGE_VERSION='3.0.2' -PACKAGE_STRING='libressl 3.0.2' +PACKAGE_VERSION='3.3.3' +PACKAGE_STRING='libressl 3.3.3' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -632,8 +632,12 @@ ac_subst_vars='am__EXEEXT_FALSE am__EXEEXT_TRUE LTLIBOBJS LIBOBJS -SMALL_TIME_T_FALSE -SMALL_TIME_T_TRUE +ENABLE_LIBTLS_ONLY_FALSE +ENABLE_LIBTLS_ONLY_TRUE +BUILD_NC_FALSE +BUILD_NC_TRUE +ENABLE_NC_FALSE +ENABLE_NC_TRUE HOST_ASM_MINGW64_X86_64_FALSE HOST_ASM_MINGW64_X86_64_TRUE HOST_ASM_MASM_X86_64_FALSE @@ -648,6 +652,8 @@ OPENSSL_NO_ASM_FALSE OPENSSL_NO_ASM_TRUE HOST_CPU_IS_INTEL_FALSE HOST_CPU_IS_INTEL_TRUE +ENABLE_TESTS_FALSE +ENABLE_TESTS_TRUE ENABLE_EXTRATESTS_FALSE ENABLE_EXTRATESTS_TRUE OPENSSLDIR_DEFINED_FALSE @@ -730,6 +736,8 @@ HOST_OPENBSD_FALSE HOST_OPENBSD_TRUE HOST_NETBSD_FALSE HOST_NETBSD_TRUE +HOST_MIDIPIX_FALSE +HOST_MIDIPIX_TRUE HOST_LINUX_FALSE HOST_LINUX_TRUE HOST_HPUX_FALSE @@ -742,10 +750,8 @@ HOST_CYGWIN_FALSE HOST_CYGWIN_TRUE HOST_AIX_FALSE HOST_AIX_TRUE -BUILD_NC_FALSE -BUILD_NC_TRUE -ENABLE_NC_FALSE -ENABLE_NC_TRUE +SMALL_TIME_T_FALSE +SMALL_TIME_T_TRUE PROG_LDADD PLATFORM_LDADD CPP @@ -843,6 +849,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -868,19 +875,21 @@ ac_user_opts=' enable_option_checking enable_silent_rules enable_dependency_tracking +with_pic enable_shared enable_static -with_pic enable_fast_install with_gnu_ld with_sysroot enable_libtool_lock -enable_nc enable_hardening enable_windows_ssp with_openssldir enable_extratests +enable_tests enable_asm +enable_nc +enable_libtls_only ' ac_precious_vars='build_alias host_alias @@ -931,6 +940,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1183,6 +1193,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1320,7 +1339,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1433,7 +1452,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libressl 3.0.2 to adapt to many kinds of systems. +\`configure' configures libressl 3.3.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1473,6 +1492,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1503,7 +1523,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libressl 3.0.2:";; + short | recursive ) echo "Configuration of libressl 3.3.3:";; esac cat <<\_ACEOF @@ -1522,14 +1542,16 @@ Optional Features: --enable-fast-install[=PKGS] optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) - --enable-nc Enable installing TLS-enabled nc(1) --disable-hardening Disable options to frustrate memory corruption exploits --enable-windows-ssp Enable building the stack smashing protection on Windows. This currently distributing libssp-0.dll. --enable-extratests Enable extra tests that may be unreliable on some platforms + --disable-tests Disable tests [default=enabled] --disable-asm Disable assembly + --enable-nc Enable installing TLS-enabled nc(1) + --enable-libtls-only Enable installing libtls only Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1619,7 +1641,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libressl configure 3.0.2 +libressl configure 3.3.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2167,7 +2189,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libressl $as_me 3.0.2, which was +It was created by libressl $as_me 3.3.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2515,11 +2537,11 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu -LIBCRYPTO_VERSION=45:5:0 +LIBCRYPTO_VERSION=46:2:0 -LIBSSL_VERSION=47:6:0 +LIBSSL_VERSION=48:2:0 -LIBTLS_VERSION=19:7:0 +LIBTLS_VERSION=20:3:0 ac_aux_dir= @@ -2798,12 +2820,7 @@ program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -3108,7 +3125,7 @@ fi # Define the identity of the package. PACKAGE='libressl' - VERSION='3.0.2' + VERSION='3.3.3' cat >>confdefs.h <<_ACEOF @@ -7895,6 +7912,36 @@ done # Set options +# Check whether --with-pic was given. +if test "${with_pic+set}" = set; then : + withval=$with_pic; lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for lt_pkg in $withval; do + IFS="$lt_save_ifs" + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac +else + pic_mode=default +fi + + +test -z "$pic_mode" && pic_mode=yes + + + + + + enable_dlopen=no @@ -7966,37 +8013,6 @@ fi -# Check whether --with-pic was given. -if test "${with_pic+set}" = set; then : - withval=$with_pic; lt_p=${PACKAGE-default} - case $withval in - yes|no) pic_mode=$withval ;; - *) - pic_mode=default - # Look at the argument we got. We use all the common list separators. - lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," - for lt_pkg in $withval; do - IFS="$lt_save_ifs" - if test "X$lt_pkg" = "X$lt_p"; then - pic_mode=yes - fi - done - IFS="$lt_save_ifs" - ;; - esac -else - pic_mode=default -fi - - -test -z "$pic_mode" && pic_mode=default - - - - - - - # Check whether --enable-fast-install was given. if test "${enable_fast_install+set}" = set; then : enableval=$enable_fast_install; p=${PACKAGE-default} @@ -11900,7 +11916,6 @@ CC="$lt_save_CC" - CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing" BUILD_NC=yes @@ -12006,6 +12021,10 @@ fi HOST_ABI=elf CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE" ;; + *midipix*) + HOST_OS=midipix + CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE" + ;; *netbsd*) HOST_OS=netbsd HOST_ABI=elf @@ -12052,7 +12071,7 @@ $as_echo "#define HAVE_ATTRIBUTE__DEAD 1" >>confdefs.h CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS" CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600" CPPFLAGS="$CPPFLAGS" - PLATFORM_LDADD='-lws2_32' + PLATFORM_LDADD='-lws2_32 -lbcrypt' ;; *solaris*) @@ -12065,27 +12084,60 @@ $as_echo "#define HAVE_ATTRIBUTE__DEAD 1" >>confdefs.h *) ;; esac -# Check whether --enable-nc was given. -if test "${enable_nc+set}" = set; then : - enableval=$enable_nc; -fi +# Check if time_t is sized correctly +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of time_t" >&5 +$as_echo_n "checking size of time_t... " >&6; } +if ${ac_cv_sizeof_time_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (time_t))" "ac_cv_sizeof_time_t" "$ac_includes_default"; then : - if test "x$enable_nc" = xyes; then - ENABLE_NC_TRUE= - ENABLE_NC_FALSE='#' else - ENABLE_NC_TRUE='#' - ENABLE_NC_FALSE= + if test "$ac_cv_type_time_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (time_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_time_t=0 + fi fi - if test x$BUILD_NC = xyes -o "x$enable_nc" = xyes; then - BUILD_NC_TRUE= - BUILD_NC_FALSE='#' +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_time_t" >&5 +$as_echo "$ac_cv_sizeof_time_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_TIME_T $ac_cv_sizeof_time_t +_ACEOF + + + if test "$ac_cv_sizeof_time_t" = "4"; then + SMALL_TIME_T_TRUE= + SMALL_TIME_T_FALSE='#' else - BUILD_NC_TRUE='#' - BUILD_NC_FALSE= + SMALL_TIME_T_TRUE='#' + SMALL_TIME_T_FALSE= fi +if test "$ac_cv_sizeof_time_t" = "4"; then + $as_echo "#define SMALL_TIME_T 1" >>confdefs.h + + echo " ** Warning, this system is unable to represent times past 2038" + echo " ** It will behave incorrectly when handling valid RFC5280 dates" + + if test "$host_os" = "mingw32" ; then + echo " **" + echo " ** You can solve this by adjusting the build flags in your" + echo " ** mingw-w64 toolchain. Refer to README.windows for details." + fi +fi if test x$HOST_OS = xaix; then HOST_AIX_TRUE= @@ -12135,6 +12187,14 @@ else HOST_LINUX_FALSE= fi + if test x$HOST_OS = xmidipix; then + HOST_MIDIPIX_TRUE= + HOST_MIDIPIX_FALSE='#' +else + HOST_MIDIPIX_TRUE='#' + HOST_MIDIPIX_FALSE= +fi + if test x$HOST_OS = xnetbsd; then HOST_NETBSD_TRUE= HOST_NETBSD_FALSE='#' @@ -12233,33 +12293,100 @@ rm -f core conftest.err conftest.$ac_objext \ # _FORTIFY_SOURCE replaces builtin functions with safer versions. + ac_save_cflags=$CFLAGS + ac_cwerror_flag=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Werror" >&5 +$as_echo_n "checking whether C compiler accepts -Werror... " >&6; } +if ${ax_cv_check_cflags___Werror+:} false; then : + $as_echo_n "(cached) " >&6 +else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $saved_CC supports \"-D_FORTIFY_SOURCE=2\"" >&5 -$as_echo_n "checking if $saved_CC supports \"-D_FORTIFY_SOURCE=2\"... " >&6; } - old_cflags="$CFLAGS" - CFLAGS="-D_FORTIFY_SOURCE=2 -Wall -Werror" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -Werror" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___Werror=yes +else + ax_cv_check_cflags___Werror=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Werror" >&5 +$as_echo "$ax_cv_check_cflags___Werror" >&6; } +if test "x$ax_cv_check_cflags___Werror" = xyes; then : + CFLAGS="$CFLAGS -Werror" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to add -D_FORTIFY_SOURCE=2 to CPPFLAGS" >&5 +$as_echo_n "checking whether to add -D_FORTIFY_SOURCE=2 to CPPFLAGS... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - #include int main () { -printf("Hello") + + #ifndef _FORTIFY_SOURCE + return 0; + #else + this_is_an_error; + #endif + + ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + + #define _FORTIFY_SOURCE 2 + #include + int main() { + char *s = " "; + strcpy(s, "x"); + return strlen(s)-1; + } + + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - CFLAGS=$old_cflags - HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2" + CFLAGS=$ac_save_cflags + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - CFLAGS=$old_cflags + CFLAGS=$ac_save_cflags + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS=$ac_save_cflags fi rm -f core conftest.err conftest.$ac_objext \ @@ -13851,37 +13978,26 @@ else fi -# Add CPU-specific alignment flags -old_cflags=$CFLAGS -CFLAGS="$CFLAGS -I$srcdir/include" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if BSWAP4 builds without __STRICT_ALIGNMENT" >&5 -$as_echo_n "checking if BSWAP4 builds without __STRICT_ALIGNMENT... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include "$srcdir/crypto/modes/modes_lcl.h" -int -main () -{ -int a = 0; BSWAP4(a); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - BSWAP4=yes +# Check whether --enable-tests was given. +if test "${enable_tests+set}" = set; then : + enableval=$enable_tests; + if ! test "x${enable_tests}" = "xyes"; then + enable_tests="no" + fi else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - BSWAP4=no + enable_tests="yes" +fi + + if test "x$enable_tests" = xyes; then + ENABLE_TESTS_TRUE= + ENABLE_TESTS_FALSE='#' +else + ENABLE_TESTS_TRUE='#' + ENABLE_TESTS_FALSE= fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -CFLAGS="$old_cflags" + case $host_cpu in #( - *sparc*) : - CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT" ;; #( *arm*) : host_cpu=arm ;; #( *amd64*) : @@ -13894,11 +14010,6 @@ case $host_cpu in #( *) : ;; esac -if test "x$BSWAP4" = "xyes" -a "$host_cpu" = "arm" ; then : - -else - CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT" -fi if test "x$HOSTARCH" = "xintel"; then HOST_CPU_IS_INTEL_TRUE= HOST_CPU_IS_INTEL_FALSE='#' @@ -13991,67 +14102,47 @@ else fi -# Check if time_t is sized correctly -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of time_t" >&5 -$as_echo_n "checking size of time_t... " >&6; } -if ${ac_cv_sizeof_time_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (time_t))" "ac_cv_sizeof_time_t" "$ac_includes_default"; then : +ac_config_files="$ac_config_files Makefile include/Makefile include/openssl/Makefile crypto/Makefile ssl/Makefile tls/Makefile tests/Makefile apps/Makefile apps/ocspcheck/Makefile apps/openssl/Makefile apps/nc/Makefile man/Makefile libcrypto.pc libssl.pc libtls.pc openssl.pc" -else - if test "$ac_cv_type_time_t" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (time_t) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_time_t=0 - fi -fi +# Check whether --enable-nc was given. +if test "${enable_nc+set}" = set; then : + enableval=$enable_nc; fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_time_t" >&5 -$as_echo "$ac_cv_sizeof_time_t" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_TIME_T $ac_cv_sizeof_time_t -_ACEOF - - - -ac_config_files="$ac_config_files Makefile include/Makefile include/openssl/Makefile crypto/Makefile ssl/Makefile tls/Makefile tests/Makefile apps/Makefile apps/ocspcheck/Makefile apps/openssl/Makefile apps/nc/Makefile man/Makefile libcrypto.pc libssl.pc libtls.pc openssl.pc" + if test "x$enable_nc" = xyes; then + ENABLE_NC_TRUE= + ENABLE_NC_FALSE='#' +else + ENABLE_NC_TRUE='#' + ENABLE_NC_FALSE= +fi - if test "$ac_cv_sizeof_time_t" = "4"; then - SMALL_TIME_T_TRUE= - SMALL_TIME_T_FALSE='#' + if test x$BUILD_NC = xyes -o "x$enable_nc" = xyes; then + BUILD_NC_TRUE= + BUILD_NC_FALSE='#' else - SMALL_TIME_T_TRUE='#' - SMALL_TIME_T_FALSE= + BUILD_NC_TRUE='#' + BUILD_NC_FALSE= fi -if test "$ac_cv_sizeof_time_t" = "4"; then - $as_echo "#define SMALL_TIME_T 1" >>confdefs.h - echo " ** Warning, this system is unable to represent times past 2038" - echo " ** It will behave incorrectly when handling valid RFC5280 dates" +# Check whether --enable-libtls-only was given. +if test "${enable_libtls_only+set}" = set; then : + enableval=$enable_libtls_only; +fi - if test "$host_os" = "mingw32" ; then - echo " **" - echo " ** You can solve this by adjusting the build flags in your" - echo " ** mingw-w64 toolchain. Refer to README.windows for details." - fi + if test "x$enable_libtls_only" = xyes; then + ENABLE_LIBTLS_ONLY_TRUE= + ENABLE_LIBTLS_ONLY_FALSE='#' +else + ENABLE_LIBTLS_ONLY_TRUE='#' + ENABLE_LIBTLS_ONLY_FALSE= fi + cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure @@ -14221,12 +14312,8 @@ if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then as_fn_error $? "conditional \"am__fastdepCC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${ENABLE_NC_TRUE}" && test -z "${ENABLE_NC_FALSE}"; then - as_fn_error $? "conditional \"ENABLE_NC\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi -if test -z "${BUILD_NC_TRUE}" && test -z "${BUILD_NC_FALSE}"; then - as_fn_error $? "conditional \"BUILD_NC\" was never defined. +if test -z "${SMALL_TIME_T_TRUE}" && test -z "${SMALL_TIME_T_FALSE}"; then + as_fn_error $? "conditional \"SMALL_TIME_T\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${HOST_AIX_TRUE}" && test -z "${HOST_AIX_FALSE}"; then @@ -14253,6 +14340,10 @@ if test -z "${HOST_LINUX_TRUE}" && test -z "${HOST_LINUX_FALSE}"; then as_fn_error $? "conditional \"HOST_LINUX\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${HOST_MIDIPIX_TRUE}" && test -z "${HOST_MIDIPIX_FALSE}"; then + as_fn_error $? "conditional \"HOST_MIDIPIX\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${HOST_NETBSD_TRUE}" && test -z "${HOST_NETBSD_FALSE}"; then as_fn_error $? "conditional \"HOST_NETBSD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -14413,6 +14504,10 @@ if test -z "${ENABLE_EXTRATESTS_TRUE}" && test -z "${ENABLE_EXTRATESTS_FALSE}"; as_fn_error $? "conditional \"ENABLE_EXTRATESTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_TESTS_TRUE}" && test -z "${ENABLE_TESTS_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_TESTS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${HOST_CPU_IS_INTEL_TRUE}" && test -z "${HOST_CPU_IS_INTEL_FALSE}"; then as_fn_error $? "conditional \"HOST_CPU_IS_INTEL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -14441,8 +14536,16 @@ if test -z "${HOST_ASM_MINGW64_X86_64_TRUE}" && test -z "${HOST_ASM_MINGW64_X86_ as_fn_error $? "conditional \"HOST_ASM_MINGW64_X86_64\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${SMALL_TIME_T_TRUE}" && test -z "${SMALL_TIME_T_FALSE}"; then - as_fn_error $? "conditional \"SMALL_TIME_T\" was never defined. +if test -z "${ENABLE_NC_TRUE}" && test -z "${ENABLE_NC_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_NC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_NC_TRUE}" && test -z "${BUILD_NC_FALSE}"; then + as_fn_error $? "conditional \"BUILD_NC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${ENABLE_LIBTLS_ONLY_TRUE}" && test -z "${ENABLE_LIBTLS_ONLY_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_LIBTLS_ONLY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi @@ -14842,7 +14945,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libressl $as_me 3.0.2, which was +This file was extended by libressl $as_me 3.3.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14899,7 +15002,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libressl config.status 3.0.2 +libressl config.status 3.3.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -15019,9 +15122,9 @@ double_quote_subst='$double_quote_subst' delay_variable_subst='$delay_variable_subst' macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`' macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`' +pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`' enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`' -pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`' SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`' ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`' @@ -15823,7 +15926,9 @@ $as_echo X/"$am_mf" | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE=\"gmake\" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking). See \`config.log' for more details" "$LINENO" 5; } @@ -15893,15 +15998,15 @@ available_tags="" macro_version=$macro_version macro_revision=$macro_revision +# What type of objects to build. +pic_mode=$pic_mode + # Whether or not to build shared libraries. build_libtool_libs=$enable_shared # Whether or not to build static libraries. build_old_libs=$enable_static -# What type of objects to build. -pic_mode=$pic_mode - # Whether or not to optimize for fast installation. fast_install=$enable_fast_install diff --git a/configure.ac b/configure.ac index e584113d..fdf72eeb 100644 --- a/configure.ac +++ b/configure.ac @@ -29,8 +29,7 @@ USER_CFLAGS="$CFLAGS" AC_PROG_CC([cc gcc]) AC_PROG_CC_STDC AM_PROG_CC_C_O -AC_PROG_LIBTOOL -LT_INIT +LT_INIT([pic-only]) CHECK_OS_OPTIONS @@ -66,26 +65,21 @@ AC_ARG_ENABLE([extratests], AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms])) AM_CONDITIONAL([ENABLE_EXTRATESTS], [test "x$enable_extratests" = xyes]) -# Add CPU-specific alignment flags -old_cflags=$CFLAGS -CFLAGS="$CFLAGS -I$srcdir/include" -AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT]) -AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"], - [int a = 0; BSWAP4(a);], - AC_MSG_RESULT([yes]) - BSWAP4=yes, - AC_MSG_RESULT([no]) - BSWAP4=no) -CFLAGS="$old_cflags" +AC_ARG_ENABLE([tests], + [AS_HELP_STRING([--disable-tests], [Disable tests @<:@default=enabled@:>@])], + [ + if ! test "x${enable_tests}" = "xyes"; then + enable_tests="no" + fi], + [enable_tests="yes"]) +AM_CONDITIONAL([ENABLE_TESTS], [test "x$enable_tests" = xyes]) AS_CASE([$host_cpu], - [*sparc*], [CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"], [*arm*], [host_cpu=arm], [*amd64*], [host_cpu=x86_64 HOSTARCH=intel], [i?86], [HOSTARCH=intel], [x86_64], [HOSTARCH=intel] ) -AS_IF([test "x$BSWAP4" = "xyes" -a "$host_cpu" = "arm" ],,CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT") AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"]) AC_MSG_CHECKING([if .gnu.warning accepts long strings]) @@ -116,9 +110,6 @@ AM_CONDITIONAL([HOST_ASM_MASM_X86_64], AM_CONDITIONAL([HOST_ASM_MINGW64_X86_64], [test "x$HOST_ABI" = "xmingw64" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"]) -# Check if time_t is sized correctly -AC_CHECK_SIZEOF([time_t], [time.h]) - AC_CONFIG_FILES([ Makefile include/Makefile @@ -138,18 +129,14 @@ AC_CONFIG_FILES([ openssl.pc ]) -AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"]) -if test "$ac_cv_sizeof_time_t" = "4"; then - AC_DEFINE([SMALL_TIME_T]) - echo " ** Warning, this system is unable to represent times past 2038" - echo " ** It will behave incorrectly when handling valid RFC5280 dates" - - if test "$host_os" = "mingw32" ; then - echo " **" - echo " ** You can solve this by adjusting the build flags in your" - echo " ** mingw-w64 toolchain. Refer to README.windows for details." - fi -fi +AC_ARG_ENABLE([nc], + AS_HELP_STRING([--enable-nc], [Enable installing TLS-enabled nc(1)])) +AM_CONDITIONAL([ENABLE_NC], [test "x$enable_nc" = xyes]) +AM_CONDITIONAL([BUILD_NC], [test x$BUILD_NC = xyes -o "x$enable_nc" = xyes]) + +AC_ARG_ENABLE([libtls-only], + AS_HELP_STRING([--enable-libtls-only], [Enable installing libtls only])) +AM_CONDITIONAL([ENABLE_LIBTLS_ONLY], [test "x$enable_libtls_only" = xyes]) AC_REQUIRE_AUX_FILE([tap-driver.sh]) diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index 9509c336..7066cc8d 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt @@ -384,6 +384,20 @@ set( cmac/cm_ameth.c cmac/cm_pmeth.c cmac/cmac.c + cms/cms_asn1.c + cms/cms_att.c + cms/cms_cd.c + cms/cms_dd.c + cms/cms_enc.c + cms/cms_env.c + cms/cms_err.c + cms/cms_ess.c + cms/cms_io.c + cms/cms_kari.c + cms/cms_lib.c + cms/cms_pwri.c + cms/cms_sd.c + cms/cms_smime.c comp/c_rle.c comp/c_zlib.c comp/comp_err.c @@ -706,20 +720,56 @@ set( x509/by_dir.c x509/by_file.c x509/by_mem.c + x509/pcy_cache.c + x509/pcy_data.c + x509/pcy_lib.c + x509/pcy_map.c + x509/pcy_node.c + x509/pcy_tree.c + x509/x509_akey.c + x509/x509_akeya.c + x509/x509_alt.c x509/x509_att.c + x509/x509_bcons.c + x509/x509_bitst.c x509/x509_cmp.c + x509/x509_conf.c + x509/x509_constraints.c + x509/x509_cpols.c + x509/x509_crld.c x509/x509_d2.c x509/x509_def.c + x509/x509_enum.c x509/x509_err.c x509/x509_ext.c + x509/x509_extku.c + x509/x509_genn.c + x509/x509_ia5.c + x509/x509_info.c + x509/x509_int.c + x509/x509_issuer_cache.c + x509/x509_lib.c x509/x509_lu.c + x509/x509_ncons.c x509/x509_obj.c + x509/x509_ocsp.c + x509/x509_pci.c + x509/x509_pcia.c + x509/x509_pcons.c + x509/x509_pku.c + x509/x509_pmaps.c + x509/x509_prn.c + x509/x509_purp.c x509/x509_r2x.c x509/x509_req.c x509/x509_set.c + x509/x509_skey.c + x509/x509_sxnet.c x509/x509_trs.c x509/x509_txt.c + x509/x509_utl.c x509/x509_v3.c + x509/x509_verify.c x509/x509_vfy.c x509/x509_vpm.c x509/x509cset.c @@ -728,40 +778,6 @@ set( x509/x509spki.c x509/x509type.c x509/x_all.c - x509v3/pcy_cache.c - x509v3/pcy_data.c - x509v3/pcy_lib.c - x509v3/pcy_map.c - x509v3/pcy_node.c - x509v3/pcy_tree.c - x509v3/v3_akey.c - x509v3/v3_akeya.c - x509v3/v3_alt.c - x509v3/v3_bcons.c - x509v3/v3_bitst.c - x509v3/v3_conf.c - x509v3/v3_cpols.c - x509v3/v3_crld.c - x509v3/v3_enum.c - x509v3/v3_extku.c - x509v3/v3_genn.c - x509v3/v3_ia5.c - x509v3/v3_info.c - x509v3/v3_int.c - x509v3/v3_lib.c - x509v3/v3_ncons.c - x509v3/v3_ocsp.c - x509v3/v3_pci.c - x509v3/v3_pcia.c - x509v3/v3_pcons.c - x509v3/v3_pku.c - x509v3/v3_pmaps.c - x509v3/v3_prn.c - x509v3/v3_purp.c - x509v3/v3_skey.c - x509v3/v3_sxnet.c - x509v3/v3_utl.c - x509v3/v3err.c ) if(UNIX) @@ -793,7 +809,6 @@ if(WIN32) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_write) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_getsockopt) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_setsockopt) - set(EXTRA_EXPORT ${EXTRA_EXPORT} sleep) endif() if(NOT HAVE_ASPRINTF) @@ -922,7 +937,8 @@ if(NOT ENABLE_ASM) add_definitions(-DOPENSSL_NO_ASM) else() if(MSVC) - if(NOT "${CMAKE_GENERATOR}" MATCHES "Win64") + if((NOT "${CMAKE_GENERATOR}" MATCHES "Win64") AND + (NOT "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64")) add_definitions(-DOPENSSL_NO_ASM) endif() elseif(WIN32) @@ -968,18 +984,16 @@ target_include_directories(crypto PUBLIC ../include) -if (BUILD_SHARED_LIBS) - export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym) - target_link_libraries(crypto ${PLATFORM_LIBS}) - if (WIN32) - set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION}) - endif() - set_target_properties(crypto PROPERTIES - OUTPUT_NAME crypto${CRYPTO_POSTFIX} - ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX}) - set_target_properties(crypto PROPERTIES VERSION - ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION}) +export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym) +target_link_libraries(crypto ${PLATFORM_LIBS}) +if (WIN32) + set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION}) endif() +set_target_properties(crypto PROPERTIES + OUTPUT_NAME crypto${CRYPTO_POSTFIX} + ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX}) +set_target_properties(crypto PROPERTIES VERSION + ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION}) if(ENABLE_LIBRESSL_INSTALL) install( diff --git a/crypto/Makefile.am b/crypto/Makefile.am index f66bb73c..8552a4d2 100644 --- a/crypto/Makefile.am +++ b/crypto/Makefile.am @@ -9,7 +9,13 @@ AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes AM_CPPFLAGS += -I$(top_srcdir)/crypto +noinst_LTLIBRARIES = libcompat.la + +if ENABLE_LIBTLS_ONLY +noinst_LTLIBRARIES += libcrypto.la +else lib_LTLIBRARIES = libcrypto.la +endif EXTRA_DIST = VERSION EXTRA_DIST += CMakeLists.txt @@ -20,8 +26,9 @@ EXTRA_DIST += compat/strcasecmp.c BUILT_SOURCES = crypto_portable.sym CLEANFILES = crypto_portable.sym +CLEANFILES += libcrypto_la_objects.mk -crypto_portable.sym: +crypto_portable.sym: crypto.sym Makefile -echo "generating crypto_portable.sym ..." -cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym -chmod u+w crypto_portable.sym @@ -93,7 +100,20 @@ if HOST_WIN -mv crypto_portable.sym.tmp crypto_portable.sym endif +libcrypto_la_objects.mk: Makefile + @echo "libcrypto_la_objects= $(libcrypto_la_OBJECTS)" \ + | sed 's/ */ $$\(abs_top_builddir\)\/crypto\//g' \ + > libcrypto_la_objects.mk + @echo "libcompat_la_objects= $(libcompat_la_OBJECTS)" \ + | sed 's/compat\// $$\(abs_top_builddir\)\/crypto\/&/g' \ + >> libcrypto_la_objects.mk + @echo "libcompatnoopt_la_objects= $(libcompatnoopt_la_OBJECTS)" \ + | sed 's/compat\// $$\(abs_top_builddir\)\/crypto\/&/g' \ + >> libcrypto_la_objects.mk + libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym +EXTRA_libcrypto_la_DEPENDENCIES = crypto_portable.sym +EXTRA_libcrypto_la_DEPENDENCIES += libcrypto_la_objects.mk libcrypto_la_LIBADD = libcompat.la if !HAVE_EXPLICIT_BZERO libcrypto_la_LIBADD += libcompatnoopt.la @@ -112,8 +132,6 @@ else libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"$(sysconfdir)/ssl\" endif -noinst_LTLIBRARIES = libcompat.la - # compatibility functions that need to be built without optimizations if !HAVE_EXPLICIT_BZERO noinst_LTLIBRARIES += libcompatnoopt.la @@ -447,6 +465,23 @@ libcrypto_la_SOURCES += cmac/cm_ameth.c libcrypto_la_SOURCES += cmac/cm_pmeth.c libcrypto_la_SOURCES += cmac/cmac.c +# cms +libcrypto_la_SOURCES += cms/cms_asn1.c +libcrypto_la_SOURCES += cms/cms_att.c +libcrypto_la_SOURCES += cms/cms_cd.c +libcrypto_la_SOURCES += cms/cms_dd.c +libcrypto_la_SOURCES += cms/cms_enc.c +libcrypto_la_SOURCES += cms/cms_env.c +libcrypto_la_SOURCES += cms/cms_err.c +libcrypto_la_SOURCES += cms/cms_ess.c +libcrypto_la_SOURCES += cms/cms_io.c +libcrypto_la_SOURCES += cms/cms_kari.c +libcrypto_la_SOURCES += cms/cms_lib.c +libcrypto_la_SOURCES += cms/cms_pwri.c +libcrypto_la_SOURCES += cms/cms_sd.c +libcrypto_la_SOURCES += cms/cms_smime.c +noinst_HEADERS += cms/cms_lcl.h + # comp libcrypto_la_SOURCES += comp/c_rle.c libcrypto_la_SOURCES += comp/c_zlib.c @@ -680,7 +715,6 @@ libcrypto_la_SOURCES += gost/gostr341001_params.c libcrypto_la_SOURCES += gost/gostr341001_pmeth.c libcrypto_la_SOURCES += gost/gostr341194.c libcrypto_la_SOURCES += gost/streebog.c -noinst_HEADERS += gost/gost.h noinst_HEADERS += gost/gost_asn1.h noinst_HEADERS += gost/gost_locl.h @@ -887,20 +921,56 @@ noinst_HEADERS += whrlpool/wp_locl.h libcrypto_la_SOURCES += x509/by_dir.c libcrypto_la_SOURCES += x509/by_file.c libcrypto_la_SOURCES += x509/by_mem.c +libcrypto_la_SOURCES += x509/pcy_cache.c +libcrypto_la_SOURCES += x509/pcy_data.c +libcrypto_la_SOURCES += x509/pcy_lib.c +libcrypto_la_SOURCES += x509/pcy_map.c +libcrypto_la_SOURCES += x509/pcy_node.c +libcrypto_la_SOURCES += x509/pcy_tree.c +libcrypto_la_SOURCES += x509/x509_akey.c +libcrypto_la_SOURCES += x509/x509_akeya.c +libcrypto_la_SOURCES += x509/x509_alt.c libcrypto_la_SOURCES += x509/x509_att.c +libcrypto_la_SOURCES += x509/x509_bcons.c +libcrypto_la_SOURCES += x509/x509_bitst.c libcrypto_la_SOURCES += x509/x509_cmp.c +libcrypto_la_SOURCES += x509/x509_conf.c +libcrypto_la_SOURCES += x509/x509_constraints.c +libcrypto_la_SOURCES += x509/x509_cpols.c +libcrypto_la_SOURCES += x509/x509_crld.c libcrypto_la_SOURCES += x509/x509_d2.c libcrypto_la_SOURCES += x509/x509_def.c +libcrypto_la_SOURCES += x509/x509_enum.c libcrypto_la_SOURCES += x509/x509_err.c libcrypto_la_SOURCES += x509/x509_ext.c +libcrypto_la_SOURCES += x509/x509_extku.c +libcrypto_la_SOURCES += x509/x509_genn.c +libcrypto_la_SOURCES += x509/x509_ia5.c +libcrypto_la_SOURCES += x509/x509_info.c +libcrypto_la_SOURCES += x509/x509_int.c +libcrypto_la_SOURCES += x509/x509_issuer_cache.c +libcrypto_la_SOURCES += x509/x509_lib.c libcrypto_la_SOURCES += x509/x509_lu.c +libcrypto_la_SOURCES += x509/x509_ncons.c libcrypto_la_SOURCES += x509/x509_obj.c +libcrypto_la_SOURCES += x509/x509_ocsp.c +libcrypto_la_SOURCES += x509/x509_pci.c +libcrypto_la_SOURCES += x509/x509_pcia.c +libcrypto_la_SOURCES += x509/x509_pcons.c +libcrypto_la_SOURCES += x509/x509_pku.c +libcrypto_la_SOURCES += x509/x509_pmaps.c +libcrypto_la_SOURCES += x509/x509_prn.c +libcrypto_la_SOURCES += x509/x509_purp.c libcrypto_la_SOURCES += x509/x509_r2x.c libcrypto_la_SOURCES += x509/x509_req.c libcrypto_la_SOURCES += x509/x509_set.c +libcrypto_la_SOURCES += x509/x509_skey.c +libcrypto_la_SOURCES += x509/x509_sxnet.c libcrypto_la_SOURCES += x509/x509_trs.c libcrypto_la_SOURCES += x509/x509_txt.c +libcrypto_la_SOURCES += x509/x509_utl.c libcrypto_la_SOURCES += x509/x509_v3.c +libcrypto_la_SOURCES += x509/x509_verify.c libcrypto_la_SOURCES += x509/x509_vfy.c libcrypto_la_SOURCES += x509/x509_vpm.c libcrypto_la_SOURCES += x509/x509cset.c @@ -909,43 +979,9 @@ libcrypto_la_SOURCES += x509/x509rset.c libcrypto_la_SOURCES += x509/x509spki.c libcrypto_la_SOURCES += x509/x509type.c libcrypto_la_SOURCES += x509/x_all.c -noinst_HEADERS += x509/x509_lcl.h +noinst_HEADERS += x509/ext_dat.h +noinst_HEADERS += x509/pcy_int.h noinst_HEADERS += x509/vpm_int.h - -# x509v3 -libcrypto_la_SOURCES += x509v3/pcy_cache.c -libcrypto_la_SOURCES += x509v3/pcy_data.c -libcrypto_la_SOURCES += x509v3/pcy_lib.c -libcrypto_la_SOURCES += x509v3/pcy_map.c -libcrypto_la_SOURCES += x509v3/pcy_node.c -libcrypto_la_SOURCES += x509v3/pcy_tree.c -libcrypto_la_SOURCES += x509v3/v3_akey.c -libcrypto_la_SOURCES += x509v3/v3_akeya.c -libcrypto_la_SOURCES += x509v3/v3_alt.c -libcrypto_la_SOURCES += x509v3/v3_bcons.c -libcrypto_la_SOURCES += x509v3/v3_bitst.c -libcrypto_la_SOURCES += x509v3/v3_conf.c -libcrypto_la_SOURCES += x509v3/v3_cpols.c -libcrypto_la_SOURCES += x509v3/v3_crld.c -libcrypto_la_SOURCES += x509v3/v3_enum.c -libcrypto_la_SOURCES += x509v3/v3_extku.c -libcrypto_la_SOURCES += x509v3/v3_genn.c -libcrypto_la_SOURCES += x509v3/v3_ia5.c -libcrypto_la_SOURCES += x509v3/v3_info.c -libcrypto_la_SOURCES += x509v3/v3_int.c -libcrypto_la_SOURCES += x509v3/v3_lib.c -libcrypto_la_SOURCES += x509v3/v3_ncons.c -libcrypto_la_SOURCES += x509v3/v3_ocsp.c -libcrypto_la_SOURCES += x509v3/v3_pci.c -libcrypto_la_SOURCES += x509v3/v3_pcia.c -libcrypto_la_SOURCES += x509v3/v3_pcons.c -libcrypto_la_SOURCES += x509v3/v3_pku.c -libcrypto_la_SOURCES += x509v3/v3_pmaps.c -libcrypto_la_SOURCES += x509v3/v3_prn.c -libcrypto_la_SOURCES += x509v3/v3_purp.c -libcrypto_la_SOURCES += x509v3/v3_skey.c -libcrypto_la_SOURCES += x509v3/v3_sxnet.c -libcrypto_la_SOURCES += x509v3/v3_utl.c -libcrypto_la_SOURCES += x509v3/v3err.c -noinst_HEADERS += x509v3/ext_dat.h -noinst_HEADERS += x509v3/pcy_int.h +noinst_HEADERS += x509/x509_internal.h +noinst_HEADERS += x509/x509_issuer_cache.h +noinst_HEADERS += x509/x509_lcl.h diff --git a/crypto/Makefile.in b/crypto/Makefile.in index bc8407d4..4d098f46 100644 --- a/crypto/Makefile.in +++ b/crypto/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -89,50 +89,51 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_EXPLICIT_BZERO_FALSE@am__append_1 = libcompatnoopt.la -@OPENSSL_NO_ASM_TRUE@am__append_2 = -DOPENSSL_NO_ASM -@OPENSSLDIR_DEFINED_TRUE@am__append_3 = -DOPENSSLDIR=\"@OPENSSLDIR@\" -@OPENSSLDIR_DEFINED_FALSE@am__append_4 = -DOPENSSLDIR=\"$(sysconfdir)/ssl\" +@ENABLE_LIBTLS_ONLY_TRUE@am__append_1 = libcrypto.la +@HAVE_EXPLICIT_BZERO_FALSE@am__append_2 = libcompatnoopt.la +@OPENSSL_NO_ASM_TRUE@am__append_3 = -DOPENSSL_NO_ASM +@OPENSSLDIR_DEFINED_TRUE@am__append_4 = -DOPENSSLDIR=\"@OPENSSLDIR@\" +@OPENSSLDIR_DEFINED_FALSE@am__append_5 = -DOPENSSLDIR=\"$(sysconfdir)/ssl\" # compatibility functions that need to be built without optimizations -@HAVE_EXPLICIT_BZERO_FALSE@am__append_5 = libcompatnoopt.la -@HAVE_EXPLICIT_BZERO_FALSE@@HOST_WIN_TRUE@am__append_6 = compat/explicit_bzero_win.c -@HAVE_EXPLICIT_BZERO_FALSE@@HOST_WIN_FALSE@am__append_7 = compat/explicit_bzero.c -@HAVE_STRLCAT_FALSE@am__append_8 = compat/strlcat.c -@HAVE_STRLCPY_FALSE@am__append_9 = compat/strlcpy.c -@HAVE_STRNDUP_FALSE@am__append_10 = compat/strndup.c +@HAVE_EXPLICIT_BZERO_FALSE@am__append_6 = libcompatnoopt.la +@HAVE_EXPLICIT_BZERO_FALSE@@HOST_WIN_TRUE@am__append_7 = compat/explicit_bzero_win.c +@HAVE_EXPLICIT_BZERO_FALSE@@HOST_WIN_FALSE@am__append_8 = compat/explicit_bzero.c +@HAVE_STRLCAT_FALSE@am__append_9 = compat/strlcat.c +@HAVE_STRLCPY_FALSE@am__append_10 = compat/strlcpy.c +@HAVE_STRNDUP_FALSE@am__append_11 = compat/strndup.c # the only user of strnlen is strndup, so only build it if needed -@HAVE_STRNDUP_FALSE@@HAVE_STRNLEN_FALSE@am__append_11 = compat/strnlen.c -@HAVE_STRSEP_FALSE@am__append_12 = compat/strsep.c -@HAVE_ASPRINTF_FALSE@am__append_13 = compat/bsd-asprintf.c -@HAVE_FREEZERO_FALSE@am__append_14 = compat/freezero.c -@HAVE_GETPAGESIZE_FALSE@am__append_15 = compat/getpagesize.c -@HAVE_GETPROGNAME_FALSE@@HOST_LINUX_TRUE@am__append_16 = compat/getprogname_linux.c -@HAVE_GETPROGNAME_FALSE@@HOST_LINUX_FALSE@@HOST_WIN_TRUE@am__append_17 = compat/getprogname_windows.c -@HAVE_GETPROGNAME_FALSE@@HOST_LINUX_FALSE@@HOST_WIN_FALSE@am__append_18 = compat/getprogname_unimpl.c -@HAVE_TIMEGM_FALSE@am__append_19 = compat/timegm.c -@HAVE_REALLOCARRAY_FALSE@am__append_20 = compat/reallocarray.c -@HAVE_RECALLOCARRAY_FALSE@am__append_21 = compat/recallocarray.c -@HAVE_SYSLOG_R_FALSE@am__append_22 = compat/syslog_r.c -@HAVE_TIMINGSAFE_MEMCMP_FALSE@am__append_23 = compat/timingsafe_memcmp.c -@HAVE_TIMINGSAFE_BCMP_FALSE@am__append_24 = compat/timingsafe_bcmp.c -@HOST_WIN_TRUE@am__append_25 = compat/posix_win.c -@HAVE_ARC4RANDOM_BUF_FALSE@am__append_26 = compat/arc4random.c \ +@HAVE_STRNDUP_FALSE@@HAVE_STRNLEN_FALSE@am__append_12 = compat/strnlen.c +@HAVE_STRSEP_FALSE@am__append_13 = compat/strsep.c +@HAVE_ASPRINTF_FALSE@am__append_14 = compat/bsd-asprintf.c +@HAVE_FREEZERO_FALSE@am__append_15 = compat/freezero.c +@HAVE_GETPAGESIZE_FALSE@am__append_16 = compat/getpagesize.c +@HAVE_GETPROGNAME_FALSE@@HOST_LINUX_TRUE@am__append_17 = compat/getprogname_linux.c +@HAVE_GETPROGNAME_FALSE@@HOST_LINUX_FALSE@@HOST_WIN_TRUE@am__append_18 = compat/getprogname_windows.c +@HAVE_GETPROGNAME_FALSE@@HOST_LINUX_FALSE@@HOST_WIN_FALSE@am__append_19 = compat/getprogname_unimpl.c +@HAVE_TIMEGM_FALSE@am__append_20 = compat/timegm.c +@HAVE_REALLOCARRAY_FALSE@am__append_21 = compat/reallocarray.c +@HAVE_RECALLOCARRAY_FALSE@am__append_22 = compat/recallocarray.c +@HAVE_SYSLOG_R_FALSE@am__append_23 = compat/syslog_r.c +@HAVE_TIMINGSAFE_MEMCMP_FALSE@am__append_24 = compat/timingsafe_memcmp.c +@HAVE_TIMINGSAFE_BCMP_FALSE@am__append_25 = compat/timingsafe_bcmp.c +@HOST_WIN_TRUE@am__append_26 = compat/posix_win.c +@HAVE_ARC4RANDOM_BUF_FALSE@am__append_27 = compat/arc4random.c \ @HAVE_ARC4RANDOM_BUF_FALSE@ compat/arc4random_uniform.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_AIX_TRUE@am__append_27 = compat/getentropy_aix.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_FREEBSD_TRUE@am__append_28 = compat/getentropy_freebsd.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_HPUX_TRUE@am__append_29 = compat/getentropy_hpux.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_LINUX_TRUE@am__append_30 = compat/getentropy_linux.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_NETBSD_TRUE@am__append_31 = compat/getentropy_netbsd.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_DARWIN_TRUE@am__append_32 = compat/getentropy_osx.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_SOLARIS_TRUE@am__append_33 = compat/getentropy_solaris.c -@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_WIN_TRUE@am__append_34 = compat/getentropy_win.c -@HOST_ASM_ELF_ARM_TRUE@am__append_35 = -DAES_ASM -DOPENSSL_BN_ASM_MONT \ +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_AIX_TRUE@am__append_28 = compat/getentropy_aix.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_FREEBSD_TRUE@am__append_29 = compat/getentropy_freebsd.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_HPUX_TRUE@am__append_30 = compat/getentropy_hpux.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_LINUX_TRUE@am__append_31 = compat/getentropy_linux.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_NETBSD_TRUE@am__append_32 = compat/getentropy_netbsd.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_DARWIN_TRUE@am__append_33 = compat/getentropy_osx.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_SOLARIS_TRUE@am__append_34 = compat/getentropy_solaris.c +@HAVE_ARC4RANDOM_BUF_FALSE@@HAVE_GETENTROPY_FALSE@@HOST_WIN_TRUE@am__append_35 = compat/getentropy_win.c +@HOST_ASM_ELF_ARM_TRUE@am__append_36 = -DAES_ASM -DOPENSSL_BN_ASM_MONT \ @HOST_ASM_ELF_ARM_TRUE@ -DOPENSSL_BN_ASM_GF2m -DGHASH_ASM \ @HOST_ASM_ELF_ARM_TRUE@ -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM \ @HOST_ASM_ELF_ARM_TRUE@ -DOPENSSL_CPUID_OBJ -@HOST_ASM_ELF_ARM_TRUE@am__append_36 = $(ASM_ARM_ELF) -@HOST_ASM_ELF_X86_64_TRUE@am__append_37 = -DAES_ASM -DBSAES_ASM \ +@HOST_ASM_ELF_ARM_TRUE@am__append_37 = $(ASM_ARM_ELF) +@HOST_ASM_ELF_X86_64_TRUE@am__append_38 = -DAES_ASM -DBSAES_ASM \ @HOST_ASM_ELF_X86_64_TRUE@ -DVPAES_ASM -DOPENSSL_IA32_SSE2 \ @HOST_ASM_ELF_X86_64_TRUE@ -DOPENSSL_BN_ASM_MONT \ @HOST_ASM_ELF_X86_64_TRUE@ -DOPENSSL_BN_ASM_MONT5 \ @@ -140,8 +141,8 @@ host_triplet = @host@ @HOST_ASM_ELF_X86_64_TRUE@ -DGHASH_ASM -DRSA_ASM -DSHA1_ASM \ @HOST_ASM_ELF_X86_64_TRUE@ -DSHA256_ASM -DSHA512_ASM \ @HOST_ASM_ELF_X86_64_TRUE@ -DWHIRLPOOL_ASM -DOPENSSL_CPUID_OBJ -@HOST_ASM_ELF_X86_64_TRUE@am__append_38 = $(ASM_X86_64_ELF) -@HOST_ASM_MACOSX_X86_64_TRUE@am__append_39 = -DAES_ASM -DBSAES_ASM \ +@HOST_ASM_ELF_X86_64_TRUE@am__append_39 = $(ASM_X86_64_ELF) +@HOST_ASM_MACOSX_X86_64_TRUE@am__append_40 = -DAES_ASM -DBSAES_ASM \ @HOST_ASM_MACOSX_X86_64_TRUE@ -DVPAES_ASM -DOPENSSL_IA32_SSE2 \ @HOST_ASM_MACOSX_X86_64_TRUE@ -DOPENSSL_BN_ASM_MONT \ @HOST_ASM_MACOSX_X86_64_TRUE@ -DOPENSSL_BN_ASM_MONT5 \ @@ -150,8 +151,8 @@ host_triplet = @host@ @HOST_ASM_MACOSX_X86_64_TRUE@ -DSHA256_ASM -DSHA512_ASM \ @HOST_ASM_MACOSX_X86_64_TRUE@ -DWHIRLPOOL_ASM \ @HOST_ASM_MACOSX_X86_64_TRUE@ -DOPENSSL_CPUID_OBJ -@HOST_ASM_MACOSX_X86_64_TRUE@am__append_40 = $(ASM_X86_64_MACOSX) -@HOST_ASM_MASM_X86_64_TRUE@am__append_41 = -DAES_ASM -DBSAES_ASM \ +@HOST_ASM_MACOSX_X86_64_TRUE@am__append_41 = $(ASM_X86_64_MACOSX) +@HOST_ASM_MASM_X86_64_TRUE@am__append_42 = -DAES_ASM -DBSAES_ASM \ @HOST_ASM_MASM_X86_64_TRUE@ -DVPAES_ASM -DOPENSSL_IA32_SSE2 \ @HOST_ASM_MASM_X86_64_TRUE@ -DOPENSSL_BN_ASM_MONT \ @HOST_ASM_MASM_X86_64_TRUE@ -DOPENSSL_BN_ASM_MONT5 \ @@ -159,34 +160,36 @@ host_triplet = @host@ @HOST_ASM_MASM_X86_64_TRUE@ -DGHASH_ASM -DRSA_ASM -DSHA1_ASM \ @HOST_ASM_MASM_X86_64_TRUE@ -DSHA256_ASM -DSHA512_ASM \ @HOST_ASM_MASM_X86_64_TRUE@ -DWHIRLPOOL_ASM -DOPENSSL_CPUID_OBJ -@HOST_ASM_MASM_X86_64_TRUE@am__append_42 = $(ASM_X86_64_MASM) +@HOST_ASM_MASM_X86_64_TRUE@am__append_43 = $(ASM_X86_64_MASM) #libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT #libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5 #libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m -@HOST_ASM_MINGW64_X86_64_TRUE@am__append_43 = -DAES_ASM -DBSAES_ASM \ +@HOST_ASM_MINGW64_X86_64_TRUE@am__append_44 = -DAES_ASM -DBSAES_ASM \ @HOST_ASM_MINGW64_X86_64_TRUE@ -DVPAES_ASM -DOPENSSL_IA32_SSE2 \ @HOST_ASM_MINGW64_X86_64_TRUE@ -DMD5_ASM -DGHASH_ASM -DRSA_ASM \ @HOST_ASM_MINGW64_X86_64_TRUE@ -DSHA1_ASM -DSHA256_ASM \ @HOST_ASM_MINGW64_X86_64_TRUE@ -DSHA512_ASM -DWHIRLPOOL_ASM \ @HOST_ASM_MINGW64_X86_64_TRUE@ -DOPENSSL_CPUID_OBJ -@HOST_ASM_MINGW64_X86_64_TRUE@am__append_44 = $(ASM_X86_64_MINGW64) -@HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@am__append_45 = aes/aes_cbc.c \ +@HOST_ASM_MINGW64_X86_64_TRUE@am__append_45 = $(ASM_X86_64_MINGW64) +@HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@am__append_46 = aes/aes_cbc.c \ @HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@ aes/aes_core.c \ @HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@ camellia/camellia.c \ @HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@ camellia/cmll_cbc.c \ @HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@ rc4/rc4_enc.c \ @HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@ rc4/rc4_skey.c \ @HOST_ASM_ELF_ARM_FALSE@@HOST_ASM_ELF_X86_64_FALSE@@HOST_ASM_MACOSX_X86_64_FALSE@@HOST_ASM_MASM_X86_64_FALSE@@HOST_ASM_MINGW64_X86_64_FALSE@ whrlpool/wp_block.c -@HOST_WIN_FALSE@am__append_46 = crypto_lock.c -@HOST_WIN_TRUE@am__append_47 = compat/crypto_lock_win.c -@HOST_WIN_FALSE@am__append_48 = bio/b_posix.c -@HOST_WIN_TRUE@am__append_49 = bio/b_win.c -@HOST_WIN_FALSE@am__append_50 = bio/bss_log.c -@HOST_WIN_FALSE@am__append_51 = ui/ui_openssl.c -@HOST_WIN_TRUE@am__append_52 = ui/ui_openssl_win.c +@HOST_WIN_FALSE@am__append_47 = crypto_lock.c +@HOST_WIN_TRUE@am__append_48 = compat/crypto_lock_win.c +@HOST_WIN_FALSE@am__append_49 = bio/b_posix.c +@HOST_WIN_TRUE@am__append_50 = bio/b_win.c +@HOST_WIN_FALSE@am__append_51 = bio/bss_log.c +@HOST_WIN_FALSE@am__append_52 = ui/ui_openssl.c +@HOST_WIN_TRUE@am__append_53 = ui/ui_openssl_win.c subdir = crypto ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -304,7 +307,7 @@ libcompatnoopt_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(libcompatnoopt_la_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ -o $@ @HAVE_EXPLICIT_BZERO_FALSE@am_libcompatnoopt_la_rpath = -libcrypto_la_DEPENDENCIES = libcompat.la $(am__append_1) +libcrypto_la_DEPENDENCIES = libcompat.la $(am__append_2) am__libcrypto_la_SOURCES_DIST = aes/aes-elf-armv4.S \ bn/gf2m-elf-armv4.S bn/mont-elf-armv4.S sha/sha1-elf-armv4.S \ sha/sha512-elf-armv4.S sha/sha256-elf-armv4.S \ @@ -389,42 +392,46 @@ am__libcrypto_la_SOURCES_DIST = aes/aes-elf-armv4.S \ camellia/cmll_misc.c camellia/cmll_ofb.c cast/c_cfb64.c \ cast/c_ecb.c cast/c_enc.c cast/c_ofb64.c cast/c_skey.c \ chacha/chacha.c cmac/cm_ameth.c cmac/cm_pmeth.c cmac/cmac.c \ - comp/c_rle.c comp/c_zlib.c comp/comp_err.c comp/comp_lib.c \ - conf/conf_api.c conf/conf_def.c conf/conf_err.c \ - conf/conf_lib.c conf/conf_mall.c conf/conf_mod.c \ - conf/conf_sap.c curve25519/curve25519-generic.c \ - curve25519/curve25519.c des/cbc_cksm.c des/cbc_enc.c \ - des/cfb64ede.c des/cfb64enc.c des/cfb_enc.c des/des_enc.c \ - des/ecb3_enc.c des/ecb_enc.c des/ede_cbcm_enc.c des/enc_read.c \ - des/enc_writ.c des/fcrypt.c des/fcrypt_b.c des/ofb64ede.c \ - des/ofb64enc.c des/ofb_enc.c des/pcbc_enc.c des/qud_cksm.c \ - des/rand_key.c des/set_key.c des/str2key.c des/xcbc_enc.c \ - dh/dh_ameth.c dh/dh_asn1.c dh/dh_check.c dh/dh_depr.c \ - dh/dh_err.c dh/dh_gen.c dh/dh_key.c dh/dh_lib.c dh/dh_pmeth.c \ - dh/dh_prn.c dsa/dsa_ameth.c dsa/dsa_asn1.c dsa/dsa_depr.c \ - dsa/dsa_err.c dsa/dsa_gen.c dsa/dsa_key.c dsa/dsa_lib.c \ - dsa/dsa_meth.c dsa/dsa_ossl.c dsa/dsa_pmeth.c dsa/dsa_prn.c \ - dsa/dsa_sign.c dsa/dsa_vrf.c dso/dso_dlfcn.c dso/dso_err.c \ - dso/dso_lib.c dso/dso_null.c dso/dso_openssl.c ec/ec2_mult.c \ - ec/ec2_oct.c ec/ec2_smpl.c ec/ec_ameth.c ec/ec_asn1.c \ - ec/ec_check.c ec/ec_curve.c ec/ec_cvt.c ec/ec_err.c \ - ec/ec_key.c ec/ec_kmeth.c ec/ec_lib.c ec/ec_mult.c ec/ec_oct.c \ - ec/ec_pmeth.c ec/ec_print.c ec/eck_prn.c ec/ecp_mont.c \ - ec/ecp_nist.c ec/ecp_oct.c ec/ecp_smpl.c ecdh/ecdh_kdf.c \ - ecdh/ech_err.c ecdh/ech_key.c ecdh/ech_lib.c ecdsa/ecs_asn1.c \ - ecdsa/ecs_err.c ecdsa/ecs_lib.c ecdsa/ecs_ossl.c \ - ecdsa/ecs_sign.c ecdsa/ecs_vrf.c engine/eng_all.c \ - engine/eng_cnf.c engine/eng_ctrl.c engine/eng_dyn.c \ - engine/eng_err.c engine/eng_fat.c engine/eng_init.c \ - engine/eng_lib.c engine/eng_list.c engine/eng_openssl.c \ - engine/eng_pkey.c engine/eng_table.c engine/tb_asnmth.c \ - engine/tb_cipher.c engine/tb_dh.c engine/tb_digest.c \ - engine/tb_dsa.c engine/tb_ecdh.c engine/tb_ecdsa.c \ - engine/tb_eckey.c engine/tb_pkmeth.c engine/tb_rand.c \ - engine/tb_rsa.c engine/tb_store.c err/err.c err/err_all.c \ - err/err_prn.c evp/bio_b64.c evp/bio_enc.c evp/bio_md.c \ - evp/c_all.c evp/digest.c evp/e_aes.c evp/e_aes_cbc_hmac_sha1.c \ - evp/e_bf.c evp/e_camellia.c evp/e_cast.c evp/e_chacha.c \ + cms/cms_asn1.c cms/cms_att.c cms/cms_cd.c cms/cms_dd.c \ + cms/cms_enc.c cms/cms_env.c cms/cms_err.c cms/cms_ess.c \ + cms/cms_io.c cms/cms_kari.c cms/cms_lib.c cms/cms_pwri.c \ + cms/cms_sd.c cms/cms_smime.c comp/c_rle.c comp/c_zlib.c \ + comp/comp_err.c comp/comp_lib.c conf/conf_api.c \ + conf/conf_def.c conf/conf_err.c conf/conf_lib.c \ + conf/conf_mall.c conf/conf_mod.c conf/conf_sap.c \ + curve25519/curve25519-generic.c curve25519/curve25519.c \ + des/cbc_cksm.c des/cbc_enc.c des/cfb64ede.c des/cfb64enc.c \ + des/cfb_enc.c des/des_enc.c des/ecb3_enc.c des/ecb_enc.c \ + des/ede_cbcm_enc.c des/enc_read.c des/enc_writ.c des/fcrypt.c \ + des/fcrypt_b.c des/ofb64ede.c des/ofb64enc.c des/ofb_enc.c \ + des/pcbc_enc.c des/qud_cksm.c des/rand_key.c des/set_key.c \ + des/str2key.c des/xcbc_enc.c dh/dh_ameth.c dh/dh_asn1.c \ + dh/dh_check.c dh/dh_depr.c dh/dh_err.c dh/dh_gen.c dh/dh_key.c \ + dh/dh_lib.c dh/dh_pmeth.c dh/dh_prn.c dsa/dsa_ameth.c \ + dsa/dsa_asn1.c dsa/dsa_depr.c dsa/dsa_err.c dsa/dsa_gen.c \ + dsa/dsa_key.c dsa/dsa_lib.c dsa/dsa_meth.c dsa/dsa_ossl.c \ + dsa/dsa_pmeth.c dsa/dsa_prn.c dsa/dsa_sign.c dsa/dsa_vrf.c \ + dso/dso_dlfcn.c dso/dso_err.c dso/dso_lib.c dso/dso_null.c \ + dso/dso_openssl.c ec/ec2_mult.c ec/ec2_oct.c ec/ec2_smpl.c \ + ec/ec_ameth.c ec/ec_asn1.c ec/ec_check.c ec/ec_curve.c \ + ec/ec_cvt.c ec/ec_err.c ec/ec_key.c ec/ec_kmeth.c ec/ec_lib.c \ + ec/ec_mult.c ec/ec_oct.c ec/ec_pmeth.c ec/ec_print.c \ + ec/eck_prn.c ec/ecp_mont.c ec/ecp_nist.c ec/ecp_oct.c \ + ec/ecp_smpl.c ecdh/ecdh_kdf.c ecdh/ech_err.c ecdh/ech_key.c \ + ecdh/ech_lib.c ecdsa/ecs_asn1.c ecdsa/ecs_err.c \ + ecdsa/ecs_lib.c ecdsa/ecs_ossl.c ecdsa/ecs_sign.c \ + ecdsa/ecs_vrf.c engine/eng_all.c engine/eng_cnf.c \ + engine/eng_ctrl.c engine/eng_dyn.c engine/eng_err.c \ + engine/eng_fat.c engine/eng_init.c engine/eng_lib.c \ + engine/eng_list.c engine/eng_openssl.c engine/eng_pkey.c \ + engine/eng_table.c engine/tb_asnmth.c engine/tb_cipher.c \ + engine/tb_dh.c engine/tb_digest.c engine/tb_dsa.c \ + engine/tb_ecdh.c engine/tb_ecdsa.c engine/tb_eckey.c \ + engine/tb_pkmeth.c engine/tb_rand.c engine/tb_rsa.c \ + engine/tb_store.c err/err.c err/err_all.c err/err_prn.c \ + evp/bio_b64.c evp/bio_enc.c evp/bio_md.c evp/c_all.c \ + evp/digest.c evp/e_aes.c evp/e_aes_cbc_hmac_sha1.c evp/e_bf.c \ + evp/e_camellia.c evp/e_cast.c evp/e_chacha.c \ evp/e_chacha20poly1305.c evp/e_des.c evp/e_des3.c \ evp/e_gost2814789.c evp/e_idea.c evp/e_null.c evp/e_old.c \ evp/e_rc2.c evp/e_rc4.c evp/e_rc4_hmac_md5.c evp/e_sm4.c \ @@ -478,24 +485,25 @@ am__libcrypto_la_SOURCES_DIST = aes/aes-elf-armv4.S \ ts/ts_rsp_verify.c ts/ts_verify_ctx.c txt_db/txt_db.c \ ui/ui_err.c ui/ui_lib.c ui/ui_openssl.c ui/ui_openssl_win.c \ ui/ui_util.c whrlpool/wp_dgst.c x509/by_dir.c x509/by_file.c \ - x509/by_mem.c x509/x509_att.c x509/x509_cmp.c x509/x509_d2.c \ - x509/x509_def.c x509/x509_err.c x509/x509_ext.c x509/x509_lu.c \ - x509/x509_obj.c x509/x509_r2x.c x509/x509_req.c \ - x509/x509_set.c x509/x509_trs.c x509/x509_txt.c x509/x509_v3.c \ - x509/x509_vfy.c x509/x509_vpm.c x509/x509cset.c \ - x509/x509name.c x509/x509rset.c x509/x509spki.c \ - x509/x509type.c x509/x_all.c x509v3/pcy_cache.c \ - x509v3/pcy_data.c x509v3/pcy_lib.c x509v3/pcy_map.c \ - x509v3/pcy_node.c x509v3/pcy_tree.c x509v3/v3_akey.c \ - x509v3/v3_akeya.c x509v3/v3_alt.c x509v3/v3_bcons.c \ - x509v3/v3_bitst.c x509v3/v3_conf.c x509v3/v3_cpols.c \ - x509v3/v3_crld.c x509v3/v3_enum.c x509v3/v3_extku.c \ - x509v3/v3_genn.c x509v3/v3_ia5.c x509v3/v3_info.c \ - x509v3/v3_int.c x509v3/v3_lib.c x509v3/v3_ncons.c \ - x509v3/v3_ocsp.c x509v3/v3_pci.c x509v3/v3_pcia.c \ - x509v3/v3_pcons.c x509v3/v3_pku.c x509v3/v3_pmaps.c \ - x509v3/v3_prn.c x509v3/v3_purp.c x509v3/v3_skey.c \ - x509v3/v3_sxnet.c x509v3/v3_utl.c x509v3/v3err.c + x509/by_mem.c x509/pcy_cache.c x509/pcy_data.c x509/pcy_lib.c \ + x509/pcy_map.c x509/pcy_node.c x509/pcy_tree.c \ + x509/x509_akey.c x509/x509_akeya.c x509/x509_alt.c \ + x509/x509_att.c x509/x509_bcons.c x509/x509_bitst.c \ + x509/x509_cmp.c x509/x509_conf.c x509/x509_constraints.c \ + x509/x509_cpols.c x509/x509_crld.c x509/x509_d2.c \ + x509/x509_def.c x509/x509_enum.c x509/x509_err.c \ + x509/x509_ext.c x509/x509_extku.c x509/x509_genn.c \ + x509/x509_ia5.c x509/x509_info.c x509/x509_int.c \ + x509/x509_issuer_cache.c x509/x509_lib.c x509/x509_lu.c \ + x509/x509_ncons.c x509/x509_obj.c x509/x509_ocsp.c \ + x509/x509_pci.c x509/x509_pcia.c x509/x509_pcons.c \ + x509/x509_pku.c x509/x509_pmaps.c x509/x509_prn.c \ + x509/x509_purp.c x509/x509_r2x.c x509/x509_req.c \ + x509/x509_set.c x509/x509_skey.c x509/x509_sxnet.c \ + x509/x509_trs.c x509/x509_txt.c x509/x509_utl.c x509/x509_v3.c \ + x509/x509_verify.c x509/x509_vfy.c x509/x509_vpm.c \ + x509/x509cset.c x509/x509name.c x509/x509rset.c \ + x509/x509spki.c x509/x509type.c x509/x_all.c am__objects_30 = aes/libcrypto_la-aes-elf-armv4.lo \ bn/libcrypto_la-gf2m-elf-armv4.lo \ bn/libcrypto_la-mont-elf-armv4.lo \ @@ -686,6 +694,13 @@ am_libcrypto_la_OBJECTS = $(am__objects_31) $(am__objects_33) \ cast/libcrypto_la-c_ofb64.lo cast/libcrypto_la-c_skey.lo \ chacha/libcrypto_la-chacha.lo cmac/libcrypto_la-cm_ameth.lo \ cmac/libcrypto_la-cm_pmeth.lo cmac/libcrypto_la-cmac.lo \ + cms/libcrypto_la-cms_asn1.lo cms/libcrypto_la-cms_att.lo \ + cms/libcrypto_la-cms_cd.lo cms/libcrypto_la-cms_dd.lo \ + cms/libcrypto_la-cms_enc.lo cms/libcrypto_la-cms_env.lo \ + cms/libcrypto_la-cms_err.lo cms/libcrypto_la-cms_ess.lo \ + cms/libcrypto_la-cms_io.lo cms/libcrypto_la-cms_kari.lo \ + cms/libcrypto_la-cms_lib.lo cms/libcrypto_la-cms_pwri.lo \ + cms/libcrypto_la-cms_sd.lo cms/libcrypto_la-cms_smime.lo \ comp/libcrypto_la-c_rle.lo comp/libcrypto_la-c_zlib.lo \ comp/libcrypto_la-comp_err.lo comp/libcrypto_la-comp_lib.lo \ conf/libcrypto_la-conf_api.lo conf/libcrypto_la-conf_def.lo \ @@ -865,39 +880,43 @@ am_libcrypto_la_OBJECTS = $(am__objects_31) $(am__objects_33) \ $(am__objects_46) $(am__objects_47) ui/libcrypto_la-ui_util.lo \ whrlpool/libcrypto_la-wp_dgst.lo x509/libcrypto_la-by_dir.lo \ x509/libcrypto_la-by_file.lo x509/libcrypto_la-by_mem.lo \ - x509/libcrypto_la-x509_att.lo x509/libcrypto_la-x509_cmp.lo \ + x509/libcrypto_la-pcy_cache.lo x509/libcrypto_la-pcy_data.lo \ + x509/libcrypto_la-pcy_lib.lo x509/libcrypto_la-pcy_map.lo \ + x509/libcrypto_la-pcy_node.lo x509/libcrypto_la-pcy_tree.lo \ + x509/libcrypto_la-x509_akey.lo x509/libcrypto_la-x509_akeya.lo \ + x509/libcrypto_la-x509_alt.lo x509/libcrypto_la-x509_att.lo \ + x509/libcrypto_la-x509_bcons.lo \ + x509/libcrypto_la-x509_bitst.lo x509/libcrypto_la-x509_cmp.lo \ + x509/libcrypto_la-x509_conf.lo \ + x509/libcrypto_la-x509_constraints.lo \ + x509/libcrypto_la-x509_cpols.lo x509/libcrypto_la-x509_crld.lo \ x509/libcrypto_la-x509_d2.lo x509/libcrypto_la-x509_def.lo \ - x509/libcrypto_la-x509_err.lo x509/libcrypto_la-x509_ext.lo \ - x509/libcrypto_la-x509_lu.lo x509/libcrypto_la-x509_obj.lo \ + x509/libcrypto_la-x509_enum.lo x509/libcrypto_la-x509_err.lo \ + x509/libcrypto_la-x509_ext.lo x509/libcrypto_la-x509_extku.lo \ + x509/libcrypto_la-x509_genn.lo x509/libcrypto_la-x509_ia5.lo \ + x509/libcrypto_la-x509_info.lo x509/libcrypto_la-x509_int.lo \ + x509/libcrypto_la-x509_issuer_cache.lo \ + x509/libcrypto_la-x509_lib.lo x509/libcrypto_la-x509_lu.lo \ + x509/libcrypto_la-x509_ncons.lo x509/libcrypto_la-x509_obj.lo \ + x509/libcrypto_la-x509_ocsp.lo x509/libcrypto_la-x509_pci.lo \ + x509/libcrypto_la-x509_pcia.lo x509/libcrypto_la-x509_pcons.lo \ + x509/libcrypto_la-x509_pku.lo x509/libcrypto_la-x509_pmaps.lo \ + x509/libcrypto_la-x509_prn.lo x509/libcrypto_la-x509_purp.lo \ x509/libcrypto_la-x509_r2x.lo x509/libcrypto_la-x509_req.lo \ - x509/libcrypto_la-x509_set.lo x509/libcrypto_la-x509_trs.lo \ - x509/libcrypto_la-x509_txt.lo x509/libcrypto_la-x509_v3.lo \ + x509/libcrypto_la-x509_set.lo x509/libcrypto_la-x509_skey.lo \ + x509/libcrypto_la-x509_sxnet.lo x509/libcrypto_la-x509_trs.lo \ + x509/libcrypto_la-x509_txt.lo x509/libcrypto_la-x509_utl.lo \ + x509/libcrypto_la-x509_v3.lo x509/libcrypto_la-x509_verify.lo \ x509/libcrypto_la-x509_vfy.lo x509/libcrypto_la-x509_vpm.lo \ x509/libcrypto_la-x509cset.lo x509/libcrypto_la-x509name.lo \ x509/libcrypto_la-x509rset.lo x509/libcrypto_la-x509spki.lo \ - x509/libcrypto_la-x509type.lo x509/libcrypto_la-x_all.lo \ - x509v3/libcrypto_la-pcy_cache.lo \ - x509v3/libcrypto_la-pcy_data.lo x509v3/libcrypto_la-pcy_lib.lo \ - x509v3/libcrypto_la-pcy_map.lo x509v3/libcrypto_la-pcy_node.lo \ - x509v3/libcrypto_la-pcy_tree.lo x509v3/libcrypto_la-v3_akey.lo \ - x509v3/libcrypto_la-v3_akeya.lo x509v3/libcrypto_la-v3_alt.lo \ - x509v3/libcrypto_la-v3_bcons.lo \ - x509v3/libcrypto_la-v3_bitst.lo x509v3/libcrypto_la-v3_conf.lo \ - x509v3/libcrypto_la-v3_cpols.lo x509v3/libcrypto_la-v3_crld.lo \ - x509v3/libcrypto_la-v3_enum.lo x509v3/libcrypto_la-v3_extku.lo \ - x509v3/libcrypto_la-v3_genn.lo x509v3/libcrypto_la-v3_ia5.lo \ - x509v3/libcrypto_la-v3_info.lo x509v3/libcrypto_la-v3_int.lo \ - x509v3/libcrypto_la-v3_lib.lo x509v3/libcrypto_la-v3_ncons.lo \ - x509v3/libcrypto_la-v3_ocsp.lo x509v3/libcrypto_la-v3_pci.lo \ - x509v3/libcrypto_la-v3_pcia.lo x509v3/libcrypto_la-v3_pcons.lo \ - x509v3/libcrypto_la-v3_pku.lo x509v3/libcrypto_la-v3_pmaps.lo \ - x509v3/libcrypto_la-v3_prn.lo x509v3/libcrypto_la-v3_purp.lo \ - x509v3/libcrypto_la-v3_skey.lo x509v3/libcrypto_la-v3_sxnet.lo \ - x509v3/libcrypto_la-v3_utl.lo x509v3/libcrypto_la-v3err.lo + x509/libcrypto_la-x509type.lo x509/libcrypto_la-x_all.lo libcrypto_la_OBJECTS = $(am_libcrypto_la_OBJECTS) libcrypto_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libcrypto_la_LDFLAGS) $(LDFLAGS) -o $@ +@ENABLE_LIBTLS_ONLY_FALSE@am_libcrypto_la_rpath = -rpath $(libdir) +@ENABLE_LIBTLS_ONLY_TRUE@am_libcrypto_la_rpath = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -1128,6 +1147,20 @@ am__depfiles_remade = ./$(DEPDIR)/libcrypto_la-armcap.Plo \ cmac/$(DEPDIR)/libcrypto_la-cm_ameth.Plo \ cmac/$(DEPDIR)/libcrypto_la-cm_pmeth.Plo \ cmac/$(DEPDIR)/libcrypto_la-cmac.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_asn1.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_att.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_cd.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_dd.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_enc.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_env.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_err.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_ess.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_io.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_kari.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_lib.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_pwri.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_sd.Plo \ + cms/$(DEPDIR)/libcrypto_la-cms_smime.Plo \ comp/$(DEPDIR)/libcrypto_la-c_rle.Plo \ comp/$(DEPDIR)/libcrypto_la-c_zlib.Plo \ comp/$(DEPDIR)/libcrypto_la-comp_err.Plo \ @@ -1521,20 +1554,56 @@ am__depfiles_remade = ./$(DEPDIR)/libcrypto_la-armcap.Plo \ x509/$(DEPDIR)/libcrypto_la-by_dir.Plo \ x509/$(DEPDIR)/libcrypto_la-by_file.Plo \ x509/$(DEPDIR)/libcrypto_la-by_mem.Plo \ + x509/$(DEPDIR)/libcrypto_la-pcy_cache.Plo \ + x509/$(DEPDIR)/libcrypto_la-pcy_data.Plo \ + x509/$(DEPDIR)/libcrypto_la-pcy_lib.Plo \ + x509/$(DEPDIR)/libcrypto_la-pcy_map.Plo \ + x509/$(DEPDIR)/libcrypto_la-pcy_node.Plo \ + x509/$(DEPDIR)/libcrypto_la-pcy_tree.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_akey.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_akeya.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_alt.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_att.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_bcons.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_bitst.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_cmp.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_conf.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_constraints.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_cpols.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_crld.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_d2.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_def.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_enum.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_err.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_ext.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_extku.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_genn.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_ia5.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_info.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_int.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_lib.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_lu.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_ncons.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_obj.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_pci.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_pcia.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_pcons.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_pku.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_prn.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_purp.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_r2x.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_req.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_set.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_skey.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_trs.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_txt.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_utl.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_v3.Plo \ + x509/$(DEPDIR)/libcrypto_la-x509_verify.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_vfy.Plo \ x509/$(DEPDIR)/libcrypto_la-x509_vpm.Plo \ x509/$(DEPDIR)/libcrypto_la-x509cset.Plo \ @@ -1542,41 +1611,7 @@ am__depfiles_remade = ./$(DEPDIR)/libcrypto_la-armcap.Plo \ x509/$(DEPDIR)/libcrypto_la-x509rset.Plo \ x509/$(DEPDIR)/libcrypto_la-x509spki.Plo \ x509/$(DEPDIR)/libcrypto_la-x509type.Plo \ - x509/$(DEPDIR)/libcrypto_la-x_all.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_info.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_int.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Plo \ - x509v3/$(DEPDIR)/libcrypto_la-v3err.Plo + x509/$(DEPDIR)/libcrypto_la-x_all.Plo am__mv = mv -f CPPASCOMPILE = $(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) @@ -1758,6 +1793,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1774,36 +1810,38 @@ AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -I$(top_srcdir)/crypto/ecdh -I$(top_srcdir)/crypto/ecdsa \ -I$(top_srcdir)/crypto/evp -I$(top_srcdir)/crypto/modes \ -I$(top_srcdir)/crypto -lib_LTLIBRARIES = libcrypto.la +noinst_LTLIBRARIES = libcompat.la $(am__append_1) $(am__append_6) +@ENABLE_LIBTLS_ONLY_FALSE@lib_LTLIBRARIES = libcrypto.la # needed for a CMake target EXTRA_DIST = VERSION CMakeLists.txt crypto.sym compat/strcasecmp.c \ $(ASM_ARM_ELF) $(ASM_X86_64_ELF) $(ASM_X86_64_MACOSX) \ $(ASM_X86_64_MASM) $(ASM_X86_64_MINGW64) BUILT_SOURCES = crypto_portable.sym -CLEANFILES = crypto_portable.sym +CLEANFILES = crypto_portable.sym libcrypto_la_objects.mk libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym -libcrypto_la_LIBADD = libcompat.la $(am__append_1) +EXTRA_libcrypto_la_DEPENDENCIES = crypto_portable.sym \ + libcrypto_la_objects.mk +libcrypto_la_LIBADD = libcompat.la $(am__append_2) libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS) -DLIBRESSL_INTERNAL \ - -DOPENSSL_NO_HW_PADLOCK $(am__append_2) $(am__append_3) \ - $(am__append_4) $(am__append_35) $(am__append_37) \ - $(am__append_39) $(am__append_41) $(am__append_43) -noinst_LTLIBRARIES = libcompat.la $(am__append_5) + -DOPENSSL_NO_HW_PADLOCK $(am__append_3) $(am__append_4) \ + $(am__append_5) $(am__append_36) $(am__append_38) \ + $(am__append_40) $(am__append_42) $(am__append_44) @HAVE_EXPLICIT_BZERO_FALSE@libcompatnoopt_la_CFLAGS = -O0 @HAVE_EXPLICIT_BZERO_FALSE@libcompatnoopt_la_SOURCES = \ -@HAVE_EXPLICIT_BZERO_FALSE@ $(am__append_6) $(am__append_7) +@HAVE_EXPLICIT_BZERO_FALSE@ $(am__append_7) $(am__append_8) # other compatibility functions -libcompat_la_SOURCES = $(am__append_8) $(am__append_9) \ - $(am__append_10) $(am__append_11) $(am__append_12) \ - $(am__append_13) $(am__append_14) $(am__append_15) \ - $(am__append_16) $(am__append_17) $(am__append_18) \ - $(am__append_19) $(am__append_20) $(am__append_21) \ - $(am__append_22) $(am__append_23) $(am__append_24) \ - $(am__append_25) $(am__append_26) $(am__append_27) \ - $(am__append_28) $(am__append_29) $(am__append_30) \ - $(am__append_31) $(am__append_32) $(am__append_33) \ - $(am__append_34) +libcompat_la_SOURCES = $(am__append_9) $(am__append_10) \ + $(am__append_11) $(am__append_12) $(am__append_13) \ + $(am__append_14) $(am__append_15) $(am__append_16) \ + $(am__append_17) $(am__append_18) $(am__append_19) \ + $(am__append_20) $(am__append_21) $(am__append_22) \ + $(am__append_23) $(am__append_24) $(am__append_25) \ + $(am__append_26) $(am__append_27) $(am__append_28) \ + $(am__append_29) $(am__append_30) $(am__append_31) \ + $(am__append_32) $(am__append_33) $(am__append_34) \ + $(am__append_35) libcompat_la_LIBADD = $(PLATFORM_LDADD) # rc4 @@ -1816,16 +1854,17 @@ noinst_HEADERS = compat/arc4random.h compat/arc4random_aix.h \ x86_arch.h aes/aes_locl.h asn1/asn1_locl.h asn1/charmap.h \ bf/bf_locl.h bf/bf_pi.h bn/bn_lcl.h bn/bn_prime.h \ camellia/camellia.h camellia/cmll_locl.h cast/cast_lcl.h \ - cast/cast_s.h conf/conf_def.h curve25519/curve25519_internal.h \ - des/des_locl.h des/spr.h dsa/dsa_locl.h ec/ec_lcl.h \ - ecdh/ech_locl.h ecdsa/ecs_locl.h engine/eng_int.h \ - evp/evp_locl.h gost/gost.h gost/gost_asn1.h gost/gost_locl.h \ - idea/idea_lcl.h md4/md4_locl.h md5/md5_locl.h \ + cast/cast_s.h cms/cms_lcl.h conf/conf_def.h \ + curve25519/curve25519_internal.h des/des_locl.h des/spr.h \ + dsa/dsa_locl.h ec/ec_lcl.h ecdh/ech_locl.h ecdsa/ecs_locl.h \ + engine/eng_int.h evp/evp_locl.h gost/gost_asn1.h \ + gost/gost_locl.h idea/idea_lcl.h md4/md4_locl.h md5/md5_locl.h \ modes/modes_lcl.h objects/obj_dat.h objects/obj_xref.h \ rc2/rc2_locl.h rc4/rc4_locl.h ripemd/rmd_locl.h \ ripemd/rmdconst.h rsa/rsa_locl.h sha/sha_locl.h sm3/sm3_locl.h \ - ui/ui_locl.h whrlpool/wp_locl.h x509/x509_lcl.h x509/vpm_int.h \ - x509v3/ext_dat.h x509v3/pcy_int.h + ui/ui_locl.h whrlpool/wp_locl.h x509/ext_dat.h x509/pcy_int.h \ + x509/vpm_int.h x509/x509_internal.h x509/x509_issuer_cache.h \ + x509/x509_lcl.h # aes @@ -1845,6 +1884,8 @@ noinst_HEADERS = compat/arc4random.h compat/arc4random_aix.h \ # cmac +# cms + # comp # conf @@ -1922,12 +1963,10 @@ noinst_HEADERS = compat/arc4random.h compat/arc4random_aix.h \ # whrlpool # x509 - -# x509v3 -libcrypto_la_SOURCES = $(am__append_36) $(am__append_38) \ - $(am__append_40) $(am__append_42) $(am__append_44) \ - $(am__append_45) cpt_err.c cryptlib.c crypto_init.c \ - $(am__append_46) $(am__append_47) cversion.c ex_data.c \ +libcrypto_la_SOURCES = $(am__append_37) $(am__append_39) \ + $(am__append_41) $(am__append_43) $(am__append_45) \ + $(am__append_46) cpt_err.c cryptlib.c crypto_init.c \ + $(am__append_47) $(am__append_48) cversion.c ex_data.c \ malloc-wrapper.c mem_clr.c mem_dbg.c o_init.c o_str.c o_time.c \ aes/aes_cfb.c aes/aes_ctr.c aes/aes_ecb.c aes/aes_ige.c \ aes/aes_misc.c aes/aes_ofb.c aes/aes_wrap.c asn1/a_bitstr.c \ @@ -1951,11 +1990,11 @@ libcrypto_la_SOURCES = $(am__append_36) $(am__append_38) \ asn1/x_pkey.c asn1/x_pubkey.c asn1/x_req.c asn1/x_sig.c \ asn1/x_spki.c asn1/x_val.c asn1/x_x509.c asn1/x_x509a.c \ bf/bf_cfb64.c bf/bf_ecb.c bf/bf_enc.c bf/bf_ofb64.c \ - bf/bf_skey.c bio/b_dump.c $(am__append_48) bio/b_print.c \ - bio/b_sock.c $(am__append_49) bio/bf_buff.c bio/bf_nbio.c \ + bf/bf_skey.c bio/b_dump.c $(am__append_49) bio/b_print.c \ + bio/b_sock.c $(am__append_50) bio/bf_buff.c bio/bf_nbio.c \ bio/bf_null.c bio/bio_cb.c bio/bio_err.c bio/bio_lib.c \ bio/bio_meth.c bio/bss_acpt.c bio/bss_bio.c bio/bss_conn.c \ - bio/bss_dgram.c bio/bss_fd.c bio/bss_file.c $(am__append_50) \ + bio/bss_dgram.c bio/bss_fd.c bio/bss_file.c $(am__append_51) \ bio/bss_mem.c bio/bss_null.c bio/bss_sock.c bn/bn_add.c \ bn/bn_asm.c bn/bn_blind.c bn/bn_const.c bn/bn_ctx.c \ bn/bn_depr.c bn/bn_div.c bn/bn_err.c bn/bn_exp.c bn/bn_exp2.c \ @@ -1968,10 +2007,13 @@ libcrypto_la_SOURCES = $(am__append_36) $(am__append_38) \ camellia/cmll_ecb.c camellia/cmll_misc.c camellia/cmll_ofb.c \ cast/c_cfb64.c cast/c_ecb.c cast/c_enc.c cast/c_ofb64.c \ cast/c_skey.c chacha/chacha.c cmac/cm_ameth.c cmac/cm_pmeth.c \ - cmac/cmac.c comp/c_rle.c comp/c_zlib.c comp/comp_err.c \ - comp/comp_lib.c conf/conf_api.c conf/conf_def.c \ - conf/conf_err.c conf/conf_lib.c conf/conf_mall.c \ - conf/conf_mod.c conf/conf_sap.c \ + cmac/cmac.c cms/cms_asn1.c cms/cms_att.c cms/cms_cd.c \ + cms/cms_dd.c cms/cms_enc.c cms/cms_env.c cms/cms_err.c \ + cms/cms_ess.c cms/cms_io.c cms/cms_kari.c cms/cms_lib.c \ + cms/cms_pwri.c cms/cms_sd.c cms/cms_smime.c comp/c_rle.c \ + comp/c_zlib.c comp/comp_err.c comp/comp_lib.c conf/conf_api.c \ + conf/conf_def.c conf/conf_err.c conf/conf_lib.c \ + conf/conf_mall.c conf/conf_mod.c conf/conf_sap.c \ curve25519/curve25519-generic.c curve25519/curve25519.c \ des/cbc_cksm.c des/cbc_enc.c des/cfb64ede.c des/cfb64enc.c \ des/cfb_enc.c des/des_enc.c des/ecb3_enc.c des/ecb_enc.c \ @@ -2056,26 +2098,27 @@ libcrypto_la_SOURCES = $(am__append_36) $(am__append_38) \ ts/ts_err.c ts/ts_lib.c ts/ts_req_print.c ts/ts_req_utils.c \ ts/ts_rsp_print.c ts/ts_rsp_sign.c ts/ts_rsp_utils.c \ ts/ts_rsp_verify.c ts/ts_verify_ctx.c txt_db/txt_db.c \ - ui/ui_err.c ui/ui_lib.c $(am__append_51) $(am__append_52) \ + ui/ui_err.c ui/ui_lib.c $(am__append_52) $(am__append_53) \ ui/ui_util.c whrlpool/wp_dgst.c x509/by_dir.c x509/by_file.c \ - x509/by_mem.c x509/x509_att.c x509/x509_cmp.c x509/x509_d2.c \ - x509/x509_def.c x509/x509_err.c x509/x509_ext.c x509/x509_lu.c \ - x509/x509_obj.c x509/x509_r2x.c x509/x509_req.c \ - x509/x509_set.c x509/x509_trs.c x509/x509_txt.c x509/x509_v3.c \ - x509/x509_vfy.c x509/x509_vpm.c x509/x509cset.c \ - x509/x509name.c x509/x509rset.c x509/x509spki.c \ - x509/x509type.c x509/x_all.c x509v3/pcy_cache.c \ - x509v3/pcy_data.c x509v3/pcy_lib.c x509v3/pcy_map.c \ - x509v3/pcy_node.c x509v3/pcy_tree.c x509v3/v3_akey.c \ - x509v3/v3_akeya.c x509v3/v3_alt.c x509v3/v3_bcons.c \ - x509v3/v3_bitst.c x509v3/v3_conf.c x509v3/v3_cpols.c \ - x509v3/v3_crld.c x509v3/v3_enum.c x509v3/v3_extku.c \ - x509v3/v3_genn.c x509v3/v3_ia5.c x509v3/v3_info.c \ - x509v3/v3_int.c x509v3/v3_lib.c x509v3/v3_ncons.c \ - x509v3/v3_ocsp.c x509v3/v3_pci.c x509v3/v3_pcia.c \ - x509v3/v3_pcons.c x509v3/v3_pku.c x509v3/v3_pmaps.c \ - x509v3/v3_prn.c x509v3/v3_purp.c x509v3/v3_skey.c \ - x509v3/v3_sxnet.c x509v3/v3_utl.c x509v3/v3err.c + x509/by_mem.c x509/pcy_cache.c x509/pcy_data.c x509/pcy_lib.c \ + x509/pcy_map.c x509/pcy_node.c x509/pcy_tree.c \ + x509/x509_akey.c x509/x509_akeya.c x509/x509_alt.c \ + x509/x509_att.c x509/x509_bcons.c x509/x509_bitst.c \ + x509/x509_cmp.c x509/x509_conf.c x509/x509_constraints.c \ + x509/x509_cpols.c x509/x509_crld.c x509/x509_d2.c \ + x509/x509_def.c x509/x509_enum.c x509/x509_err.c \ + x509/x509_ext.c x509/x509_extku.c x509/x509_genn.c \ + x509/x509_ia5.c x509/x509_info.c x509/x509_int.c \ + x509/x509_issuer_cache.c x509/x509_lib.c x509/x509_lu.c \ + x509/x509_ncons.c x509/x509_obj.c x509/x509_ocsp.c \ + x509/x509_pci.c x509/x509_pcia.c x509/x509_pcons.c \ + x509/x509_pku.c x509/x509_pmaps.c x509/x509_prn.c \ + x509/x509_purp.c x509/x509_r2x.c x509/x509_req.c \ + x509/x509_set.c x509/x509_skey.c x509/x509_sxnet.c \ + x509/x509_trs.c x509/x509_txt.c x509/x509_utl.c x509/x509_v3.c \ + x509/x509_verify.c x509/x509_vfy.c x509/x509_vpm.c \ + x509/x509cset.c x509/x509name.c x509/x509rset.c \ + x509/x509spki.c x509/x509type.c x509/x_all.c # chacha @@ -2845,6 +2888,40 @@ cmac/libcrypto_la-cm_pmeth.lo: cmac/$(am__dirstamp) \ cmac/$(DEPDIR)/$(am__dirstamp) cmac/libcrypto_la-cmac.lo: cmac/$(am__dirstamp) \ cmac/$(DEPDIR)/$(am__dirstamp) +cms/$(am__dirstamp): + @$(MKDIR_P) cms + @: > cms/$(am__dirstamp) +cms/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) cms/$(DEPDIR) + @: > cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_asn1.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_att.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_cd.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_dd.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_enc.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_env.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_err.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_ess.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_io.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_kari.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_lib.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_pwri.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_sd.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) +cms/libcrypto_la-cms_smime.lo: cms/$(am__dirstamp) \ + cms/$(DEPDIR)/$(am__dirstamp) comp/$(am__dirstamp): @$(MKDIR_P) comp @: > comp/$(am__dirstamp) @@ -3710,34 +3787,106 @@ x509/libcrypto_la-by_file.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-by_mem.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-pcy_cache.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-pcy_data.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-pcy_lib.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-pcy_map.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-pcy_node.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-pcy_tree.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_akey.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_akeya.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_alt.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_att.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_bcons.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_bitst.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_cmp.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_conf.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_constraints.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_cpols.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_crld.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_d2.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_def.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_enum.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_err.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_ext.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_extku.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_genn.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_ia5.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_info.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_int.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_issuer_cache.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_lib.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_lu.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_ncons.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_obj.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_ocsp.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_pci.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_pcia.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_pcons.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_pku.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_pmaps.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_prn.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_purp.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_r2x.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_req.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_set.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_skey.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_sxnet.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_trs.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_txt.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_utl.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_v3.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) +x509/libcrypto_la-x509_verify.lo: x509/$(am__dirstamp) \ + x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_vfy.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x509_vpm.lo: x509/$(am__dirstamp) \ @@ -3754,80 +3903,6 @@ x509/libcrypto_la-x509type.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) x509/libcrypto_la-x_all.lo: x509/$(am__dirstamp) \ x509/$(DEPDIR)/$(am__dirstamp) -x509v3/$(am__dirstamp): - @$(MKDIR_P) x509v3 - @: > x509v3/$(am__dirstamp) -x509v3/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) x509v3/$(DEPDIR) - @: > x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-pcy_cache.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-pcy_data.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-pcy_lib.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-pcy_map.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-pcy_node.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-pcy_tree.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_akey.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_akeya.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_alt.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_bcons.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_bitst.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_conf.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_cpols.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_crld.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_enum.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_extku.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_genn.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_ia5.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_info.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_int.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_lib.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_ncons.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_ocsp.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_pci.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_pcia.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_pcons.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_pku.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_pmaps.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_prn.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_purp.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_skey.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_sxnet.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3_utl.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) -x509v3/libcrypto_la-v3err.lo: x509v3/$(am__dirstamp) \ - x509v3/$(DEPDIR)/$(am__dirstamp) chacha/libcrypto_la-chacha-merged.lo: chacha/$(am__dirstamp) \ chacha/$(DEPDIR)/$(am__dirstamp) des/libcrypto_la-ncbc_enc.lo: des/$(am__dirstamp) \ @@ -3836,7 +3911,7 @@ poly1305/libcrypto_la-poly1305-donna.lo: poly1305/$(am__dirstamp) \ poly1305/$(DEPDIR)/$(am__dirstamp) libcrypto.la: $(libcrypto_la_OBJECTS) $(libcrypto_la_DEPENDENCIES) $(EXTRA_libcrypto_la_DEPENDENCIES) - $(AM_V_CCLD)$(libcrypto_la_LINK) -rpath $(libdir) $(libcrypto_la_OBJECTS) $(libcrypto_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(libcrypto_la_LINK) $(am_libcrypto_la_rpath) $(libcrypto_la_OBJECTS) $(libcrypto_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -3860,6 +3935,8 @@ mostlyclean-compile: -rm -f chacha/*.lo -rm -f cmac/*.$(OBJEXT) -rm -f cmac/*.lo + -rm -f cms/*.$(OBJEXT) + -rm -f cms/*.lo -rm -f comp/*.$(OBJEXT) -rm -f comp/*.lo -rm -f compat/*.$(OBJEXT) @@ -3944,8 +4021,6 @@ mostlyclean-compile: -rm -f whrlpool/*.lo -rm -f x509/*.$(OBJEXT) -rm -f x509/*.lo - -rm -f x509v3/*.$(OBJEXT) - -rm -f x509v3/*.lo distclean-compile: -rm -f *.tab.c @@ -4165,6 +4240,20 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@cmac/$(DEPDIR)/libcrypto_la-cm_ameth.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@cmac/$(DEPDIR)/libcrypto_la-cm_pmeth.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@cmac/$(DEPDIR)/libcrypto_la-cmac.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_asn1.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_att.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_cd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_dd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_enc.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_env.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_err.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_ess.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_io.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_kari.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_lib.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_pwri.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_sd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@cms/$(DEPDIR)/libcrypto_la-cms_smime.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@comp/$(DEPDIR)/libcrypto_la-c_rle.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@comp/$(DEPDIR)/libcrypto_la-c_zlib.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@comp/$(DEPDIR)/libcrypto_la-comp_err.Plo@am__quote@ # am--include-marker @@ -4561,20 +4650,56 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-by_dir.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-by_file.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-by_mem.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-pcy_cache.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-pcy_data.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-pcy_lib.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-pcy_map.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-pcy_node.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-pcy_tree.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_akey.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_akeya.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_alt.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_att.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_bcons.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_bitst.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_cmp.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_conf.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_constraints.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_cpols.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_crld.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_d2.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_def.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_enum.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_err.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_ext.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_extku.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_genn.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_ia5.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_info.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_int.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_lib.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_lu.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_ncons.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_obj.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_pci.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_pcia.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_pcons.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_pku.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_prn.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_purp.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_r2x.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_req.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_set.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_skey.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_trs.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_txt.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_utl.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_v3.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_verify.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_vfy.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509_vpm.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509cset.Plo@am__quote@ # am--include-marker @@ -4583,40 +4708,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509spki.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x509type.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@x509/$(DEPDIR)/libcrypto_la-x_all.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_info.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_int.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@x509v3/$(DEPDIR)/libcrypto_la-v3err.Plo@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -6464,6 +6555,104 @@ cmac/libcrypto_la-cmac.lo: cmac/cmac.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmac/libcrypto_la-cmac.lo `test -f 'cmac/cmac.c' || echo '$(srcdir)/'`cmac/cmac.c +cms/libcrypto_la-cms_asn1.lo: cms/cms_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_asn1.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_asn1.Tpo -c -o cms/libcrypto_la-cms_asn1.lo `test -f 'cms/cms_asn1.c' || echo '$(srcdir)/'`cms/cms_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_asn1.Tpo cms/$(DEPDIR)/libcrypto_la-cms_asn1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_asn1.c' object='cms/libcrypto_la-cms_asn1.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_asn1.lo `test -f 'cms/cms_asn1.c' || echo '$(srcdir)/'`cms/cms_asn1.c + +cms/libcrypto_la-cms_att.lo: cms/cms_att.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_att.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_att.Tpo -c -o cms/libcrypto_la-cms_att.lo `test -f 'cms/cms_att.c' || echo '$(srcdir)/'`cms/cms_att.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_att.Tpo cms/$(DEPDIR)/libcrypto_la-cms_att.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_att.c' object='cms/libcrypto_la-cms_att.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_att.lo `test -f 'cms/cms_att.c' || echo '$(srcdir)/'`cms/cms_att.c + +cms/libcrypto_la-cms_cd.lo: cms/cms_cd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_cd.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_cd.Tpo -c -o cms/libcrypto_la-cms_cd.lo `test -f 'cms/cms_cd.c' || echo '$(srcdir)/'`cms/cms_cd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_cd.Tpo cms/$(DEPDIR)/libcrypto_la-cms_cd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_cd.c' object='cms/libcrypto_la-cms_cd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_cd.lo `test -f 'cms/cms_cd.c' || echo '$(srcdir)/'`cms/cms_cd.c + +cms/libcrypto_la-cms_dd.lo: cms/cms_dd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_dd.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_dd.Tpo -c -o cms/libcrypto_la-cms_dd.lo `test -f 'cms/cms_dd.c' || echo '$(srcdir)/'`cms/cms_dd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_dd.Tpo cms/$(DEPDIR)/libcrypto_la-cms_dd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_dd.c' object='cms/libcrypto_la-cms_dd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_dd.lo `test -f 'cms/cms_dd.c' || echo '$(srcdir)/'`cms/cms_dd.c + +cms/libcrypto_la-cms_enc.lo: cms/cms_enc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_enc.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_enc.Tpo -c -o cms/libcrypto_la-cms_enc.lo `test -f 'cms/cms_enc.c' || echo '$(srcdir)/'`cms/cms_enc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_enc.Tpo cms/$(DEPDIR)/libcrypto_la-cms_enc.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_enc.c' object='cms/libcrypto_la-cms_enc.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_enc.lo `test -f 'cms/cms_enc.c' || echo '$(srcdir)/'`cms/cms_enc.c + +cms/libcrypto_la-cms_env.lo: cms/cms_env.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_env.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_env.Tpo -c -o cms/libcrypto_la-cms_env.lo `test -f 'cms/cms_env.c' || echo '$(srcdir)/'`cms/cms_env.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_env.Tpo cms/$(DEPDIR)/libcrypto_la-cms_env.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_env.c' object='cms/libcrypto_la-cms_env.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_env.lo `test -f 'cms/cms_env.c' || echo '$(srcdir)/'`cms/cms_env.c + +cms/libcrypto_la-cms_err.lo: cms/cms_err.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_err.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_err.Tpo -c -o cms/libcrypto_la-cms_err.lo `test -f 'cms/cms_err.c' || echo '$(srcdir)/'`cms/cms_err.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_err.Tpo cms/$(DEPDIR)/libcrypto_la-cms_err.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_err.c' object='cms/libcrypto_la-cms_err.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_err.lo `test -f 'cms/cms_err.c' || echo '$(srcdir)/'`cms/cms_err.c + +cms/libcrypto_la-cms_ess.lo: cms/cms_ess.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_ess.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_ess.Tpo -c -o cms/libcrypto_la-cms_ess.lo `test -f 'cms/cms_ess.c' || echo '$(srcdir)/'`cms/cms_ess.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_ess.Tpo cms/$(DEPDIR)/libcrypto_la-cms_ess.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_ess.c' object='cms/libcrypto_la-cms_ess.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_ess.lo `test -f 'cms/cms_ess.c' || echo '$(srcdir)/'`cms/cms_ess.c + +cms/libcrypto_la-cms_io.lo: cms/cms_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_io.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_io.Tpo -c -o cms/libcrypto_la-cms_io.lo `test -f 'cms/cms_io.c' || echo '$(srcdir)/'`cms/cms_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_io.Tpo cms/$(DEPDIR)/libcrypto_la-cms_io.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_io.c' object='cms/libcrypto_la-cms_io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_io.lo `test -f 'cms/cms_io.c' || echo '$(srcdir)/'`cms/cms_io.c + +cms/libcrypto_la-cms_kari.lo: cms/cms_kari.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_kari.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_kari.Tpo -c -o cms/libcrypto_la-cms_kari.lo `test -f 'cms/cms_kari.c' || echo '$(srcdir)/'`cms/cms_kari.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_kari.Tpo cms/$(DEPDIR)/libcrypto_la-cms_kari.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_kari.c' object='cms/libcrypto_la-cms_kari.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_kari.lo `test -f 'cms/cms_kari.c' || echo '$(srcdir)/'`cms/cms_kari.c + +cms/libcrypto_la-cms_lib.lo: cms/cms_lib.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_lib.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_lib.Tpo -c -o cms/libcrypto_la-cms_lib.lo `test -f 'cms/cms_lib.c' || echo '$(srcdir)/'`cms/cms_lib.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_lib.Tpo cms/$(DEPDIR)/libcrypto_la-cms_lib.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_lib.c' object='cms/libcrypto_la-cms_lib.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_lib.lo `test -f 'cms/cms_lib.c' || echo '$(srcdir)/'`cms/cms_lib.c + +cms/libcrypto_la-cms_pwri.lo: cms/cms_pwri.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_pwri.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_pwri.Tpo -c -o cms/libcrypto_la-cms_pwri.lo `test -f 'cms/cms_pwri.c' || echo '$(srcdir)/'`cms/cms_pwri.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_pwri.Tpo cms/$(DEPDIR)/libcrypto_la-cms_pwri.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_pwri.c' object='cms/libcrypto_la-cms_pwri.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_pwri.lo `test -f 'cms/cms_pwri.c' || echo '$(srcdir)/'`cms/cms_pwri.c + +cms/libcrypto_la-cms_sd.lo: cms/cms_sd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_sd.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_sd.Tpo -c -o cms/libcrypto_la-cms_sd.lo `test -f 'cms/cms_sd.c' || echo '$(srcdir)/'`cms/cms_sd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_sd.Tpo cms/$(DEPDIR)/libcrypto_la-cms_sd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_sd.c' object='cms/libcrypto_la-cms_sd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_sd.lo `test -f 'cms/cms_sd.c' || echo '$(srcdir)/'`cms/cms_sd.c + +cms/libcrypto_la-cms_smime.lo: cms/cms_smime.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cms/libcrypto_la-cms_smime.lo -MD -MP -MF cms/$(DEPDIR)/libcrypto_la-cms_smime.Tpo -c -o cms/libcrypto_la-cms_smime.lo `test -f 'cms/cms_smime.c' || echo '$(srcdir)/'`cms/cms_smime.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) cms/$(DEPDIR)/libcrypto_la-cms_smime.Tpo cms/$(DEPDIR)/libcrypto_la-cms_smime.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cms/cms_smime.c' object='cms/libcrypto_la-cms_smime.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cms/libcrypto_la-cms_smime.lo `test -f 'cms/cms_smime.c' || echo '$(srcdir)/'`cms/cms_smime.c + comp/libcrypto_la-c_rle.lo: comp/c_rle.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT comp/libcrypto_la-c_rle.lo -MD -MP -MF comp/$(DEPDIR)/libcrypto_la-c_rle.Tpo -c -o comp/libcrypto_la-c_rle.lo `test -f 'comp/c_rle.c' || echo '$(srcdir)/'`comp/c_rle.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) comp/$(DEPDIR)/libcrypto_la-c_rle.Tpo comp/$(DEPDIR)/libcrypto_la-c_rle.Plo @@ -8732,6 +8921,69 @@ x509/libcrypto_la-by_mem.lo: x509/by_mem.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-by_mem.lo `test -f 'x509/by_mem.c' || echo '$(srcdir)/'`x509/by_mem.c +x509/libcrypto_la-pcy_cache.lo: x509/pcy_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-pcy_cache.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-pcy_cache.Tpo -c -o x509/libcrypto_la-pcy_cache.lo `test -f 'x509/pcy_cache.c' || echo '$(srcdir)/'`x509/pcy_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-pcy_cache.Tpo x509/$(DEPDIR)/libcrypto_la-pcy_cache.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/pcy_cache.c' object='x509/libcrypto_la-pcy_cache.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-pcy_cache.lo `test -f 'x509/pcy_cache.c' || echo '$(srcdir)/'`x509/pcy_cache.c + +x509/libcrypto_la-pcy_data.lo: x509/pcy_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-pcy_data.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-pcy_data.Tpo -c -o x509/libcrypto_la-pcy_data.lo `test -f 'x509/pcy_data.c' || echo '$(srcdir)/'`x509/pcy_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-pcy_data.Tpo x509/$(DEPDIR)/libcrypto_la-pcy_data.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/pcy_data.c' object='x509/libcrypto_la-pcy_data.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-pcy_data.lo `test -f 'x509/pcy_data.c' || echo '$(srcdir)/'`x509/pcy_data.c + +x509/libcrypto_la-pcy_lib.lo: x509/pcy_lib.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-pcy_lib.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-pcy_lib.Tpo -c -o x509/libcrypto_la-pcy_lib.lo `test -f 'x509/pcy_lib.c' || echo '$(srcdir)/'`x509/pcy_lib.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-pcy_lib.Tpo x509/$(DEPDIR)/libcrypto_la-pcy_lib.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/pcy_lib.c' object='x509/libcrypto_la-pcy_lib.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-pcy_lib.lo `test -f 'x509/pcy_lib.c' || echo '$(srcdir)/'`x509/pcy_lib.c + +x509/libcrypto_la-pcy_map.lo: x509/pcy_map.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-pcy_map.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-pcy_map.Tpo -c -o x509/libcrypto_la-pcy_map.lo `test -f 'x509/pcy_map.c' || echo '$(srcdir)/'`x509/pcy_map.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-pcy_map.Tpo x509/$(DEPDIR)/libcrypto_la-pcy_map.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/pcy_map.c' object='x509/libcrypto_la-pcy_map.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-pcy_map.lo `test -f 'x509/pcy_map.c' || echo '$(srcdir)/'`x509/pcy_map.c + +x509/libcrypto_la-pcy_node.lo: x509/pcy_node.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-pcy_node.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-pcy_node.Tpo -c -o x509/libcrypto_la-pcy_node.lo `test -f 'x509/pcy_node.c' || echo '$(srcdir)/'`x509/pcy_node.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-pcy_node.Tpo x509/$(DEPDIR)/libcrypto_la-pcy_node.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/pcy_node.c' object='x509/libcrypto_la-pcy_node.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-pcy_node.lo `test -f 'x509/pcy_node.c' || echo '$(srcdir)/'`x509/pcy_node.c + +x509/libcrypto_la-pcy_tree.lo: x509/pcy_tree.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-pcy_tree.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-pcy_tree.Tpo -c -o x509/libcrypto_la-pcy_tree.lo `test -f 'x509/pcy_tree.c' || echo '$(srcdir)/'`x509/pcy_tree.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-pcy_tree.Tpo x509/$(DEPDIR)/libcrypto_la-pcy_tree.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/pcy_tree.c' object='x509/libcrypto_la-pcy_tree.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-pcy_tree.lo `test -f 'x509/pcy_tree.c' || echo '$(srcdir)/'`x509/pcy_tree.c + +x509/libcrypto_la-x509_akey.lo: x509/x509_akey.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_akey.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_akey.Tpo -c -o x509/libcrypto_la-x509_akey.lo `test -f 'x509/x509_akey.c' || echo '$(srcdir)/'`x509/x509_akey.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_akey.Tpo x509/$(DEPDIR)/libcrypto_la-x509_akey.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_akey.c' object='x509/libcrypto_la-x509_akey.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_akey.lo `test -f 'x509/x509_akey.c' || echo '$(srcdir)/'`x509/x509_akey.c + +x509/libcrypto_la-x509_akeya.lo: x509/x509_akeya.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_akeya.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_akeya.Tpo -c -o x509/libcrypto_la-x509_akeya.lo `test -f 'x509/x509_akeya.c' || echo '$(srcdir)/'`x509/x509_akeya.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_akeya.Tpo x509/$(DEPDIR)/libcrypto_la-x509_akeya.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_akeya.c' object='x509/libcrypto_la-x509_akeya.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_akeya.lo `test -f 'x509/x509_akeya.c' || echo '$(srcdir)/'`x509/x509_akeya.c + +x509/libcrypto_la-x509_alt.lo: x509/x509_alt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_alt.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_alt.Tpo -c -o x509/libcrypto_la-x509_alt.lo `test -f 'x509/x509_alt.c' || echo '$(srcdir)/'`x509/x509_alt.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_alt.Tpo x509/$(DEPDIR)/libcrypto_la-x509_alt.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_alt.c' object='x509/libcrypto_la-x509_alt.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_alt.lo `test -f 'x509/x509_alt.c' || echo '$(srcdir)/'`x509/x509_alt.c + x509/libcrypto_la-x509_att.lo: x509/x509_att.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_att.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_att.Tpo -c -o x509/libcrypto_la-x509_att.lo `test -f 'x509/x509_att.c' || echo '$(srcdir)/'`x509/x509_att.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_att.Tpo x509/$(DEPDIR)/libcrypto_la-x509_att.Plo @@ -8739,6 +8991,20 @@ x509/libcrypto_la-x509_att.lo: x509/x509_att.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_att.lo `test -f 'x509/x509_att.c' || echo '$(srcdir)/'`x509/x509_att.c +x509/libcrypto_la-x509_bcons.lo: x509/x509_bcons.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_bcons.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_bcons.Tpo -c -o x509/libcrypto_la-x509_bcons.lo `test -f 'x509/x509_bcons.c' || echo '$(srcdir)/'`x509/x509_bcons.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_bcons.Tpo x509/$(DEPDIR)/libcrypto_la-x509_bcons.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_bcons.c' object='x509/libcrypto_la-x509_bcons.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_bcons.lo `test -f 'x509/x509_bcons.c' || echo '$(srcdir)/'`x509/x509_bcons.c + +x509/libcrypto_la-x509_bitst.lo: x509/x509_bitst.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_bitst.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_bitst.Tpo -c -o x509/libcrypto_la-x509_bitst.lo `test -f 'x509/x509_bitst.c' || echo '$(srcdir)/'`x509/x509_bitst.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_bitst.Tpo x509/$(DEPDIR)/libcrypto_la-x509_bitst.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_bitst.c' object='x509/libcrypto_la-x509_bitst.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_bitst.lo `test -f 'x509/x509_bitst.c' || echo '$(srcdir)/'`x509/x509_bitst.c + x509/libcrypto_la-x509_cmp.lo: x509/x509_cmp.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_cmp.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_cmp.Tpo -c -o x509/libcrypto_la-x509_cmp.lo `test -f 'x509/x509_cmp.c' || echo '$(srcdir)/'`x509/x509_cmp.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_cmp.Tpo x509/$(DEPDIR)/libcrypto_la-x509_cmp.Plo @@ -8746,6 +9012,34 @@ x509/libcrypto_la-x509_cmp.lo: x509/x509_cmp.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_cmp.lo `test -f 'x509/x509_cmp.c' || echo '$(srcdir)/'`x509/x509_cmp.c +x509/libcrypto_la-x509_conf.lo: x509/x509_conf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_conf.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_conf.Tpo -c -o x509/libcrypto_la-x509_conf.lo `test -f 'x509/x509_conf.c' || echo '$(srcdir)/'`x509/x509_conf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_conf.Tpo x509/$(DEPDIR)/libcrypto_la-x509_conf.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_conf.c' object='x509/libcrypto_la-x509_conf.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_conf.lo `test -f 'x509/x509_conf.c' || echo '$(srcdir)/'`x509/x509_conf.c + +x509/libcrypto_la-x509_constraints.lo: x509/x509_constraints.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_constraints.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_constraints.Tpo -c -o x509/libcrypto_la-x509_constraints.lo `test -f 'x509/x509_constraints.c' || echo '$(srcdir)/'`x509/x509_constraints.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_constraints.Tpo x509/$(DEPDIR)/libcrypto_la-x509_constraints.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_constraints.c' object='x509/libcrypto_la-x509_constraints.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_constraints.lo `test -f 'x509/x509_constraints.c' || echo '$(srcdir)/'`x509/x509_constraints.c + +x509/libcrypto_la-x509_cpols.lo: x509/x509_cpols.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_cpols.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_cpols.Tpo -c -o x509/libcrypto_la-x509_cpols.lo `test -f 'x509/x509_cpols.c' || echo '$(srcdir)/'`x509/x509_cpols.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_cpols.Tpo x509/$(DEPDIR)/libcrypto_la-x509_cpols.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_cpols.c' object='x509/libcrypto_la-x509_cpols.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_cpols.lo `test -f 'x509/x509_cpols.c' || echo '$(srcdir)/'`x509/x509_cpols.c + +x509/libcrypto_la-x509_crld.lo: x509/x509_crld.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_crld.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_crld.Tpo -c -o x509/libcrypto_la-x509_crld.lo `test -f 'x509/x509_crld.c' || echo '$(srcdir)/'`x509/x509_crld.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_crld.Tpo x509/$(DEPDIR)/libcrypto_la-x509_crld.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_crld.c' object='x509/libcrypto_la-x509_crld.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_crld.lo `test -f 'x509/x509_crld.c' || echo '$(srcdir)/'`x509/x509_crld.c + x509/libcrypto_la-x509_d2.lo: x509/x509_d2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_d2.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_d2.Tpo -c -o x509/libcrypto_la-x509_d2.lo `test -f 'x509/x509_d2.c' || echo '$(srcdir)/'`x509/x509_d2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_d2.Tpo x509/$(DEPDIR)/libcrypto_la-x509_d2.Plo @@ -8760,6 +9054,13 @@ x509/libcrypto_la-x509_def.lo: x509/x509_def.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_def.lo `test -f 'x509/x509_def.c' || echo '$(srcdir)/'`x509/x509_def.c +x509/libcrypto_la-x509_enum.lo: x509/x509_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_enum.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_enum.Tpo -c -o x509/libcrypto_la-x509_enum.lo `test -f 'x509/x509_enum.c' || echo '$(srcdir)/'`x509/x509_enum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_enum.Tpo x509/$(DEPDIR)/libcrypto_la-x509_enum.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_enum.c' object='x509/libcrypto_la-x509_enum.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_enum.lo `test -f 'x509/x509_enum.c' || echo '$(srcdir)/'`x509/x509_enum.c + x509/libcrypto_la-x509_err.lo: x509/x509_err.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_err.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_err.Tpo -c -o x509/libcrypto_la-x509_err.lo `test -f 'x509/x509_err.c' || echo '$(srcdir)/'`x509/x509_err.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_err.Tpo x509/$(DEPDIR)/libcrypto_la-x509_err.Plo @@ -8774,6 +9075,55 @@ x509/libcrypto_la-x509_ext.lo: x509/x509_ext.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_ext.lo `test -f 'x509/x509_ext.c' || echo '$(srcdir)/'`x509/x509_ext.c +x509/libcrypto_la-x509_extku.lo: x509/x509_extku.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_extku.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_extku.Tpo -c -o x509/libcrypto_la-x509_extku.lo `test -f 'x509/x509_extku.c' || echo '$(srcdir)/'`x509/x509_extku.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_extku.Tpo x509/$(DEPDIR)/libcrypto_la-x509_extku.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_extku.c' object='x509/libcrypto_la-x509_extku.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_extku.lo `test -f 'x509/x509_extku.c' || echo '$(srcdir)/'`x509/x509_extku.c + +x509/libcrypto_la-x509_genn.lo: x509/x509_genn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_genn.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_genn.Tpo -c -o x509/libcrypto_la-x509_genn.lo `test -f 'x509/x509_genn.c' || echo '$(srcdir)/'`x509/x509_genn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_genn.Tpo x509/$(DEPDIR)/libcrypto_la-x509_genn.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_genn.c' object='x509/libcrypto_la-x509_genn.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_genn.lo `test -f 'x509/x509_genn.c' || echo '$(srcdir)/'`x509/x509_genn.c + +x509/libcrypto_la-x509_ia5.lo: x509/x509_ia5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_ia5.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_ia5.Tpo -c -o x509/libcrypto_la-x509_ia5.lo `test -f 'x509/x509_ia5.c' || echo '$(srcdir)/'`x509/x509_ia5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_ia5.Tpo x509/$(DEPDIR)/libcrypto_la-x509_ia5.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_ia5.c' object='x509/libcrypto_la-x509_ia5.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_ia5.lo `test -f 'x509/x509_ia5.c' || echo '$(srcdir)/'`x509/x509_ia5.c + +x509/libcrypto_la-x509_info.lo: x509/x509_info.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_info.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_info.Tpo -c -o x509/libcrypto_la-x509_info.lo `test -f 'x509/x509_info.c' || echo '$(srcdir)/'`x509/x509_info.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_info.Tpo x509/$(DEPDIR)/libcrypto_la-x509_info.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_info.c' object='x509/libcrypto_la-x509_info.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_info.lo `test -f 'x509/x509_info.c' || echo '$(srcdir)/'`x509/x509_info.c + +x509/libcrypto_la-x509_int.lo: x509/x509_int.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_int.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_int.Tpo -c -o x509/libcrypto_la-x509_int.lo `test -f 'x509/x509_int.c' || echo '$(srcdir)/'`x509/x509_int.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_int.Tpo x509/$(DEPDIR)/libcrypto_la-x509_int.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_int.c' object='x509/libcrypto_la-x509_int.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_int.lo `test -f 'x509/x509_int.c' || echo '$(srcdir)/'`x509/x509_int.c + +x509/libcrypto_la-x509_issuer_cache.lo: x509/x509_issuer_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_issuer_cache.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Tpo -c -o x509/libcrypto_la-x509_issuer_cache.lo `test -f 'x509/x509_issuer_cache.c' || echo '$(srcdir)/'`x509/x509_issuer_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Tpo x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_issuer_cache.c' object='x509/libcrypto_la-x509_issuer_cache.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_issuer_cache.lo `test -f 'x509/x509_issuer_cache.c' || echo '$(srcdir)/'`x509/x509_issuer_cache.c + +x509/libcrypto_la-x509_lib.lo: x509/x509_lib.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_lib.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_lib.Tpo -c -o x509/libcrypto_la-x509_lib.lo `test -f 'x509/x509_lib.c' || echo '$(srcdir)/'`x509/x509_lib.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_lib.Tpo x509/$(DEPDIR)/libcrypto_la-x509_lib.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_lib.c' object='x509/libcrypto_la-x509_lib.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_lib.lo `test -f 'x509/x509_lib.c' || echo '$(srcdir)/'`x509/x509_lib.c + x509/libcrypto_la-x509_lu.lo: x509/x509_lu.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_lu.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_lu.Tpo -c -o x509/libcrypto_la-x509_lu.lo `test -f 'x509/x509_lu.c' || echo '$(srcdir)/'`x509/x509_lu.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_lu.Tpo x509/$(DEPDIR)/libcrypto_la-x509_lu.Plo @@ -8781,6 +9131,13 @@ x509/libcrypto_la-x509_lu.lo: x509/x509_lu.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_lu.lo `test -f 'x509/x509_lu.c' || echo '$(srcdir)/'`x509/x509_lu.c +x509/libcrypto_la-x509_ncons.lo: x509/x509_ncons.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_ncons.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_ncons.Tpo -c -o x509/libcrypto_la-x509_ncons.lo `test -f 'x509/x509_ncons.c' || echo '$(srcdir)/'`x509/x509_ncons.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_ncons.Tpo x509/$(DEPDIR)/libcrypto_la-x509_ncons.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_ncons.c' object='x509/libcrypto_la-x509_ncons.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_ncons.lo `test -f 'x509/x509_ncons.c' || echo '$(srcdir)/'`x509/x509_ncons.c + x509/libcrypto_la-x509_obj.lo: x509/x509_obj.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_obj.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_obj.Tpo -c -o x509/libcrypto_la-x509_obj.lo `test -f 'x509/x509_obj.c' || echo '$(srcdir)/'`x509/x509_obj.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_obj.Tpo x509/$(DEPDIR)/libcrypto_la-x509_obj.Plo @@ -8788,6 +9145,62 @@ x509/libcrypto_la-x509_obj.lo: x509/x509_obj.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_obj.lo `test -f 'x509/x509_obj.c' || echo '$(srcdir)/'`x509/x509_obj.c +x509/libcrypto_la-x509_ocsp.lo: x509/x509_ocsp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_ocsp.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Tpo -c -o x509/libcrypto_la-x509_ocsp.lo `test -f 'x509/x509_ocsp.c' || echo '$(srcdir)/'`x509/x509_ocsp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Tpo x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_ocsp.c' object='x509/libcrypto_la-x509_ocsp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_ocsp.lo `test -f 'x509/x509_ocsp.c' || echo '$(srcdir)/'`x509/x509_ocsp.c + +x509/libcrypto_la-x509_pci.lo: x509/x509_pci.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_pci.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_pci.Tpo -c -o x509/libcrypto_la-x509_pci.lo `test -f 'x509/x509_pci.c' || echo '$(srcdir)/'`x509/x509_pci.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_pci.Tpo x509/$(DEPDIR)/libcrypto_la-x509_pci.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_pci.c' object='x509/libcrypto_la-x509_pci.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_pci.lo `test -f 'x509/x509_pci.c' || echo '$(srcdir)/'`x509/x509_pci.c + +x509/libcrypto_la-x509_pcia.lo: x509/x509_pcia.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_pcia.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_pcia.Tpo -c -o x509/libcrypto_la-x509_pcia.lo `test -f 'x509/x509_pcia.c' || echo '$(srcdir)/'`x509/x509_pcia.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_pcia.Tpo x509/$(DEPDIR)/libcrypto_la-x509_pcia.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_pcia.c' object='x509/libcrypto_la-x509_pcia.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_pcia.lo `test -f 'x509/x509_pcia.c' || echo '$(srcdir)/'`x509/x509_pcia.c + +x509/libcrypto_la-x509_pcons.lo: x509/x509_pcons.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_pcons.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_pcons.Tpo -c -o x509/libcrypto_la-x509_pcons.lo `test -f 'x509/x509_pcons.c' || echo '$(srcdir)/'`x509/x509_pcons.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_pcons.Tpo x509/$(DEPDIR)/libcrypto_la-x509_pcons.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_pcons.c' object='x509/libcrypto_la-x509_pcons.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_pcons.lo `test -f 'x509/x509_pcons.c' || echo '$(srcdir)/'`x509/x509_pcons.c + +x509/libcrypto_la-x509_pku.lo: x509/x509_pku.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_pku.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_pku.Tpo -c -o x509/libcrypto_la-x509_pku.lo `test -f 'x509/x509_pku.c' || echo '$(srcdir)/'`x509/x509_pku.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_pku.Tpo x509/$(DEPDIR)/libcrypto_la-x509_pku.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_pku.c' object='x509/libcrypto_la-x509_pku.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_pku.lo `test -f 'x509/x509_pku.c' || echo '$(srcdir)/'`x509/x509_pku.c + +x509/libcrypto_la-x509_pmaps.lo: x509/x509_pmaps.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_pmaps.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Tpo -c -o x509/libcrypto_la-x509_pmaps.lo `test -f 'x509/x509_pmaps.c' || echo '$(srcdir)/'`x509/x509_pmaps.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Tpo x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_pmaps.c' object='x509/libcrypto_la-x509_pmaps.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_pmaps.lo `test -f 'x509/x509_pmaps.c' || echo '$(srcdir)/'`x509/x509_pmaps.c + +x509/libcrypto_la-x509_prn.lo: x509/x509_prn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_prn.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_prn.Tpo -c -o x509/libcrypto_la-x509_prn.lo `test -f 'x509/x509_prn.c' || echo '$(srcdir)/'`x509/x509_prn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_prn.Tpo x509/$(DEPDIR)/libcrypto_la-x509_prn.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_prn.c' object='x509/libcrypto_la-x509_prn.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_prn.lo `test -f 'x509/x509_prn.c' || echo '$(srcdir)/'`x509/x509_prn.c + +x509/libcrypto_la-x509_purp.lo: x509/x509_purp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_purp.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_purp.Tpo -c -o x509/libcrypto_la-x509_purp.lo `test -f 'x509/x509_purp.c' || echo '$(srcdir)/'`x509/x509_purp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_purp.Tpo x509/$(DEPDIR)/libcrypto_la-x509_purp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_purp.c' object='x509/libcrypto_la-x509_purp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_purp.lo `test -f 'x509/x509_purp.c' || echo '$(srcdir)/'`x509/x509_purp.c + x509/libcrypto_la-x509_r2x.lo: x509/x509_r2x.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_r2x.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_r2x.Tpo -c -o x509/libcrypto_la-x509_r2x.lo `test -f 'x509/x509_r2x.c' || echo '$(srcdir)/'`x509/x509_r2x.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_r2x.Tpo x509/$(DEPDIR)/libcrypto_la-x509_r2x.Plo @@ -8809,6 +9222,20 @@ x509/libcrypto_la-x509_set.lo: x509/x509_set.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_set.lo `test -f 'x509/x509_set.c' || echo '$(srcdir)/'`x509/x509_set.c +x509/libcrypto_la-x509_skey.lo: x509/x509_skey.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_skey.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_skey.Tpo -c -o x509/libcrypto_la-x509_skey.lo `test -f 'x509/x509_skey.c' || echo '$(srcdir)/'`x509/x509_skey.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_skey.Tpo x509/$(DEPDIR)/libcrypto_la-x509_skey.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_skey.c' object='x509/libcrypto_la-x509_skey.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_skey.lo `test -f 'x509/x509_skey.c' || echo '$(srcdir)/'`x509/x509_skey.c + +x509/libcrypto_la-x509_sxnet.lo: x509/x509_sxnet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_sxnet.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Tpo -c -o x509/libcrypto_la-x509_sxnet.lo `test -f 'x509/x509_sxnet.c' || echo '$(srcdir)/'`x509/x509_sxnet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Tpo x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_sxnet.c' object='x509/libcrypto_la-x509_sxnet.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_sxnet.lo `test -f 'x509/x509_sxnet.c' || echo '$(srcdir)/'`x509/x509_sxnet.c + x509/libcrypto_la-x509_trs.lo: x509/x509_trs.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_trs.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_trs.Tpo -c -o x509/libcrypto_la-x509_trs.lo `test -f 'x509/x509_trs.c' || echo '$(srcdir)/'`x509/x509_trs.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_trs.Tpo x509/$(DEPDIR)/libcrypto_la-x509_trs.Plo @@ -8823,6 +9250,13 @@ x509/libcrypto_la-x509_txt.lo: x509/x509_txt.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_txt.lo `test -f 'x509/x509_txt.c' || echo '$(srcdir)/'`x509/x509_txt.c +x509/libcrypto_la-x509_utl.lo: x509/x509_utl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_utl.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_utl.Tpo -c -o x509/libcrypto_la-x509_utl.lo `test -f 'x509/x509_utl.c' || echo '$(srcdir)/'`x509/x509_utl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_utl.Tpo x509/$(DEPDIR)/libcrypto_la-x509_utl.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_utl.c' object='x509/libcrypto_la-x509_utl.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_utl.lo `test -f 'x509/x509_utl.c' || echo '$(srcdir)/'`x509/x509_utl.c + x509/libcrypto_la-x509_v3.lo: x509/x509_v3.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_v3.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_v3.Tpo -c -o x509/libcrypto_la-x509_v3.lo `test -f 'x509/x509_v3.c' || echo '$(srcdir)/'`x509/x509_v3.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_v3.Tpo x509/$(DEPDIR)/libcrypto_la-x509_v3.Plo @@ -8830,6 +9264,13 @@ x509/libcrypto_la-x509_v3.lo: x509/x509_v3.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_v3.lo `test -f 'x509/x509_v3.c' || echo '$(srcdir)/'`x509/x509_v3.c +x509/libcrypto_la-x509_verify.lo: x509/x509_verify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_verify.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_verify.Tpo -c -o x509/libcrypto_la-x509_verify.lo `test -f 'x509/x509_verify.c' || echo '$(srcdir)/'`x509/x509_verify.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_verify.Tpo x509/$(DEPDIR)/libcrypto_la-x509_verify.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509/x509_verify.c' object='x509/libcrypto_la-x509_verify.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_verify.lo `test -f 'x509/x509_verify.c' || echo '$(srcdir)/'`x509/x509_verify.c + x509/libcrypto_la-x509_vfy.lo: x509/x509_vfy.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_vfy.lo -MD -MP -MF x509/$(DEPDIR)/libcrypto_la-x509_vfy.Tpo -c -o x509/libcrypto_la-x509_vfy.lo `test -f 'x509/x509_vfy.c' || echo '$(srcdir)/'`x509/x509_vfy.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509/$(DEPDIR)/libcrypto_la-x509_vfy.Tpo x509/$(DEPDIR)/libcrypto_la-x509_vfy.Plo @@ -8886,244 +9327,6 @@ x509/libcrypto_la-x_all.lo: x509/x_all.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x_all.lo `test -f 'x509/x_all.c' || echo '$(srcdir)/'`x509/x_all.c -x509v3/libcrypto_la-pcy_cache.lo: x509v3/pcy_cache.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-pcy_cache.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Tpo -c -o x509v3/libcrypto_la-pcy_cache.lo `test -f 'x509v3/pcy_cache.c' || echo '$(srcdir)/'`x509v3/pcy_cache.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Tpo x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/pcy_cache.c' object='x509v3/libcrypto_la-pcy_cache.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-pcy_cache.lo `test -f 'x509v3/pcy_cache.c' || echo '$(srcdir)/'`x509v3/pcy_cache.c - -x509v3/libcrypto_la-pcy_data.lo: x509v3/pcy_data.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-pcy_data.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Tpo -c -o x509v3/libcrypto_la-pcy_data.lo `test -f 'x509v3/pcy_data.c' || echo '$(srcdir)/'`x509v3/pcy_data.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Tpo x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/pcy_data.c' object='x509v3/libcrypto_la-pcy_data.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-pcy_data.lo `test -f 'x509v3/pcy_data.c' || echo '$(srcdir)/'`x509v3/pcy_data.c - -x509v3/libcrypto_la-pcy_lib.lo: x509v3/pcy_lib.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-pcy_lib.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Tpo -c -o x509v3/libcrypto_la-pcy_lib.lo `test -f 'x509v3/pcy_lib.c' || echo '$(srcdir)/'`x509v3/pcy_lib.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Tpo x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/pcy_lib.c' object='x509v3/libcrypto_la-pcy_lib.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-pcy_lib.lo `test -f 'x509v3/pcy_lib.c' || echo '$(srcdir)/'`x509v3/pcy_lib.c - -x509v3/libcrypto_la-pcy_map.lo: x509v3/pcy_map.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-pcy_map.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Tpo -c -o x509v3/libcrypto_la-pcy_map.lo `test -f 'x509v3/pcy_map.c' || echo '$(srcdir)/'`x509v3/pcy_map.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Tpo x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/pcy_map.c' object='x509v3/libcrypto_la-pcy_map.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-pcy_map.lo `test -f 'x509v3/pcy_map.c' || echo '$(srcdir)/'`x509v3/pcy_map.c - -x509v3/libcrypto_la-pcy_node.lo: x509v3/pcy_node.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-pcy_node.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Tpo -c -o x509v3/libcrypto_la-pcy_node.lo `test -f 'x509v3/pcy_node.c' || echo '$(srcdir)/'`x509v3/pcy_node.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Tpo x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/pcy_node.c' object='x509v3/libcrypto_la-pcy_node.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-pcy_node.lo `test -f 'x509v3/pcy_node.c' || echo '$(srcdir)/'`x509v3/pcy_node.c - -x509v3/libcrypto_la-pcy_tree.lo: x509v3/pcy_tree.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-pcy_tree.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Tpo -c -o x509v3/libcrypto_la-pcy_tree.lo `test -f 'x509v3/pcy_tree.c' || echo '$(srcdir)/'`x509v3/pcy_tree.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Tpo x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/pcy_tree.c' object='x509v3/libcrypto_la-pcy_tree.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-pcy_tree.lo `test -f 'x509v3/pcy_tree.c' || echo '$(srcdir)/'`x509v3/pcy_tree.c - -x509v3/libcrypto_la-v3_akey.lo: x509v3/v3_akey.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_akey.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Tpo -c -o x509v3/libcrypto_la-v3_akey.lo `test -f 'x509v3/v3_akey.c' || echo '$(srcdir)/'`x509v3/v3_akey.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_akey.c' object='x509v3/libcrypto_la-v3_akey.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_akey.lo `test -f 'x509v3/v3_akey.c' || echo '$(srcdir)/'`x509v3/v3_akey.c - -x509v3/libcrypto_la-v3_akeya.lo: x509v3/v3_akeya.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_akeya.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Tpo -c -o x509v3/libcrypto_la-v3_akeya.lo `test -f 'x509v3/v3_akeya.c' || echo '$(srcdir)/'`x509v3/v3_akeya.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_akeya.c' object='x509v3/libcrypto_la-v3_akeya.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_akeya.lo `test -f 'x509v3/v3_akeya.c' || echo '$(srcdir)/'`x509v3/v3_akeya.c - -x509v3/libcrypto_la-v3_alt.lo: x509v3/v3_alt.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_alt.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Tpo -c -o x509v3/libcrypto_la-v3_alt.lo `test -f 'x509v3/v3_alt.c' || echo '$(srcdir)/'`x509v3/v3_alt.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_alt.c' object='x509v3/libcrypto_la-v3_alt.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_alt.lo `test -f 'x509v3/v3_alt.c' || echo '$(srcdir)/'`x509v3/v3_alt.c - -x509v3/libcrypto_la-v3_bcons.lo: x509v3/v3_bcons.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_bcons.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Tpo -c -o x509v3/libcrypto_la-v3_bcons.lo `test -f 'x509v3/v3_bcons.c' || echo '$(srcdir)/'`x509v3/v3_bcons.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_bcons.c' object='x509v3/libcrypto_la-v3_bcons.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_bcons.lo `test -f 'x509v3/v3_bcons.c' || echo '$(srcdir)/'`x509v3/v3_bcons.c - -x509v3/libcrypto_la-v3_bitst.lo: x509v3/v3_bitst.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_bitst.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Tpo -c -o x509v3/libcrypto_la-v3_bitst.lo `test -f 'x509v3/v3_bitst.c' || echo '$(srcdir)/'`x509v3/v3_bitst.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_bitst.c' object='x509v3/libcrypto_la-v3_bitst.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_bitst.lo `test -f 'x509v3/v3_bitst.c' || echo '$(srcdir)/'`x509v3/v3_bitst.c - -x509v3/libcrypto_la-v3_conf.lo: x509v3/v3_conf.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_conf.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Tpo -c -o x509v3/libcrypto_la-v3_conf.lo `test -f 'x509v3/v3_conf.c' || echo '$(srcdir)/'`x509v3/v3_conf.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_conf.c' object='x509v3/libcrypto_la-v3_conf.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_conf.lo `test -f 'x509v3/v3_conf.c' || echo '$(srcdir)/'`x509v3/v3_conf.c - -x509v3/libcrypto_la-v3_cpols.lo: x509v3/v3_cpols.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_cpols.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Tpo -c -o x509v3/libcrypto_la-v3_cpols.lo `test -f 'x509v3/v3_cpols.c' || echo '$(srcdir)/'`x509v3/v3_cpols.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_cpols.c' object='x509v3/libcrypto_la-v3_cpols.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_cpols.lo `test -f 'x509v3/v3_cpols.c' || echo '$(srcdir)/'`x509v3/v3_cpols.c - -x509v3/libcrypto_la-v3_crld.lo: x509v3/v3_crld.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_crld.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Tpo -c -o x509v3/libcrypto_la-v3_crld.lo `test -f 'x509v3/v3_crld.c' || echo '$(srcdir)/'`x509v3/v3_crld.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_crld.c' object='x509v3/libcrypto_la-v3_crld.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_crld.lo `test -f 'x509v3/v3_crld.c' || echo '$(srcdir)/'`x509v3/v3_crld.c - -x509v3/libcrypto_la-v3_enum.lo: x509v3/v3_enum.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_enum.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Tpo -c -o x509v3/libcrypto_la-v3_enum.lo `test -f 'x509v3/v3_enum.c' || echo '$(srcdir)/'`x509v3/v3_enum.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_enum.c' object='x509v3/libcrypto_la-v3_enum.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_enum.lo `test -f 'x509v3/v3_enum.c' || echo '$(srcdir)/'`x509v3/v3_enum.c - -x509v3/libcrypto_la-v3_extku.lo: x509v3/v3_extku.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_extku.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Tpo -c -o x509v3/libcrypto_la-v3_extku.lo `test -f 'x509v3/v3_extku.c' || echo '$(srcdir)/'`x509v3/v3_extku.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_extku.c' object='x509v3/libcrypto_la-v3_extku.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_extku.lo `test -f 'x509v3/v3_extku.c' || echo '$(srcdir)/'`x509v3/v3_extku.c - -x509v3/libcrypto_la-v3_genn.lo: x509v3/v3_genn.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_genn.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Tpo -c -o x509v3/libcrypto_la-v3_genn.lo `test -f 'x509v3/v3_genn.c' || echo '$(srcdir)/'`x509v3/v3_genn.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_genn.c' object='x509v3/libcrypto_la-v3_genn.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_genn.lo `test -f 'x509v3/v3_genn.c' || echo '$(srcdir)/'`x509v3/v3_genn.c - -x509v3/libcrypto_la-v3_ia5.lo: x509v3/v3_ia5.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_ia5.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Tpo -c -o x509v3/libcrypto_la-v3_ia5.lo `test -f 'x509v3/v3_ia5.c' || echo '$(srcdir)/'`x509v3/v3_ia5.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_ia5.c' object='x509v3/libcrypto_la-v3_ia5.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_ia5.lo `test -f 'x509v3/v3_ia5.c' || echo '$(srcdir)/'`x509v3/v3_ia5.c - -x509v3/libcrypto_la-v3_info.lo: x509v3/v3_info.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_info.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_info.Tpo -c -o x509v3/libcrypto_la-v3_info.lo `test -f 'x509v3/v3_info.c' || echo '$(srcdir)/'`x509v3/v3_info.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_info.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_info.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_info.c' object='x509v3/libcrypto_la-v3_info.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_info.lo `test -f 'x509v3/v3_info.c' || echo '$(srcdir)/'`x509v3/v3_info.c - -x509v3/libcrypto_la-v3_int.lo: x509v3/v3_int.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_int.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_int.Tpo -c -o x509v3/libcrypto_la-v3_int.lo `test -f 'x509v3/v3_int.c' || echo '$(srcdir)/'`x509v3/v3_int.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_int.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_int.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_int.c' object='x509v3/libcrypto_la-v3_int.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_int.lo `test -f 'x509v3/v3_int.c' || echo '$(srcdir)/'`x509v3/v3_int.c - -x509v3/libcrypto_la-v3_lib.lo: x509v3/v3_lib.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_lib.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Tpo -c -o x509v3/libcrypto_la-v3_lib.lo `test -f 'x509v3/v3_lib.c' || echo '$(srcdir)/'`x509v3/v3_lib.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_lib.c' object='x509v3/libcrypto_la-v3_lib.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_lib.lo `test -f 'x509v3/v3_lib.c' || echo '$(srcdir)/'`x509v3/v3_lib.c - -x509v3/libcrypto_la-v3_ncons.lo: x509v3/v3_ncons.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_ncons.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Tpo -c -o x509v3/libcrypto_la-v3_ncons.lo `test -f 'x509v3/v3_ncons.c' || echo '$(srcdir)/'`x509v3/v3_ncons.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_ncons.c' object='x509v3/libcrypto_la-v3_ncons.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_ncons.lo `test -f 'x509v3/v3_ncons.c' || echo '$(srcdir)/'`x509v3/v3_ncons.c - -x509v3/libcrypto_la-v3_ocsp.lo: x509v3/v3_ocsp.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_ocsp.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Tpo -c -o x509v3/libcrypto_la-v3_ocsp.lo `test -f 'x509v3/v3_ocsp.c' || echo '$(srcdir)/'`x509v3/v3_ocsp.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_ocsp.c' object='x509v3/libcrypto_la-v3_ocsp.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_ocsp.lo `test -f 'x509v3/v3_ocsp.c' || echo '$(srcdir)/'`x509v3/v3_ocsp.c - -x509v3/libcrypto_la-v3_pci.lo: x509v3/v3_pci.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_pci.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Tpo -c -o x509v3/libcrypto_la-v3_pci.lo `test -f 'x509v3/v3_pci.c' || echo '$(srcdir)/'`x509v3/v3_pci.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_pci.c' object='x509v3/libcrypto_la-v3_pci.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_pci.lo `test -f 'x509v3/v3_pci.c' || echo '$(srcdir)/'`x509v3/v3_pci.c - -x509v3/libcrypto_la-v3_pcia.lo: x509v3/v3_pcia.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_pcia.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Tpo -c -o x509v3/libcrypto_la-v3_pcia.lo `test -f 'x509v3/v3_pcia.c' || echo '$(srcdir)/'`x509v3/v3_pcia.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_pcia.c' object='x509v3/libcrypto_la-v3_pcia.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_pcia.lo `test -f 'x509v3/v3_pcia.c' || echo '$(srcdir)/'`x509v3/v3_pcia.c - -x509v3/libcrypto_la-v3_pcons.lo: x509v3/v3_pcons.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_pcons.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Tpo -c -o x509v3/libcrypto_la-v3_pcons.lo `test -f 'x509v3/v3_pcons.c' || echo '$(srcdir)/'`x509v3/v3_pcons.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_pcons.c' object='x509v3/libcrypto_la-v3_pcons.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_pcons.lo `test -f 'x509v3/v3_pcons.c' || echo '$(srcdir)/'`x509v3/v3_pcons.c - -x509v3/libcrypto_la-v3_pku.lo: x509v3/v3_pku.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_pku.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Tpo -c -o x509v3/libcrypto_la-v3_pku.lo `test -f 'x509v3/v3_pku.c' || echo '$(srcdir)/'`x509v3/v3_pku.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_pku.c' object='x509v3/libcrypto_la-v3_pku.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_pku.lo `test -f 'x509v3/v3_pku.c' || echo '$(srcdir)/'`x509v3/v3_pku.c - -x509v3/libcrypto_la-v3_pmaps.lo: x509v3/v3_pmaps.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_pmaps.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Tpo -c -o x509v3/libcrypto_la-v3_pmaps.lo `test -f 'x509v3/v3_pmaps.c' || echo '$(srcdir)/'`x509v3/v3_pmaps.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_pmaps.c' object='x509v3/libcrypto_la-v3_pmaps.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_pmaps.lo `test -f 'x509v3/v3_pmaps.c' || echo '$(srcdir)/'`x509v3/v3_pmaps.c - -x509v3/libcrypto_la-v3_prn.lo: x509v3/v3_prn.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_prn.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Tpo -c -o x509v3/libcrypto_la-v3_prn.lo `test -f 'x509v3/v3_prn.c' || echo '$(srcdir)/'`x509v3/v3_prn.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_prn.c' object='x509v3/libcrypto_la-v3_prn.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_prn.lo `test -f 'x509v3/v3_prn.c' || echo '$(srcdir)/'`x509v3/v3_prn.c - -x509v3/libcrypto_la-v3_purp.lo: x509v3/v3_purp.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_purp.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Tpo -c -o x509v3/libcrypto_la-v3_purp.lo `test -f 'x509v3/v3_purp.c' || echo '$(srcdir)/'`x509v3/v3_purp.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_purp.c' object='x509v3/libcrypto_la-v3_purp.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_purp.lo `test -f 'x509v3/v3_purp.c' || echo '$(srcdir)/'`x509v3/v3_purp.c - -x509v3/libcrypto_la-v3_skey.lo: x509v3/v3_skey.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_skey.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Tpo -c -o x509v3/libcrypto_la-v3_skey.lo `test -f 'x509v3/v3_skey.c' || echo '$(srcdir)/'`x509v3/v3_skey.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_skey.c' object='x509v3/libcrypto_la-v3_skey.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_skey.lo `test -f 'x509v3/v3_skey.c' || echo '$(srcdir)/'`x509v3/v3_skey.c - -x509v3/libcrypto_la-v3_sxnet.lo: x509v3/v3_sxnet.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_sxnet.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Tpo -c -o x509v3/libcrypto_la-v3_sxnet.lo `test -f 'x509v3/v3_sxnet.c' || echo '$(srcdir)/'`x509v3/v3_sxnet.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_sxnet.c' object='x509v3/libcrypto_la-v3_sxnet.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_sxnet.lo `test -f 'x509v3/v3_sxnet.c' || echo '$(srcdir)/'`x509v3/v3_sxnet.c - -x509v3/libcrypto_la-v3_utl.lo: x509v3/v3_utl.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3_utl.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Tpo -c -o x509v3/libcrypto_la-v3_utl.lo `test -f 'x509v3/v3_utl.c' || echo '$(srcdir)/'`x509v3/v3_utl.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3_utl.c' object='x509v3/libcrypto_la-v3_utl.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3_utl.lo `test -f 'x509v3/v3_utl.c' || echo '$(srcdir)/'`x509v3/v3_utl.c - -x509v3/libcrypto_la-v3err.lo: x509v3/v3err.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509v3/libcrypto_la-v3err.lo -MD -MP -MF x509v3/$(DEPDIR)/libcrypto_la-v3err.Tpo -c -o x509v3/libcrypto_la-v3err.lo `test -f 'x509v3/v3err.c' || echo '$(srcdir)/'`x509v3/v3err.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) x509v3/$(DEPDIR)/libcrypto_la-v3err.Tpo x509v3/$(DEPDIR)/libcrypto_la-v3err.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='x509v3/v3err.c' object='x509v3/libcrypto_la-v3err.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509v3/libcrypto_la-v3err.lo `test -f 'x509v3/v3err.c' || echo '$(srcdir)/'`x509v3/v3err.c - chacha/libcrypto_la-chacha-merged.lo: chacha/chacha-merged.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT chacha/libcrypto_la-chacha-merged.lo -MD -MP -MF chacha/$(DEPDIR)/libcrypto_la-chacha-merged.Tpo -c -o chacha/libcrypto_la-chacha-merged.lo `test -f 'chacha/chacha-merged.c' || echo '$(srcdir)/'`chacha/chacha-merged.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) chacha/$(DEPDIR)/libcrypto_la-chacha-merged.Tpo chacha/$(DEPDIR)/libcrypto_la-chacha-merged.Plo @@ -9160,6 +9363,7 @@ clean-libtool: -rm -rf cast/.libs cast/_libs -rm -rf chacha/.libs chacha/_libs -rm -rf cmac/.libs cmac/_libs + -rm -rf cms/.libs cms/_libs -rm -rf comp/.libs comp/_libs -rm -rf compat/.libs compat/_libs -rm -rf conf/.libs conf/_libs @@ -9202,7 +9406,6 @@ clean-libtool: -rm -rf ui/.libs ui/_libs -rm -rf whrlpool/.libs whrlpool/_libs -rm -rf x509/.libs x509/_libs - -rm -rf x509v3/.libs x509v3/_libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -9299,7 +9502,8 @@ installdirs: done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -9345,6 +9549,8 @@ distclean-generic: -rm -f chacha/$(am__dirstamp) -rm -f cmac/$(DEPDIR)/$(am__dirstamp) -rm -f cmac/$(am__dirstamp) + -rm -f cms/$(DEPDIR)/$(am__dirstamp) + -rm -f cms/$(am__dirstamp) -rm -f comp/$(DEPDIR)/$(am__dirstamp) -rm -f comp/$(am__dirstamp) -rm -f compat/$(DEPDIR)/$(am__dirstamp) @@ -9429,8 +9635,6 @@ distclean-generic: -rm -f whrlpool/$(am__dirstamp) -rm -f x509/$(DEPDIR)/$(am__dirstamp) -rm -f x509/$(am__dirstamp) - -rm -f x509v3/$(DEPDIR)/$(am__dirstamp) - -rm -f x509v3/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -9657,6 +9861,20 @@ distclean: distclean-am -rm -f cmac/$(DEPDIR)/libcrypto_la-cm_ameth.Plo -rm -f cmac/$(DEPDIR)/libcrypto_la-cm_pmeth.Plo -rm -f cmac/$(DEPDIR)/libcrypto_la-cmac.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_asn1.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_att.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_cd.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_dd.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_enc.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_env.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_err.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_ess.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_io.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_kari.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_lib.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_pwri.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_sd.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_smime.Plo -rm -f comp/$(DEPDIR)/libcrypto_la-c_rle.Plo -rm -f comp/$(DEPDIR)/libcrypto_la-c_zlib.Plo -rm -f comp/$(DEPDIR)/libcrypto_la-comp_err.Plo @@ -10053,20 +10271,56 @@ distclean: distclean-am -rm -f x509/$(DEPDIR)/libcrypto_la-by_dir.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-by_file.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-by_mem.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_cache.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_data.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_lib.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_map.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_node.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_tree.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_akey.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_akeya.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_alt.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_att.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_bcons.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_bitst.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_cmp.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_conf.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_constraints.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_cpols.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_crld.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_d2.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_def.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_enum.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_err.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ext.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_extku.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_genn.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ia5.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_info.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_int.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_lib.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_lu.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ncons.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_obj.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pci.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pcia.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pcons.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pku.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_prn.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_purp.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_r2x.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_req.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_set.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_skey.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_trs.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_txt.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_utl.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_v3.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_verify.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_vfy.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_vpm.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509cset.Plo @@ -10075,40 +10329,6 @@ distclean: distclean-am -rm -f x509/$(DEPDIR)/libcrypto_la-x509spki.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509type.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x_all.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_info.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_int.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3err.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -10369,6 +10589,20 @@ maintainer-clean: maintainer-clean-am -rm -f cmac/$(DEPDIR)/libcrypto_la-cm_ameth.Plo -rm -f cmac/$(DEPDIR)/libcrypto_la-cm_pmeth.Plo -rm -f cmac/$(DEPDIR)/libcrypto_la-cmac.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_asn1.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_att.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_cd.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_dd.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_enc.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_env.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_err.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_ess.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_io.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_kari.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_lib.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_pwri.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_sd.Plo + -rm -f cms/$(DEPDIR)/libcrypto_la-cms_smime.Plo -rm -f comp/$(DEPDIR)/libcrypto_la-c_rle.Plo -rm -f comp/$(DEPDIR)/libcrypto_la-c_zlib.Plo -rm -f comp/$(DEPDIR)/libcrypto_la-comp_err.Plo @@ -10765,20 +10999,56 @@ maintainer-clean: maintainer-clean-am -rm -f x509/$(DEPDIR)/libcrypto_la-by_dir.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-by_file.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-by_mem.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_cache.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_data.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_lib.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_map.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_node.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-pcy_tree.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_akey.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_akeya.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_alt.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_att.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_bcons.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_bitst.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_cmp.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_conf.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_constraints.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_cpols.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_crld.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_d2.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_def.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_enum.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_err.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ext.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_extku.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_genn.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ia5.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_info.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_int.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_issuer_cache.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_lib.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_lu.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ncons.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_obj.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_ocsp.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pci.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pcia.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pcons.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pku.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_pmaps.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_prn.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_purp.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_r2x.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_req.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_set.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_skey.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_sxnet.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_trs.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_txt.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_utl.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_v3.Plo + -rm -f x509/$(DEPDIR)/libcrypto_la-x509_verify.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_vfy.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509_vpm.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509cset.Plo @@ -10787,40 +11057,6 @@ maintainer-clean: maintainer-clean-am -rm -f x509/$(DEPDIR)/libcrypto_la-x509spki.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x509type.Plo -rm -f x509/$(DEPDIR)/libcrypto_la-x_all.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_cache.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_data.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_lib.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_map.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_node.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-pcy_tree.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_akey.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_akeya.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_alt.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_bcons.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_bitst.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_conf.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_cpols.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_crld.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_enum.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_extku.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_genn.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_ia5.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_info.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_int.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_lib.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_ncons.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_ocsp.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pci.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pcia.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pcons.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pku.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_pmaps.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_prn.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_purp.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_skey.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_sxnet.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3_utl.Plo - -rm -f x509v3/$(DEPDIR)/libcrypto_la-v3err.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -10839,7 +11075,7 @@ ps-am: uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: all check install install-am install-exec install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ clean-generic clean-libLTLIBRARIES clean-libtool \ @@ -10859,7 +11095,7 @@ uninstall-am: uninstall-libLTLIBRARIES .PRECIOUS: Makefile -crypto_portable.sym: +crypto_portable.sym: crypto.sym Makefile -echo "generating crypto_portable.sym ..." -cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym -chmod u+w crypto_portable.sym @@ -10897,6 +11133,17 @@ crypto_portable.sym: @HOST_WIN_TRUE@ -grep -v BIO_s_log crypto_portable.sym > crypto_portable.sym.tmp @HOST_WIN_TRUE@ -mv crypto_portable.sym.tmp crypto_portable.sym +libcrypto_la_objects.mk: Makefile + @echo "libcrypto_la_objects= $(libcrypto_la_OBJECTS)" \ + | sed 's/ */ $$\(abs_top_builddir\)\/crypto\//g' \ + > libcrypto_la_objects.mk + @echo "libcompat_la_objects= $(libcompat_la_OBJECTS)" \ + | sed 's/compat\// $$\(abs_top_builddir\)\/crypto\/&/g' \ + >> libcrypto_la_objects.mk + @echo "libcompatnoopt_la_objects= $(libcompatnoopt_la_OBJECTS)" \ + | sed 's/compat\// $$\(abs_top_builddir\)\/crypto\/&/g' \ + >> libcrypto_la_objects.mk + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/crypto/VERSION b/crypto/VERSION index a7136111..033e5621 100644 --- a/crypto/VERSION +++ b/crypto/VERSION @@ -1 +1 @@ -45:5:0 +46:2:0 diff --git a/crypto/aes/aes-masm-x86_64.S b/crypto/aes/aes-masm-x86_64.S index ff814c60..9094c729 100644 --- a/crypto/aes/aes-masm-x86_64.S +++ b/crypto/aes/aes-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/aes/aes-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/aes/aes-masm-x86_64.S.tmp" 2 diff --git a/crypto/aes/aesni-masm-x86_64.S b/crypto/aes/aesni-masm-x86_64.S index 7cd2d81a..f2a2490a 100644 --- a/crypto/aes/aesni-masm-x86_64.S +++ b/crypto/aes/aesni-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/aes/aesni-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/aes/aesni-masm-x86_64.S.tmp" 2 diff --git a/crypto/aes/aesni-sha1-masm-x86_64.S b/crypto/aes/aesni-sha1-masm-x86_64.S index 6890d7a8..db95881b 100644 --- a/crypto/aes/aesni-sha1-masm-x86_64.S +++ b/crypto/aes/aesni-sha1-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/aes/aesni-sha1-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/aes/aesni-sha1-masm-x86_64.S.tmp" 2 diff --git a/crypto/aes/bsaes-masm-x86_64.S b/crypto/aes/bsaes-masm-x86_64.S index 061caf74..6b1a97d5 100644 --- a/crypto/aes/bsaes-masm-x86_64.S +++ b/crypto/aes/bsaes-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/aes/bsaes-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/aes/bsaes-masm-x86_64.S.tmp" 2 diff --git a/crypto/aes/vpaes-masm-x86_64.S b/crypto/aes/vpaes-masm-x86_64.S index 0da0c0ba..e10d98d0 100644 --- a/crypto/aes/vpaes-masm-x86_64.S +++ b/crypto/aes/vpaes-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/aes/vpaes-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/aes/vpaes-masm-x86_64.S.tmp" 2 diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 7fd40d8a..f217f13d 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_bitstr.c,v 1.29 2018/10/20 16:07:09 tb Exp $ */ +/* $OpenBSD: a_bitstr.c,v 1.30 2020/09/03 17:19:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -215,8 +215,6 @@ ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) ASN1error(ERR_R_MALLOC_FAILURE); return 0; } - if (w + 1 - a->length > 0) - memset(c + a->length, 0, w + 1 - a->length); a->data = c; a->length = w + 1; } diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c index b6e22cbd..a1cc6f88 100644 --- a/crypto/asn1/a_time_tm.c +++ b/crypto/asn1/a_time_tm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_time_tm.c,v 1.15 2018/04/25 11:48:21 tb Exp $ */ +/* $OpenBSD: a_time_tm.c,v 1.17 2020/12/16 18:46:29 tb Exp $ */ /* * Copyright (c) 2015 Bob Beck * @@ -163,10 +163,9 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode) return (-1); lt = tm; - if (lt == NULL) { - memset(<m, 0, sizeof(ltm)); + if (lt == NULL) lt = <m; - } + memset(lt, 0, sizeof(*lt)); /* Timezone is required and must be GMT (Zulu). */ if (bytes[len - 1] != 'Z') @@ -354,7 +353,6 @@ ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out) if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME) return (NULL); - memset(&tm, 0, sizeof(tm)); if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type)) return (NULL); if ((str = gentime_string_from_tm(&tm)) == NULL) diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index 11d38300..a18ffe66 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_type.c,v 1.20 2018/04/25 11:48:21 tb Exp $ */ +/* $OpenBSD: a_type.c,v 1.21 2019/10/24 16:36:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -154,3 +154,34 @@ ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) return result; } + +ASN1_TYPE * +ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t) +{ + ASN1_OCTET_STRING *oct; + ASN1_TYPE *rt; + + if ((oct = ASN1_item_pack(s, it, NULL)) == NULL) + return NULL; + + if (t != NULL && *t != NULL) { + rt = *t; + } else { + if ((rt = ASN1_TYPE_new()) == NULL) { + ASN1_OCTET_STRING_free(oct); + return NULL; + } + if (t != NULL) + *t = rt; + } + ASN1_TYPE_set(rt, V_ASN1_SEQUENCE, oct); + return rt; +} + +void * +ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t) +{ + if (t == NULL || t->type != V_ASN1_SEQUENCE || t->value.sequence == NULL) + return NULL; + return ASN1_item_unpack(t->value.sequence, it); +} diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index 505e9869..8be82060 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ameth_lib.c,v 1.19 2018/08/24 20:22:15 tb Exp $ */ +/* $OpenBSD: ameth_lib.c,v 1.21 2019/11/02 16:06:25 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -71,6 +71,7 @@ #include "asn1_locl.h" extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[]; +extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth; extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[]; extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; @@ -104,6 +105,9 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #endif &hmac_asn1_meth, &cmac_asn1_meth, +#ifndef OPENSSL_NO_RSA + &rsa_pss_asn1_meth, +#endif #ifndef OPENSSL_NO_GOST &gostr01_asn1_meths[1], &gostr01_asn1_meths[2], diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 5cc35508..e2c56deb 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_err.c,v 1.21 2018/03/29 02:29:24 inoguchi Exp $ */ +/* $OpenBSD: asn1_err.c,v 1.22 2020/12/08 15:06:42 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -85,6 +85,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) , "bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) , "bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) , "bad tag"}, + {ERR_REASON(ASN1_R_BAD_TEMPLATE) , "bad template"}, {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), "bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) , "bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH), "boolean is wrong length"}, diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 5dc520c4..d760cccd 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_lib.c,v 1.44 2018/11/17 09:34:11 tb Exp $ */ +/* $OpenBSD: asn1_lib.c,v 1.45 2020/12/08 15:06:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -388,6 +388,8 @@ ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) { int i; + if (a == NULL || b == NULL) + return -1; i = (a->length - b->length); if (i == 0) { i = memcmp(a->data, b->data, a->length); diff --git a/crypto/asn1/asn1_locl.h b/crypto/asn1/asn1_locl.h index 5ade6c7e..39779d93 100644 --- a/crypto/asn1/asn1_locl.h +++ b/crypto/asn1/asn1_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_locl.h,v 1.11 2018/08/24 20:22:15 tb Exp $ */ +/* $OpenBSD: asn1_locl.h,v 1.12 2019/10/24 16:36:10 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -60,6 +60,9 @@ __BEGIN_HIDDEN_DECLS /* Internal ASN1 structures and functions: not for application use */ +ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t); +void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t); + /* ASN1 print context structure */ struct asn1_pctx_st { diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index 21f92d29..1ec9b1ac 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_par.c,v 1.27 2019/03/24 16:07:25 beck Exp $ */ +/* $OpenBSD: asn1_par.c,v 1.28 2020/01/09 11:27:21 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -123,6 +123,8 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, int nl, hl, j, r; ASN1_OBJECT *o = NULL; ASN1_OCTET_STRING *os = NULL; + ASN1_INTEGER *ai = NULL; + ASN1_ENUMERATED *ae = NULL; /* ASN1_BMPSTRING *bmp=NULL;*/ int dump_indent; @@ -296,23 +298,22 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, ASN1_OCTET_STRING_free(os); os = NULL; } else if (tag == V_ASN1_INTEGER) { - ASN1_INTEGER *bs; int i; opp = op; - bs = d2i_ASN1_INTEGER(NULL, &opp, len + hl); - if (bs != NULL) { + ai = d2i_ASN1_INTEGER(NULL, &opp, len + hl); + if (ai != NULL) { if (BIO_write(bp, ":", 1) <= 0) goto end; - if (bs->type == V_ASN1_NEG_INTEGER) + if (ai->type == V_ASN1_NEG_INTEGER) if (BIO_write(bp, "-", 1) <= 0) goto end; - for (i = 0; i < bs->length; i++) { + for (i = 0; i < ai->length; i++) { if (BIO_printf(bp, "%02X", - bs->data[i]) <= 0) + ai->data[i]) <= 0) goto end; } - if (bs->length == 0) { + if (ai->length == 0) { if (BIO_write(bp, "00", 2) <= 0) goto end; } @@ -320,25 +321,25 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, if (BIO_write(bp, "BAD INTEGER", 11) <= 0) goto end; } - ASN1_INTEGER_free(bs); + ASN1_INTEGER_free(ai); + ai = NULL; } else if (tag == V_ASN1_ENUMERATED) { - ASN1_ENUMERATED *bs; int i; opp = op; - bs = d2i_ASN1_ENUMERATED(NULL, &opp, len + hl); - if (bs != NULL) { + ae = d2i_ASN1_ENUMERATED(NULL, &opp, len + hl); + if (ae != NULL) { if (BIO_write(bp, ":", 1) <= 0) goto end; - if (bs->type == V_ASN1_NEG_ENUMERATED) + if (ae->type == V_ASN1_NEG_ENUMERATED) if (BIO_write(bp, "-", 1) <= 0) goto end; - for (i = 0; i < bs->length; i++) { + for (i = 0; i < ae->length; i++) { if (BIO_printf(bp, "%02X", - bs->data[i]) <= 0) + ae->data[i]) <= 0) goto end; } - if (bs->length == 0) { + if (ae->length == 0) { if (BIO_write(bp, "00", 2) <= 0) goto end; } @@ -346,7 +347,8 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, if (BIO_write(bp, "BAD ENUMERATED", 14) <= 0) goto end; } - ASN1_ENUMERATED_free(bs); + ASN1_ENUMERATED_free(ae); + ae = NULL; } else if (len > 0 && dump) { if (!nl) { if (BIO_write(bp, "\n", 1) <= 0) @@ -377,6 +379,8 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, if (o != NULL) ASN1_OBJECT_free(o); ASN1_OCTET_STRING_free(os); + ASN1_INTEGER_free(ai); + ASN1_ENUMERATED_free(ae); *pp = p; return (ret); } diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index e287a6cf..73a0491c 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509.c,v 1.31 2018/05/18 18:23:24 tb Exp $ */ +/* $OpenBSD: t_x509.c,v 1.32 2020/04/10 07:05:24 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -145,8 +145,10 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) goto err; bs = X509_get_serialNumber(x); - if (bs->length <= (int)sizeof(long)) { + l = -1; + if (bs->length <= (int)sizeof(long)) l = ASN1_INTEGER_get(bs); + if (l != -1) { if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; neg = "-"; diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 70dc355c..4b08e904 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_dec.c,v 1.37 2019/04/01 15:48:04 jsing Exp $ */ +/* $OpenBSD: tasn_dec.c,v 1.38 2020/12/08 15:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -210,6 +210,16 @@ asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, break; case ASN1_ITYPE_MSTRING: + /* + * It never makes sense for multi-strings to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + goto err; + } + p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, @@ -245,6 +255,16 @@ asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, it, tag, aclass, opt, ctx); case ASN1_ITYPE_CHOICE: + /* + * It never makes sense for CHOICE types to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + goto err; + } + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index d103c4d0..5d95f035 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_enc.c,v 1.22 2019/04/01 15:48:04 jsing Exp $ */ +/* $OpenBSD: tasn_enc.c,v 1.23 2020/12/08 15:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,6 +61,7 @@ #include #include +#include #include static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, @@ -152,9 +153,27 @@ ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, break; case ASN1_ITYPE_MSTRING: + /* + * It never makes sense for multi-strings to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + return 0; + } return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); case ASN1_ITYPE_CHOICE: + /* + * It never makes sense for CHOICE types to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + return 0; + } if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) return 0; i = asn1_get_choice_selector(pval, it); diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index ab898531..4c676d8c 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_prn.c,v 1.20 2019/04/07 16:35:50 jsing Exp $ */ +/* $OpenBSD: tasn_prn.c,v 1.21 2020/03/24 10:46:38 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -216,7 +216,8 @@ asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent, const ASN1_ITEM *it, } else asn1_cb = NULL; - if (*fld == NULL) { + if ((it->itype != ASN1_ITYPE_PRIMITIVE || + it->utype != V_ASN1_BOOLEAN) && *fld == NULL) { if (pctx->flags & ASN1_PCTX_FLAGS_SHOW_ABSENT) { if (!nohdr && !asn1_print_fsname(out, indent, fname, sname, pctx)) @@ -454,7 +455,8 @@ asn1_print_integer_ctx(BIO *out, ASN1_INTEGER *str, const ASN1_PCTX *pctx) { char *s; int ret = 1; - s = i2s_ASN1_INTEGER(NULL, str); + if ((s = i2s_ASN1_INTEGER(NULL, str)) == NULL) + return 0; if (BIO_puts(out, s) <= 0) ret = 0; free(s); @@ -512,11 +514,16 @@ asn1_primitive_print(BIO *out, ASN1_VALUE **fld, const ASN1_ITEM *it, return pf->prim_print(out, fld, it, indent, pctx); } - str = (ASN1_STRING *)*fld; - if (it->itype == ASN1_ITYPE_MSTRING) + if (it->itype == ASN1_ITYPE_MSTRING) { + str = (ASN1_STRING *)*fld; utype = str->type & ~V_ASN1_NEG; - else + } else { utype = it->utype; + if (utype == V_ASN1_BOOLEAN) + str = NULL; + else + str = (ASN1_STRING *)*fld; + } if (utype == V_ASN1_ANY) { ASN1_TYPE *atype = (ASN1_TYPE *)*fld; utype = atype->type; diff --git a/crypto/asn1/x_attrib.c b/crypto/asn1/x_attrib.c index bb74a1b6..04816eab 100644 --- a/crypto/asn1/x_attrib.c +++ b/crypto/asn1/x_attrib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_attrib.c,v 1.13 2015/02/14 14:56:45 jsing Exp $ */ +/* $OpenBSD: x_attrib.c,v 1.14 2020/06/04 21:21:03 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -174,10 +174,13 @@ X509_ATTRIBUTE_create(int nid, int atrtype, void *value) { X509_ATTRIBUTE *ret = NULL; ASN1_TYPE *val = NULL; + ASN1_OBJECT *oid; + if ((oid = OBJ_nid2obj(nid)) == NULL) + return (NULL); if ((ret = X509_ATTRIBUTE_new()) == NULL) return (NULL); - ret->object = OBJ_nid2obj(nid); + ret->object = oid; ret->single = 0; if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL) goto err; diff --git a/crypto/asn1/x_info.c b/crypto/asn1/x_info.c index c4769231..9285e3e2 100644 --- a/crypto/asn1/x_info.c +++ b/crypto/asn1/x_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_info.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: x_info.c,v 1.18 2020/09/03 17:29:05 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -60,48 +60,35 @@ #include #include -#include #include X509_INFO * X509_INFO_new(void) { - X509_INFO *ret = NULL; + X509_INFO *ret; - ret = malloc(sizeof(X509_INFO)); - if (ret == NULL) { + if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) { ASN1error(ERR_R_MALLOC_FAILURE); return (NULL); } - - ret->enc_cipher.cipher = NULL; - ret->enc_len = 0; - ret->enc_data = NULL; - ret->references = 1; - ret->x509 = NULL; - ret->crl = NULL; - ret->x_pkey = NULL; - return (ret); + + return ret; } void X509_INFO_free(X509_INFO *x) { - int i; - if (x == NULL) return; - i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO); - if (i > 0) + if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0) return; X509_free(x->x509); - if (x->crl != NULL) - X509_CRL_free(x->crl); - if (x->x_pkey != NULL) - X509_PKEY_free(x->x_pkey); + X509_CRL_free(x->crl); + X509_PKEY_free(x->x_pkey); free(x->enc_data); + free(x); } diff --git a/crypto/bio/bio_cb.c b/crypto/bio/bio_cb.c index ab0e3a92..52cdd241 100644 --- a/crypto/bio/bio_cb.c +++ b/crypto/bio/bio_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_cb.c,v 1.16 2014/12/08 03:54:19 bcook Exp $ */ +/* $OpenBSD: bio_cb.c,v 1.17 2021/03/25 09:26:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,15 +70,22 @@ BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, BIO *b; char buf[256]; char *p; + int nbuf; long r = 1; size_t p_maxlen; if (BIO_CB_RETURN & cmd) r = ret; - snprintf(buf, sizeof buf, "BIO[%p]:", bio); - p = &(buf[14]); - p_maxlen = sizeof buf - 14; + nbuf = snprintf(buf, sizeof(buf), "BIO[%p]: ", bio); + if (nbuf < 0) + nbuf = 0; /* Ignore error; continue printing. */ + if (nbuf >= sizeof(buf)) + goto out; + + p = buf + nbuf; + p_maxlen = sizeof(buf) - nbuf; + switch (cmd) { case BIO_CB_FREE: snprintf(p, p_maxlen, "Free - %s\n", bio->method->name); @@ -136,6 +143,7 @@ BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, break; } + out: b = (BIO *)bio->cb_arg; if (b != NULL) BIO_write(b, buf, strlen(buf)); diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index df798f41..f94ce1dc 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.22 2018/11/06 06:49:45 tb Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.24 2020/09/12 17:16:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -129,6 +129,11 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) return (0); } + if (bits < 0 || (bits == 1 && top > 0)) { + BNerror(BN_R_BITS_TOO_SMALL); + return (0); + } + if (bits == 0) { BN_zero(rnd); return (1); @@ -166,18 +171,16 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) } #endif - if (top != -1) { - if (top) { - if (bit == 0) { - buf[0] = 1; - buf[1] |= 0x80; - } else { - buf[0] |= (3 << (bit - 1)); - } + if (top > 0) { + if (bit == 0) { + buf[0] = 1; + buf[1] |= 0x80; } else { - buf[0] |= (1 << bit); + buf[0] |= (3 << (bit - 1)); } } + if (top == 0) + buf[0] |= (1 << bit); buf[0] &= ~mask; if (bottom) /* set bottom bit if requested */ buf[bytes - 1] |= 1; diff --git a/crypto/bn/gf2m-masm-x86_64.S b/crypto/bn/gf2m-masm-x86_64.S index 5430de91..8fcaa2d4 100644 --- a/crypto/bn/gf2m-masm-x86_64.S +++ b/crypto/bn/gf2m-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/bn/gf2m-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/bn/gf2m-masm-x86_64.S.tmp" 2 diff --git a/crypto/bn/modexp512-masm-x86_64.S b/crypto/bn/modexp512-masm-x86_64.S index 84d57480..453cfacf 100644 --- a/crypto/bn/modexp512-masm-x86_64.S +++ b/crypto/bn/modexp512-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/bn/modexp512-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/bn/modexp512-masm-x86_64.S.tmp" 2 diff --git a/crypto/bn/mont-masm-x86_64.S b/crypto/bn/mont-masm-x86_64.S index 56dc14a7..c943f154 100644 --- a/crypto/bn/mont-masm-x86_64.S +++ b/crypto/bn/mont-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/bn/mont-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/bn/mont-masm-x86_64.S.tmp" 2 diff --git a/crypto/bn/mont5-masm-x86_64.S b/crypto/bn/mont5-masm-x86_64.S index a3fb3fe1..dbbbe35b 100644 --- a/crypto/bn/mont5-masm-x86_64.S +++ b/crypto/bn/mont5-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/bn/mont5-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/bn/mont5-masm-x86_64.S.tmp" 2 diff --git a/crypto/camellia/cmll-masm-x86_64.S b/crypto/camellia/cmll-masm-x86_64.S index d78a9938..9941bb95 100644 --- a/crypto/camellia/cmll-masm-x86_64.S +++ b/crypto/camellia/cmll-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/camellia/cmll-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/camellia/cmll-masm-x86_64.S.tmp" 2 diff --git a/crypto/cast/cast_lcl.h b/crypto/cast/cast_lcl.h index ad4e2fed..100ff1f2 100644 --- a/crypto/cast/cast_lcl.h +++ b/crypto/cast/cast_lcl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cast_lcl.h,v 1.11 2015/11/05 21:46:51 miod Exp $ */ +/* $OpenBSD: cast_lcl.h,v 1.12 2020/01/26 11:49:21 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -145,7 +145,7 @@ *((c)++)=(unsigned char)(((l) )&0xff)) /* only invoked with 0 <= n <= 31 */ -#define ROTL(a,n) ((((a)<<(n))&0xffffffffL)|((a)>>(32-(n)))) +#define ROTL(a,n) ((((a)<<(n))&0xffffffffL)|((a)>>((32-(n))&31))) #define C_M 0x3fc #define C_0 22L diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c new file mode 100644 index 00000000..ac53fec1 --- /dev/null +++ b/crypto/cms/cms_asn1.c @@ -0,0 +1,1627 @@ +/* $OpenBSD: cms_asn1.c,v 1.18 2019/08/11 10:43:57 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include "cms_lcl.h" + + +static const ASN1_TEMPLATE CMS_IssuerAndSerialNumber_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_IssuerAndSerialNumber, issuer), + .field_name = "issuer", + .item = &X509_NAME_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_IssuerAndSerialNumber, serialNumber), + .field_name = "serialNumber", + .item = &ASN1_INTEGER_it, + }, +}; + +const ASN1_ITEM CMS_IssuerAndSerialNumber_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_IssuerAndSerialNumber_seq_tt, + .tcount = sizeof(CMS_IssuerAndSerialNumber_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_IssuerAndSerialNumber), + .sname = "CMS_IssuerAndSerialNumber", +}; + +static const ASN1_TEMPLATE CMS_OtherCertificateFormat_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherCertificateFormat, otherCertFormat), + .field_name = "otherCertFormat", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherCertificateFormat, otherCert), + .field_name = "otherCert", + .item = &ASN1_ANY_it, + }, +}; + +static const ASN1_ITEM CMS_OtherCertificateFormat_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherCertificateFormat_seq_tt, + .tcount = sizeof(CMS_OtherCertificateFormat_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherCertificateFormat), + .sname = "CMS_OtherCertificateFormat", +}; + +static const ASN1_TEMPLATE CMS_CertificateChoices_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CertificateChoices, d.certificate), + .field_name = "d.certificate", + .item = &X509_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_CertificateChoices, d.extendedCertificate), + .field_name = "d.extendedCertificate", + .item = &ASN1_SEQUENCE_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_CertificateChoices, d.v1AttrCert), + .field_name = "d.v1AttrCert", + .item = &ASN1_SEQUENCE_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 2, + .offset = offsetof(CMS_CertificateChoices, d.v2AttrCert), + .field_name = "d.v2AttrCert", + .item = &ASN1_SEQUENCE_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 3, + .offset = offsetof(CMS_CertificateChoices, d.other), + .field_name = "d.other", + .item = &CMS_OtherCertificateFormat_it, + }, +}; + +const ASN1_ITEM CMS_CertificateChoices_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_CertificateChoices, type), + .templates = CMS_CertificateChoices_ch_tt, + .tcount = sizeof(CMS_CertificateChoices_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_CertificateChoices), + .sname = "CMS_CertificateChoices", +}; + +static const ASN1_TEMPLATE CMS_SignerIdentifier_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerIdentifier, d.issuerAndSerialNumber), + .field_name = "d.issuerAndSerialNumber", + .item = &CMS_IssuerAndSerialNumber_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_SignerIdentifier, d.subjectKeyIdentifier), + .field_name = "d.subjectKeyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +static const ASN1_ITEM CMS_SignerIdentifier_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_SignerIdentifier, type), + .templates = CMS_SignerIdentifier_ch_tt, + .tcount = sizeof(CMS_SignerIdentifier_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_SignerIdentifier), + .sname = "CMS_SignerIdentifier", +}; + +static const ASN1_TEMPLATE CMS_EncapsulatedContentInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncapsulatedContentInfo, eContentType), + .field_name = "eContentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_EncapsulatedContentInfo, eContent), + .field_name = "eContent", + .item = &ASN1_OCTET_STRING_NDEF_it, + }, +}; + +static const ASN1_ITEM CMS_EncapsulatedContentInfo_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EncapsulatedContentInfo_seq_tt, + .tcount = sizeof(CMS_EncapsulatedContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EncapsulatedContentInfo), + .sname = "CMS_EncapsulatedContentInfo", +}; + +/* Minor tweak to operation: free up signer key, cert */ +static int +cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + if (operation == ASN1_OP_FREE_POST) { + CMS_SignerInfo *si = (CMS_SignerInfo *)*pval; + EVP_PKEY_free(si->pkey); + X509_free(si->signer); + EVP_MD_CTX_free(si->mctx); + } + return 1; +} + +static const ASN1_AUX CMS_SignerInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_si_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_SignerInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, sid), + .field_name = "sid", + .item = &CMS_SignerIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, digestAlgorithm), + .field_name = "digestAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, signedAttrs), + .field_name = "signedAttrs", + .item = &X509_ATTRIBUTE_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, signatureAlgorithm), + .field_name = "signatureAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, signature), + .field_name = "signature", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_SignerInfo, unsignedAttrs), + .field_name = "unsignedAttrs", + .item = &X509_ATTRIBUTE_it, + }, +}; + +const ASN1_ITEM CMS_SignerInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_SignerInfo_seq_tt, + .tcount = sizeof(CMS_SignerInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_SignerInfo_aux, + .size = sizeof(CMS_SignerInfo), + .sname = "CMS_SignerInfo", +}; + +static const ASN1_TEMPLATE CMS_OtherRevocationInfoFormat_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherRevocationInfoFormat, otherRevInfoFormat), + .field_name = "otherRevInfoFormat", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherRevocationInfoFormat, otherRevInfo), + .field_name = "otherRevInfo", + .item = &ASN1_ANY_it, + }, +}; + +static const ASN1_ITEM CMS_OtherRevocationInfoFormat_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherRevocationInfoFormat_seq_tt, + .tcount = sizeof(CMS_OtherRevocationInfoFormat_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherRevocationInfoFormat), + .sname = "CMS_OtherRevocationInfoFormat", +}; + +static const ASN1_TEMPLATE CMS_RevocationInfoChoice_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RevocationInfoChoice, d.crl), + .field_name = "d.crl", + .item = &X509_CRL_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_RevocationInfoChoice, d.other), + .field_name = "d.other", + .item = &CMS_OtherRevocationInfoFormat_it, + }, +}; + +const ASN1_ITEM CMS_RevocationInfoChoice_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_RevocationInfoChoice, type), + .templates = CMS_RevocationInfoChoice_ch_tt, + .tcount = sizeof(CMS_RevocationInfoChoice_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_RevocationInfoChoice), + .sname = "CMS_RevocationInfoChoice", +}; + +static const ASN1_TEMPLATE CMS_SignedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_SignedData, digestAlgorithms), + .field_name = "digestAlgorithms", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_SignedData, certificates), + .field_name = "certificates", + .item = &CMS_CertificateChoices_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_SignedData, crls), + .field_name = "crls", + .item = &CMS_RevocationInfoChoice_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_SignedData, signerInfos), + .field_name = "signerInfos", + .item = &CMS_SignerInfo_it, + }, +}; + +const ASN1_ITEM CMS_SignedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_SignedData_seq_tt, + .tcount = sizeof(CMS_SignedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_SignedData), + .sname = "CMS_SignedData", +}; + +static const ASN1_TEMPLATE CMS_OriginatorInfo_seq_tt[] = { + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OriginatorInfo, certificates), + .field_name = "certificates", + .item = &CMS_CertificateChoices_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_OriginatorInfo, crls), + .field_name = "crls", + .item = &CMS_RevocationInfoChoice_it, + }, +}; + +static const ASN1_ITEM CMS_OriginatorInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OriginatorInfo_seq_tt, + .tcount = sizeof(CMS_OriginatorInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OriginatorInfo), + .sname = "CMS_OriginatorInfo", +}; + +static const ASN1_TEMPLATE CMS_EncryptedContentInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedContentInfo, contentType), + .field_name = "contentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedContentInfo, contentEncryptionAlgorithm), + .field_name = "contentEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_EncryptedContentInfo, encryptedContent), + .field_name = "encryptedContent", + .item = &ASN1_OCTET_STRING_NDEF_it, + }, +}; + +static const ASN1_ITEM CMS_EncryptedContentInfo_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EncryptedContentInfo_seq_tt, + .tcount = sizeof(CMS_EncryptedContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EncryptedContentInfo), + .sname = "CMS_EncryptedContentInfo", +}; + +static const ASN1_TEMPLATE CMS_KeyTransRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, rid), + .field_name = "rid", + .item = &CMS_SignerIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_KeyTransRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KeyTransRecipientInfo_seq_tt, + .tcount = sizeof(CMS_KeyTransRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KeyTransRecipientInfo), + .sname = "CMS_KeyTransRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_OtherKeyAttribute_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherKeyAttribute, keyAttrId), + .field_name = "keyAttrId", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherKeyAttribute, keyAttr), + .field_name = "keyAttr", + .item = &ASN1_ANY_it, + }, +}; + +const ASN1_ITEM CMS_OtherKeyAttribute_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherKeyAttribute_seq_tt, + .tcount = sizeof(CMS_OtherKeyAttribute_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherKeyAttribute), + .sname = "CMS_OtherKeyAttribute", +}; + +static const ASN1_TEMPLATE CMS_RecipientKeyIdentifier_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientKeyIdentifier, subjectKeyIdentifier), + .field_name = "subjectKeyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_RecipientKeyIdentifier, date), + .field_name = "date", + .item = &ASN1_GENERALIZEDTIME_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_RecipientKeyIdentifier, other), + .field_name = "other", + .item = &CMS_OtherKeyAttribute_it, + }, +}; + +const ASN1_ITEM CMS_RecipientKeyIdentifier_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_RecipientKeyIdentifier_seq_tt, + .tcount = sizeof(CMS_RecipientKeyIdentifier_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_RecipientKeyIdentifier), + .sname = "CMS_RecipientKeyIdentifier", +}; + +static const ASN1_TEMPLATE CMS_KeyAgreeRecipientIdentifier_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientIdentifier, d.issuerAndSerialNumber), + .field_name = "d.issuerAndSerialNumber", + .item = &CMS_IssuerAndSerialNumber_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientIdentifier, d.rKeyId), + .field_name = "d.rKeyId", + .item = &CMS_RecipientKeyIdentifier_it, + }, +}; + +static const ASN1_ITEM CMS_KeyAgreeRecipientIdentifier_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_KeyAgreeRecipientIdentifier, type), + .templates = CMS_KeyAgreeRecipientIdentifier_ch_tt, + .tcount = sizeof(CMS_KeyAgreeRecipientIdentifier_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KeyAgreeRecipientIdentifier), + .sname = "CMS_KeyAgreeRecipientIdentifier", +}; + +static int +cms_rek_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + CMS_RecipientEncryptedKey *rek = (CMS_RecipientEncryptedKey *)*pval; + if (operation == ASN1_OP_FREE_POST) { + EVP_PKEY_free(rek->pkey); + } + return 1; +} + +static const ASN1_AUX CMS_RecipientEncryptedKey_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_rek_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_RecipientEncryptedKey_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientEncryptedKey, rid), + .field_name = "rid", + .item = &CMS_KeyAgreeRecipientIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientEncryptedKey, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_RecipientEncryptedKey_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_RecipientEncryptedKey_seq_tt, + .tcount = sizeof(CMS_RecipientEncryptedKey_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_RecipientEncryptedKey_aux, + .size = sizeof(CMS_RecipientEncryptedKey), + .sname = "CMS_RecipientEncryptedKey", +}; + +static const ASN1_TEMPLATE CMS_OriginatorPublicKey_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OriginatorPublicKey, algorithm), + .field_name = "algorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OriginatorPublicKey, publicKey), + .field_name = "publicKey", + .item = &ASN1_BIT_STRING_it, + }, +}; + +const ASN1_ITEM CMS_OriginatorPublicKey_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OriginatorPublicKey_seq_tt, + .tcount = sizeof(CMS_OriginatorPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OriginatorPublicKey), + .sname = "CMS_OriginatorPublicKey", +}; + +static const ASN1_TEMPLATE CMS_OriginatorIdentifierOrKey_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.issuerAndSerialNumber), + .field_name = "d.issuerAndSerialNumber", + .item = &CMS_IssuerAndSerialNumber_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.subjectKeyIdentifier), + .field_name = "d.subjectKeyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.originatorKey), + .field_name = "d.originatorKey", + .item = &CMS_OriginatorPublicKey_it, + }, +}; + +static const ASN1_ITEM CMS_OriginatorIdentifierOrKey_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_OriginatorIdentifierOrKey, type), + .templates = CMS_OriginatorIdentifierOrKey_ch_tt, + .tcount = sizeof(CMS_OriginatorIdentifierOrKey_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OriginatorIdentifierOrKey), + .sname = "CMS_OriginatorIdentifierOrKey", +}; + +static int +cms_kari_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + CMS_KeyAgreeRecipientInfo *kari = (CMS_KeyAgreeRecipientInfo *)*pval; + if (operation == ASN1_OP_NEW_POST) { + kari->ctx = EVP_CIPHER_CTX_new(); + if (kari->ctx == NULL) + return 0; + EVP_CIPHER_CTX_set_flags(kari->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + kari->pctx = NULL; + } else if (operation == ASN1_OP_FREE_POST) { + EVP_PKEY_CTX_free(kari->pctx); + EVP_CIPHER_CTX_free(kari->ctx); + } + return 1; +} + +static const ASN1_AUX CMS_KeyAgreeRecipientInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_kari_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_KeyAgreeRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, originator), + .field_name = "originator", + .item = &CMS_OriginatorIdentifierOrKey_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, ukm), + .field_name = "ukm", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, recipientEncryptedKeys), + .field_name = "recipientEncryptedKeys", + .item = &CMS_RecipientEncryptedKey_it, + }, +}; + +const ASN1_ITEM CMS_KeyAgreeRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KeyAgreeRecipientInfo_seq_tt, + .tcount = sizeof(CMS_KeyAgreeRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_KeyAgreeRecipientInfo_aux, + .size = sizeof(CMS_KeyAgreeRecipientInfo), + .sname = "CMS_KeyAgreeRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_KEKIdentifier_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKIdentifier, keyIdentifier), + .field_name = "keyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_KEKIdentifier, date), + .field_name = "date", + .item = &ASN1_GENERALIZEDTIME_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_KEKIdentifier, other), + .field_name = "other", + .item = &CMS_OtherKeyAttribute_it, + }, +}; + +static const ASN1_ITEM CMS_KEKIdentifier_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KEKIdentifier_seq_tt, + .tcount = sizeof(CMS_KEKIdentifier_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KEKIdentifier), + .sname = "CMS_KEKIdentifier", +}; + +static const ASN1_TEMPLATE CMS_KEKRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, kekid), + .field_name = "kekid", + .item = &CMS_KEKIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_KEKRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KEKRecipientInfo_seq_tt, + .tcount = sizeof(CMS_KEKRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KEKRecipientInfo), + .sname = "CMS_KEKRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_PasswordRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, keyDerivationAlgorithm), + .field_name = "keyDerivationAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_PasswordRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_PasswordRecipientInfo_seq_tt, + .tcount = sizeof(CMS_PasswordRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_PasswordRecipientInfo), + .sname = "CMS_PasswordRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_OtherRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherRecipientInfo, oriType), + .field_name = "oriType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherRecipientInfo, oriValue), + .field_name = "oriValue", + .item = &ASN1_ANY_it, + }, +}; + +static const ASN1_ITEM CMS_OtherRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherRecipientInfo_seq_tt, + .tcount = sizeof(CMS_OtherRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherRecipientInfo), + .sname = "CMS_OtherRecipientInfo", +}; + +/* Free up RecipientInfo additional data */ +static int +cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + if (operation == ASN1_OP_FREE_PRE) { + CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval; + if (ri->type == CMS_RECIPINFO_TRANS) { + CMS_KeyTransRecipientInfo *ktri = ri->d.ktri; + EVP_PKEY_free(ktri->pkey); + X509_free(ktri->recip); + EVP_PKEY_CTX_free(ktri->pctx); + } else if (ri->type == CMS_RECIPINFO_KEK) { + CMS_KEKRecipientInfo *kekri = ri->d.kekri; + freezero(kekri->key, kekri->keylen); + } else if (ri->type == CMS_RECIPINFO_PASS) { + CMS_PasswordRecipientInfo *pwri = ri->d.pwri; + freezero(pwri->pass, pwri->passlen); + } + } + return 1; +} + +static const ASN1_AUX CMS_RecipientInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_ri_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_RecipientInfo_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientInfo, d.ktri), + .field_name = "d.ktri", + .item = &CMS_KeyTransRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_RecipientInfo, d.kari), + .field_name = "d.kari", + .item = &CMS_KeyAgreeRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 2, + .offset = offsetof(CMS_RecipientInfo, d.kekri), + .field_name = "d.kekri", + .item = &CMS_KEKRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 3, + .offset = offsetof(CMS_RecipientInfo, d.pwri), + .field_name = "d.pwri", + .item = &CMS_PasswordRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 4, + .offset = offsetof(CMS_RecipientInfo, d.ori), + .field_name = "d.ori", + .item = &CMS_OtherRecipientInfo_it, + }, +}; + +const ASN1_ITEM CMS_RecipientInfo_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_RecipientInfo, type), + .templates = CMS_RecipientInfo_ch_tt, + .tcount = sizeof(CMS_RecipientInfo_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_RecipientInfo_aux, + .size = sizeof(CMS_RecipientInfo), + .sname = "CMS_RecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_EnvelopedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, originatorInfo), + .field_name = "originatorInfo", + .item = &CMS_OriginatorInfo_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, recipientInfos), + .field_name = "recipientInfos", + .item = &CMS_RecipientInfo_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, encryptedContentInfo), + .field_name = "encryptedContentInfo", + .item = &CMS_EncryptedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_EnvelopedData, unprotectedAttrs), + .field_name = "unprotectedAttrs", + .item = &X509_ATTRIBUTE_it, + }, +}; + +const ASN1_ITEM CMS_EnvelopedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EnvelopedData_seq_tt, + .tcount = sizeof(CMS_EnvelopedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EnvelopedData), + .sname = "CMS_EnvelopedData", +}; + +static const ASN1_TEMPLATE CMS_DigestedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, digestAlgorithm), + .field_name = "digestAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, digest), + .field_name = "digest", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_DigestedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_DigestedData_seq_tt, + .tcount = sizeof(CMS_DigestedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_DigestedData), + .sname = "CMS_DigestedData", +}; + +static const ASN1_TEMPLATE CMS_EncryptedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedData, encryptedContentInfo), + .field_name = "encryptedContentInfo", + .item = &CMS_EncryptedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_EncryptedData, unprotectedAttrs), + .field_name = "unprotectedAttrs", + .item = &X509_ATTRIBUTE_it, + }, +}; + +const ASN1_ITEM CMS_EncryptedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EncryptedData_seq_tt, + .tcount = sizeof(CMS_EncryptedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EncryptedData), + .sname = "CMS_EncryptedData", +}; + +static const ASN1_TEMPLATE CMS_AuthenticatedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, originatorInfo), + .field_name = "originatorInfo", + .item = &CMS_OriginatorInfo_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, recipientInfos), + .field_name = "recipientInfos", + .item = &CMS_RecipientInfo_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, macAlgorithm), + .field_name = "macAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_AuthenticatedData, digestAlgorithm), + .field_name = "digestAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 2, + .offset = offsetof(CMS_AuthenticatedData, authAttrs), + .field_name = "authAttrs", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, mac), + .field_name = "mac", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 3, + .offset = offsetof(CMS_AuthenticatedData, unauthAttrs), + .field_name = "unauthAttrs", + .item = &X509_ALGOR_it, + }, +}; + +static const ASN1_ITEM CMS_AuthenticatedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_AuthenticatedData_seq_tt, + .tcount = sizeof(CMS_AuthenticatedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_AuthenticatedData), + .sname = "CMS_AuthenticatedData", +}; + +static const ASN1_TEMPLATE CMS_CompressedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CompressedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CompressedData, compressionAlgorithm), + .field_name = "compressionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CompressedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, +}; + +const ASN1_ITEM CMS_CompressedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_CompressedData_seq_tt, + .tcount = sizeof(CMS_CompressedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_CompressedData), + .sname = "CMS_CompressedData", +}; + +/* This is the ANY DEFINED BY table for the top level ContentInfo structure */ + +static const ASN1_TEMPLATE cms_default_tt = { + .flags = ASN1_TFLG_EXPLICIT, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.other), + .field_name = "d.other", + .item = &ASN1_ANY_it, +}; + +static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { + { + .value = NID_pkcs7_data, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.data), + .field_name = "d.data", + .item = &ASN1_OCTET_STRING_NDEF_it, + }, + + }, + { + .value = NID_pkcs7_signed, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.signedData), + .field_name = "d.signedData", + .item = &CMS_SignedData_it, + }, + + }, + { + .value = NID_pkcs7_enveloped, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.envelopedData), + .field_name = "d.envelopedData", + .item = &CMS_EnvelopedData_it, + }, + + }, + { + .value = NID_pkcs7_digest, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.digestedData), + .field_name = "d.digestedData", + .item = &CMS_DigestedData_it, + }, + + }, + { + .value = NID_pkcs7_encrypted, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.encryptedData), + .field_name = "d.encryptedData", + .item = &CMS_EncryptedData_it, + }, + + }, + { + .value = NID_id_smime_ct_authData, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.authenticatedData), + .field_name = "d.authenticatedData", + .item = &CMS_AuthenticatedData_it, + }, + + }, + { + .value = NID_id_smime_ct_compressedData, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.compressedData), + .field_name = "d.compressedData", + .item = &CMS_CompressedData_it, + }, + + }, +}; + +static const ASN1_ADB CMS_ContentInfo_adb = { + .flags = 0, + .offset = offsetof(CMS_ContentInfo, contentType), + .app_items = 0, + .tbl = CMS_ContentInfo_adbtbl, + .tblcount = sizeof(CMS_ContentInfo_adbtbl) / sizeof(ASN1_ADB_TABLE), + .default_tt = &cms_default_tt, + .null_tt = NULL, +}; + +/* CMS streaming support */ +static int +cms_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + ASN1_STREAM_ARG *sarg = exarg; + CMS_ContentInfo *cms = NULL; + if (pval) + cms = (CMS_ContentInfo *)*pval; + else + return 1; + switch (operation) { + + case ASN1_OP_STREAM_PRE: + if (CMS_stream(&sarg->boundary, cms) <= 0) + return 0; + /* fall thru */ + case ASN1_OP_DETACHED_PRE: + sarg->ndef_bio = CMS_dataInit(cms, sarg->out); + if (!sarg->ndef_bio) + return 0; + break; + + case ASN1_OP_STREAM_POST: + case ASN1_OP_DETACHED_POST: + if (CMS_dataFinal(cms, sarg->ndef_bio) <= 0) + return 0; + break; + + } + return 1; +} + +static const ASN1_AUX CMS_ContentInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_ContentInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, contentType), + .field_name = "contentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_ADB_OID, + .tag = -1, + .offset = 0, + .field_name = "CMS_ContentInfo", + .item = (const ASN1_ITEM *)&CMS_ContentInfo_adb, + }, +}; + +const ASN1_ITEM CMS_ContentInfo_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_ContentInfo_seq_tt, + .tcount = sizeof(CMS_ContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_ContentInfo_aux, + .size = sizeof(CMS_ContentInfo), + .sname = "CMS_ContentInfo", +}; + +/* Specials for signed attributes */ + +/* + * When signing attributes we want to reorder them to match the sorted + * encoding. + */ + +static const ASN1_TEMPLATE CMS_Attributes_Sign_item_tt = { + .flags = ASN1_TFLG_SET_ORDER, + .tag = 0, + .offset = 0, + .field_name = "CMS_ATTRIBUTES", + .item = &X509_ATTRIBUTE_it, +}; + +const ASN1_ITEM CMS_Attributes_Sign_it = { + .itype = ASN1_ITYPE_PRIMITIVE, + .utype = -1, + .templates = &CMS_Attributes_Sign_item_tt, + .tcount = 0, + .funcs = NULL, + .size = 0, + .sname = "CMS_Attributes_Sign", +}; + +/* + * When verifying attributes we need to use the received order. So we use + * SEQUENCE OF and tag it to SET OF + */ + +static const ASN1_TEMPLATE CMS_Attributes_Verify_item_tt = { + .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_IMPTAG | ASN1_TFLG_UNIVERSAL, + .tag = V_ASN1_SET, + .offset = 0, + .field_name = "CMS_ATTRIBUTES", + .item = &X509_ATTRIBUTE_it, +}; + +const ASN1_ITEM CMS_Attributes_Verify_it = { + .itype = ASN1_ITYPE_PRIMITIVE, + .utype = -1, + .templates = &CMS_Attributes_Verify_item_tt, + .tcount = 0, + .funcs = NULL, + .size = 0, + .sname = "CMS_Attributes_Verify", +}; + + + +static const ASN1_TEMPLATE CMS_ReceiptsFrom_ch_tt[] = { + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_ReceiptsFrom, d.allOrFirstTier), + .field_name = "d.allOrFirstTier", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF, + .tag = 1, + .offset = offsetof(CMS_ReceiptsFrom, d.receiptList), + .field_name = "d.receiptList", + .item = &GENERAL_NAMES_it, + }, +}; + +static const ASN1_ITEM CMS_ReceiptsFrom_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_ReceiptsFrom, type), + .templates = CMS_ReceiptsFrom_ch_tt, + .tcount = sizeof(CMS_ReceiptsFrom_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_ReceiptsFrom), + .sname = "CMS_ReceiptsFrom", +}; + +static const ASN1_TEMPLATE CMS_ReceiptRequest_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_ReceiptRequest, signedContentIdentifier), + .field_name = "signedContentIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_ReceiptRequest, receiptsFrom), + .field_name = "receiptsFrom", + .item = &CMS_ReceiptsFrom_it, + }, + { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = offsetof(CMS_ReceiptRequest, receiptsTo), + .field_name = "receiptsTo", + .item = &GENERAL_NAMES_it, + }, +}; + +const ASN1_ITEM CMS_ReceiptRequest_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_ReceiptRequest_seq_tt, + .tcount = sizeof(CMS_ReceiptRequest_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_ReceiptRequest), + .sname = "CMS_ReceiptRequest", +}; + +static const ASN1_TEMPLATE CMS_Receipt_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, contentType), + .field_name = "contentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, signedContentIdentifier), + .field_name = "signedContentIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, originatorSignatureValue), + .field_name = "originatorSignatureValue", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_Receipt_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_Receipt_seq_tt, + .tcount = sizeof(CMS_Receipt_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_Receipt), + .sname = "CMS_Receipt", +}; + +/* + * Utilities to encode the CMS_SharedInfo structure used during key + * derivation. + */ + +typedef struct { + X509_ALGOR *keyInfo; + ASN1_OCTET_STRING *entityUInfo; + ASN1_OCTET_STRING *suppPubInfo; +} CMS_SharedInfo; + +static const ASN1_TEMPLATE CMS_SharedInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SharedInfo, keyInfo), + .field_name = "keyInfo", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_SharedInfo, entityUInfo), + .field_name = "entityUInfo", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 2, + .offset = offsetof(CMS_SharedInfo, suppPubInfo), + .field_name = "suppPubInfo", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +static const ASN1_ITEM CMS_SharedInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_SharedInfo_seq_tt, + .tcount = sizeof(CMS_SharedInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_SharedInfo), + .sname = "CMS_SharedInfo", +}; + +int +CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, + ASN1_OCTET_STRING *ukm, int keylen) +{ + union { + CMS_SharedInfo *pecsi; + ASN1_VALUE *a; + } intsi = { + NULL + }; + + ASN1_OCTET_STRING oklen; + unsigned char kl[4]; + CMS_SharedInfo ecsi; + + keylen <<= 3; + kl[0] = (keylen >> 24) & 0xff; + kl[1] = (keylen >> 16) & 0xff; + kl[2] = (keylen >> 8) & 0xff; + kl[3] = keylen & 0xff; + oklen.length = 4; + oklen.data = kl; + oklen.type = V_ASN1_OCTET_STRING; + oklen.flags = 0; + ecsi.keyInfo = kekalg; + ecsi.entityUInfo = ukm; + ecsi.suppPubInfo = &oklen; + intsi.pecsi = &ecsi; + + return ASN1_item_i2d(intsi.a, pder, &CMS_SharedInfo_it); +} diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c new file mode 100644 index 00000000..b03c7437 --- /dev/null +++ b/crypto/cms/cms_att.c @@ -0,0 +1,211 @@ +/* $OpenBSD: cms_att.c,v 1.9 2019/08/10 18:15:52 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +/* CMS SignedData Attribute utilities */ + +int +CMS_signed_get_attr_count(const CMS_SignerInfo *si) +{ + return X509at_get_attr_count(si->signedAttrs); +} + +int +CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos) +{ + return X509at_get_attr_by_NID(si->signedAttrs, nid, lastpos); +} + +int +CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj, + int lastpos) +{ + return X509at_get_attr_by_OBJ(si->signedAttrs, obj, lastpos); +} + +X509_ATTRIBUTE * +CMS_signed_get_attr(const CMS_SignerInfo *si, int loc) +{ + return X509at_get_attr(si->signedAttrs, loc); +} + +X509_ATTRIBUTE * +CMS_signed_delete_attr(CMS_SignerInfo *si, int loc) +{ + return X509at_delete_attr(si->signedAttrs, loc); +} + +int +CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr) +{ + if (X509at_add1_attr(&si->signedAttrs, attr)) + return 1; + return 0; +} + +int +CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_OBJ(&si->signedAttrs, obj, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_NID(&si->signedAttrs, nid, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_txt(&si->signedAttrs, attrname, type, bytes, len)) + return 1; + return 0; +} + +void * +CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *oid, + int lastpos, int type) +{ + return X509at_get0_data_by_OBJ(si->signedAttrs, oid, lastpos, type); +} + +int +CMS_unsigned_get_attr_count(const CMS_SignerInfo *si) +{ + return X509at_get_attr_count(si->unsignedAttrs); +} + +int +CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos) +{ + return X509at_get_attr_by_NID(si->unsignedAttrs, nid, lastpos); +} + +int +CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj, + int lastpos) +{ + return X509at_get_attr_by_OBJ(si->unsignedAttrs, obj, lastpos); +} + +X509_ATTRIBUTE * +CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc) +{ + return X509at_get_attr(si->unsignedAttrs, loc); +} + +X509_ATTRIBUTE * +CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc) +{ + return X509at_delete_attr(si->unsignedAttrs, loc); +} + +int +CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr) +{ + if (X509at_add1_attr(&si->unsignedAttrs, attr)) + return 1; + return 0; +} + +int +CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj, + int type, const void *bytes, int len) +{ + if (X509at_add1_attr_by_OBJ(&si->unsignedAttrs, obj, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_NID(&si->unsignedAttrs, nid, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, + int type, const void *bytes, int len) +{ + if (X509at_add1_attr_by_txt(&si->unsignedAttrs, attrname, type, + bytes, len)) + return 1; + return 0; +} + +void * +CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos, + int type) +{ + return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type); +} + +/* Specific attribute cases */ diff --git a/crypto/cms/cms_cd.c b/crypto/cms/cms_cd.c new file mode 100644 index 00000000..ec67cf11 --- /dev/null +++ b/crypto/cms/cms_cd.c @@ -0,0 +1,128 @@ +/* $OpenBSD: cms_cd.c,v 1.15 2019/08/11 11:04:18 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +#ifdef ZLIB + +/* CMS CompressedData Utilities */ + +CMS_ContentInfo * +cms_CompressedData_create(int comp_nid) +{ + CMS_ContentInfo *cms; + CMS_CompressedData *cd; + + /* + * Will need something cleverer if there is ever more than one + * compression algorithm or parameters have some meaning... + */ + if (comp_nid != NID_zlib_compression) { + CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + return NULL; + } + cms = CMS_ContentInfo_new(); + if (cms == NULL) + return NULL; + + cd = (CMS_CompressedData *)ASN1_item_new(&CMS_CompressedData_it); + + if (cd == NULL) + goto err; + + cms->contentType = OBJ_nid2obj(NID_id_smime_ct_compressedData); + cms->d.compressedData = cd; + + cd->version = 0; + + X509_ALGOR_set0(cd->compressionAlgorithm, + OBJ_nid2obj(NID_zlib_compression), V_ASN1_UNDEF, NULL); + + cd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data); + + return cms; + + err: + CMS_ContentInfo_free(cms); + return NULL; +} + +BIO * +cms_CompressedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_CompressedData *cd; + const ASN1_OBJECT *compoid; + + if (OBJ_obj2nid(cms->contentType) != NID_id_smime_ct_compressedData) { + CMSerror(CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA); + return NULL; + } + cd = cms->d.compressedData; + X509_ALGOR_get0(&compoid, NULL, NULL, cd->compressionAlgorithm); + if (OBJ_obj2nid(compoid) != NID_zlib_compression) { + CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + return NULL; + } + return BIO_new(BIO_f_zlib()); +} + +#endif diff --git a/crypto/cms/cms_dd.c b/crypto/cms/cms_dd.c new file mode 100644 index 00000000..f1aafe39 --- /dev/null +++ b/crypto/cms/cms_dd.c @@ -0,0 +1,150 @@ +/* $OpenBSD: cms_dd.c,v 1.14 2019/08/11 11:04:18 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +/* CMS DigestedData Utilities */ + +CMS_ContentInfo * +cms_DigestedData_create(const EVP_MD *md) +{ + CMS_ContentInfo *cms; + CMS_DigestedData *dd; + + cms = CMS_ContentInfo_new(); + if (cms == NULL) + return NULL; + + dd = (CMS_DigestedData *)ASN1_item_new(&CMS_DigestedData_it); + + if (dd == NULL) + goto err; + + cms->contentType = OBJ_nid2obj(NID_pkcs7_digest); + cms->d.digestedData = dd; + + dd->version = 0; + dd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data); + + X509_ALGOR_set_md(dd->digestAlgorithm, md); + + return cms; + + err: + CMS_ContentInfo_free(cms); + + return NULL; +} + +BIO * +cms_DigestedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_DigestedData *dd; + + dd = cms->d.digestedData; + + return cms_DigestAlgorithm_init_bio(dd->digestAlgorithm); +} + +int +cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify) +{ + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen; + int r = 0; + CMS_DigestedData *dd; + + if (mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + dd = cms->d.digestedData; + + if (!cms_DigestAlgorithm_find_ctx(mctx, chain, dd->digestAlgorithm)) + goto err; + + if (EVP_DigestFinal_ex(mctx, md, &mdlen) <= 0) + goto err; + + if (verify) { + if (mdlen != (unsigned int)dd->digest->length) { + CMSerror(CMS_R_MESSAGEDIGEST_WRONG_LENGTH); + goto err; + } + + if (memcmp(md, dd->digest->data, mdlen)) + CMSerror(CMS_R_VERIFICATION_FAILURE); + else + r = 1; + } else { + if (!ASN1_STRING_set(dd->digest, md, mdlen)) + goto err; + r = 1; + } + + err: + EVP_MD_CTX_free(mctx); + + return r; +} diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c new file mode 100644 index 00000000..fd2df99c --- /dev/null +++ b/crypto/cms/cms_enc.c @@ -0,0 +1,262 @@ +/* $OpenBSD: cms_enc.c,v 1.20 2019/08/11 11:04:18 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +/* CMS EncryptedData Utilities */ + +/* Return BIO based on EncryptedContentInfo and key */ + +BIO * +cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) +{ + BIO *b; + EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *ciph; + X509_ALGOR *calg = ec->contentEncryptionAlgorithm; + unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; + unsigned char *tkey = NULL; + size_t tkeylen = 0; + + int ok = 0; + + int enc, keep_key = 0; + + enc = ec->cipher ? 1 : 0; + + b = BIO_new(BIO_f_cipher()); + if (b == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + + BIO_get_cipher_ctx(b, &ctx); + + if (enc) { + ciph = ec->cipher; + /* + * If not keeping key set cipher to NULL so subsequent calls decrypt. + */ + if (ec->key) + ec->cipher = NULL; + } else { + ciph = EVP_get_cipherbyobj(calg->algorithm); + + if (!ciph) { + CMSerror(CMS_R_UNKNOWN_CIPHER); + goto err; + } + } + + if (EVP_CipherInit_ex(ctx, ciph, NULL, NULL, NULL, enc) <= 0) { + CMSerror(CMS_R_CIPHER_INITIALISATION_ERROR); + goto err; + } + + if (enc) { + int ivlen; + calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); + /* Generate a random IV if we need one */ + ivlen = EVP_CIPHER_CTX_iv_length(ctx); + if (ivlen > 0) { + arc4random_buf(iv, ivlen); + piv = iv; + } + } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + tkeylen = EVP_CIPHER_CTX_key_length(ctx); + /* Generate random session key */ + if (!enc || !ec->key) { + tkey = malloc(tkeylen); + if (tkey == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_CIPHER_CTX_rand_key(ctx, tkey) <= 0) + goto err; + } + + if (!ec->key) { + ec->key = tkey; + ec->keylen = tkeylen; + tkey = NULL; + if (enc) + keep_key = 1; + else + ERR_clear_error(); + + } + + if (ec->keylen != tkeylen) { + /* If necessary set key length */ + if (EVP_CIPHER_CTX_set_key_length(ctx, ec->keylen) <= 0) { + /* + * Only reveal failure if debugging so we don't leak information + * which may be useful in MMA. + */ + if (enc || ec->debug) { + CMSerror(CMS_R_INVALID_KEY_LENGTH); + goto err; + } else { + /* Use random key */ + freezero(ec->key, ec->keylen); + ec->key = tkey; + ec->keylen = tkeylen; + tkey = NULL; + ERR_clear_error(); + } + } + } + + if (EVP_CipherInit_ex(ctx, NULL, NULL, ec->key, piv, enc) <= 0) { + CMSerror(CMS_R_CIPHER_INITIALISATION_ERROR); + goto err; + } + if (enc) { + calg->parameter = ASN1_TYPE_new(); + if (calg->parameter == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + /* If parameter type not set omit parameter */ + if (calg->parameter->type == V_ASN1_UNDEF) { + ASN1_TYPE_free(calg->parameter); + calg->parameter = NULL; + } + } + ok = 1; + + err: + if (!keep_key || !ok) { + freezero(ec->key, ec->keylen); + ec->key = NULL; + } + freezero(tkey, tkeylen); + if (ok) + return b; + BIO_free(b); + return NULL; +} + +int +cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen) +{ + ec->cipher = cipher; + if (key) { + if ((ec->key = malloc(keylen)) == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(ec->key, key, keylen); + } + ec->keylen = keylen; + if (cipher) + ec->contentType = OBJ_nid2obj(NID_pkcs7_data); + + return 1; +} + +int +CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, + const unsigned char *key, size_t keylen) +{ + CMS_EncryptedContentInfo *ec; + + if (!key || !keylen) { + CMSerror(CMS_R_NO_KEY); + return 0; + } + if (ciph) { + cms->d.encryptedData = (CMS_EncryptedData *)ASN1_item_new(&CMS_EncryptedData_it); + if (!cms->d.encryptedData) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + cms->contentType = OBJ_nid2obj(NID_pkcs7_encrypted); + cms->d.encryptedData->version = 0; + } else if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_encrypted) { + CMSerror(CMS_R_NOT_ENCRYPTED_DATA); + return 0; + } + ec = cms->d.encryptedData->encryptedContentInfo; + + return cms_EncryptedContent_init(ec, ciph, key, keylen); +} + +BIO * +cms_EncryptedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_EncryptedData *enc = cms->d.encryptedData; + + if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) + enc->version = 2; + + return cms_EncryptedContent_init_bio(enc->encryptedContentInfo); +} diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c new file mode 100644 index 00000000..74d957ee --- /dev/null +++ b/crypto/cms/cms_env.c @@ -0,0 +1,978 @@ +/* $OpenBSD: cms_env.c,v 1.23 2019/10/04 18:03:56 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" +#include "evp/evp_locl.h" + +/* CMS EnvelopedData Utilities */ + +CMS_EnvelopedData * +cms_get0_enveloped(CMS_ContentInfo *cms) +{ + if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) { + CMSerror(CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA); + return NULL; + } + return cms->d.envelopedData; +} + +static CMS_EnvelopedData * +cms_enveloped_data_init(CMS_ContentInfo *cms) +{ + if (cms->d.other == NULL) { + cms->d.envelopedData = (CMS_EnvelopedData *)ASN1_item_new(&CMS_EnvelopedData_it); + if (!cms->d.envelopedData) { + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + cms->d.envelopedData->version = 0; + cms->d.envelopedData->encryptedContentInfo->contentType = + OBJ_nid2obj(NID_pkcs7_data); + ASN1_OBJECT_free(cms->contentType); + cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped); + return cms->d.envelopedData; + } + return cms_get0_enveloped(cms); +} + +int +cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) +{ + EVP_PKEY *pkey; + int i; + + if (ri->type == CMS_RECIPINFO_TRANS) + pkey = ri->d.ktri->pkey; + else if (ri->type == CMS_RECIPINFO_AGREE) { + EVP_PKEY_CTX *pctx = ri->d.kari->pctx; + if (!pctx) + return 0; + pkey = EVP_PKEY_CTX_get0_pkey(pctx); + if (!pkey) + return 0; + } else + return 0; + if (!pkey->ameth || !pkey->ameth->pkey_ctrl) + return 1; + i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_ENVELOPE, cmd, ri); + if (i == -2) { + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + return 0; + } + if (i <= 0) { + CMSerror(CMS_R_CTRL_FAILURE); + return 0; + } + + return 1; +} + +STACK_OF(CMS_RecipientInfo) * +CMS_get0_RecipientInfos(CMS_ContentInfo *cms) +{ + CMS_EnvelopedData *env; + + env = cms_get0_enveloped(cms); + if (!env) + return NULL; + + return env->recipientInfos; +} + +int +CMS_RecipientInfo_type(CMS_RecipientInfo *ri) +{ + return ri->type; +} + +EVP_PKEY_CTX * +CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri) +{ + if (ri->type == CMS_RECIPINFO_TRANS) + return ri->d.ktri->pctx; + else if (ri->type == CMS_RECIPINFO_AGREE) + return ri->d.kari->pctx; + + return NULL; +} + +CMS_ContentInfo * +CMS_EnvelopedData_create(const EVP_CIPHER *cipher) +{ + CMS_ContentInfo *cms; + CMS_EnvelopedData *env; + + cms = CMS_ContentInfo_new(); + if (cms == NULL) + goto merr; + env = cms_enveloped_data_init(cms); + if (env == NULL) + goto merr; + if (!cms_EncryptedContent_init(env->encryptedContentInfo, cipher, + NULL, 0)) + goto merr; + + return cms; + + merr: + CMS_ContentInfo_free(cms); + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; +} + +/* Key Transport Recipient Info (KTRI) routines */ + +/* Initialise a ktri based on passed certificate and key */ + +static int +cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *pk, + unsigned int flags) +{ + CMS_KeyTransRecipientInfo *ktri; + int idtype; + + ri->d.ktri = (CMS_KeyTransRecipientInfo *)ASN1_item_new(&CMS_KeyTransRecipientInfo_it); + if (!ri->d.ktri) + return 0; + ri->type = CMS_RECIPINFO_TRANS; + + ktri = ri->d.ktri; + + if (flags & CMS_USE_KEYID) { + ktri->version = 2; + idtype = CMS_RECIPINFO_KEYIDENTIFIER; + } else { + ktri->version = 0; + idtype = CMS_RECIPINFO_ISSUER_SERIAL; + } + + /* + * Not a typo: RecipientIdentifier and SignerIdentifier are the same + * structure. + */ + + if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype)) + return 0; + + X509_up_ref(recip); + EVP_PKEY_up_ref(pk); + + ktri->pkey = pk; + ktri->recip = recip; + + if (flags & CMS_KEY_PARAM) { + ktri->pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL); + if (ktri->pctx == NULL) + return 0; + if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) + return 0; + } else if (!cms_env_asn1_ctrl(ri, 0)) + return 0; + + return 1; +} + +/* + * Add a recipient certificate using appropriate type of RecipientInfo + */ + +CMS_RecipientInfo * +CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags) +{ + CMS_RecipientInfo *ri = NULL; + CMS_EnvelopedData *env; + EVP_PKEY *pk = NULL; + + env = cms_get0_enveloped(cms); + if (!env) + goto err; + + /* Initialize recipient info */ + ri = (CMS_RecipientInfo *)ASN1_item_new(&CMS_RecipientInfo_it); + if (!ri) + goto merr; + + pk = X509_get0_pubkey(recip); + if (!pk) { + CMSerror(CMS_R_ERROR_GETTING_PUBLIC_KEY); + goto err; + } + + switch (cms_pkey_get_ri_type(pk)) { + + case CMS_RECIPINFO_TRANS: + if (!cms_RecipientInfo_ktri_init(ri, recip, pk, flags)) + goto err; + break; + + case CMS_RECIPINFO_AGREE: + if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags)) + goto err; + break; + + default: + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + goto err; + + } + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + return ri; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + ASN1_item_free((ASN1_VALUE *)ri, &CMS_RecipientInfo_it); + return NULL; +} + +int +CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, EVP_PKEY **pk, + X509 **recip, X509_ALGOR **palg) +{ + CMS_KeyTransRecipientInfo *ktri; + + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + + ktri = ri->d.ktri; + + if (pk) + *pk = ktri->pkey; + if (recip) + *recip = ktri->recip; + if (palg) + *palg = ktri->keyEncryptionAlgorithm; + + return 1; +} + +int +CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, + ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno) +{ + CMS_KeyTransRecipientInfo *ktri; + + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + ktri = ri->d.ktri; + + return cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid, issuer, sno); +} + +int +CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert) +{ + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return -2; + } + + return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert); +} + +int +CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) +{ + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + EVP_PKEY_free(ri->d.ktri->pkey); + ri->d.ktri->pkey = pkey; + + return 1; +} + +/* Encrypt content key in key transport recipient info */ + +static int +cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_KeyTransRecipientInfo *ktri; + CMS_EncryptedContentInfo *ec; + EVP_PKEY_CTX *pctx; + unsigned char *ek = NULL; + size_t eklen; + + int ret = 0; + + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + ktri = ri->d.ktri; + ec = cms->d.envelopedData->encryptedContentInfo; + + pctx = ktri->pctx; + + if (pctx) { + if (!cms_env_asn1_ctrl(ri, 0)) + goto err; + } else { + pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL); + if (pctx == NULL) + return 0; + + if (EVP_PKEY_encrypt_init(pctx) <= 0) + goto err; + } + + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, + EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) + goto err; + + ek = malloc(eklen); + + if (ek == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0) + goto err; + + ASN1_STRING_set0(ktri->encryptedKey, ek, eklen); + ek = NULL; + + ret = 1; + + err: + EVP_PKEY_CTX_free(pctx); + ktri->pctx = NULL; + free(ek); + + return ret; +} + +/* Decrypt content key from KTRI */ + +static int +cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_KeyTransRecipientInfo *ktri = ri->d.ktri; + EVP_PKEY *pkey = ktri->pkey; + unsigned char *ek = NULL; + size_t eklen; + size_t fixlen = 0; + int ret = 0; + CMS_EncryptedContentInfo *ec; + + ec = cms->d.envelopedData->encryptedContentInfo; + + if (ktri->pkey == NULL) { + CMSerror(CMS_R_NO_PRIVATE_KEY); + return 0; + } + + if (cms->d.envelopedData->encryptedContentInfo->havenocert && + !cms->d.envelopedData->encryptedContentInfo->debug) { + X509_ALGOR *calg = ec->contentEncryptionAlgorithm; + const EVP_CIPHER *ciph; + + if ((ciph = EVP_get_cipherbyobj(calg->algorithm)) == NULL) { + CMSerror(CMS_R_UNKNOWN_CIPHER); + return 0; + } + + fixlen = EVP_CIPHER_key_length(ciph); + } + + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (ktri->pctx == NULL) + return 0; + + if (EVP_PKEY_decrypt_init(ktri->pctx) <= 0) + goto err; + + if (!cms_env_asn1_ctrl(ri, 1)) + goto err; + + if (EVP_PKEY_CTX_ctrl(ktri->pctx, -1, EVP_PKEY_OP_DECRYPT, + EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0 || eklen == 0 || + (fixlen != 0 && eklen != fixlen)) { + CMSerror(CMS_R_CMS_LIB); + goto err; + } + + ek = malloc(eklen); + + if (ek == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen, ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0) { + CMSerror(CMS_R_CMS_LIB); + goto err; + } + + ret = 1; + + freezero(ec->key, ec->keylen); + ec->key = ek; + ec->keylen = eklen; + + err: + EVP_PKEY_CTX_free(ktri->pctx); + ktri->pctx = NULL; + if (!ret) + free(ek); + + return ret; +} + +/* Key Encrypted Key (KEK) RecipientInfo routines */ + +int +CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id, + size_t idlen) +{ + ASN1_OCTET_STRING tmp_os; + CMS_KEKRecipientInfo *kekri; + + if (ri->type != CMS_RECIPINFO_KEK) { + CMSerror(CMS_R_NOT_KEK); + return -2; + } + kekri = ri->d.kekri; + tmp_os.type = V_ASN1_OCTET_STRING; + tmp_os.flags = 0; + tmp_os.data = (unsigned char *)id; + tmp_os.length = (int)idlen; + + return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier); +} + +/* For now hard code AES key wrap info */ + +static size_t +aes_wrap_keylen(int nid) +{ + switch (nid) { + case NID_id_aes128_wrap: + return 16; + + case NID_id_aes192_wrap: + return 24; + + case NID_id_aes256_wrap: + return 32; + + default: + return 0; + } +} + +CMS_RecipientInfo * +CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, unsigned char *key, + size_t keylen, unsigned char *id, size_t idlen, ASN1_GENERALIZEDTIME *date, + ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType) +{ + CMS_RecipientInfo *ri = NULL; + CMS_EnvelopedData *env; + CMS_KEKRecipientInfo *kekri; + + env = cms_get0_enveloped(cms); + if (!env) + goto err; + + if (nid == NID_undef) { + switch (keylen) { + case 16: + nid = NID_id_aes128_wrap; + break; + + case 24: + nid = NID_id_aes192_wrap; + break; + + case 32: + nid = NID_id_aes256_wrap; + break; + + default: + CMSerror(CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + } else { + + size_t exp_keylen = aes_wrap_keylen(nid); + + if (!exp_keylen) { + CMSerror(CMS_R_UNSUPPORTED_KEK_ALGORITHM); + goto err; + } + + if (keylen != exp_keylen) { + CMSerror(CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + } + + /* Initialize recipient info */ + ri = (CMS_RecipientInfo *)ASN1_item_new(&CMS_RecipientInfo_it); + if (!ri) + goto merr; + + ri->d.kekri = (CMS_KEKRecipientInfo *)ASN1_item_new(&CMS_KEKRecipientInfo_it); + if (!ri->d.kekri) + goto merr; + ri->type = CMS_RECIPINFO_KEK; + + kekri = ri->d.kekri; + + if (otherTypeId) { + kekri->kekid->other = (CMS_OtherKeyAttribute *)ASN1_item_new(&CMS_OtherKeyAttribute_it); + if (kekri->kekid->other == NULL) + goto merr; + } + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + /* After this point no calls can fail */ + + kekri->version = 4; + + kekri->key = key; + kekri->keylen = keylen; + + ASN1_STRING_set0(kekri->kekid->keyIdentifier, id, idlen); + + kekri->kekid->date = date; + + if (kekri->kekid->other) { + kekri->kekid->other->keyAttrId = otherTypeId; + kekri->kekid->other->keyAttr = otherType; + } + + X509_ALGOR_set0(kekri->keyEncryptionAlgorithm, + OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL); + + return ri; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + ASN1_item_free((ASN1_VALUE *)ri, &CMS_RecipientInfo_it); + return NULL; +} + +int +CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, + ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate, + ASN1_OBJECT **potherid, ASN1_TYPE **pothertype) +{ + CMS_KEKIdentifier *rkid; + + if (ri->type != CMS_RECIPINFO_KEK) { + CMSerror(CMS_R_NOT_KEK); + return 0; + } + rkid = ri->d.kekri->kekid; + if (palg) + *palg = ri->d.kekri->keyEncryptionAlgorithm; + if (pid) + *pid = rkid->keyIdentifier; + if (pdate) + *pdate = rkid->date; + if (potherid) { + if (rkid->other) + *potherid = rkid->other->keyAttrId; + else + *potherid = NULL; + } + if (pothertype) { + if (rkid->other) + *pothertype = rkid->other->keyAttr; + else + *pothertype = NULL; + } + + return 1; +} + +int +CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, + size_t keylen) +{ + CMS_KEKRecipientInfo *kekri; + + if (ri->type != CMS_RECIPINFO_KEK) { + CMSerror(CMS_R_NOT_KEK); + return 0; + } + + kekri = ri->d.kekri; + kekri->key = key; + kekri->keylen = keylen; + return 1; +} + +/* Encrypt content key in KEK recipient info */ + +static int +cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_EncryptedContentInfo *ec; + CMS_KEKRecipientInfo *kekri; + AES_KEY actx; + unsigned char *wkey = NULL; + int wkeylen; + int r = 0; + + ec = cms->d.envelopedData->encryptedContentInfo; + kekri = ri->d.kekri; + + if (!kekri->key) { + CMSerror(CMS_R_NO_KEY); + return 0; + } + + if (AES_set_encrypt_key(kekri->key, kekri->keylen << 3, &actx)) { + CMSerror(CMS_R_ERROR_SETTING_KEY); + goto err; + } + + wkey = malloc(ec->keylen + 8); + if (wkey == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + wkeylen = AES_wrap_key(&actx, NULL, wkey, ec->key, ec->keylen); + if (wkeylen <= 0) { + CMSerror(CMS_R_WRAP_ERROR); + goto err; + } + + ASN1_STRING_set0(kekri->encryptedKey, wkey, wkeylen); + + r = 1; + + err: + if (!r) + free(wkey); + explicit_bzero(&actx, sizeof(actx)); + + return r; +} + +/* Decrypt content key in KEK recipient info */ + +static int +cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_EncryptedContentInfo *ec; + CMS_KEKRecipientInfo *kekri; + AES_KEY actx; + unsigned char *ukey = NULL; + int ukeylen; + int r = 0, wrap_nid; + + ec = cms->d.envelopedData->encryptedContentInfo; + kekri = ri->d.kekri; + + if (!kekri->key) { + CMSerror(CMS_R_NO_KEY); + return 0; + } + + wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm); + if (aes_wrap_keylen(wrap_nid) != kekri->keylen) { + CMSerror(CMS_R_INVALID_KEY_LENGTH); + return 0; + } + + /* If encrypted key length is invalid don't bother */ + + if (kekri->encryptedKey->length < 16) { + CMSerror(CMS_R_INVALID_ENCRYPTED_KEY_LENGTH); + goto err; + } + + if (AES_set_decrypt_key(kekri->key, kekri->keylen << 3, &actx)) { + CMSerror(CMS_R_ERROR_SETTING_KEY); + goto err; + } + + ukey = malloc(kekri->encryptedKey->length - 8); + if (ukey == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + ukeylen = AES_unwrap_key(&actx, NULL, ukey, kekri->encryptedKey->data, + kekri->encryptedKey->length); + + if (ukeylen <= 0) { + CMSerror(CMS_R_UNWRAP_ERROR); + goto err; + } + + ec->key = ukey; + ec->keylen = ukeylen; + + r = 1; + + err: + + if (!r) + free(ukey); + explicit_bzero(&actx, sizeof(actx)); + + return r; +} + +int +CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + switch (ri->type) { + case CMS_RECIPINFO_TRANS: + return cms_RecipientInfo_ktri_decrypt(cms, ri); + + case CMS_RECIPINFO_KEK: + return cms_RecipientInfo_kekri_decrypt(cms, ri); + + case CMS_RECIPINFO_PASS: + return cms_RecipientInfo_pwri_crypt(cms, ri, 0); + + default: + CMSerror(CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE); + return 0; + } +} + +int +CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + switch (ri->type) { + case CMS_RECIPINFO_TRANS: + return cms_RecipientInfo_ktri_encrypt(cms, ri); + + case CMS_RECIPINFO_AGREE: + return cms_RecipientInfo_kari_encrypt(cms, ri); + + case CMS_RECIPINFO_KEK: + return cms_RecipientInfo_kekri_encrypt(cms, ri); + + case CMS_RECIPINFO_PASS: + return cms_RecipientInfo_pwri_crypt(cms, ri, 1); + + default: + CMSerror(CMS_R_UNSUPPORTED_RECIPIENT_TYPE); + return 0; + } +} + +/* Check structures and fixup version numbers (if necessary) */ + +static void +cms_env_set_originfo_version(CMS_EnvelopedData *env) +{ + CMS_OriginatorInfo *org = env->originatorInfo; + int i; + + if (org == NULL) + return; + for (i = 0; i < sk_CMS_CertificateChoices_num(org->certificates); i++) { + CMS_CertificateChoices *cch; + + cch = sk_CMS_CertificateChoices_value(org->certificates, i); + if (cch->type == CMS_CERTCHOICE_OTHER) { + env->version = 4; + return; + } else if (cch->type == CMS_CERTCHOICE_V2ACERT) { + if (env->version < 3) + env->version = 3; + } + } + + for (i = 0; i < sk_CMS_RevocationInfoChoice_num(org->crls); i++) { + CMS_RevocationInfoChoice *rch; + + rch = sk_CMS_RevocationInfoChoice_value(org->crls, i); + if (rch->type == CMS_REVCHOICE_OTHER) { + env->version = 4; + return; + } + } +} + +static void +cms_env_set_version(CMS_EnvelopedData *env) +{ + int i; + CMS_RecipientInfo *ri; + + /* + * Can't set version higher than 4 so if 4 or more already nothing to do. + */ + if (env->version >= 4) + return; + + cms_env_set_originfo_version(env); + + if (env->version >= 3) + return; + + for (i = 0; i < sk_CMS_RecipientInfo_num(env->recipientInfos); i++) { + ri = sk_CMS_RecipientInfo_value(env->recipientInfos, i); + if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER) { + env->version = 3; + return; + } else if (ri->type != CMS_RECIPINFO_TRANS + || ri->d.ktri->version != 0) { + env->version = 2; + } + } + if (env->originatorInfo || env->unprotectedAttrs) + env->version = 2; + if (env->version == 2) + return; + env->version = 0; +} + +BIO * +cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_EncryptedContentInfo *ec; + STACK_OF(CMS_RecipientInfo) *rinfos; + CMS_RecipientInfo *ri; + int i, ok = 0; + BIO *ret; + + /* Get BIO first to set up key */ + + ec = cms->d.envelopedData->encryptedContentInfo; + ret = cms_EncryptedContent_init_bio(ec); + + /* If error or no cipher end of processing */ + + if (!ret || !ec->cipher) + return ret; + + /* Now encrypt content key according to each RecipientInfo type */ + + rinfos = cms->d.envelopedData->recipientInfos; + + for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) { + ri = sk_CMS_RecipientInfo_value(rinfos, i); + if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) { + CMSerror(CMS_R_ERROR_SETTING_RECIPIENTINFO); + goto err; + } + } + cms_env_set_version(cms->d.envelopedData); + + ok = 1; + + err: + ec->cipher = NULL; + freezero(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + if (ok) + return ret; + BIO_free(ret); + return NULL; +} + +/* + * Get RecipientInfo type (if any) supported by a key (public or private). To + * retain compatibility with previous behaviour if the ctrl value isn't + * supported we assume key transport. + */ +int +cms_pkey_get_ri_type(EVP_PKEY *pk) +{ + if (pk->ameth && pk->ameth->pkey_ctrl) { + int i, r; + i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_RI_TYPE, 0, &r); + if (i > 0) + return r; + } + return CMS_RECIPINFO_TRANS; +} diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c new file mode 100644 index 00000000..2fd550ca --- /dev/null +++ b/crypto/cms/cms_err.c @@ -0,0 +1,164 @@ +/* $OpenBSD: cms_err.c,v 1.12 2020/06/05 16:51:12 jsing Exp $ */ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CMS,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CMS,0,reason) + +static ERR_STRING_DATA CMS_str_functs[] = { + {ERR_FUNC(0xfff), "CRYPTO_internal"}, + {0, NULL} +}; + +static ERR_STRING_DATA CMS_str_reasons[] = { + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT), + "certificate already present"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_HAS_NO_KEYID), + "certificate has no keyid"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_VERIFY_ERROR), + "certificate verify error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_INITIALISATION_ERROR), + "cipher initialisation error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR), + "cipher parameter initialisation error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CMS_DATAFINAL_ERROR), + "cms datafinal error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CMS_LIB), "cms lib"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENTIDENTIFIER_MISMATCH), + "contentidentifier mismatch"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_NOT_FOUND), "content not found"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_MISMATCH), + "content type mismatch"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA), + "content type not compressed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA), + "content type not enveloped data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA), + "content type not signed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_VERIFY_ERROR), + "content verify error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CTRL_ERROR), "ctrl error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CTRL_FAILURE), "ctrl failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_DECRYPT_ERROR), "decrypt error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_GETTING_PUBLIC_KEY), + "error getting public key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE), + "error reading messagedigest attribute"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_KEY), "error setting key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_RECIPIENTINFO), + "error setting recipientinfo"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_ENCRYPTED_KEY_LENGTH), + "invalid encrypted key length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER), + "invalid key encryption parameter"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_KEY_LENGTH), "invalid key length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MD_BIO_INIT_ERROR), "md bio init error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH), + "messagedigest attribute wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MESSAGEDIGEST_WRONG_LENGTH), + "messagedigest wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_ERROR), "msgsigdigest error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE), + "msgsigdigest verification failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_WRONG_LENGTH), + "msgsigdigest wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NEED_ONE_SIGNER), "need one signer"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_A_SIGNED_RECEIPT), + "not a signed receipt"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_ENCRYPTED_DATA), "not encrypted data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEK), "not kek"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_AGREEMENT), "not key agreement"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_TRANSPORT), "not key transport"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_PWRI), "not pwri"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE), + "not supported for this key type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CIPHER), "no cipher"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CONTENT), "no content"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CONTENT_TYPE), "no content type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_DEFAULT_DIGEST), "no default digest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_DIGEST_SET), "no digest set"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_KEY), "no key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_KEY_OR_CERT), "no key or cert"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_DIGEST), "no matching digest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_RECIPIENT), + "no matching recipient"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_SIGNATURE), + "no matching signature"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MSGSIGDIGEST), "no msgsigdigest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PASSWORD), "no password"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PRIVATE_KEY), "no private key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PUBLIC_KEY), "no public key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_RECEIPT_REQUEST), "no receipt request"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_SIGNERS), "no signers"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), + "private key does not match certificate"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_RECEIPT_DECODE_ERROR), + "receipt decode error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_RECIPIENT_ERROR), "recipient error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SIGNER_CERTIFICATE_NOT_FOUND), + "signer certificate not found"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SIGNFINAL_ERROR), "signfinal error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SMIME_TEXT_ERROR), "smime text error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_STORE_INIT_ERROR), "store init error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_COMPRESSED_DATA), + "type not compressed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_DATA), "type not data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_DIGESTED_DATA), + "type not digested data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_ENCRYPTED_DATA), + "type not encrypted data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_ENVELOPED_DATA), + "type not enveloped data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNABLE_TO_FINALIZE_CONTEXT), + "unable to finalize context"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_CIPHER), "unknown cipher"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_DIGEST_ALGORITHM), + "unknown digest algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), + "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE), + "unsupported content type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM), + "unsupported kek algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM), + "unsupported key encryption algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE), + "unsupported recipientinfo type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENT_TYPE), + "unsupported recipient type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_TYPE), "unsupported type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_ERROR), "unwrap error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_FAILURE), "unwrap failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_VERIFICATION_FAILURE), + "verification failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_WRAP_ERROR), "wrap error"}, + {0, NULL} +}; + +#endif + +int +ERR_load_CMS_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(CMS_str_functs[0].error) == NULL) { + ERR_load_strings(ERR_LIB_CMS, CMS_str_functs); + ERR_load_strings(ERR_LIB_CMS, CMS_str_reasons); + } +#endif + return 1; +} diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c new file mode 100644 index 00000000..9420405d --- /dev/null +++ b/crypto/cms/cms_ess.c @@ -0,0 +1,404 @@ +/* $OpenBSD: cms_ess.c,v 1.21 2019/08/11 14:19:09 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + + +CMS_ReceiptRequest * +d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len) +{ + return (CMS_ReceiptRequest *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &CMS_ReceiptRequest_it); +} + +int +i2d_CMS_ReceiptRequest(CMS_ReceiptRequest *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &CMS_ReceiptRequest_it); +} + +CMS_ReceiptRequest * +CMS_ReceiptRequest_new(void) +{ + return (CMS_ReceiptRequest *)ASN1_item_new(&CMS_ReceiptRequest_it); +} + +void +CMS_ReceiptRequest_free(CMS_ReceiptRequest *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &CMS_ReceiptRequest_it); +} + +/* ESS services: for now just Signed Receipt related */ + +int +CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) +{ + ASN1_STRING *str; + CMS_ReceiptRequest *rr = NULL; + + if (prr) + *prr = NULL; + str = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_id_smime_aa_receiptRequest), -3, V_ASN1_SEQUENCE); + if (!str) + return 0; + + rr = ASN1_item_unpack(str, &CMS_ReceiptRequest_it); + if (!rr) + return -1; + if (prr) + *prr = rr; + else + CMS_ReceiptRequest_free(rr); + + return 1; +} + +CMS_ReceiptRequest * +CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, + STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo) +{ + CMS_ReceiptRequest *rr = NULL; + + rr = CMS_ReceiptRequest_new(); + if (rr == NULL) + goto merr; + if (id) + ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen); + else { + if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) + goto merr; + arc4random_buf(rr->signedContentIdentifier->data, 32); + } + + sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free); + rr->receiptsTo = receiptsTo; + + if (receiptList) { + rr->receiptsFrom->type = 1; + rr->receiptsFrom->d.receiptList = receiptList; + } else { + rr->receiptsFrom->type = 0; + rr->receiptsFrom->d.allOrFirstTier = allorfirst; + } + + return rr; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + CMS_ReceiptRequest_free(rr); + + return NULL; +} + +int +CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr) +{ + unsigned char *rrder = NULL; + int rrderlen, r = 0; + + rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder); + if (rrderlen < 0) + goto merr; + + if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest, + V_ASN1_SEQUENCE, rrder, rrderlen)) + goto merr; + + r = 1; + + merr: + if (!r) + CMSerror(ERR_R_MALLOC_FAILURE); + + free(rrder); + + return r; +} + +void +CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid, + int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist, + STACK_OF(GENERAL_NAMES) **prto) +{ + if (pcid) + *pcid = rr->signedContentIdentifier; + if (rr->receiptsFrom->type == 0) { + if (pallorfirst) + *pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier; + if (plist) + *plist = NULL; + } else { + if (pallorfirst) + *pallorfirst = -1; + if (plist) + *plist = rr->receiptsFrom->d.receiptList; + } + if (prto) + *prto = rr->receiptsTo; +} + +/* Digest a SignerInfo structure for msgSigDigest attribute processing */ + +static int +cms_msgSigDigest(CMS_SignerInfo *si, unsigned char *dig, unsigned int *diglen) +{ + const EVP_MD *md; + + md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); + if (md == NULL) + return 0; + if (!ASN1_item_digest(&CMS_Attributes_Verify_it, md, + si->signedAttrs, dig, diglen)) + return 0; + + return 1; +} + +/* Add a msgSigDigest attribute to a SignerInfo */ + +int +cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src) +{ + unsigned char dig[EVP_MAX_MD_SIZE]; + unsigned int diglen; + + if (!cms_msgSigDigest(src, dig, &diglen)) { + CMSerror(CMS_R_MSGSIGDIGEST_ERROR); + return 0; + } + if (!CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest, + V_ASN1_OCTET_STRING, dig, diglen)) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + return 1; +} + +/* Verify signed receipt after it has already passed normal CMS verify */ + +int +cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) +{ + int r = 0, i; + CMS_ReceiptRequest *rr = NULL; + CMS_Receipt *rct = NULL; + STACK_OF(CMS_SignerInfo) *sis, *osis; + CMS_SignerInfo *si, *osi = NULL; + ASN1_OCTET_STRING *msig, **pcont; + ASN1_OBJECT *octype; + unsigned char dig[EVP_MAX_MD_SIZE]; + unsigned int diglen; + + /* Get SignerInfos, also checks SignedData content type */ + osis = CMS_get0_SignerInfos(req_cms); + sis = CMS_get0_SignerInfos(cms); + if (!osis || !sis) + goto err; + + if (sk_CMS_SignerInfo_num(sis) != 1) { + CMSerror(CMS_R_NEED_ONE_SIGNER); + goto err; + } + + /* Check receipt content type */ + if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) { + CMSerror(CMS_R_NOT_A_SIGNED_RECEIPT); + goto err; + } + + /* Extract and decode receipt content */ + pcont = CMS_get0_content(cms); + if (!pcont || !*pcont) { + CMSerror(CMS_R_NO_CONTENT); + goto err; + } + + rct = ASN1_item_unpack(*pcont, &CMS_Receipt_it); + + if (!rct) { + CMSerror(CMS_R_RECEIPT_DECODE_ERROR); + goto err; + } + + /* Locate original request */ + + for (i = 0; i < sk_CMS_SignerInfo_num(osis); i++) { + osi = sk_CMS_SignerInfo_value(osis, i); + if (!ASN1_STRING_cmp(osi->signature, rct->originatorSignatureValue)) + break; + } + + if (i == sk_CMS_SignerInfo_num(osis)) { + CMSerror(CMS_R_NO_MATCHING_SIGNATURE); + goto err; + } + + si = sk_CMS_SignerInfo_value(sis, 0); + + /* Get msgSigDigest value and compare */ + + msig = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_id_smime_aa_msgSigDigest), -3, V_ASN1_OCTET_STRING); + + if (!msig) { + CMSerror(CMS_R_NO_MSGSIGDIGEST); + goto err; + } + + if (!cms_msgSigDigest(osi, dig, &diglen)) { + CMSerror(CMS_R_MSGSIGDIGEST_ERROR); + goto err; + } + + if (diglen != (unsigned int)msig->length) { + CMSerror(CMS_R_MSGSIGDIGEST_WRONG_LENGTH); + goto err; + } + + if (memcmp(dig, msig->data, diglen)) { + CMSerror(CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE); + goto err; + } + + /* Compare content types */ + + octype = CMS_signed_get0_data_by_OBJ(osi, + OBJ_nid2obj(NID_pkcs9_contentType), -3, V_ASN1_OBJECT); + if (!octype) { + CMSerror(CMS_R_NO_CONTENT_TYPE); + goto err; + } + + /* Compare details in receipt request */ + + if (OBJ_cmp(octype, rct->contentType)) { + CMSerror(CMS_R_CONTENT_TYPE_MISMATCH); + goto err; + } + + /* Get original receipt request details */ + + if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) { + CMSerror(CMS_R_NO_RECEIPT_REQUEST); + goto err; + } + + if (ASN1_STRING_cmp(rr->signedContentIdentifier, + rct->signedContentIdentifier)) { + CMSerror(CMS_R_CONTENTIDENTIFIER_MISMATCH); + goto err; + } + + r = 1; + + err: + CMS_ReceiptRequest_free(rr); + ASN1_item_free((ASN1_VALUE *)rct, &CMS_Receipt_it); + return r; +} + +/* + * Encode a Receipt into an OCTET STRING read for including into content of a + * SignedData ContentInfo. + */ + +ASN1_OCTET_STRING * +cms_encode_Receipt(CMS_SignerInfo *si) +{ + CMS_Receipt rct; + CMS_ReceiptRequest *rr = NULL; + ASN1_OBJECT *ctype; + ASN1_OCTET_STRING *os = NULL; + + /* Get original receipt request */ + + /* Get original receipt request details */ + + if (CMS_get1_ReceiptRequest(si, &rr) <= 0) { + CMSerror(CMS_R_NO_RECEIPT_REQUEST); + goto err; + } + + /* Get original content type */ + + ctype = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_pkcs9_contentType), -3, V_ASN1_OBJECT); + if (!ctype) { + CMSerror(CMS_R_NO_CONTENT_TYPE); + goto err; + } + + rct.version = 1; + rct.contentType = ctype; + rct.signedContentIdentifier = rr->signedContentIdentifier; + rct.originatorSignatureValue = si->signature; + + os = ASN1_item_pack(&rct, &CMS_Receipt_it, NULL); + + err: + CMS_ReceiptRequest_free(rr); + return os; +} diff --git a/crypto/cms/cms_io.c b/crypto/cms/cms_io.c new file mode 100644 index 00000000..4466d6ac --- /dev/null +++ b/crypto/cms/cms_io.c @@ -0,0 +1,166 @@ +/* $OpenBSD: cms_io.c,v 1.11 2019/08/11 10:38:27 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +int +CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos; + + pos = CMS_get0_content(cms); + if (pos == NULL) + return 0; + if (*pos == NULL) + *pos = ASN1_OCTET_STRING_new(); + if (*pos != NULL) { + (*pos)->flags |= ASN1_STRING_FLAG_NDEF; + (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; + *boundary = &(*pos)->data; + return 1; + } + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; +} + +CMS_ContentInfo * +d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms) +{ + return ASN1_item_d2i_bio(&CMS_ContentInfo_it, bp, cms); +} + +int +i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms) +{ + return ASN1_item_i2d_bio(&CMS_ContentInfo_it, bp, cms); +} + + +CMS_ContentInfo * +PEM_read_bio_CMS(BIO *bp, CMS_ContentInfo **x, pem_password_cb *cb, void *u) +{ + return PEM_ASN1_read_bio((d2i_of_void *)d2i_CMS_ContentInfo, PEM_STRING_CMS, bp, + (void **)x, cb, u); +} + +CMS_ContentInfo * +PEM_read_CMS(FILE *fp, CMS_ContentInfo **x, pem_password_cb *cb, void *u) +{ + return PEM_ASN1_read((d2i_of_void *)d2i_CMS_ContentInfo, PEM_STRING_CMS, fp, + (void **)x, cb, u); +} + +int +PEM_write_bio_CMS(BIO *bp, const CMS_ContentInfo *x) +{ + return PEM_ASN1_write_bio((i2d_of_void *)i2d_CMS_ContentInfo, PEM_STRING_CMS, bp, + (void *)x, NULL, NULL, 0, NULL, NULL); +} + +int +PEM_write_CMS(FILE *fp, const CMS_ContentInfo *x) +{ + return PEM_ASN1_write((i2d_of_void *)i2d_CMS_ContentInfo, PEM_STRING_CMS, fp, + (void *)x, NULL, NULL, 0, NULL, NULL); +} + +BIO * +BIO_new_CMS(BIO *out, CMS_ContentInfo *cms) +{ + return BIO_new_NDEF(out, (ASN1_VALUE *)cms, + &CMS_ContentInfo_it); +} + +/* CMS wrappers round generalised stream and MIME routines */ + +int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags) +{ + return i2d_ASN1_bio_stream(out, (ASN1_VALUE *)cms, in, flags, + &CMS_ContentInfo_it); +} + +int +PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags) +{ + return PEM_write_bio_ASN1_stream(out, (ASN1_VALUE *)cms, in, flags, + "CMS", &CMS_ContentInfo_it); +} + +int +SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags) +{ + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(cms->contentType); + int econt_nid = OBJ_obj2nid(CMS_get0_eContentType(cms)); + + if (ctype_nid == NID_pkcs7_signed) + mdalgs = cms->d.signedData->digestAlgorithms; + else + mdalgs = NULL; + + return SMIME_write_ASN1(bio, (ASN1_VALUE *)cms, data, flags, ctype_nid, + econt_nid, mdalgs, &CMS_ContentInfo_it); +} + +CMS_ContentInfo * +SMIME_read_CMS(BIO *bio, BIO **bcont) +{ + return (CMS_ContentInfo *)SMIME_read_ASN1(bio, bcont, + &CMS_ContentInfo_it); +} diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c new file mode 100644 index 00000000..21e3ce82 --- /dev/null +++ b/crypto/cms/cms_kari.c @@ -0,0 +1,483 @@ +/* $OpenBSD: cms_kari.c,v 1.13 2019/08/11 14:27:01 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" + +/* Key Agreement Recipient Info (KARI) routines */ + +int +CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, X509_ALGOR **palg, + ASN1_OCTET_STRING **pukm) +{ + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return 0; + } + if (palg) + *palg = ri->d.kari->keyEncryptionAlgorithm; + if (pukm) + *pukm = ri->d.kari->ukm; + + return 1; +} + +/* Retrieve recipient encrypted keys from a kari */ + +STACK_OF(CMS_RecipientEncryptedKey) * +CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri) +{ + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return NULL; + } + return ri->d.kari->recipientEncryptedKeys; +} + +int +CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri, X509_ALGOR **pubalg, + ASN1_BIT_STRING **pubkey, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, + ASN1_INTEGER **sno) +{ + CMS_OriginatorIdentifierOrKey *oik; + + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return 0; + } + oik = ri->d.kari->originator; + if (issuer) + *issuer = NULL; + if (sno) + *sno = NULL; + if (keyid) + *keyid = NULL; + if (pubalg) + *pubalg = NULL; + if (pubkey) + *pubkey = NULL; + if (oik->type == CMS_OIK_ISSUER_SERIAL) { + if (issuer) + *issuer = oik->d.issuerAndSerialNumber->issuer; + if (sno) + *sno = oik->d.issuerAndSerialNumber->serialNumber; + } else if (oik->type == CMS_OIK_KEYIDENTIFIER) { + if (keyid) + *keyid = oik->d.subjectKeyIdentifier; + } else if (oik->type == CMS_OIK_PUBKEY) { + if (pubalg) + *pubalg = oik->d.originatorKey->algorithm; + if (pubkey) + *pubkey = oik->d.originatorKey->publicKey; + } else + return 0; + + return 1; +} + +int +CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert) +{ + CMS_OriginatorIdentifierOrKey *oik; + + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return -2; + } + oik = ri->d.kari->originator; + if (oik->type == CMS_OIK_ISSUER_SERIAL) + return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert); + else if (oik->type == CMS_OIK_KEYIDENTIFIER) + return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert); + + return -1; +} + +int +CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek, + ASN1_OCTET_STRING **keyid, ASN1_GENERALIZEDTIME **tm, + CMS_OtherKeyAttribute **other, X509_NAME **issuer, ASN1_INTEGER **sno) +{ + CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; + + if (rid->type == CMS_REK_ISSUER_SERIAL) { + if (issuer) + *issuer = rid->d.issuerAndSerialNumber->issuer; + if (sno) + *sno = rid->d.issuerAndSerialNumber->serialNumber; + if (keyid) + *keyid = NULL; + if (tm) + *tm = NULL; + if (other) + *other = NULL; + } else if (rid->type == CMS_REK_KEYIDENTIFIER) { + if (keyid) + *keyid = rid->d.rKeyId->subjectKeyIdentifier; + if (tm) + *tm = rid->d.rKeyId->date; + if (other) + *other = rid->d.rKeyId->other; + if (issuer) + *issuer = NULL; + if (sno) + *sno = NULL; + } else + return 0; + + return 1; +} + +int +CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek, X509 *cert) +{ + CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; + + if (rid->type == CMS_REK_ISSUER_SERIAL) + return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert); + else if (rid->type == CMS_REK_KEYIDENTIFIER) + return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert); + else + return -1; +} + +int +CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk) +{ + EVP_PKEY_CTX *pctx; + CMS_KeyAgreeRecipientInfo *kari = ri->d.kari; + + EVP_PKEY_CTX_free(kari->pctx); + kari->pctx = NULL; + if (!pk) + return 1; + pctx = EVP_PKEY_CTX_new(pk, NULL); + if (!pctx || !EVP_PKEY_derive_init(pctx)) + goto err; + kari->pctx = pctx; + return 1; + + err: + EVP_PKEY_CTX_free(pctx); + return 0; +} + +EVP_CIPHER_CTX * +CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri) +{ + if (ri->type == CMS_RECIPINFO_AGREE) + return ri->d.kari->ctx; + return NULL; +} + +/* + * Derive KEK and decrypt/encrypt with it to produce either the original CEK + * or the encrypted CEK. + */ + +static int +cms_kek_cipher(unsigned char **pout, size_t *poutlen, const unsigned char *in, + size_t inlen, CMS_KeyAgreeRecipientInfo *kari, int enc) +{ + /* Key encryption key */ + unsigned char kek[EVP_MAX_KEY_LENGTH]; + size_t keklen; + int rv = 0; + unsigned char *out = NULL; + int outlen; + + keklen = EVP_CIPHER_CTX_key_length(kari->ctx); + if (keklen > EVP_MAX_KEY_LENGTH) + return 0; + /* Derive KEK */ + if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0) + goto err; + /* Set KEK in context */ + if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc)) + goto err; + /* obtain output length of ciphered key */ + if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen)) + goto err; + out = malloc(outlen); + if (out == NULL) + goto err; + if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen)) + goto err; + *pout = out; + *poutlen = (size_t)outlen; + rv = 1; + + err: + explicit_bzero(kek, keklen); + if (!rv) + free(out); + EVP_CIPHER_CTX_reset(kari->ctx); + /* FIXME: WHY IS kari->pctx freed here? /RL */ + EVP_PKEY_CTX_free(kari->pctx); + kari->pctx = NULL; + + return rv; +} + +int +CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, + CMS_RecipientEncryptedKey *rek) +{ + int rv = 0; + unsigned char *enckey = NULL, *cek = NULL; + size_t enckeylen; + size_t ceklen; + CMS_EncryptedContentInfo *ec; + + enckeylen = rek->encryptedKey->length; + enckey = rek->encryptedKey->data; + /* Setup all parameters to derive KEK */ + if (!cms_env_asn1_ctrl(ri, 1)) + goto err; + /* Attempt to decrypt CEK */ + if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0)) + goto err; + ec = cms->d.envelopedData->encryptedContentInfo; + freezero(ec->key, ec->keylen); + ec->key = cek; + ec->keylen = ceklen; + cek = NULL; + rv = 1; + + err: + free(cek); + + return rv; +} + +/* Create ephemeral key and initialise context based on it */ +static int +cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *pk) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *ekey = NULL; + int rv = 0; + + pctx = EVP_PKEY_CTX_new(pk, NULL); + if (!pctx) + goto err; + if (EVP_PKEY_keygen_init(pctx) <= 0) + goto err; + if (EVP_PKEY_keygen(pctx, &ekey) <= 0) + goto err; + EVP_PKEY_CTX_free(pctx); + pctx = EVP_PKEY_CTX_new(ekey, NULL); + if (!pctx) + goto err; + if (EVP_PKEY_derive_init(pctx) <= 0) + goto err; + kari->pctx = pctx; + rv = 1; + + err: + if (!rv) + EVP_PKEY_CTX_free(pctx); + EVP_PKEY_free(ekey); + + return rv; +} + +/* Initialise a kari based on passed certificate and key */ + +int +cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *pk, + unsigned int flags) +{ + CMS_KeyAgreeRecipientInfo *kari; + CMS_RecipientEncryptedKey *rek = NULL; + + ri->d.kari = (CMS_KeyAgreeRecipientInfo *)ASN1_item_new(&CMS_KeyAgreeRecipientInfo_it); + if (!ri->d.kari) + return 0; + ri->type = CMS_RECIPINFO_AGREE; + + kari = ri->d.kari; + kari->version = 3; + + rek = (CMS_RecipientEncryptedKey *)ASN1_item_new(&CMS_RecipientEncryptedKey_it); + if (rek == NULL) + return 0; + + if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) { + ASN1_item_free((ASN1_VALUE *)rek, &CMS_RecipientEncryptedKey_it); + return 0; + } + + if (flags & CMS_USE_KEYID) { + rek->rid->type = CMS_REK_KEYIDENTIFIER; + rek->rid->d.rKeyId = (CMS_RecipientKeyIdentifier *)ASN1_item_new(&CMS_RecipientKeyIdentifier_it); + if (rek->rid->d.rKeyId == NULL) + return 0; + if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) + return 0; + } else { + rek->rid->type = CMS_REK_ISSUER_SERIAL; + if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip)) + return 0; + } + + /* Create ephemeral key */ + if (!cms_kari_create_ephemeral_key(kari, pk)) + return 0; + + EVP_PKEY_up_ref(pk); + rek->pkey = pk; + + return 1; +} + +static int +cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, const EVP_CIPHER *cipher) +{ + EVP_CIPHER_CTX *ctx = kari->ctx; + const EVP_CIPHER *kekcipher; + int keylen = EVP_CIPHER_key_length(cipher); + + /* If a suitable wrap algorithm is already set nothing to do */ + kekcipher = EVP_CIPHER_CTX_cipher(ctx); + + if (kekcipher) { + if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE) + return 0; + return 1; + } + /* + * Pick a cipher based on content encryption cipher. If it is DES3 use + * DES3 wrap otherwise use AES wrap similar to key size. + */ +#ifndef OPENSSL_NO_DES +#if 0 + /* + * XXX - we do not currently support DES3 wrap and probably should just + * drop this code. + */ + if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc) + kekcipher = EVP_des_ede3_wrap(); + else +#endif +#endif + if (keylen <= 16) + kekcipher = EVP_aes_128_wrap(); + else if (keylen <= 24) + kekcipher = EVP_aes_192_wrap(); + else + kekcipher = EVP_aes_256_wrap(); + + return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL); +} + +/* Encrypt content key in key agreement recipient info */ + +int +cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_KeyAgreeRecipientInfo *kari; + CMS_EncryptedContentInfo *ec; + CMS_RecipientEncryptedKey *rek; + STACK_OF(CMS_RecipientEncryptedKey) *reks; + int i; + + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return 0; + } + kari = ri->d.kari; + reks = kari->recipientEncryptedKeys; + ec = cms->d.envelopedData->encryptedContentInfo; + /* Initialise wrap algorithm parameters */ + if (!cms_wrap_init(kari, ec->cipher)) + return 0; + /* + * If no originator key set up initialise for ephemeral key the public key + * ASN1 structure will set the actual public key value. + */ + if (kari->originator->type == -1) { + CMS_OriginatorIdentifierOrKey *oik = kari->originator; + oik->type = CMS_OIK_PUBKEY; + oik->d.originatorKey = (CMS_OriginatorPublicKey *)ASN1_item_new(&CMS_OriginatorPublicKey_it); + if (!oik->d.originatorKey) + return 0; + } + /* Initialise KDF algorithm */ + if (!cms_env_asn1_ctrl(ri, 0)) + return 0; + /* For each rek, derive KEK, encrypt CEK */ + for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) { + unsigned char *enckey; + size_t enckeylen; + rek = sk_CMS_RecipientEncryptedKey_value(reks, i); + if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0) + return 0; + if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen, + kari, 1)) + return 0; + ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen); + } + + return 1; +} diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h new file mode 100644 index 00000000..8083e553 --- /dev/null +++ b/crypto/cms/cms_lcl.h @@ -0,0 +1,484 @@ +/* $OpenBSD: cms_lcl.h,v 1.12 2019/10/04 18:03:56 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#ifndef HEADER_CMS_LCL_H +#define HEADER_CMS_LCL_H + +#include + +/* + * Cryptographic message syntax (CMS) structures: taken from RFC3852 + */ + +/* Forward references */ + +typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber; +typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo; +typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier; +typedef struct CMS_SignedData_st CMS_SignedData; +typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat; +typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo; +typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo; +typedef struct CMS_EnvelopedData_st CMS_EnvelopedData; +typedef struct CMS_DigestedData_st CMS_DigestedData; +typedef struct CMS_EncryptedData_st CMS_EncryptedData; +typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData; +typedef struct CMS_CompressedData_st CMS_CompressedData; +typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat; +typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo; +typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey; +typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey; +typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo; +typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier; +typedef struct CMS_KeyAgreeRecipientIdentifier_st + CMS_KeyAgreeRecipientIdentifier; +typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier; +typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo; +typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo; +typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo; +typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom; + +struct CMS_ContentInfo_st { + ASN1_OBJECT *contentType; + union { + ASN1_OCTET_STRING *data; + CMS_SignedData *signedData; + CMS_EnvelopedData *envelopedData; + CMS_DigestedData *digestedData; + CMS_EncryptedData *encryptedData; + CMS_AuthenticatedData *authenticatedData; + CMS_CompressedData *compressedData; + ASN1_TYPE *other; + /* Other types ... */ + void *otherData; + } d; +}; + +DECLARE_STACK_OF(CMS_CertificateChoices) + +struct CMS_SignedData_st { + long version; + STACK_OF(X509_ALGOR) *digestAlgorithms; + CMS_EncapsulatedContentInfo *encapContentInfo; + STACK_OF(CMS_CertificateChoices) *certificates; + STACK_OF(CMS_RevocationInfoChoice) *crls; + STACK_OF(CMS_SignerInfo) *signerInfos; +}; + +struct CMS_EncapsulatedContentInfo_st { + ASN1_OBJECT *eContentType; + ASN1_OCTET_STRING *eContent; + /* Set to 1 if incomplete structure only part set up */ + int partial; +}; + +struct CMS_SignerInfo_st { + long version; + CMS_SignerIdentifier *sid; + X509_ALGOR *digestAlgorithm; + STACK_OF(X509_ATTRIBUTE) *signedAttrs; + X509_ALGOR *signatureAlgorithm; + ASN1_OCTET_STRING *signature; + STACK_OF(X509_ATTRIBUTE) *unsignedAttrs; + /* Signing certificate and key */ + X509 *signer; + EVP_PKEY *pkey; + /* Digest and public key context for alternative parameters */ + EVP_MD_CTX *mctx; + EVP_PKEY_CTX *pctx; +}; + +struct CMS_SignerIdentifier_st { + int type; + union { + CMS_IssuerAndSerialNumber *issuerAndSerialNumber; + ASN1_OCTET_STRING *subjectKeyIdentifier; + } d; +}; + +struct CMS_EnvelopedData_st { + long version; + CMS_OriginatorInfo *originatorInfo; + STACK_OF(CMS_RecipientInfo) *recipientInfos; + CMS_EncryptedContentInfo *encryptedContentInfo; + STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs; +}; + +struct CMS_OriginatorInfo_st { + STACK_OF(CMS_CertificateChoices) *certificates; + STACK_OF(CMS_RevocationInfoChoice) *crls; +}; + +struct CMS_EncryptedContentInfo_st { + ASN1_OBJECT *contentType; + X509_ALGOR *contentEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedContent; + /* Content encryption algorithm and key */ + const EVP_CIPHER *cipher; + unsigned char *key; + size_t keylen; + /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ + int debug; + /* Set to 1 if we have no cert and need exta safety measures for MMA */ + int havenocert; +}; + +struct CMS_RecipientInfo_st { + int type; + union { + CMS_KeyTransRecipientInfo *ktri; + CMS_KeyAgreeRecipientInfo *kari; + CMS_KEKRecipientInfo *kekri; + CMS_PasswordRecipientInfo *pwri; + CMS_OtherRecipientInfo *ori; + } d; +}; + +typedef CMS_SignerIdentifier CMS_RecipientIdentifier; + +struct CMS_KeyTransRecipientInfo_st { + long version; + CMS_RecipientIdentifier *rid; + X509_ALGOR *keyEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedKey; + /* Recipient Key and cert */ + X509 *recip; + EVP_PKEY *pkey; + /* Public key context for this operation */ + EVP_PKEY_CTX *pctx; +}; + +struct CMS_KeyAgreeRecipientInfo_st { + long version; + CMS_OriginatorIdentifierOrKey *originator; + ASN1_OCTET_STRING *ukm; + X509_ALGOR *keyEncryptionAlgorithm; + STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys; + /* Public key context associated with current operation */ + EVP_PKEY_CTX *pctx; + /* Cipher context for CEK wrapping */ + EVP_CIPHER_CTX *ctx; +}; + +struct CMS_OriginatorIdentifierOrKey_st { + int type; + union { + CMS_IssuerAndSerialNumber *issuerAndSerialNumber; + ASN1_OCTET_STRING *subjectKeyIdentifier; + CMS_OriginatorPublicKey *originatorKey; + } d; +}; + +struct CMS_OriginatorPublicKey_st { + X509_ALGOR *algorithm; + ASN1_BIT_STRING *publicKey; +}; + +struct CMS_RecipientEncryptedKey_st { + CMS_KeyAgreeRecipientIdentifier *rid; + ASN1_OCTET_STRING *encryptedKey; + /* Public key associated with this recipient */ + EVP_PKEY *pkey; +}; + +struct CMS_KeyAgreeRecipientIdentifier_st { + int type; + union { + CMS_IssuerAndSerialNumber *issuerAndSerialNumber; + CMS_RecipientKeyIdentifier *rKeyId; + } d; +}; + +struct CMS_RecipientKeyIdentifier_st { + ASN1_OCTET_STRING *subjectKeyIdentifier; + ASN1_GENERALIZEDTIME *date; + CMS_OtherKeyAttribute *other; +}; + +struct CMS_KEKRecipientInfo_st { + long version; + CMS_KEKIdentifier *kekid; + X509_ALGOR *keyEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedKey; + /* Extra info: symmetric key to use */ + unsigned char *key; + size_t keylen; +}; + +struct CMS_KEKIdentifier_st { + ASN1_OCTET_STRING *keyIdentifier; + ASN1_GENERALIZEDTIME *date; + CMS_OtherKeyAttribute *other; +}; + +struct CMS_PasswordRecipientInfo_st { + long version; + X509_ALGOR *keyDerivationAlgorithm; + X509_ALGOR *keyEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedKey; + /* Extra info: password to use */ + unsigned char *pass; + size_t passlen; +}; + +struct CMS_OtherRecipientInfo_st { + ASN1_OBJECT *oriType; + ASN1_TYPE *oriValue; +}; + +struct CMS_DigestedData_st { + long version; + X509_ALGOR *digestAlgorithm; + CMS_EncapsulatedContentInfo *encapContentInfo; + ASN1_OCTET_STRING *digest; +}; + +struct CMS_EncryptedData_st { + long version; + CMS_EncryptedContentInfo *encryptedContentInfo; + STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs; +}; + +struct CMS_AuthenticatedData_st { + long version; + CMS_OriginatorInfo *originatorInfo; + STACK_OF(CMS_RecipientInfo) *recipientInfos; + X509_ALGOR *macAlgorithm; + X509_ALGOR *digestAlgorithm; + CMS_EncapsulatedContentInfo *encapContentInfo; + STACK_OF(X509_ATTRIBUTE) *authAttrs; + ASN1_OCTET_STRING *mac; + STACK_OF(X509_ATTRIBUTE) *unauthAttrs; +}; + +struct CMS_CompressedData_st { + long version; + X509_ALGOR *compressionAlgorithm; + STACK_OF(CMS_RecipientInfo) *recipientInfos; + CMS_EncapsulatedContentInfo *encapContentInfo; +}; + +struct CMS_RevocationInfoChoice_st { + int type; + union { + X509_CRL *crl; + CMS_OtherRevocationInfoFormat *other; + } d; +}; + +#define CMS_REVCHOICE_CRL 0 +#define CMS_REVCHOICE_OTHER 1 + +struct CMS_OtherRevocationInfoFormat_st { + ASN1_OBJECT *otherRevInfoFormat; + ASN1_TYPE *otherRevInfo; +}; + +struct CMS_CertificateChoices { + int type; + union { + X509 *certificate; + ASN1_STRING *extendedCertificate; /* Obsolete */ + ASN1_STRING *v1AttrCert; /* Left encoded for now */ + ASN1_STRING *v2AttrCert; /* Left encoded for now */ + CMS_OtherCertificateFormat *other; + } d; +}; + +#define CMS_CERTCHOICE_CERT 0 +#define CMS_CERTCHOICE_EXCERT 1 +#define CMS_CERTCHOICE_V1ACERT 2 +#define CMS_CERTCHOICE_V2ACERT 3 +#define CMS_CERTCHOICE_OTHER 4 + +struct CMS_OtherCertificateFormat_st { + ASN1_OBJECT *otherCertFormat; + ASN1_TYPE *otherCert; +}; + +/* + * This is also defined in pkcs7.h but we duplicate it to allow the CMS code + * to be independent of PKCS#7 + */ + +struct CMS_IssuerAndSerialNumber_st { + X509_NAME *issuer; + ASN1_INTEGER *serialNumber; +}; + +struct CMS_OtherKeyAttribute_st { + ASN1_OBJECT *keyAttrId; + ASN1_TYPE *keyAttr; +}; + +/* ESS structures */ + +#ifdef HEADER_X509V3_H + +struct CMS_ReceiptRequest_st { + ASN1_OCTET_STRING *signedContentIdentifier; + CMS_ReceiptsFrom *receiptsFrom; + STACK_OF(GENERAL_NAMES) *receiptsTo; +}; + +struct CMS_ReceiptsFrom_st { + int type; + union { + long allOrFirstTier; + STACK_OF(GENERAL_NAMES) *receiptList; + } d; +}; +#endif + +struct CMS_Receipt_st { + long version; + ASN1_OBJECT *contentType; + ASN1_OCTET_STRING *signedContentIdentifier; + ASN1_OCTET_STRING *originatorSignatureValue; +}; + +CMS_ContentInfo *CMS_ContentInfo_new(void); +void CMS_ContentInfo_free(CMS_ContentInfo *a); +CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len); +int i2d_CMS_ContentInfo(CMS_ContentInfo *a, unsigned char **out); +extern const ASN1_ITEM CMS_ContentInfo_it; +extern const ASN1_ITEM CMS_SignerInfo_it; +extern const ASN1_ITEM CMS_IssuerAndSerialNumber_it; +extern const ASN1_ITEM CMS_Attributes_Sign_it; +extern const ASN1_ITEM CMS_Attributes_Verify_it; +extern const ASN1_ITEM CMS_RecipientInfo_it; +extern const ASN1_ITEM CMS_PasswordRecipientInfo_it; +CMS_IssuerAndSerialNumber *CMS_IssuerAndSerialNumber_new(void); +void CMS_IssuerAndSerialNumber_free(CMS_IssuerAndSerialNumber *a); + +#define CMS_SIGNERINFO_ISSUER_SERIAL 0 +#define CMS_SIGNERINFO_KEYIDENTIFIER 1 + +#define CMS_RECIPINFO_ISSUER_SERIAL 0 +#define CMS_RECIPINFO_KEYIDENTIFIER 1 + +#define CMS_REK_ISSUER_SERIAL 0 +#define CMS_REK_KEYIDENTIFIER 1 + +#define CMS_OIK_ISSUER_SERIAL 0 +#define CMS_OIK_KEYIDENTIFIER 1 +#define CMS_OIK_PUBKEY 2 + +BIO *cms_content_bio(CMS_ContentInfo *cms); + +CMS_ContentInfo *cms_Data_create(void); + +CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md); +BIO *cms_DigestedData_init_bio(CMS_ContentInfo *cms); +int cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify); + +BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms); +int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain); +int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type); +int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, + ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno); +int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert); + +CMS_ContentInfo *cms_CompressedData_create(int comp_nid); +BIO *cms_CompressedData_init_bio(CMS_ContentInfo *cms); + +BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm); +int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, + X509_ALGOR *mdalg); + +int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert); +int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert); +int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); +int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); + +BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec); +BIO *cms_EncryptedData_init_bio(CMS_ContentInfo *cms); +int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen); + +int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms); +int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src); +ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si); + +BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms); +CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms); +int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd); +int cms_pkey_get_ri_type(EVP_PKEY *pk); +/* KARI routines */ +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, + EVP_PKEY *pk, unsigned int flags); +int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri); + +/* PWRI routines */ +int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, + int en_de); + +extern const ASN1_ITEM CMS_CertificateChoices_it; +extern const ASN1_ITEM CMS_DigestedData_it; +extern const ASN1_ITEM CMS_EncryptedData_it; +extern const ASN1_ITEM CMS_EnvelopedData_it; +extern const ASN1_ITEM CMS_KEKRecipientInfo_it; +extern const ASN1_ITEM CMS_KeyAgreeRecipientInfo_it; +extern const ASN1_ITEM CMS_KeyTransRecipientInfo_it; +extern const ASN1_ITEM CMS_OriginatorPublicKey_it; +extern const ASN1_ITEM CMS_OtherKeyAttribute_it; +extern const ASN1_ITEM CMS_Receipt_it; +extern const ASN1_ITEM CMS_ReceiptRequest_it; +extern const ASN1_ITEM CMS_RecipientEncryptedKey_it; +extern const ASN1_ITEM CMS_RecipientKeyIdentifier_it; +extern const ASN1_ITEM CMS_RevocationInfoChoice_it; +extern const ASN1_ITEM CMS_SignedData_it; +extern const ASN1_ITEM CMS_CompressedData_it; + +#endif diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c new file mode 100644 index 00000000..b6580dd6 --- /dev/null +++ b/crypto/cms/cms_lib.c @@ -0,0 +1,720 @@ +/* $OpenBSD: cms_lib.c,v 1.14 2019/08/12 18:13:13 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + + +CMS_ContentInfo * +d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len) +{ + return (CMS_ContentInfo *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &CMS_ContentInfo_it); +} + +int +i2d_CMS_ContentInfo(CMS_ContentInfo *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &CMS_ContentInfo_it); +} + +CMS_ContentInfo * +CMS_ContentInfo_new(void) +{ + return (CMS_ContentInfo *)ASN1_item_new(&CMS_ContentInfo_it); +} + +void +CMS_ContentInfo_free(CMS_ContentInfo *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &CMS_ContentInfo_it); +} + +int +CMS_ContentInfo_print_ctx(BIO *out, CMS_ContentInfo *x, int indent, const ASN1_PCTX *pctx) +{ + return ASN1_item_print(out, (ASN1_VALUE *)x, indent, + &CMS_ContentInfo_it, pctx); +} + +const ASN1_OBJECT * +CMS_get0_type(const CMS_ContentInfo *cms) +{ + return cms->contentType; +} + +CMS_ContentInfo * +cms_Data_create(void) +{ + CMS_ContentInfo *cms; + + cms = CMS_ContentInfo_new(); + if (cms != NULL) { + cms->contentType = OBJ_nid2obj(NID_pkcs7_data); + /* Never detached */ + CMS_set_detached(cms, 0); + } + return cms; +} + +BIO * +cms_content_bio(CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos = CMS_get0_content(cms); + + if (!pos) + return NULL; + /* If content detached data goes nowhere: create NULL BIO */ + if (!*pos) + return BIO_new(BIO_s_null()); + /* + * If content not detached and created return memory BIO + */ + if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT)) + return BIO_new(BIO_s_mem()); + + /* Else content was read in: return read only BIO for it */ + return BIO_new_mem_buf((*pos)->data, (*pos)->length); +} + +BIO * +CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) +{ + BIO *cmsbio, *cont; + + if (icont) + cont = icont; + else + cont = cms_content_bio(cms); + if (!cont) { + CMSerror(CMS_R_NO_CONTENT); + return NULL; + } + switch (OBJ_obj2nid(cms->contentType)) { + + case NID_pkcs7_data: + return cont; + + case NID_pkcs7_signed: + cmsbio = cms_SignedData_init_bio(cms); + break; + + case NID_pkcs7_digest: + cmsbio = cms_DigestedData_init_bio(cms); + break; +#ifdef ZLIB + case NID_id_smime_ct_compressedData: + cmsbio = cms_CompressedData_init_bio(cms); + break; +#endif + + case NID_pkcs7_encrypted: + cmsbio = cms_EncryptedData_init_bio(cms); + break; + + case NID_pkcs7_enveloped: + cmsbio = cms_EnvelopedData_init_bio(cms); + break; + + default: + CMSerror(CMS_R_UNSUPPORTED_TYPE); + return NULL; + } + + if (cmsbio) + return BIO_push(cmsbio, cont); + + if (!icont) + BIO_free(cont); + + return NULL; +} + +int +CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio) +{ + ASN1_OCTET_STRING **pos = CMS_get0_content(cms); + + if (!pos) + return 0; + /* If embedded content find memory BIO and set content */ + if (*pos && ((*pos)->flags & ASN1_STRING_FLAG_CONT)) { + BIO *mbio; + unsigned char *cont; + long contlen; + mbio = BIO_find_type(cmsbio, BIO_TYPE_MEM); + if (!mbio) { + CMSerror(CMS_R_CONTENT_NOT_FOUND); + return 0; + } + contlen = BIO_get_mem_data(mbio, &cont); + /* Set bio as read only so its content can't be clobbered */ + BIO_set_flags(mbio, BIO_FLAGS_MEM_RDONLY); + BIO_set_mem_eof_return(mbio, 0); + ASN1_STRING_set0(*pos, cont, contlen); + (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; + } + + switch (OBJ_obj2nid(cms->contentType)) { + + case NID_pkcs7_data: + case NID_pkcs7_enveloped: + case NID_pkcs7_encrypted: + case NID_id_smime_ct_compressedData: + /* Nothing to do */ + return 1; + + case NID_pkcs7_signed: + return cms_SignedData_final(cms, cmsbio); + + case NID_pkcs7_digest: + return cms_DigestedData_do_final(cms, cmsbio, 0); + + default: + CMSerror(CMS_R_UNSUPPORTED_TYPE); + return 0; + } +} + +/* + * Return an OCTET STRING pointer to content. This allows it to be accessed + * or set later. + */ + +ASN1_OCTET_STRING ** +CMS_get0_content(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_data: + return &cms->d.data; + + case NID_pkcs7_signed: + return &cms->d.signedData->encapContentInfo->eContent; + + case NID_pkcs7_enveloped: + return &cms->d.envelopedData->encryptedContentInfo->encryptedContent; + + case NID_pkcs7_digest: + return &cms->d.digestedData->encapContentInfo->eContent; + + case NID_pkcs7_encrypted: + return &cms->d.encryptedData->encryptedContentInfo->encryptedContent; + + case NID_id_smime_ct_authData: + return &cms->d.authenticatedData->encapContentInfo->eContent; + + case NID_id_smime_ct_compressedData: + return &cms->d.compressedData->encapContentInfo->eContent; + + default: + if (cms->d.other->type == V_ASN1_OCTET_STRING) + return &cms->d.other->value.octet_string; + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +/* + * Return an ASN1_OBJECT pointer to content type. This allows it to be + * accessed or set later. + */ + +static ASN1_OBJECT ** +cms_get0_econtent_type(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_signed: + return &cms->d.signedData->encapContentInfo->eContentType; + + case NID_pkcs7_enveloped: + return &cms->d.envelopedData->encryptedContentInfo->contentType; + + case NID_pkcs7_digest: + return &cms->d.digestedData->encapContentInfo->eContentType; + + case NID_pkcs7_encrypted: + return &cms->d.encryptedData->encryptedContentInfo->contentType; + + case NID_id_smime_ct_authData: + return &cms->d.authenticatedData->encapContentInfo->eContentType; + + case NID_id_smime_ct_compressedData: + return &cms->d.compressedData->encapContentInfo->eContentType; + + default: + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +const ASN1_OBJECT * +CMS_get0_eContentType(CMS_ContentInfo *cms) +{ + ASN1_OBJECT **petype; + + petype = cms_get0_econtent_type(cms); + if (petype) + return *petype; + + return NULL; +} + +int +CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid) +{ + ASN1_OBJECT **petype, *etype; + + petype = cms_get0_econtent_type(cms); + if (!petype) + return 0; + if (!oid) + return 1; + etype = OBJ_dup(oid); + if (!etype) + return 0; + ASN1_OBJECT_free(*petype); + *petype = etype; + + return 1; +} + +int +CMS_is_detached(CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos; + + pos = CMS_get0_content(cms); + if (!pos) + return -1; + if (*pos) + return 0; + + return 1; +} + +int +CMS_set_detached(CMS_ContentInfo *cms, int detached) +{ + ASN1_OCTET_STRING **pos; + + pos = CMS_get0_content(cms); + if (!pos) + return 0; + if (detached) { + ASN1_OCTET_STRING_free(*pos); + *pos = NULL; + return 1; + } + if (*pos == NULL) + *pos = ASN1_OCTET_STRING_new(); + if (*pos != NULL) { + /* + * NB: special flag to show content is created and not read in. + */ + (*pos)->flags |= ASN1_STRING_FLAG_CONT; + return 1; + } + CMSerror(ERR_R_MALLOC_FAILURE); + + return 0; +} + +/* Create a digest BIO from an X509_ALGOR structure */ + +BIO * +cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm) +{ + BIO *mdbio = NULL; + const ASN1_OBJECT *digestoid; + const EVP_MD *digest; + + X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm); + digest = EVP_get_digestbyobj(digestoid); + if (!digest) { + CMSerror(CMS_R_UNKNOWN_DIGEST_ALGORITHM); + goto err; + } + mdbio = BIO_new(BIO_f_md()); + if (mdbio == NULL || !BIO_set_md(mdbio, digest)) { + CMSerror(CMS_R_MD_BIO_INIT_ERROR); + goto err; + } + return mdbio; + + err: + BIO_free(mdbio); + + return NULL; +} + +/* Locate a message digest content from a BIO chain based on SignerInfo */ + +int +cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, X509_ALGOR *mdalg) +{ + int nid; + const ASN1_OBJECT *mdoid; + + X509_ALGOR_get0(&mdoid, NULL, NULL, mdalg); + nid = OBJ_obj2nid(mdoid); + /* Look for digest type to match signature */ + for (;;) { + EVP_MD_CTX *mtmp; + chain = BIO_find_type(chain, BIO_TYPE_MD); + if (chain == NULL) { + CMSerror(CMS_R_NO_MATCHING_DIGEST); + return 0; + } + BIO_get_md_ctx(chain, &mtmp); + if (EVP_MD_CTX_type(mtmp) == nid + /* + * Workaround for broken implementations that use signature + * algorithm OID instead of digest. + */ + || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) + return EVP_MD_CTX_copy_ex(mctx, mtmp); + chain = BIO_next(chain); + } +} + +static STACK_OF(CMS_CertificateChoices) ** +cms_get0_certificate_choices(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_signed: + return &cms->d.signedData->certificates; + + case NID_pkcs7_enveloped: + if (cms->d.envelopedData->originatorInfo == NULL) + return NULL; + return &cms->d.envelopedData->originatorInfo->certificates; + + default: + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +CMS_CertificateChoices * +CMS_add0_CertificateChoices(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_CertificateChoices) **pcerts; + CMS_CertificateChoices *cch; + + pcerts = cms_get0_certificate_choices(cms); + if (!pcerts) + return NULL; + if (!*pcerts) + *pcerts = sk_CMS_CertificateChoices_new_null(); + if (!*pcerts) + return NULL; + cch = (CMS_CertificateChoices *)ASN1_item_new(&CMS_CertificateChoices_it); + if (!cch) + return NULL; + if (!sk_CMS_CertificateChoices_push(*pcerts, cch)) { + ASN1_item_free((ASN1_VALUE *)cch, &CMS_CertificateChoices_it); + return NULL; + } + + return cch; +} + +int +CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert) +{ + CMS_CertificateChoices *cch; + STACK_OF(CMS_CertificateChoices) **pcerts; + int i; + + pcerts = cms_get0_certificate_choices(cms); + if (!pcerts) + return 0; + for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { + cch = sk_CMS_CertificateChoices_value(*pcerts, i); + if (cch->type == CMS_CERTCHOICE_CERT) { + if (!X509_cmp(cch->d.certificate, cert)) { + CMSerror(CMS_R_CERTIFICATE_ALREADY_PRESENT); + return 0; + } + } + } + cch = CMS_add0_CertificateChoices(cms); + if (!cch) + return 0; + cch->type = CMS_CERTCHOICE_CERT; + cch->d.certificate = cert; + + return 1; +} + +int +CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert) +{ + int r; + + r = CMS_add0_cert(cms, cert); + if (r > 0) + X509_up_ref(cert); + + return r; +} + +static STACK_OF(CMS_RevocationInfoChoice) ** +cms_get0_revocation_choices(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_signed: + return &cms->d.signedData->crls; + + case NID_pkcs7_enveloped: + if (cms->d.envelopedData->originatorInfo == NULL) + return NULL; + return &cms->d.envelopedData->originatorInfo->crls; + + default: + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +CMS_RevocationInfoChoice * +CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_RevocationInfoChoice) **pcrls; + CMS_RevocationInfoChoice *rch; + + pcrls = cms_get0_revocation_choices(cms); + if (!pcrls) + return NULL; + if (!*pcrls) + *pcrls = sk_CMS_RevocationInfoChoice_new_null(); + if (!*pcrls) + return NULL; + rch = (CMS_RevocationInfoChoice *)ASN1_item_new(&CMS_RevocationInfoChoice_it); + if (!rch) + return NULL; + if (!sk_CMS_RevocationInfoChoice_push(*pcrls, rch)) { + ASN1_item_free((ASN1_VALUE *)rch, &CMS_RevocationInfoChoice_it); + return NULL; + } + + return rch; +} + +int +CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl) +{ + CMS_RevocationInfoChoice *rch; + + rch = CMS_add0_RevocationInfoChoice(cms); + if (!rch) + return 0; + rch->type = CMS_REVCHOICE_CRL; + rch->d.crl = crl; + + return 1; +} + +int +CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl) +{ + int r; + + r = CMS_add0_crl(cms, crl); + if (r > 0) + X509_CRL_up_ref(crl); + + return r; +} + +STACK_OF(X509) * +CMS_get1_certs(CMS_ContentInfo *cms) +{ + STACK_OF(X509) *certs = NULL; + CMS_CertificateChoices *cch; + STACK_OF(CMS_CertificateChoices) **pcerts; + int i; + + pcerts = cms_get0_certificate_choices(cms); + if (!pcerts) + return NULL; + for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { + cch = sk_CMS_CertificateChoices_value(*pcerts, i); + if (cch->type == 0) { + if (!certs) { + certs = sk_X509_new_null(); + if (!certs) + return NULL; + } + if (!sk_X509_push(certs, cch->d.certificate)) { + sk_X509_pop_free(certs, X509_free); + return NULL; + } + X509_up_ref(cch->d.certificate); + } + } + return certs; +} + +STACK_OF(X509_CRL) * +CMS_get1_crls(CMS_ContentInfo *cms) +{ + STACK_OF(X509_CRL) *crls = NULL; + STACK_OF(CMS_RevocationInfoChoice) **pcrls; + CMS_RevocationInfoChoice *rch; + int i; + + pcrls = cms_get0_revocation_choices(cms); + if (!pcrls) + return NULL; + for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++) { + rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i); + if (rch->type == 0) { + if (!crls) { + crls = sk_X509_CRL_new_null(); + if (!crls) + return NULL; + } + if (!sk_X509_CRL_push(crls, rch->d.crl)) { + sk_X509_CRL_pop_free(crls, X509_CRL_free); + return NULL; + } + X509_CRL_up_ref(rch->d.crl); + } + } + return crls; +} + +static const ASN1_OCTET_STRING * +cms_X509_get0_subject_key_id(X509 *x) +{ + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(x, -1, -1); + return x->skid; +} + +int +cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert) +{ + int ret; + + ret = X509_NAME_cmp(ias->issuer, X509_get_issuer_name(cert)); + if (ret) + return ret; + + return ASN1_INTEGER_cmp(ias->serialNumber, X509_get_serialNumber(cert)); +} + +int +cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) +{ + const ASN1_OCTET_STRING *cert_keyid = cms_X509_get0_subject_key_id(cert); + + if (cert_keyid == NULL) + return -1; + + return ASN1_OCTET_STRING_cmp(keyid, cert_keyid); +} + +int +cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) +{ + CMS_IssuerAndSerialNumber *ias; + + ias = (CMS_IssuerAndSerialNumber *)ASN1_item_new(&CMS_IssuerAndSerialNumber_it); + if (!ias) + goto err; + if (!X509_NAME_set(&ias->issuer, X509_get_issuer_name(cert))) + goto err; + if (!ASN1_STRING_copy(ias->serialNumber, X509_get_serialNumber(cert))) + goto err; + ASN1_item_free((ASN1_VALUE *)*pias, &CMS_IssuerAndSerialNumber_it); + *pias = ias; + + return 1; + + err: + ASN1_item_free((ASN1_VALUE *)ias, &CMS_IssuerAndSerialNumber_it); + CMSerror(ERR_R_MALLOC_FAILURE); + + return 0; +} + +int +cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) +{ + ASN1_OCTET_STRING *keyid = NULL; + const ASN1_OCTET_STRING *cert_keyid; + + cert_keyid = cms_X509_get0_subject_key_id(cert); + if (cert_keyid == NULL) { + CMSerror(CMS_R_CERTIFICATE_HAS_NO_KEYID); + return 0; + } + keyid = ASN1_STRING_dup(cert_keyid); + if (!keyid) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + ASN1_OCTET_STRING_free(*pkeyid); + *pkeyid = keyid; + + return 1; +} diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c new file mode 100644 index 00000000..cf28dfc8 --- /dev/null +++ b/crypto/cms/cms_pwri.c @@ -0,0 +1,431 @@ +/* $OpenBSD: cms_pwri.c,v 1.26 2019/08/12 18:04:57 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2009 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" + +int +CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, unsigned char *pass, + ssize_t passlen) +{ + CMS_PasswordRecipientInfo *pwri; + + if (ri->type != CMS_RECIPINFO_PASS) { + CMSerror(CMS_R_NOT_PWRI); + return 0; + } + + pwri = ri->d.pwri; + pwri->pass = pass; + if (pass && passlen < 0) + passlen = strlen((char *)pass); + pwri->passlen = passlen; + + return 1; +} + +CMS_RecipientInfo * +CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid, + int pbe_nid, unsigned char *pass, ssize_t passlen, + const EVP_CIPHER *kekciph) +{ + CMS_RecipientInfo *ri = NULL; + CMS_EnvelopedData *env; + CMS_PasswordRecipientInfo *pwri; + EVP_CIPHER_CTX *ctx = NULL; + X509_ALGOR *encalg = NULL; + unsigned char iv[EVP_MAX_IV_LENGTH]; + int ivlen; + + env = cms_get0_enveloped(cms); + if (!env) + return NULL; + + if (wrap_nid <= 0) + wrap_nid = NID_id_alg_PWRI_KEK; + + if (pbe_nid <= 0) + pbe_nid = NID_id_pbkdf2; + + /* Get from enveloped data */ + if (kekciph == NULL) + kekciph = env->encryptedContentInfo->cipher; + + if (kekciph == NULL) { + CMSerror(CMS_R_NO_CIPHER); + return NULL; + } + if (wrap_nid != NID_id_alg_PWRI_KEK) { + CMSerror(CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); + return NULL; + } + + /* Setup algorithm identifier for cipher */ + encalg = X509_ALGOR_new(); + if (encalg == NULL) { + goto merr; + } + ctx = EVP_CIPHER_CTX_new(); + + if (EVP_EncryptInit_ex(ctx, kekciph, NULL, NULL, NULL) <= 0) { + CMSerror(ERR_R_EVP_LIB); + goto err; + } + + ivlen = EVP_CIPHER_CTX_iv_length(ctx); + + if (ivlen > 0) { + arc4random_buf(iv, ivlen); + if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) { + CMSerror(ERR_R_EVP_LIB); + goto err; + } + encalg->parameter = ASN1_TYPE_new(); + if (!encalg->parameter) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_CIPHER_param_to_asn1(ctx, encalg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + } + + encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); + + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Initialize recipient info */ + ri = (CMS_RecipientInfo *)ASN1_item_new(&CMS_RecipientInfo_it); + if (ri == NULL) + goto merr; + + ri->d.pwri = (CMS_PasswordRecipientInfo *)ASN1_item_new(&CMS_PasswordRecipientInfo_it); + if (ri->d.pwri == NULL) + goto merr; + ri->type = CMS_RECIPINFO_PASS; + + pwri = ri->d.pwri; + /* Since this is overwritten, free up empty structure already there */ + X509_ALGOR_free(pwri->keyEncryptionAlgorithm); + pwri->keyEncryptionAlgorithm = X509_ALGOR_new(); + if (pwri->keyEncryptionAlgorithm == NULL) + goto merr; + pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid); + pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new(); + if (pwri->keyEncryptionAlgorithm->parameter == NULL) + goto merr; + + if (!ASN1_item_pack(encalg, &X509_ALGOR_it, + &pwri->keyEncryptionAlgorithm->parameter->value.sequence)) + goto merr; + pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE; + + X509_ALGOR_free(encalg); + encalg = NULL; + + /* Setup PBE algorithm */ + + pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1); + + if (!pwri->keyDerivationAlgorithm) + goto err; + + CMS_RecipientInfo_set0_password(ri, pass, passlen); + pwri->version = 0; + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + return ri; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + EVP_CIPHER_CTX_free(ctx); + if (ri) + ASN1_item_free((ASN1_VALUE *)ri, &CMS_RecipientInfo_it); + X509_ALGOR_free(encalg); + + return NULL; +} + +/* + * This is an implementation of the key wrapping mechanism in RFC3211, at + * some point this should go into EVP. + */ + +static int +kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, + size_t inlen, EVP_CIPHER_CTX *ctx) +{ + size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); + unsigned char *tmp; + int outl, rv = 0; + + if (inlen < 2 * blocklen) { + /* too small */ + return 0; + } + if (inlen % blocklen) { + /* Invalid size */ + return 0; + } + if ((tmp = malloc(inlen)) == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + /* setup IV by decrypting last two blocks */ + if (!EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, + in + inlen - 2 * blocklen, blocklen * 2) + /* + * Do a decrypt of last decrypted block to set IV to correct value + * output it to start of buffer so we don't corrupt decrypted block + * this works because buffer is at least two block lengths long. + */ + || !EVP_DecryptUpdate(ctx, tmp, &outl, tmp + inlen - blocklen, blocklen) + /* Can now decrypt first n - 1 blocks */ + || !EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen) + + /* Reset IV to original value */ + || !EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL) + /* Decrypt again */ + || !EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen)) + goto err; + /* Check check bytes */ + if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff) { + /* Check byte failure */ + goto err; + } + if (inlen < (size_t)(tmp[0] - 4)) { + /* Invalid length value */ + goto err; + } + *outlen = (size_t)tmp[0]; + memcpy(out, tmp + 4, *outlen); + rv = 1; + + err: + freezero(tmp, inlen); + + return rv; +} + +static int +kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, + size_t inlen, EVP_CIPHER_CTX *ctx) +{ + size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); + size_t olen; + int dummy; + + /* + * First decide length of output buffer: need header and round up to + * multiple of block length. + */ + olen = (inlen + 4 + blocklen - 1) / blocklen; + olen *= blocklen; + if (olen < 2 * blocklen) { + /* Key too small */ + return 0; + } + if (inlen > 0xFF) { + /* Key too large */ + return 0; + } + if (out) { + /* Set header */ + out[0] = (unsigned char)inlen; + out[1] = in[0] ^ 0xFF; + out[2] = in[1] ^ 0xFF; + out[3] = in[2] ^ 0xFF; + memcpy(out + 4, in, inlen); + /* Add random padding to end */ + if (olen > inlen + 4) + arc4random_buf(out + 4 + inlen, olen - 4 - inlen); + /* Encrypt twice */ + if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen) || + !EVP_EncryptUpdate(ctx, out, &dummy, out, olen)) + return 0; + } + + *outlen = olen; + + return 1; +} + +/* Encrypt/Decrypt content key in PWRI recipient info */ + +int +cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, + int en_de) +{ + CMS_EncryptedContentInfo *ec; + CMS_PasswordRecipientInfo *pwri; + int r = 0; + X509_ALGOR *algtmp, *kekalg = NULL; + EVP_CIPHER_CTX *kekctx = NULL; + const EVP_CIPHER *kekcipher; + unsigned char *key = NULL; + size_t keylen; + + ec = cms->d.envelopedData->encryptedContentInfo; + + pwri = ri->d.pwri; + + if (!pwri->pass) { + CMSerror(CMS_R_NO_PASSWORD); + return 0; + } + algtmp = pwri->keyEncryptionAlgorithm; + + if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK) { + CMSerror(CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); + return 0; + } + + if (algtmp->parameter != NULL && + algtmp->parameter->type == V_ASN1_SEQUENCE && + algtmp->parameter->value.sequence != NULL) + kekalg = ASN1_item_unpack(algtmp->parameter->value.sequence, + &X509_ALGOR_it); + + if (kekalg == NULL) { + CMSerror(CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER); + return 0; + } + + kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); + if (!kekcipher) { + CMSerror(CMS_R_UNKNOWN_CIPHER); + return 0; + } + + kekctx = EVP_CIPHER_CTX_new(); + if (kekctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + /* Fixup cipher based on AlgorithmIdentifier to set IV etc */ + if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de)) + goto err; + EVP_CIPHER_CTX_set_padding(kekctx, 0); + if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + + algtmp = pwri->keyDerivationAlgorithm; + + /* Finish password based key derivation to setup key in "ctx" */ + + if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass, + pwri->passlen, algtmp->parameter, kekctx, en_de) < 0) { + CMSerror(ERR_R_EVP_LIB); + goto err; + } + + /* Finally wrap/unwrap the key */ + + if (en_de) { + if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, kekctx)) + goto err; + + key = malloc(keylen); + if (key == NULL) + goto err; + + if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, kekctx)) + goto err; + pwri->encryptedKey->data = key; + pwri->encryptedKey->length = keylen; + } else { + key = malloc(pwri->encryptedKey->length); + if (key == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (!kek_unwrap_key(key, &keylen, pwri->encryptedKey->data, + pwri->encryptedKey->length, kekctx)) { + CMSerror(CMS_R_UNWRAP_FAILURE); + goto err; + } + + freezero(ec->key, ec->keylen); + ec->key = key; + ec->keylen = keylen; + } + + r = 1; + + err: + EVP_CIPHER_CTX_free(kekctx); + if (!r) + free(key); + X509_ALGOR_free(kekalg); + + return r; +} diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c new file mode 100644 index 00000000..95343d08 --- /dev/null +++ b/crypto/cms/cms_sd.c @@ -0,0 +1,1014 @@ +/* $OpenBSD: cms_sd.c,v 1.23 2019/08/11 14:35:57 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" +#include "evp/evp_locl.h" + +/* CMS SignedData Utilities */ + +static CMS_SignedData * +cms_get0_signed(CMS_ContentInfo *cms) +{ + if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_signed) { + CMSerror(CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA); + return NULL; + } + return cms->d.signedData; +} + +static CMS_SignedData * +cms_signed_data_init(CMS_ContentInfo *cms) +{ + if (cms->d.other == NULL) { + cms->d.signedData = (CMS_SignedData *)ASN1_item_new(&CMS_SignedData_it); + if (!cms->d.signedData) { + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + cms->d.signedData->version = 1; + cms->d.signedData->encapContentInfo->eContentType = + OBJ_nid2obj(NID_pkcs7_data); + cms->d.signedData->encapContentInfo->partial = 1; + ASN1_OBJECT_free(cms->contentType); + cms->contentType = OBJ_nid2obj(NID_pkcs7_signed); + return cms->d.signedData; + } + return cms_get0_signed(cms); +} + +/* Just initialise SignedData e.g. for certs only structure */ + +int +CMS_SignedData_init(CMS_ContentInfo *cms) +{ + if (cms_signed_data_init(cms)) + return 1; + else + return 0; +} + +/* Check structures and fixup version numbers (if necessary) */ + +static void +cms_sd_set_version(CMS_SignedData *sd) +{ + int i; + CMS_CertificateChoices *cch; + CMS_RevocationInfoChoice *rch; + CMS_SignerInfo *si; + + for (i = 0; i < sk_CMS_CertificateChoices_num(sd->certificates); i++) { + cch = sk_CMS_CertificateChoices_value(sd->certificates, i); + if (cch->type == CMS_CERTCHOICE_OTHER) { + if (sd->version < 5) + sd->version = 5; + } else if (cch->type == CMS_CERTCHOICE_V2ACERT) { + if (sd->version < 4) + sd->version = 4; + } else if (cch->type == CMS_CERTCHOICE_V1ACERT) { + if (sd->version < 3) + sd->version = 3; + } + } + + for (i = 0; i < sk_CMS_RevocationInfoChoice_num(sd->crls); i++) { + rch = sk_CMS_RevocationInfoChoice_value(sd->crls, i); + if (rch->type == CMS_REVCHOICE_OTHER) { + if (sd->version < 5) + sd->version = 5; + } + } + + if ((OBJ_obj2nid(sd->encapContentInfo->eContentType) != NID_pkcs7_data) + && (sd->version < 3)) + sd->version = 3; + + for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) { + si = sk_CMS_SignerInfo_value(sd->signerInfos, i); + if (si->sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { + if (si->version < 3) + si->version = 3; + if (sd->version < 3) + sd->version = 3; + } else if (si->version < 1) + si->version = 1; + } + + if (sd->version < 1) + sd->version = 1; +} + +/* Copy an existing messageDigest value */ + +static int +cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si) +{ + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *sitmp; + int i; + + sinfos = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + ASN1_OCTET_STRING *messageDigest; + sitmp = sk_CMS_SignerInfo_value(sinfos, i); + if (sitmp == si) + continue; + if (CMS_signed_get_attr_count(sitmp) < 0) + continue; + if (OBJ_cmp(si->digestAlgorithm->algorithm, + sitmp->digestAlgorithm->algorithm)) + continue; + messageDigest = CMS_signed_get0_data_by_OBJ(sitmp, + OBJ_nid2obj(NID_pkcs9_messageDigest), -3, V_ASN1_OCTET_STRING); + if (!messageDigest) { + CMSerror(CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE); + return 0; + } + + if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, + V_ASN1_OCTET_STRING, messageDigest, -1)) + return 1; + else + return 0; + } + + CMSerror(CMS_R_NO_MATCHING_DIGEST); + + return 0; +} + +int +cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type) +{ + switch (type) { + case CMS_SIGNERINFO_ISSUER_SERIAL: + if (!cms_set1_ias(&sid->d.issuerAndSerialNumber, cert)) + return 0; + break; + + case CMS_SIGNERINFO_KEYIDENTIFIER: + if (!cms_set1_keyid(&sid->d.subjectKeyIdentifier, cert)) + return 0; + break; + + default: + CMSerror(CMS_R_UNKNOWN_ID); + return 0; + } + + sid->type = type; + + return 1; +} + +int +cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, + ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno) +{ + if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) { + if (issuer) + *issuer = sid->d.issuerAndSerialNumber->issuer; + if (sno) + *sno = sid->d.issuerAndSerialNumber->serialNumber; + } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { + if (keyid) + *keyid = sid->d.subjectKeyIdentifier; + } else + return 0; + + return 1; +} + +int +cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) +{ + if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) + return cms_ias_cert_cmp(sid->d.issuerAndSerialNumber, cert); + else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) + return cms_keyid_cert_cmp(sid->d.subjectKeyIdentifier, cert); + else + return -1; +} + +static int +cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) +{ + EVP_PKEY *pkey = si->pkey; + int i; + + if (!pkey->ameth || !pkey->ameth->pkey_ctrl) + return 1; + i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si); + if (i == -2) { + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + return 0; + } + if (i <= 0) { + CMSerror(CMS_R_CTRL_FAILURE); + return 0; + } + + return 1; +} + +CMS_SignerInfo * +CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk, + const EVP_MD *md, unsigned int flags) +{ + CMS_SignedData *sd; + CMS_SignerInfo *si = NULL; + X509_ALGOR *alg; + int i, type; + + if (!X509_check_private_key(signer, pk)) { + CMSerror(CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); + return NULL; + } + sd = cms_signed_data_init(cms); + if (!sd) + goto err; + si = (CMS_SignerInfo *)ASN1_item_new(&CMS_SignerInfo_it); + if (!si) + goto merr; + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(signer, -1, -1); + + X509_up_ref(signer); + EVP_PKEY_up_ref(pk); + + si->pkey = pk; + si->signer = signer; + si->mctx = EVP_MD_CTX_new(); + si->pctx = NULL; + + if (si->mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (flags & CMS_USE_KEYID) { + si->version = 3; + if (sd->version < 3) + sd->version = 3; + type = CMS_SIGNERINFO_KEYIDENTIFIER; + } else { + type = CMS_SIGNERINFO_ISSUER_SERIAL; + si->version = 1; + } + + if (!cms_set1_SignerIdentifier(si->sid, signer, type)) + goto err; + + if (md == NULL) { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0) + goto err; + md = EVP_get_digestbynid(def_nid); + if (md == NULL) { + CMSerror(CMS_R_NO_DEFAULT_DIGEST); + goto err; + } + } + + if (!md) { + CMSerror(CMS_R_NO_DIGEST_SET); + goto err; + } + + X509_ALGOR_set_md(si->digestAlgorithm, md); + + /* See if digest is present in digestAlgorithms */ + for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { + const ASN1_OBJECT *aoid; + alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i); + X509_ALGOR_get0(&aoid, NULL, NULL, alg); + if (OBJ_obj2nid(aoid) == EVP_MD_type(md)) + break; + } + + if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) { + alg = X509_ALGOR_new(); + if (alg == NULL) + goto merr; + X509_ALGOR_set_md(alg, md); + if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) { + X509_ALGOR_free(alg); + goto merr; + } + } + + if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0)) + goto err; + if (!(flags & CMS_NOATTR)) { + /* + * Initialize signed attributes structure so other attributes + * such as signing time etc are added later even if we add none here. + */ + if (!si->signedAttrs) { + si->signedAttrs = sk_X509_ATTRIBUTE_new_null(); + if (!si->signedAttrs) + goto merr; + } + + if (!(flags & CMS_NOSMIMECAP)) { + STACK_OF(X509_ALGOR) *smcap = NULL; + + i = CMS_add_standard_smimecap(&smcap); + if (i) + i = CMS_add_smimecap(si, smcap); + sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + if (!i) + goto merr; + } + if (flags & CMS_REUSE_DIGEST) { + if (!cms_copy_messageDigest(cms, si)) + goto err; + if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) && + !CMS_SignerInfo_sign(si)) + goto err; + } + } + + if (!(flags & CMS_NOCERTS)) { + /* NB ignore -1 return for duplicate cert */ + if (!CMS_add1_cert(cms, signer)) + goto merr; + } + + if (flags & CMS_KEY_PARAM) { + if (flags & CMS_NOATTR) { + si->pctx = EVP_PKEY_CTX_new(si->pkey, NULL); + if (si->pctx == NULL) + goto err; + if (EVP_PKEY_sign_init(si->pctx) <= 0) + goto err; + if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0) + goto err; + } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, + NULL, pk) <= 0) + goto err; + } + + if (!sd->signerInfos) + sd->signerInfos = sk_CMS_SignerInfo_new_null(); + if (!sd->signerInfos || !sk_CMS_SignerInfo_push(sd->signerInfos, si)) + goto merr; + + return si; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + ASN1_item_free((ASN1_VALUE *)si, &CMS_SignerInfo_it); + + return NULL; +} + +static int +cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t) +{ + ASN1_TIME *tt; + int r = 0; + + if (t) + tt = t; + else + tt = X509_gmtime_adj(NULL, 0); + + if (!tt) + goto merr; + + if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime, + tt->type, tt, -1) <= 0) + goto merr; + + r = 1; + + merr: + if (!t) + ASN1_TIME_free(tt); + if (!r) + CMSerror(ERR_R_MALLOC_FAILURE); + + return r; +} + +EVP_PKEY_CTX * +CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si) +{ + return si->pctx; +} + +EVP_MD_CTX * +CMS_SignerInfo_get0_md_ctx(CMS_SignerInfo *si) +{ + return si->mctx; +} + +STACK_OF(CMS_SignerInfo) * +CMS_get0_SignerInfos(CMS_ContentInfo *cms) +{ + CMS_SignedData *sd; + + sd = cms_get0_signed(cms); + if (!sd) + return NULL; + + return sd->signerInfos; +} + +STACK_OF(X509) * +CMS_get0_signers(CMS_ContentInfo *cms) +{ + STACK_OF(X509) *signers = NULL; + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *si; + int i; + + sinfos = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (si->signer) { + if (!signers) { + signers = sk_X509_new_null(); + if (!signers) + return NULL; + } + if (!sk_X509_push(signers, si->signer)) { + sk_X509_free(signers); + return NULL; + } + } + } + + return signers; +} + +void +CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer) +{ + if (signer) { + X509_up_ref(signer); + EVP_PKEY_free(si->pkey); + si->pkey = X509_get_pubkey(signer); + } + X509_free(si->signer); + si->signer = signer; +} + +int +CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, ASN1_INTEGER **sno) +{ + return cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno); +} + +int +CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert) +{ + return cms_SignerIdentifier_cert_cmp(si->sid, cert); +} + +int +CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts, + unsigned int flags) +{ + CMS_SignedData *sd; + CMS_SignerInfo *si; + CMS_CertificateChoices *cch; + STACK_OF(CMS_CertificateChoices) *certs; + X509 *x; + int i, j; + int ret = 0; + + sd = cms_get0_signed(cms); + if (!sd) + return -1; + certs = sd->certificates; + for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) { + si = sk_CMS_SignerInfo_value(sd->signerInfos, i); + if (si->signer) + continue; + + for (j = 0; j < sk_X509_num(scerts); j++) { + x = sk_X509_value(scerts, j); + if (CMS_SignerInfo_cert_cmp(si, x) == 0) { + CMS_SignerInfo_set1_signer_cert(si, x); + ret++; + break; + } + } + + if (si->signer || (flags & CMS_NOINTERN)) + continue; + + for (j = 0; j < sk_CMS_CertificateChoices_num(certs); j++) { + cch = sk_CMS_CertificateChoices_value(certs, j); + if (cch->type != 0) + continue; + x = cch->d.certificate; + if (CMS_SignerInfo_cert_cmp(si, x) == 0) { + CMS_SignerInfo_set1_signer_cert(si, x); + ret++; + break; + } + } + } + return ret; +} + +void +CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, X509 **signer, +X509_ALGOR **pdig, X509_ALGOR **psig) +{ + if (pk) + *pk = si->pkey; + if (signer) + *signer = si->signer; + if (pdig) + *pdig = si->digestAlgorithm; + if (psig) + *psig = si->signatureAlgorithm; +} + +ASN1_OCTET_STRING * +CMS_SignerInfo_get0_signature(CMS_SignerInfo *si) +{ + return si->signature; +} + +static int +cms_SignerInfo_content_sign(CMS_ContentInfo *cms, CMS_SignerInfo *si, BIO *chain) +{ + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + int r = 0; + EVP_PKEY_CTX *pctx = NULL; + + if (mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + if (!si->pkey) { + CMSerror(CMS_R_NO_PRIVATE_KEY); + goto err; + } + + if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) + goto err; + /* Set SignerInfo algorithm details if we used custom parameter */ + if (si->pctx && !cms_sd_asn1_ctrl(si, 0)) + goto err; + + /* + * If any signed attributes calculate and add messageDigest attribute + */ + + if (CMS_signed_get_attr_count(si) >= 0) { + ASN1_OBJECT *ctype = + cms->d.signedData->encapContentInfo->eContentType; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen; + + if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) + goto err; + if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, + V_ASN1_OCTET_STRING, md, mdlen)) + goto err; + /* Copy content type across */ + if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, ctype, -1) <= 0) + goto err; + if (!CMS_SignerInfo_sign(si)) + goto err; + } else if (si->pctx) { + unsigned char *sig; + size_t siglen; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen; + + pctx = si->pctx; + if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) + goto err; + siglen = EVP_PKEY_size(si->pkey); + sig = malloc(siglen); + if (sig == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_PKEY_sign(pctx, sig, &siglen, md, mdlen) <= 0) { + free(sig); + goto err; + } + ASN1_STRING_set0(si->signature, sig, siglen); + } else { + unsigned char *sig; + unsigned int siglen; + + sig = malloc(EVP_PKEY_size(si->pkey)); + if (sig == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_SignFinal(mctx, sig, &siglen, si->pkey)) { + CMSerror(CMS_R_SIGNFINAL_ERROR); + free(sig); + goto err; + } + ASN1_STRING_set0(si->signature, sig, siglen); + } + + r = 1; + + err: + EVP_MD_CTX_free(mctx); + EVP_PKEY_CTX_free(pctx); + + return r; +} + +int +cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain) +{ + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *si; + int i; + + sinfos = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (!cms_SignerInfo_content_sign(cms, si, chain)) + return 0; + } + cms->d.signedData->encapContentInfo->partial = 0; + + return 1; +} + +int +CMS_SignerInfo_sign(CMS_SignerInfo *si) +{ + EVP_MD_CTX *mctx = si->mctx; + EVP_PKEY_CTX *pctx = NULL; + unsigned char *abuf = NULL; + int alen; + size_t siglen; + const EVP_MD *md = NULL; + + md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); + if (md == NULL) + return 0; + + if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) { + if (!cms_add1_signingTime(si, NULL)) + goto err; + } + + if (si->pctx) + pctx = si->pctx; + else { + EVP_MD_CTX_reset(mctx); + if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) + goto err; + si->pctx = pctx; + } + + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, + &CMS_Attributes_Sign_it); + if (!abuf) + goto err; + if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0) + goto err; + if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) + goto err; + free(abuf); + abuf = malloc(siglen); + if (abuf == NULL) + goto err; + if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) + goto err; + + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + EVP_MD_CTX_reset(mctx); + + ASN1_STRING_set0(si->signature, abuf, siglen); + + return 1; + + err: + free(abuf); + EVP_MD_CTX_reset(mctx); + + return 0; +} + +int +CMS_SignerInfo_verify(CMS_SignerInfo *si) +{ + EVP_MD_CTX *mctx = NULL; + unsigned char *abuf = NULL; + int alen, r = -1; + const EVP_MD *md = NULL; + + if (!si->pkey) { + CMSerror(CMS_R_NO_PUBLIC_KEY); + return -1; + } + + md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); + if (md == NULL) + return -1; + if (si->mctx == NULL && (si->mctx = EVP_MD_CTX_new()) == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return -1; + } + mctx = si->mctx; + if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0) + goto err; + + if (!cms_sd_asn1_ctrl(si, 1)) + goto err; + + alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, + &CMS_Attributes_Verify_it); + if (!abuf) + goto err; + r = EVP_DigestVerifyUpdate(mctx, abuf, alen); + free(abuf); + if (r <= 0) { + r = -1; + goto err; + } + + r = EVP_DigestVerifyFinal(mctx, si->signature->data, + si->signature->length); + if (r <= 0) + CMSerror(CMS_R_VERIFICATION_FAILURE); + + err: + EVP_MD_CTX_reset(mctx); + + return r; +} + +/* Create a chain of digest BIOs from a CMS ContentInfo */ + +BIO * +cms_SignedData_init_bio(CMS_ContentInfo *cms) +{ + int i; + CMS_SignedData *sd; + BIO *chain = NULL; + + sd = cms_get0_signed(cms); + if (!sd) + return NULL; + if (cms->d.signedData->encapContentInfo->partial) + cms_sd_set_version(sd); + for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { + X509_ALGOR *digestAlgorithm; + BIO *mdbio; + digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i); + mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm); + if (!mdbio) + goto err; + if (chain) + BIO_push(chain, mdbio); + else + chain = mdbio; + } + + return chain; + + err: + BIO_free_all(chain); + + return NULL; +} + +int +CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) +{ + ASN1_OCTET_STRING *os = NULL; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pkctx = NULL; + int r = -1; + unsigned char mval[EVP_MAX_MD_SIZE]; + unsigned int mlen; + + if (mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + /* If we have any signed attributes look for messageDigest value */ + if (CMS_signed_get_attr_count(si) >= 0) { + os = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_pkcs9_messageDigest), -3, + V_ASN1_OCTET_STRING); + if (!os) { + CMSerror(CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE); + goto err; + } + } + + if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) + goto err; + + if (EVP_DigestFinal_ex(mctx, mval, &mlen) <= 0) { + CMSerror(CMS_R_UNABLE_TO_FINALIZE_CONTEXT); + goto err; + } + + /* If messageDigest found compare it */ + + if (os) { + if (mlen != (unsigned int)os->length) { + CMSerror(CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH); + goto err; + } + + if (memcmp(mval, os->data, mlen)) { + CMSerror(CMS_R_VERIFICATION_FAILURE); + r = 0; + } else + r = 1; + } else { + const EVP_MD *md = EVP_MD_CTX_md(mctx); + + pkctx = EVP_PKEY_CTX_new(si->pkey, NULL); + if (pkctx == NULL) + goto err; + if (EVP_PKEY_verify_init(pkctx) <= 0) + goto err; + if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0) + goto err; + si->pctx = pkctx; + if (!cms_sd_asn1_ctrl(si, 1)) + goto err; + r = EVP_PKEY_verify(pkctx, si->signature->data, + si->signature->length, mval, mlen); + if (r <= 0) { + CMSerror(CMS_R_VERIFICATION_FAILURE); + r = 0; + } + } + + err: + EVP_PKEY_CTX_free(pkctx); + EVP_MD_CTX_free(mctx); + + return r; +} + +int +CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs) +{ + unsigned char *smder = NULL; + int smderlen, r; + + smderlen = i2d_X509_ALGORS(algs, &smder); + if (smderlen <= 0) + return 0; + r = CMS_signed_add1_attr_by_NID(si, NID_SMIMECapabilities, + V_ASN1_SEQUENCE, smder, smderlen); + free(smder); + + return r; +} + +int +CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, int algnid, int keysize) +{ + X509_ALGOR *alg; + ASN1_INTEGER *key = NULL; + + if (keysize > 0) { + key = ASN1_INTEGER_new(); + if (key == NULL || !ASN1_INTEGER_set(key, keysize)) + return 0; + } + alg = X509_ALGOR_new(); + if (alg == NULL) { + ASN1_INTEGER_free(key); + return 0; + } + + X509_ALGOR_set0(alg, OBJ_nid2obj(algnid), + key ? V_ASN1_INTEGER : V_ASN1_UNDEF, key); + if (*algs == NULL) + *algs = sk_X509_ALGOR_new_null(); + if (*algs == NULL || !sk_X509_ALGOR_push(*algs, alg)) { + X509_ALGOR_free(alg); + return 0; + } + + return 1; +} + +/* Check to see if a cipher exists and if so add S/MIME capabilities */ + +static int +cms_add_cipher_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg) +{ + if (EVP_get_cipherbynid(nid)) + return CMS_add_simple_smimecap(sk, nid, arg); + return 1; +} + +static int +cms_add_digest_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg) +{ + if (EVP_get_digestbynid(nid)) + return CMS_add_simple_smimecap(sk, nid, arg); + return 1; +} + +int +CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap) +{ + if (!cms_add_cipher_smcap(smcap, NID_aes_256_cbc, -1) || + !cms_add_digest_smcap(smcap, NID_id_GostR3411_94, -1) || + !cms_add_cipher_smcap(smcap, NID_id_Gost28147_89, -1) || + !cms_add_cipher_smcap(smcap, NID_aes_192_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_aes_128_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_des_ede3_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 128) || + !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 64) || + !cms_add_cipher_smcap(smcap, NID_des_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 40)) + return 0; + + return 1; +} diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c new file mode 100644 index 00000000..367810f4 --- /dev/null +++ b/crypto/cms/cms_smime.c @@ -0,0 +1,934 @@ +/* $OpenBSD: cms_smime.c,v 1.24 2019/10/04 18:03:56 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" + +static BIO * +cms_get_text_bio(BIO *out, unsigned int flags) +{ + BIO *rbio; + + if (out == NULL) + rbio = BIO_new(BIO_s_null()); + else if (flags & CMS_TEXT) { + rbio = BIO_new(BIO_s_mem()); + BIO_set_mem_eof_return(rbio, 0); + } else + rbio = out; + + return rbio; +} + +static int +cms_copy_content(BIO *out, BIO *in, unsigned int flags) +{ + unsigned char buf[4096]; + int r = 0, i; + BIO *tmpout; + + tmpout = cms_get_text_bio(out, flags); + + if (tmpout == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + /* Read all content through chain to process digest, decrypt etc */ + for (;;) { + i = BIO_read(in, buf, sizeof(buf)); + if (i <= 0) { + if (BIO_method_type(in) == BIO_TYPE_CIPHER) { + if (!BIO_get_cipher_status(in)) + goto err; + } + if (i < 0) + goto err; + break; + } + + if (tmpout && (BIO_write(tmpout, buf, i) != i)) + goto err; + } + + if (flags & CMS_TEXT) { + if (!SMIME_text(tmpout, out)) { + CMSerror(CMS_R_SMIME_TEXT_ERROR); + goto err; + } + } + + r = 1; + + err: + if (tmpout != out) + BIO_free(tmpout); + + return r; +} + +static int +check_content(CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos = CMS_get0_content(cms); + + if (!pos || !*pos) { + CMSerror(CMS_R_NO_CONTENT); + return 0; + } + + return 1; +} + +static void +do_free_upto(BIO *f, BIO *upto) +{ + if (upto) { + BIO *tbio; + do { + tbio = BIO_pop(f); + BIO_free(f); + f = tbio; + } + while (f && f != upto); + } else + BIO_free_all(f); +} + +int +CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_data) { + CMSerror(CMS_R_TYPE_NOT_DATA); + return 0; + } + cont = CMS_dataInit(cms, NULL); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + BIO_free_all(cont); + + return r; +} + +CMS_ContentInfo * +CMS_data_create(BIO *in, unsigned int flags) +{ + CMS_ContentInfo *cms; + + cms = cms_Data_create(); + if (!cms) + return NULL; + + if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +int +CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_digest) { + CMSerror(CMS_R_TYPE_NOT_DIGESTED_DATA); + return 0; + } + + if (!dcont && !check_content(cms)) + return 0; + + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + if (r) + r = cms_DigestedData_do_final(cms, cont, 1); + do_free_upto(cont, dcont); + + return r; +} + +CMS_ContentInfo * +CMS_digest_create(BIO *in, const EVP_MD *md, unsigned int flags) +{ + CMS_ContentInfo *cms; + + if (!md) + md = EVP_sha1(); + cms = cms_DigestedData_create(md); + if (!cms) + return NULL; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +int +CMS_EncryptedData_decrypt(CMS_ContentInfo *cms, const unsigned char *key, + size_t keylen, BIO *dcont, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_encrypted) { + CMSerror(CMS_R_TYPE_NOT_ENCRYPTED_DATA); + return 0; + } + + if (!dcont && !check_content(cms)) + return 0; + + if (CMS_EncryptedData_set1_key(cms, NULL, key, keylen) <= 0) + return 0; + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + do_free_upto(cont, dcont); + + return r; +} + +CMS_ContentInfo * +CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher, + const unsigned char *key, size_t keylen, unsigned int flags) +{ + CMS_ContentInfo *cms; + + if (!cipher) { + CMSerror(CMS_R_NO_CIPHER); + return NULL; + } + cms = CMS_ContentInfo_new(); + if (cms == NULL) + return NULL; + if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen)) + return NULL; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & (CMS_STREAM | CMS_PARTIAL)) || + CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +static int +cms_signerinfo_verify_cert(CMS_SignerInfo *si, X509_STORE *store, + STACK_OF(X509) *certs, STACK_OF(X509_CRL) *crls) +{ + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + X509 *signer; + int i, j, r = 0; + + if (ctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL); + if (!X509_STORE_CTX_init(ctx, store, signer, certs)) { + CMSerror(CMS_R_STORE_INIT_ERROR); + goto err; + } + X509_STORE_CTX_set_default(ctx, "smime_sign"); + if (crls) + X509_STORE_CTX_set0_crls(ctx, crls); + + i = X509_verify_cert(ctx); + if (i <= 0) { + j = X509_STORE_CTX_get_error(ctx); + CMSerror(CMS_R_CERTIFICATE_VERIFY_ERROR); + ERR_asprintf_error_data("Verify error: %s", + X509_verify_cert_error_string(j)); + goto err; + } + r = 1; + + err: + X509_STORE_CTX_free(ctx); + + return r; +} + +int +CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, + BIO *dcont, BIO *out, unsigned int flags) +{ + CMS_SignerInfo *si; + STACK_OF(CMS_SignerInfo) *sinfos; + STACK_OF(X509) *cms_certs = NULL; + STACK_OF(X509_CRL) *crls = NULL; + X509 *signer; + int i, scount = 0, ret = 0; + BIO *cmsbio = NULL, *tmpin = NULL, *tmpout = NULL; + + if (!dcont && !check_content(cms)) + return 0; + if (dcont && !(flags & CMS_BINARY)) { + const ASN1_OBJECT *coid = CMS_get0_eContentType(cms); + if (OBJ_obj2nid(coid) == NID_id_ct_asciiTextWithCRLF) + flags |= CMS_ASCIICRLF; + } + + /* Attempt to find all signer certificates */ + + sinfos = CMS_get0_SignerInfos(cms); + if (sk_CMS_SignerInfo_num(sinfos) <= 0) { + CMSerror(CMS_R_NO_SIGNERS); + goto err; + } + + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL); + if (signer) + scount++; + } + + if (scount != sk_CMS_SignerInfo_num(sinfos)) + scount += CMS_set1_signers_certs(cms, certs, flags); + + if (scount != sk_CMS_SignerInfo_num(sinfos)) { + CMSerror(CMS_R_SIGNER_CERTIFICATE_NOT_FOUND); + goto err; + } + + /* Attempt to verify all signers certs */ + + if (!(flags & CMS_NO_SIGNER_CERT_VERIFY)) { + cms_certs = CMS_get1_certs(cms); + if (!(flags & CMS_NOCRL)) + crls = CMS_get1_crls(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (!cms_signerinfo_verify_cert(si, store, cms_certs, crls)) + goto err; + } + } + + /* Attempt to verify all SignerInfo signed attribute signatures */ + + if (!(flags & CMS_NO_ATTR_VERIFY)) { + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (CMS_signed_get_attr_count(si) < 0) + continue; + if (CMS_SignerInfo_verify(si) <= 0) + goto err; + } + } + + /* + * Performance optimization: if the content is a memory BIO then store + * its contents in a temporary read only memory BIO. This avoids + * potentially large numbers of slow copies of data which will occur when + * reading from a read write memory BIO when signatures are calculated. + */ + + if (dcont && (BIO_method_type(dcont) == BIO_TYPE_MEM)) { + char *ptr; + long len; + + len = BIO_get_mem_data(dcont, &ptr); + tmpin = BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err2; + } + } else + tmpin = dcont; + + /* + * If not binary mode and detached generate digests by *writing* through + * the BIO. That makes it possible to canonicalise the input. + */ + if (!(flags & SMIME_BINARY) && dcont) { + /* + * Create output BIO so we can either handle text or to ensure + * included content doesn't override detached content. + */ + tmpout = cms_get_text_bio(out, flags); + if (!tmpout) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + cmsbio = CMS_dataInit(cms, tmpout); + if (!cmsbio) + goto err; + /* + * Don't use SMIME_TEXT for verify: it adds headers and we want to + * remove them. + */ + SMIME_crlf_copy(dcont, cmsbio, flags & ~SMIME_TEXT); + + if (flags & CMS_TEXT) { + if (!SMIME_text(tmpout, out)) { + CMSerror(CMS_R_SMIME_TEXT_ERROR); + goto err; + } + } + } else { + cmsbio = CMS_dataInit(cms, tmpin); + if (!cmsbio) + goto err; + + if (!cms_copy_content(out, cmsbio, flags)) + goto err; + + } + if (!(flags & CMS_NO_CONTENT_VERIFY)) { + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0) { + CMSerror(CMS_R_CONTENT_VERIFY_ERROR); + goto err; + } + } + } + + ret = 1; + + err: + if (!(flags & SMIME_BINARY) && dcont) { + do_free_upto(cmsbio, tmpout); + if (tmpin != dcont) + BIO_free(tmpin); + } else { + if (dcont && (tmpin == dcont)) + do_free_upto(cmsbio, dcont); + else + BIO_free_all(cmsbio); + } + + if (out != tmpout) + BIO_free_all(tmpout); + + err2: + sk_X509_pop_free(cms_certs, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + + return ret; +} + +int +CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, + STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags) +{ + int r; + + flags &= ~(CMS_DETACHED | CMS_TEXT); + r = CMS_verify(rcms, certs, store, NULL, NULL, flags); + if (r <= 0) + return r; + + return cms_Receipt_verify(rcms, ocms); +} + +CMS_ContentInfo * +CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, + unsigned int flags) +{ + CMS_ContentInfo *cms; + int i; + + cms = CMS_ContentInfo_new(); + if (cms == NULL || !CMS_SignedData_init(cms)) + goto merr; + if (flags & CMS_ASCIICRLF && + !CMS_set1_eContentType(cms, OBJ_nid2obj(NID_id_ct_asciiTextWithCRLF))) + goto err; + + if (pkey && !CMS_add1_signer(cms, signcert, pkey, NULL, flags)) { + CMSerror(CMS_R_ADD_SIGNER_ERROR); + goto err; + } + + for (i = 0; i < sk_X509_num(certs); i++) { + X509 *x = sk_X509_value(certs, i); + if (!CMS_add1_cert(cms, x)) + goto merr; + } + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & (CMS_STREAM | CMS_PARTIAL)) || + CMS_final(cms, data, NULL, flags)) + return cms; + else + goto err; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + + err: + CMS_ContentInfo_free(cms); + + return NULL; +} + +CMS_ContentInfo * +CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, EVP_PKEY *pkey, + STACK_OF(X509) *certs, unsigned int flags) +{ + CMS_SignerInfo *rct_si; + CMS_ContentInfo *cms = NULL; + ASN1_OCTET_STRING **pos, *os; + BIO *rct_cont = NULL; + int r = 0; + + flags &= ~(CMS_STREAM | CMS_TEXT); + /* Not really detached but avoids content being allocated */ + flags |= CMS_PARTIAL | CMS_BINARY | CMS_DETACHED; + if (!pkey || !signcert) { + CMSerror(CMS_R_NO_KEY_OR_CERT); + return NULL; + } + + /* Initialize signed data */ + + cms = CMS_sign(NULL, NULL, certs, NULL, flags); + if (!cms) + goto err; + + /* Set inner content type to signed receipt */ + if (!CMS_set1_eContentType(cms, OBJ_nid2obj(NID_id_smime_ct_receipt))) + goto err; + + rct_si = CMS_add1_signer(cms, signcert, pkey, NULL, flags); + if (!rct_si) { + CMSerror(CMS_R_ADD_SIGNER_ERROR); + goto err; + } + + os = cms_encode_Receipt(si); + if (!os) + goto err; + + /* Set content to digest */ + rct_cont = BIO_new_mem_buf(os->data, os->length); + if (!rct_cont) + goto err; + + /* Add msgSigDigest attribute */ + + if (!cms_msgSigDigest_add1(rct_si, si)) + goto err; + + /* Finalize structure */ + if (!CMS_final(cms, rct_cont, NULL, flags)) + goto err; + + /* Set embedded content */ + pos = CMS_get0_content(cms); + *pos = os; + + r = 1; + + err: + BIO_free(rct_cont); + if (r) + return cms; + CMS_ContentInfo_free(cms); + + return NULL; +} + +CMS_ContentInfo * +CMS_encrypt(STACK_OF(X509) *certs, BIO *data, const EVP_CIPHER *cipher, + unsigned int flags) +{ + CMS_ContentInfo *cms; + int i; + X509 *recip; + + cms = CMS_EnvelopedData_create(cipher); + if (!cms) + goto merr; + for (i = 0; i < sk_X509_num(certs); i++) { + recip = sk_X509_value(certs, i); + if (!CMS_add1_recipient_cert(cms, recip, flags)) { + CMSerror(CMS_R_RECIPIENT_ERROR); + goto err; + } + } + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & (CMS_STREAM | CMS_PARTIAL)) || + CMS_final(cms, data, NULL, flags)) + return cms; + else + goto err; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + CMS_ContentInfo_free(cms); + + return NULL; +} + +static int +cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, EVP_PKEY *pk, + X509 *cert) +{ + int i; + STACK_OF(CMS_RecipientEncryptedKey) *reks; + CMS_RecipientEncryptedKey *rek; + + reks = CMS_RecipientInfo_kari_get0_reks(ri); + for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) { + int rv; + + rek = sk_CMS_RecipientEncryptedKey_value(reks, i); + if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert)) + continue; + CMS_RecipientInfo_kari_set0_pkey(ri, pk); + rv = CMS_RecipientInfo_kari_decrypt(cms, ri, rek); + CMS_RecipientInfo_kari_set0_pkey(ri, NULL); + if (rv > 0) + return 1; + return cert == NULL ? 0 : -1; + } + + return 0; +} + +int +CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) +{ + STACK_OF(CMS_RecipientInfo) *ris; + CMS_RecipientInfo *ri; + int i, r, ri_type; + int debug = 0, match_ri = 0; + + ris = CMS_get0_RecipientInfos(cms); + if (ris) + debug = cms->d.envelopedData->encryptedContentInfo->debug; + ri_type = cms_pkey_get_ri_type(pk); + if (ri_type == CMS_RECIPINFO_NONE) { + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + return 0; + } + + for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { + ri = sk_CMS_RecipientInfo_value(ris, i); + if (CMS_RecipientInfo_type(ri) != ri_type) + continue; + match_ri = 1; + if (ri_type == CMS_RECIPINFO_AGREE) { + r = cms_kari_set1_pkey(cms, ri, pk, cert); + if (r > 0) + return 1; + if (r < 0) + return 0; + } + /* + * If we have a cert try matching RecipientInfo otherwise try them + * all. + */ + else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + EVP_PKEY_up_ref(pk); + CMS_RecipientInfo_set0_pkey(ri, pk); + r = CMS_RecipientInfo_decrypt(cms, ri); + CMS_RecipientInfo_set0_pkey(ri, NULL); + if (cert) { + /* + * If not debugging clear any error and return success to + * avoid leaking of information useful to MMA + */ + if (!debug) { + ERR_clear_error(); + return 1; + } + if (r > 0) + return 1; + CMSerror(CMS_R_DECRYPT_ERROR); + return 0; + } + /* + * If no cert and not debugging don't leave loop after first + * successful decrypt. Always attempt to decrypt all recipients + * to avoid leaking timing of a successful decrypt. + */ + else if (r > 0 && debug) + return 1; + } + } + /* If no cert, key transport and not debugging always return success */ + if (cert == NULL && ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) { + ERR_clear_error(); + return 1; + } + + CMSerror(CMS_R_NO_MATCHING_RECIPIENT); + + return 0; +} + +int +CMS_decrypt_set1_key(CMS_ContentInfo *cms, unsigned char *key, size_t keylen, + const unsigned char *id, size_t idlen) +{ + STACK_OF(CMS_RecipientInfo) *ris; + CMS_RecipientInfo *ri; + int i, r; + + ris = CMS_get0_RecipientInfos(cms); + for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { + ri = sk_CMS_RecipientInfo_value(ris, i); + if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK) + continue; + + /* + * If we have an id try matching RecipientInfo otherwise try them + * all. + */ + if (!id || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + CMS_RecipientInfo_set0_key(ri, key, keylen); + r = CMS_RecipientInfo_decrypt(cms, ri); + CMS_RecipientInfo_set0_key(ri, NULL, 0); + if (r > 0) + return 1; + if (id) { + CMSerror(CMS_R_DECRYPT_ERROR); + return 0; + } + ERR_clear_error(); + } + } + + CMSerror(CMS_R_NO_MATCHING_RECIPIENT); + + return 0; +} + +int +CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass, + ssize_t passlen) +{ + STACK_OF(CMS_RecipientInfo) *ris; + CMS_RecipientInfo *ri; + int i, r; + + ris = CMS_get0_RecipientInfos(cms); + for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { + ri = sk_CMS_RecipientInfo_value(ris, i); + if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS) + continue; + CMS_RecipientInfo_set0_password(ri, pass, passlen); + r = CMS_RecipientInfo_decrypt(cms, ri); + CMS_RecipientInfo_set0_password(ri, NULL, 0); + if (r > 0) + return 1; + } + + CMSerror(CMS_R_NO_MATCHING_RECIPIENT); + + return 0; +} + +int +CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, BIO *dcont, + BIO *out, unsigned int flags) +{ + int r; + BIO *cont; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_enveloped) { + CMSerror(CMS_R_TYPE_NOT_ENVELOPED_DATA); + return 0; + } + if (!dcont && !check_content(cms)) + return 0; + if (flags & CMS_DEBUG_DECRYPT) + cms->d.envelopedData->encryptedContentInfo->debug = 1; + else + cms->d.envelopedData->encryptedContentInfo->debug = 0; + if (!cert) + cms->d.envelopedData->encryptedContentInfo->havenocert = 1; + else + cms->d.envelopedData->encryptedContentInfo->havenocert = 0; + if (!pk && !cert && !dcont && !out) + return 1; + if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) + return 0; + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + do_free_upto(cont, dcont); + + return r; +} + +int +CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags) +{ + BIO *cmsbio; + int ret = 0; + + if ((cmsbio = CMS_dataInit(cms, dcont)) == NULL) { + CMSerror(CMS_R_CMS_LIB); + return 0; + } + + SMIME_crlf_copy(data, cmsbio, flags); + + (void)BIO_flush(cmsbio); + + if (!CMS_dataFinal(cms, cmsbio)) { + CMSerror(CMS_R_CMS_DATAFINAL_ERROR); + goto err; + } + + ret = 1; + + err: + do_free_upto(cmsbio, dcont); + + return ret; +} + +#ifdef ZLIB + +int +CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_id_smime_ct_compressedData) { + CMSerror(CMS_R_TYPE_NOT_COMPRESSED_DATA); + return 0; + } + + if (!dcont && !check_content(cms)) + return 0; + + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + do_free_upto(cont, dcont); + + return r; +} + +CMS_ContentInfo * +CMS_compress(BIO *in, int comp_nid, unsigned int flags) +{ + CMS_ContentInfo *cms; + + if (comp_nid <= 0) + comp_nid = NID_zlib_compression; + cms = cms_CompressedData_create(comp_nid); + if (!cms) + return NULL; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +#else + +int +CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags) +{ + CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + return 0; +} + +CMS_ContentInfo * +CMS_compress(BIO *in, int comp_nid, unsigned int flags) +{ + CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + return NULL; +} + +#endif diff --git a/crypto/compat/arc4random.h b/crypto/compat/arc4random.h index 762aec23..ffa32398 100644 --- a/crypto/compat/arc4random.h +++ b/crypto/compat/arc4random.h @@ -15,6 +15,9 @@ #elif defined(__linux__) #include "arc4random_linux.h" +#elif defined(__midipix__) +#include "arc4random_linux.h" + #elif defined(__NetBSD__) #include "arc4random_netbsd.h" diff --git a/crypto/compat/getentropy_aix.c b/crypto/compat/getentropy_aix.c index bd8818f2..422e685d 100644 --- a/crypto/compat/getentropy_aix.c +++ b/crypto/compat/getentropy_aix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_aix.c,v 1.6 2018/11/20 08:04:28 deraadt Exp $ */ +/* $OpenBSD: getentropy_aix.c,v 1.7 2020/05/17 14:44:20 deraadt Exp $ */ /* * Copyright (c) 2015 Michael Felt @@ -44,7 +44,7 @@ #include #define REPEAT 5 -#define min(a, b) (((a) < (b)) ? (a) : (b)) +#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) #define HX(a, b) \ do { \ @@ -392,8 +392,8 @@ getentropy_fallback(void *buf, size_t len) HD(cnt); } SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); diff --git a/crypto/compat/getentropy_freebsd.c b/crypto/compat/getentropy_freebsd.c index 30cd68e9..ea90ffe2 100644 --- a/crypto/compat/getentropy_freebsd.c +++ b/crypto/compat/getentropy_freebsd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_freebsd.c,v 1.3 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_freebsd.c,v 1.4 2020/10/12 22:08:33 deraadt Exp $ */ /* * Copyright (c) 2014 Pawel Jakub Dawidek @@ -32,11 +32,9 @@ static size_t getentropy_sysctl(u_char *buf, size_t size) { - int mib[2]; + const int mib[2] = { CTL_KERN, KERN_ARND }; size_t len, done; - mib[0] = CTL_KERN; - mib[1] = KERN_ARND; done = 0; do { diff --git a/crypto/compat/getentropy_hpux.c b/crypto/compat/getentropy_hpux.c index 7208aa44..c981880a 100644 --- a/crypto/compat/getentropy_hpux.c +++ b/crypto/compat/getentropy_hpux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_hpux.c,v 1.6 2018/11/20 08:04:28 deraadt Exp $ */ +/* $OpenBSD: getentropy_hpux.c,v 1.7 2020/05/17 14:44:20 deraadt Exp $ */ /* * Copyright (c) 2014 Theo de Raadt @@ -48,7 +48,7 @@ #include #define REPEAT 5 -#define min(a, b) (((a) < (b)) ? (a) : (b)) +#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) #define HX(a, b) \ do { \ @@ -386,8 +386,8 @@ getentropy_fallback(void *buf, size_t len) HD(cnt); } SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); diff --git a/crypto/compat/getentropy_linux.c b/crypto/compat/getentropy_linux.c index 6b220be3..bc7a6bef 100644 --- a/crypto/compat/getentropy_linux.c +++ b/crypto/compat/getentropy_linux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_linux.c,v 1.46 2018/11/20 08:04:28 deraadt Exp $ */ +/* $OpenBSD: getentropy_linux.c,v 1.47 2020/05/17 14:44:20 deraadt Exp $ */ /* * Copyright (c) 2014 Theo de Raadt @@ -57,7 +57,7 @@ #include #define REPEAT 5 -#define min(a, b) (((a) < (b)) ? (a) : (b)) +#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) #define HX(a, b) \ do { \ @@ -260,7 +260,7 @@ getentropy_sysctl(void *buf, size_t len) int save_errno = errno; for (i = 0; i < len; ) { - size_t chunk = min(len - i, 16); + size_t chunk = MINIMUM(len - i, 16); /* SYS__sysctl because some systems already removed sysctl() */ struct __sysctl_args args = { @@ -515,8 +515,8 @@ getentropy_fallback(void *buf, size_t len) #endif SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); diff --git a/crypto/compat/getentropy_netbsd.c b/crypto/compat/getentropy_netbsd.c index 45d68c9f..5dc89594 100644 --- a/crypto/compat/getentropy_netbsd.c +++ b/crypto/compat/getentropy_netbsd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_netbsd.c,v 1.3 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_netbsd.c,v 1.4 2020/10/12 22:08:33 deraadt Exp $ */ /* * Copyright (c) 2014 Pawel Jakub Dawidek @@ -32,11 +32,9 @@ static size_t getentropy_sysctl(u_char *buf, size_t size) { - int mib[2]; + const int mib[2] = { CTL_KERN, KERN_ARND }; size_t len, done; - mib[0] = CTL_KERN; - mib[1] = KERN_ARND; done = 0; do { diff --git a/crypto/compat/getentropy_osx.c b/crypto/compat/getentropy_osx.c index 26dcc824..5d4067bb 100644 --- a/crypto/compat/getentropy_osx.c +++ b/crypto/compat/getentropy_osx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_osx.c,v 1.12 2018/11/20 08:04:28 deraadt Exp $ */ +/* $OpenBSD: getentropy_osx.c,v 1.13 2020/05/17 14:44:20 deraadt Exp $ */ /* * Copyright (c) 2014 Theo de Raadt @@ -66,7 +66,7 @@ #define SHA512_DIGEST_LENGTH CC_SHA512_DIGEST_LENGTH #define REPEAT 5 -#define min(a, b) (((a) < (b)) ? (a) : (b)) +#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) #define HX(a, b) \ do { \ @@ -407,8 +407,8 @@ getentropy_fallback(void *buf, size_t len) } SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); diff --git a/crypto/compat/getentropy_solaris.c b/crypto/compat/getentropy_solaris.c index b80c84de..cf5b9bff 100644 --- a/crypto/compat/getentropy_solaris.c +++ b/crypto/compat/getentropy_solaris.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_solaris.c,v 1.13 2018/11/20 08:04:28 deraadt Exp $ */ +/* $OpenBSD: getentropy_solaris.c,v 1.14 2020/05/17 14:44:20 deraadt Exp $ */ /* * Copyright (c) 2014 Theo de Raadt @@ -52,7 +52,7 @@ #include #define REPEAT 5 -#define min(a, b) (((a) < (b)) ? (a) : (b)) +#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) #define HX(a, b) \ do { \ @@ -412,8 +412,8 @@ getentropy_fallback(void *buf, size_t len) HD(cnt); } SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); diff --git a/crypto/compat/getentropy_win.c b/crypto/compat/getentropy_win.c index 2abeb27b..64514b3a 100644 --- a/crypto/compat/getentropy_win.c +++ b/crypto/compat/getentropy_win.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_win.c,v 1.5 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_win.c,v 1.6 2020/11/11 10:41:24 bcook Exp $ */ /* * Copyright (c) 2014, Theo de Raadt @@ -21,39 +21,30 @@ */ #include +#include #include #include #include -#include -#include int getentropy(void *buf, size_t len); /* - * On Windows, CryptGenRandom is supposed to be a well-seeded - * cryptographically strong random number generator. + * On Windows, BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG is supposed + * to be a well-seeded, cryptographically strong random number generator. + * https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom */ int getentropy(void *buf, size_t len) { - HCRYPTPROV provider; - if (len > 256) { errno = EIO; return (-1); } - if (CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL, - CRYPT_VERIFYCONTEXT) == 0) - goto fail; - if (CryptGenRandom(provider, len, buf) == 0) { - CryptReleaseContext(provider, 0); - goto fail; + if (FAILED(BCryptGenRandom(NULL, buf, len, BCRYPT_USE_SYSTEM_PREFERRED_RNG))) { + errno = EIO; + return (-1); } - CryptReleaseContext(provider, 0); - return (0); -fail: - errno = EIO; - return (-1); + return (0); } diff --git a/crypto/compat/posix_win.c b/crypto/compat/posix_win.c index 4b4b5f58..30c93cd1 100644 --- a/crypto/compat/posix_win.c +++ b/crypto/compat/posix_win.c @@ -242,10 +242,4 @@ int gettimeofday(struct timeval * tp, struct timezone * tzp) return 0; } -unsigned int sleep(unsigned int seconds) -{ - Sleep(seconds * 1000); - return seconds; -} - #endif diff --git a/crypto/compat/recallocarray.c b/crypto/compat/recallocarray.c index d93abd2d..7ab2ec5c 100644 --- a/crypto/compat/recallocarray.c +++ b/crypto/compat/recallocarray.c @@ -1,4 +1,4 @@ -/* $OpenBSD: recallocarray.c,v 1.1 2017/03/06 18:44:21 otto Exp $ */ +/* $OpenBSD: recallocarray.c,v 1.2 2021/03/18 11:16:58 claudio Exp $ */ /* * Copyright (c) 2008, 2017 Otto Moerbeek * @@ -57,7 +57,7 @@ recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size) if (newsize <= oldsize) { size_t d = oldsize - newsize; - if (d < oldsize / 2 && d < getpagesize()) { + if (d < oldsize / 2 && d < (size_t)getpagesize()) { memset((char *)ptr + newsize, 0, d); return ptr; } diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 4099ffc6..f2b2c947 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_def.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: conf_def.c,v 1.33 2020/02/17 12:51:48 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,6 +70,8 @@ #include "conf_def.h" +#define MAX_CONF_VALUE_LENGTH 65536 + static char *eat_ws(CONF *conf, char *p); static char *eat_alpha_numeric(CONF *conf, char *p); static void clear_comments(CONF *conf, char *p); @@ -455,6 +457,7 @@ str_copy(CONF *conf, char *section, char **pto, char *from) { int q, r,rr = 0, to = 0, len = 0; char *s, *e, *rp, *p, *rrp, *np, *cp, v; + size_t newsize; BUF_MEM *buf; if ((buf = BUF_MEM_new()) == NULL) @@ -563,8 +566,12 @@ str_copy(CONF *conf, char *section, char **pto, char *from) CONFerror(CONF_R_VARIABLE_HAS_NO_VALUE); goto err; } - if (!BUF_MEM_grow_clean(buf, - (strlen(p) + buf->length - (e - from)))) { + newsize = strlen(p) + buf->length - (e - from); + if (newsize > MAX_CONF_VALUE_LENGTH) { + CONFerror(CONF_R_VARIABLE_EXPANSION_TOO_LONG); + goto err; + } + if (!BUF_MEM_grow_clean(buf, newsize)) { CONFerror(CONF_R_MODULE_INITIALIZATION_ERROR); goto err; } diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c index dbb373ae..1e5eaff6 100644 --- a/crypto/conf/conf_err.c +++ b/crypto/conf/conf_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_err.c,v 1.13 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: conf_err.c,v 1.14 2020/02/17 12:51:48 inoguchi Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -92,6 +92,7 @@ static ERR_STRING_DATA CONF_str_reasons[]= { {ERR_REASON(CONF_R_NO_VALUE) , "no value"}, {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"}, {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME) , "unknown module name"}, + {ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG), "variable expansion too long"}, {ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), "variable has no value"}, {0, NULL} }; diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index 2cabfb46..2d511cc0 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -200,6 +200,8 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b) return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); } +void err_clear_last_constant_time(int clear); + __END_HIDDEN_DECLS #endif /* HEADER_CONSTANT_TIME_LOCL_H */ diff --git a/crypto/cpuid-masm-x86_64.S b/crypto/cpuid-masm-x86_64.S index 2722b858..d6468210 100644 --- a/crypto/cpuid-masm-x86_64.S +++ b/crypto/cpuid-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/cpuid-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/cpuid-masm-x86_64.S.tmp" 2 diff --git a/crypto/crypto.sym b/crypto/crypto.sym index da759791..99daf54d 100644 --- a/crypto/crypto.sym +++ b/crypto/crypto.sym @@ -306,6 +306,7 @@ BIO_meth_set_write BIO_method_name BIO_method_type BIO_new +BIO_new_CMS BIO_new_NDEF BIO_new_PKCS7 BIO_new_accept @@ -558,6 +559,118 @@ CMAC_Final CMAC_Init CMAC_Update CMAC_resume +CMS_ContentInfo_free +CMS_ContentInfo_it +CMS_ContentInfo_new +CMS_ContentInfo_print_ctx +CMS_EncryptedData_decrypt +CMS_EncryptedData_encrypt +CMS_EncryptedData_set1_key +CMS_EnvelopedData_create +CMS_ReceiptRequest_create0 +CMS_ReceiptRequest_free +CMS_ReceiptRequest_get0_values +CMS_ReceiptRequest_it +CMS_ReceiptRequest_new +CMS_RecipientEncryptedKey_cert_cmp +CMS_RecipientEncryptedKey_get0_id +CMS_RecipientInfo_decrypt +CMS_RecipientInfo_encrypt +CMS_RecipientInfo_get0_pkey_ctx +CMS_RecipientInfo_kari_decrypt +CMS_RecipientInfo_kari_get0_alg +CMS_RecipientInfo_kari_get0_ctx +CMS_RecipientInfo_kari_get0_orig_id +CMS_RecipientInfo_kari_get0_reks +CMS_RecipientInfo_kari_orig_id_cmp +CMS_RecipientInfo_kari_set0_pkey +CMS_RecipientInfo_kekri_get0_id +CMS_RecipientInfo_kekri_id_cmp +CMS_RecipientInfo_ktri_cert_cmp +CMS_RecipientInfo_ktri_get0_algs +CMS_RecipientInfo_ktri_get0_signer_id +CMS_RecipientInfo_set0_key +CMS_RecipientInfo_set0_password +CMS_RecipientInfo_set0_pkey +CMS_RecipientInfo_type +CMS_SharedInfo_encode +CMS_SignedData_init +CMS_SignerInfo_cert_cmp +CMS_SignerInfo_get0_algs +CMS_SignerInfo_get0_md_ctx +CMS_SignerInfo_get0_pkey_ctx +CMS_SignerInfo_get0_signature +CMS_SignerInfo_get0_signer_id +CMS_SignerInfo_set1_signer_cert +CMS_SignerInfo_sign +CMS_SignerInfo_verify +CMS_SignerInfo_verify_content +CMS_add0_CertificateChoices +CMS_add0_RevocationInfoChoice +CMS_add0_cert +CMS_add0_crl +CMS_add0_recipient_key +CMS_add0_recipient_password +CMS_add1_ReceiptRequest +CMS_add1_cert +CMS_add1_crl +CMS_add1_recipient_cert +CMS_add1_signer +CMS_add_simple_smimecap +CMS_add_smimecap +CMS_add_standard_smimecap +CMS_compress +CMS_data +CMS_dataFinal +CMS_dataInit +CMS_data_create +CMS_decrypt +CMS_decrypt_set1_key +CMS_decrypt_set1_password +CMS_decrypt_set1_pkey +CMS_digest_create +CMS_digest_verify +CMS_encrypt +CMS_final +CMS_get0_RecipientInfos +CMS_get0_SignerInfos +CMS_get0_content +CMS_get0_eContentType +CMS_get0_signers +CMS_get0_type +CMS_get1_ReceiptRequest +CMS_get1_certs +CMS_get1_crls +CMS_is_detached +CMS_set1_eContentType +CMS_set1_signers_certs +CMS_set_detached +CMS_sign +CMS_sign_receipt +CMS_signed_add1_attr +CMS_signed_add1_attr_by_NID +CMS_signed_add1_attr_by_OBJ +CMS_signed_add1_attr_by_txt +CMS_signed_delete_attr +CMS_signed_get0_data_by_OBJ +CMS_signed_get_attr +CMS_signed_get_attr_by_NID +CMS_signed_get_attr_by_OBJ +CMS_signed_get_attr_count +CMS_stream +CMS_uncompress +CMS_unsigned_add1_attr +CMS_unsigned_add1_attr_by_NID +CMS_unsigned_add1_attr_by_OBJ +CMS_unsigned_add1_attr_by_txt +CMS_unsigned_delete_attr +CMS_unsigned_get0_data_by_OBJ +CMS_unsigned_get_attr +CMS_unsigned_get_attr_by_NID +CMS_unsigned_get_attr_by_OBJ +CMS_unsigned_get_attr_count +CMS_verify +CMS_verify_receipt COMP_CTX_free COMP_CTX_new COMP_compress_block @@ -1211,6 +1324,7 @@ ERR_load_ASN1_strings ERR_load_BIO_strings ERR_load_BN_strings ERR_load_BUF_strings +ERR_load_CMS_strings ERR_load_COMP_strings ERR_load_CONF_strings ERR_load_CRYPTO_strings @@ -1473,6 +1587,7 @@ EVP_PKEY_meth_set_verify_recover EVP_PKEY_meth_set_verifyctx EVP_PKEY_missing_parameters EVP_PKEY_new +EVP_PKEY_new_CMAC_key EVP_PKEY_new_mac_key EVP_PKEY_paramgen EVP_PKEY_paramgen_init @@ -1980,6 +2095,7 @@ PEM_do_header PEM_get_EVP_CIPHER_INFO PEM_proc_type PEM_read +PEM_read_CMS PEM_read_DHparams PEM_read_DSAPrivateKey PEM_read_DSA_PUBKEY @@ -2002,6 +2118,7 @@ PEM_read_X509_CERT_PAIR PEM_read_X509_CRL PEM_read_X509_REQ PEM_read_bio +PEM_read_bio_CMS PEM_read_bio_DHparams PEM_read_bio_DSAPrivateKey PEM_read_bio_DSA_PUBKEY @@ -2025,6 +2142,7 @@ PEM_read_bio_X509_CERT_PAIR PEM_read_bio_X509_CRL PEM_read_bio_X509_REQ PEM_write +PEM_write_CMS PEM_write_DHparams PEM_write_DSAPrivateKey PEM_write_DSA_PUBKEY @@ -2051,6 +2169,8 @@ PEM_write_X509_REQ PEM_write_X509_REQ_NEW PEM_write_bio PEM_write_bio_ASN1_stream +PEM_write_bio_CMS +PEM_write_bio_CMS_stream PEM_write_bio_DHparams PEM_write_bio_DSAPrivateKey PEM_write_bio_DSA_PUBKEY @@ -2289,6 +2409,10 @@ RSAPrivateKey_dup RSAPrivateKey_it RSAPublicKey_dup RSAPublicKey_it +RSA_OAEP_PARAMS_free +RSA_OAEP_PARAMS_it +RSA_OAEP_PARAMS_new +RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay RSA_PSS_PARAMS_free RSA_PSS_PARAMS_it @@ -2344,6 +2468,7 @@ RSA_meth_set_verify RSA_new RSA_new_method RSA_padding_add_PKCS1_OAEP +RSA_padding_add_PKCS1_OAEP_mgf1 RSA_padding_add_PKCS1_PSS RSA_padding_add_PKCS1_PSS_mgf1 RSA_padding_add_PKCS1_type_1 @@ -2351,10 +2476,12 @@ RSA_padding_add_PKCS1_type_2 RSA_padding_add_X931 RSA_padding_add_none RSA_padding_check_PKCS1_OAEP +RSA_padding_check_PKCS1_OAEP_mgf1 RSA_padding_check_PKCS1_type_1 RSA_padding_check_PKCS1_type_2 RSA_padding_check_X931 RSA_padding_check_none +RSA_pkey_ctx_ctrl RSA_print RSA_print_fp RSA_private_decrypt @@ -2409,9 +2536,11 @@ SM4_encrypt SM4_set_key SMIME_crlf_copy SMIME_read_ASN1 +SMIME_read_CMS SMIME_read_PKCS7 SMIME_text SMIME_write_ASN1 +SMIME_write_CMS SMIME_write_PKCS7 SSLeay SSLeay_version @@ -3239,6 +3368,9 @@ d2i_AUTHORITY_KEYID d2i_AutoPrivateKey d2i_BASIC_CONSTRAINTS d2i_CERTIFICATEPOLICIES +d2i_CMS_ContentInfo +d2i_CMS_ReceiptRequest +d2i_CMS_bio d2i_CRL_DIST_POINTS d2i_DHparams d2i_DHparams_bio @@ -3351,6 +3483,7 @@ d2i_RSAPublicKey d2i_RSAPublicKey_bio d2i_RSAPublicKey_fp d2i_RSA_NET +d2i_RSA_OAEP_PARAMS d2i_RSA_PSS_PARAMS d2i_RSA_PUBKEY d2i_RSA_PUBKEY_bio @@ -3445,6 +3578,10 @@ i2d_AUTHORITY_INFO_ACCESS i2d_AUTHORITY_KEYID i2d_BASIC_CONSTRAINTS i2d_CERTIFICATEPOLICIES +i2d_CMS_ContentInfo +i2d_CMS_ReceiptRequest +i2d_CMS_bio +i2d_CMS_bio_stream i2d_CRL_DIST_POINTS i2d_DHparams i2d_DHparams_bio @@ -3563,6 +3700,7 @@ i2d_RSAPublicKey i2d_RSAPublicKey_bio i2d_RSAPublicKey_fp i2d_RSA_NET +i2d_RSA_OAEP_PARAMS i2d_RSA_PSS_PARAMS i2d_RSA_PUBKEY i2d_RSA_PUBKEY_bio diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 5054d17a..af15fb2c 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_ameth.c,v 1.17 2018/08/24 20:22:15 tb Exp $ */ +/* $OpenBSD: dh_ameth.c,v 1.18 2020/01/04 13:57:43 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -225,6 +225,7 @@ dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) decerr: DHerror(EVP_R_DECODE_ERROR); dherr: + ASN1_INTEGER_free(privkey); DH_free(dh); return 0; } diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 85ef234b..cfb33237 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ameth.c,v 1.27 2019/01/20 01:56:59 tb Exp $ */ +/* $OpenBSD: dsa_ameth.c,v 1.28 2019/11/01 15:15:35 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -62,6 +62,7 @@ #include #include +#include #include #include #include @@ -604,6 +605,29 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) } return 1; +#ifndef OPENSSL_NO_CMS + case ASN1_PKEY_CTRL_CMS_SIGN: + if (arg1 == 0) { + int snid, hnid; + X509_ALGOR *alg1, *alg2; + + CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); + if (alg1 == NULL || alg1->algorithm == NULL) + return -1; + hnid = OBJ_obj2nid(alg1->algorithm); + if (hnid == NID_undef) + return -1; + if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) + return -1; + X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); + } + return 1; + + case ASN1_PKEY_CTRL_CMS_RI_TYPE: + *(int *)arg2 = CMS_RECIPINFO_NONE; + return 1; +#endif + case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha1; return 2; diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 268eccf4..5f7f7e3c 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ec2_oct.c,v 1.12 2020/12/04 08:55:30 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -346,6 +346,10 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, goto err; } if (form == POINT_CONVERSION_COMPRESSED) { + /* + * EC_POINT_set_compressed_coordinates_GF2m checks that the + * point is on the curve as required by X9.62. + */ if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx)) goto err; } else { @@ -363,15 +367,14 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, goto err; } } + /* + * EC_POINT_set_affine_coordinates_GF2m checks that the + * point is on the curve as required by X9.62. + */ if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; } - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerror(EC_R_POINT_IS_NOT_ON_CURVE); - goto err; - } ret = 1; err: diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index e075b1ed..84a565d4 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_curve.c,v 1.19 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ec_curve.c,v 1.20 2020/06/05 17:12:09 jsing Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -2900,11 +2900,105 @@ static const struct { } }; +/* + * This curve is defined in two birationally equal forms: canonical and Twisted + * Edwards. We do calculations in canonical (Weierstrass) form. + */ +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +} + _EC_GOST_2012_256_TC26_A = { + { + NID_X9_62_prime_field, 0, 32, 4 + }, + { /* no seed */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFD, 0x97, + 0xc2, 0x17, 0x3f, 0x15, 0x13, 0x98, 0x16, 0x73, 0xaf, 0x48, /* a */ + 0x92, 0xc2, 0x30, 0x35, 0xa2, 0x7c, 0xe2, 0x5e, 0x20, 0x13, + 0xbf, 0x95, 0xaa, 0x33, 0xb2, 0x2c, 0x65, 0x6f, 0x27, 0x7e, + 0x73, 0x35, + 0x29, 0x5f, 0x9b, 0xae, 0x74, 0x28, 0xed, 0x9c, 0xcc, 0x20, /* b */ + 0xe7, 0xc3, 0x59, 0xa9, 0xd4, 0x1a, 0x22, 0xfc, 0xcd, 0x91, + 0x08, 0xe1, 0x7b, 0xf7, 0xba, 0x93, 0x37, 0xa6, 0xf8, 0xae, + 0x95, 0x13, + 0x91, 0xe3, 0x84, 0x43, 0xa5, 0xe8, 0x2c, 0x0d, 0x88, 0x09, /* x */ + 0x23, 0x42, 0x57, 0x12, 0xb2, 0xbb, 0x65, 0x8b, 0x91, 0x96, + 0x93, 0x2e, 0x02, 0xc7, 0x8b, 0x25, 0x82, 0xfe, 0x74, 0x2d, + 0xaa, 0x28, + 0x32, 0x87, 0x94, 0x23, 0xab, 0x1a, 0x03, 0x75, 0x89, 0x57, /* y */ + 0x86, 0xc4, 0xbb, 0x46, 0xe9, 0x56, 0x5f, 0xde, 0x0b, 0x53, + 0x44, 0x76, 0x67, 0x40, 0xaf, 0x26, 0x8a, 0xdb, 0x32, 0x32, + 0x2e, 0x5c, + 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xd8, 0xcd, 0xdf, + 0xc8, 0x7b, 0x66, 0x35, 0xc1, 0x15, 0xaf, 0x55, 0x6c, 0x36, + 0x0c, 0x67, + } +}; + static const struct { EC_CURVE_DATA h; unsigned char data[0 + 64 * 6]; } - _EC_GOST_2012_TC26_A = { + _EC_GOST_2012_512_Test = { + { + NID_X9_62_prime_field, 0, 64, 1 + }, + { /* no seed */ + 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, /* p */ + 0x26, 0x7b, 0x6b, 0x2f, 0xee, 0x80, 0x92, 0x2b, 0x14, 0xb2, + 0xff, 0xb9, 0x0f, 0x04, 0xd4, 0xeb, 0x7c, 0x09, 0xb5, 0xd2, + 0xd1, 0x5d, 0xf1, 0xd8, 0x52, 0x74, 0x1a, 0xf4, 0x70, 0x4a, + 0x04, 0x58, 0x04, 0x7e, 0x80, 0xe4, 0x54, 0x6d, 0x35, 0xb8, + 0x33, 0x6f, 0xac, 0x22, 0x4d, 0xd8, 0x16, 0x64, 0xbb, 0xf5, + 0x28, 0xbe, 0x63, 0x73, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x07, + 0x1c, 0xff, 0x08, 0x06, 0xa3, 0x11, 0x16, 0xda, 0x29, 0xd8, /* b */ + 0xcf, 0xa5, 0x4e, 0x57, 0xeb, 0x74, 0x8b, 0xc5, 0xf3, 0x77, + 0xe4, 0x94, 0x00, 0xfd, 0xd7, 0x88, 0xb6, 0x49, 0xec, 0xa1, + 0xac, 0x43, 0x61, 0x83, 0x40, 0x13, 0xb2, 0xad, 0x73, 0x22, + 0x48, 0x0a, 0x89, 0xca, 0x58, 0xe0, 0xcf, 0x74, 0xbc, 0x9e, + 0x54, 0x0c, 0x2a, 0xdd, 0x68, 0x97, 0xfa, 0xd0, 0xa3, 0x08, + 0x4f, 0x30, 0x2a, 0xdc, + 0x24, 0xd1, 0x9c, 0xc6, 0x45, 0x72, 0xee, 0x30, 0xf3, 0x96, /* x */ + 0xbf, 0x6e, 0xbb, 0xfd, 0x7a, 0x6c, 0x52, 0x13, 0xb3, 0xb3, + 0xd7, 0x05, 0x7c, 0xc8, 0x25, 0xf9, 0x10, 0x93, 0xa6, 0x8c, + 0xd7, 0x62, 0xfd, 0x60, 0x61, 0x12, 0x62, 0xcd, 0x83, 0x8d, + 0xc6, 0xb6, 0x0a, 0xa7, 0xee, 0xe8, 0x04, 0xe2, 0x8b, 0xc8, + 0x49, 0x97, 0x7f, 0xac, 0x33, 0xb4, 0xb5, 0x30, 0xf1, 0xb1, + 0x20, 0x24, 0x8a, 0x9a, + 0x2b, 0xb3, 0x12, 0xa4, 0x3b, 0xd2, 0xce, 0x6e, 0x0d, 0x02, /* y */ + 0x06, 0x13, 0xc8, 0x57, 0xac, 0xdd, 0xcf, 0xbf, 0x06, 0x1e, + 0x91, 0xe5, 0xf2, 0xc3, 0xf3, 0x24, 0x47, 0xc2, 0x59, 0xf3, + 0x9b, 0x2c, 0x83, 0xab, 0x15, 0x6d, 0x77, 0xf1, 0x49, 0x6b, + 0xf7, 0xeb, 0x33, 0x51, 0xe1, 0xee, 0x4e, 0x43, 0xdc, 0x1a, + 0x18, 0xb9, 0x1b, 0x24, 0x64, 0x0b, 0x6d, 0xbb, 0x92, 0xcb, + 0x1a, 0xdd, 0x37, 0x1e, + 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, /* order */ + 0x26, 0x7b, 0x6b, 0x2f, 0xee, 0x80, 0x92, 0x2b, 0x14, 0xb2, + 0xff, 0xb9, 0x0f, 0x04, 0xd4, 0xeb, 0x7c, 0x09, 0xb5, 0xd2, + 0xd1, 0x5d, 0xa8, 0x2f, 0x2d, 0x7e, 0xcb, 0x1d, 0xba, 0xc7, + 0x19, 0x90, 0x5c, 0x5e, 0xec, 0xc4, 0x23, 0xf1, 0xd8, 0x6e, + 0x25, 0xed, 0xbe, 0x23, 0xc5, 0x95, 0xd6, 0x44, 0xaa, 0xf1, + 0x87, 0xe6, 0xe6, 0xdf, + } +}; + +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 64 * 6]; +} + _EC_GOST_2012_512_TC26_A = { { NID_X9_62_prime_field, 0, 64, 1 }, @@ -2958,7 +3052,7 @@ static const struct { EC_CURVE_DATA h; unsigned char data[0 + 64 * 6]; } - _EC_GOST_2012_TC26_B = { + _EC_GOST_2012_512_TC26_B = { { NID_X9_62_prime_field, 0, 64, 1 }, @@ -3008,6 +3102,64 @@ static const struct { } }; +/* + * This curve is defined in two birationally equal forms: canonical and Twisted + * Edwards. We do calculations in canonical (Weierstrass) form. + */ +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 64 * 6]; +} + _EC_GOST_2012_512_TC26_C = { + { + NID_X9_62_prime_field, 0, 64, 4 + }, + { /* no seed */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* p */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xfd, 0xc7, + 0xdc, 0x92, 0x03, 0xe5, 0x14, 0xa7, 0x21, 0x87, 0x54, 0x85, /* a */ + 0xa5, 0x29, 0xd2, 0xc7, 0x22, 0xfb, 0x18, 0x7b, 0xc8, 0x98, + 0x0e, 0xb8, 0x66, 0x64, 0x4d, 0xe4, 0x1c, 0x68, 0xe1, 0x43, + 0x06, 0x45, 0x46, 0xe8, 0x61, 0xc0, 0xe2, 0xc9, 0xed, 0xd9, + 0x2a, 0xde, 0x71, 0xf4, 0x6f, 0xcf, 0x50, 0xff, 0x2a, 0xd9, + 0x7f, 0x95, 0x1f, 0xda, 0x9f, 0x2a, 0x2e, 0xb6, 0x54, 0x6f, + 0x39, 0x68, 0x9b, 0xd3, + 0xb4, 0xc4, 0xee, 0x28, 0xce, 0xbc, 0x6c, 0x2c, 0x8a, 0xc1, /* b */ + 0x29, 0x52, 0xcf, 0x37, 0xf1, 0x6a, 0xc7, 0xef, 0xb6, 0xa9, + 0xf6, 0x9f, 0x4b, 0x57, 0xff, 0xda, 0x2e, 0x4f, 0x0d, 0xe5, + 0xad, 0xe0, 0x38, 0xcb, 0xc2, 0xff, 0xf7, 0x19, 0xd2, 0xc1, + 0x8d, 0xe0, 0x28, 0x4b, 0x8b, 0xfe, 0xf3, 0xb5, 0x2b, 0x8c, + 0xc7, 0xa5, 0xf5, 0xbf, 0x0a, 0x3c, 0x8d, 0x23, 0x19, 0xa5, + 0x31, 0x25, 0x57, 0xe1, + 0xe2, 0xe3, 0x1e, 0xdf, 0xc2, 0x3d, 0xe7, 0xbd, 0xeb, 0xe2, /* x */ + 0x41, 0xce, 0x59, 0x3e, 0xf5, 0xde, 0x22, 0x95, 0xb7, 0xa9, + 0xcb, 0xae, 0xf0, 0x21, 0xd3, 0x85, 0xf7, 0x07, 0x4c, 0xea, + 0x04, 0x3a, 0xa2, 0x72, 0x72, 0xa7, 0xae, 0x60, 0x2b, 0xf2, + 0xa7, 0xb9, 0x03, 0x3d, 0xb9, 0xed, 0x36, 0x10, 0xc6, 0xfb, + 0x85, 0x48, 0x7e, 0xae, 0x97, 0xaa, 0xc5, 0xbc, 0x79, 0x28, + 0xc1, 0x95, 0x01, 0x48, + 0xf5, 0xce, 0x40, 0xd9, 0x5b, 0x5e, 0xb8, 0x99, 0xab, 0xbc, /* y */ + 0xcf, 0xf5, 0x91, 0x1c, 0xb8, 0x57, 0x79, 0x39, 0x80, 0x4d, + 0x65, 0x27, 0x37, 0x8b, 0x8c, 0x10, 0x8c, 0x3d, 0x20, 0x90, + 0xff, 0x9b, 0xe1, 0x8e, 0x2d, 0x33, 0xe3, 0x02, 0x1e, 0xd2, + 0xef, 0x32, 0xd8, 0x58, 0x22, 0x42, 0x3b, 0x63, 0x04, 0xf7, + 0x26, 0xaa, 0x85, 0x4b, 0xae, 0x07, 0xd0, 0x39, 0x6e, 0x9a, + 0x9a, 0xdd, 0xc4, 0x0f, + 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* order */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xc9, 0x8c, 0xdb, 0xa4, 0x65, 0x06, 0xab, 0x00, + 0x4c, 0x33, 0xa9, 0xff, 0x51, 0x47, 0x50, 0x2c, 0xc8, 0xed, + 0xa9, 0xe7, 0xa7, 0x69, 0xa1, 0x26, 0x94, 0x62, 0x3c, 0xef, + 0x47, 0xf0, 0x23, 0xed, + } +}; + #endif typedef struct _ec_list_element_st { @@ -3147,8 +3299,14 @@ static const ec_list_element curve_list[] = { {NID_id_GostR3410_2001_CryptoPro_C_ParamSet, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-C"}, {NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 CryptoPro-XchA"}, {NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-XchB"}, - {NID_id_tc26_gost_3410_2012_512_paramSetA, &_EC_GOST_2012_TC26_A.h, 0, "GOST R 34.10-2012 TC26-A"}, - {NID_id_tc26_gost_3410_2012_512_paramSetB, &_EC_GOST_2012_TC26_B.h, 0, "GOST R 34.10-2012 TC26-B"}, + {NID_id_tc26_gost_3410_12_256_paramSetA, &_EC_GOST_2012_256_TC26_A.h, 0, "GOST R 34.10-2012 256 TC26-A"}, + {NID_id_tc26_gost_3410_12_256_paramSetB, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2012 256 TC26-B"}, + {NID_id_tc26_gost_3410_12_256_paramSetC, &_EC_GOST_2001_CryptoPro_B.h, 0, "GOST R 34.10-2012 256 TC26-C"}, + {NID_id_tc26_gost_3410_12_256_paramSetD, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2012 256 TC26-D"}, + {NID_id_tc26_gost_3410_12_512_paramSetTest, &_EC_GOST_2012_512_Test.h, 0, "GOST R 34.10-2012 512 Test Curve"}, + {NID_id_tc26_gost_3410_12_512_paramSetA, &_EC_GOST_2012_512_TC26_A.h, 0, "GOST R 34.10-2012 512 TC26-A"}, + {NID_id_tc26_gost_3410_12_512_paramSetB, &_EC_GOST_2012_512_TC26_B.h, 0, "GOST R 34.10-2012 512 TC26-B"}, + {NID_id_tc26_gost_3410_12_512_paramSetC, &_EC_GOST_2012_512_TC26_C.h, 0, "GOST R 34.10-2012 512 TC26-C"}, #endif }; diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index df906162..3442c7a3 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lib.c,v 1.32 2019/09/29 10:09:09 tb Exp $ */ +/* $OpenBSD: ec_lib.c,v 1.33 2020/12/04 08:55:30 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -964,7 +964,13 @@ EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, ECerror(EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #ifndef OPENSSL_NO_EC2M @@ -980,7 +986,13 @@ EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, ECerror(EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #endif diff --git a/crypto/ec/ec_oct.c b/crypto/ec/ec_oct.c index f44b174f..a285c814 100644 --- a/crypto/ec/ec_oct.c +++ b/crypto/ec/ec_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_oct.c,v 1.5 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec_oct.c,v 1.6 2020/12/04 08:55:30 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -98,7 +98,14 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point group, point, x, y_bit, ctx); #endif } - return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx); + if (!group->meth->point_set_compressed_coordinates(group, point, x, + y_bit, ctx)) + return 0; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #ifndef OPENSSL_NO_EC2M @@ -123,7 +130,14 @@ EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP * group, EC_POINT * poin return ec_GF2m_simple_set_compressed_coordinates( group, point, x, y_bit, ctx); } - return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx); + if (!group->meth->point_set_compressed_coordinates(group, point, x, + y_bit, ctx)) + return 0; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #endif diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 90c5ca2e..29d99905 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ecp_oct.c,v 1.12 2020/12/04 08:55:30 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. @@ -362,6 +362,10 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, goto err; } if (form == POINT_CONVERSION_COMPRESSED) { + /* + * EC_POINT_set_compressed_coordinates_GFp checks that the point + * is on the curve as required by X9.62. + */ if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err; } else { @@ -377,15 +381,14 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, goto err; } } + /* + * EC_POINT_set_affine_coordinates_GFp checks that the point is + * on the curve as required by X9.62. + */ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; } - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerror(EC_R_POINT_IS_NOT_ON_CURVE); - goto err; - } ret = 1; err: diff --git a/crypto/err/err.c b/crypto/err/err.c index caabfe01..f05567e1 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: err.c,v 1.47 2018/04/03 21:59:37 tb Exp $ */ +/* $OpenBSD: err.c,v 1.48 2019/10/17 14:28:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1184,3 +1184,24 @@ ERR_pop_to_mark(void) es->err_flags[es->top]&=~ERR_FLAG_MARK; return 1; } + +void +err_clear_last_constant_time(int clear) +{ + ERR_STATE *es; + int top; + + es = ERR_get_state(); + if (es == NULL) + return; + + top = es->top; + + es->err_flags[top] &= ~(0 - clear); + es->err_buffer[top] &= ~(0UL - clear); + es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] & + ~((uintptr_t)0 - clear)); + es->err_line[top] |= 0 - clear; + + es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +} diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 8fddeaaa..05ed0029 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_aes.c,v 1.39 2019/05/12 15:52:46 tb Exp $ */ +/* $OpenBSD: e_aes.c,v 1.42 2020/06/05 18:44:42 tb Exp $ */ /* ==================================================================== * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. * @@ -721,6 +721,10 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_INIT: gctx->key_set = 0; gctx->iv_set = 0; + if (c->cipher->iv_len == 0) { + EVPerror(EVP_R_INVALID_IV_LENGTH); + return 0; + } gctx->ivlen = c->cipher->iv_len; gctx->iv = c->iv; gctx->taglen = -1; @@ -1441,6 +1445,11 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, } memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); + + if (nonce_len == 0) { + EVPerror(EVP_R_INVALID_IV_LENGTH); + return 0; + } CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) @@ -1487,6 +1496,11 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, } memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); + + if (nonce_len == 0) { + EVPerror(EVP_R_INVALID_IV_LENGTH); + return 0; + } CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) @@ -1622,9 +1636,35 @@ aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return ret != 0 ? ret : -1; } +static int +aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) +{ + EVP_AES_WRAP_CTX *wctx = c->cipher_data; + + switch (type) { + case EVP_CTRL_COPY: + { + EVP_CIPHER_CTX *out = ptr; + EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; + + if (wctx->iv != NULL) { + if (c->iv != wctx->iv) + return 0; + + wctx_out->iv = out->iv; + } + + return 1; + } + } + + return -1; +} + #define WRAP_FLAGS \ ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ - EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 ) + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ + EVP_CIPH_CUSTOM_COPY ) static const EVP_CIPHER aes_128_wrap = { .nid = NID_id_aes128_wrap, @@ -1638,7 +1678,7 @@ static const EVP_CIPHER aes_128_wrap = { .ctx_size = sizeof(EVP_AES_WRAP_CTX), .set_asn1_parameters = NULL, .get_asn1_parameters = NULL, - .ctrl = NULL, + .ctrl = aes_wrap_ctrl, .app_data = NULL, }; @@ -1660,7 +1700,7 @@ static const EVP_CIPHER aes_192_wrap = { .ctx_size = sizeof(EVP_AES_WRAP_CTX), .set_asn1_parameters = NULL, .get_asn1_parameters = NULL, - .ctrl = NULL, + .ctrl = aes_wrap_ctrl, .app_data = NULL, }; @@ -1682,7 +1722,7 @@ static const EVP_CIPHER aes_256_wrap = { .ctx_size = sizeof(EVP_AES_WRAP_CTX), .set_asn1_parameters = NULL, .get_asn1_parameters = NULL, - .ctrl = NULL, + .ctrl = aes_wrap_ctrl, .app_data = NULL, }; diff --git a/crypto/evp/e_chacha.c b/crypto/evp/e_chacha.c index b63f586b..a27a3c64 100644 --- a/crypto/evp/e_chacha.c +++ b/crypto/evp/e_chacha.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_chacha.c,v 1.5 2014/08/04 04:16:11 miod Exp $ */ +/* $OpenBSD: e_chacha.c,v 1.8 2020/01/26 07:47:26 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -34,8 +34,17 @@ static const EVP_CIPHER chacha20_cipher = { .nid = NID_chacha20, .block_size = 1, .key_len = 32, - .iv_len = 8, - .flags = EVP_CIPH_STREAM_CIPHER, + /* + * The 128 bit EVP IV is split for ChaCha into four 32 bit pieces: + * counter[0] counter[1] iv[0] iv[1] + * OpenSSL exposes these as: + * openssl_iv = counter[0] iv[0] iv[1] iv[2] + * Due to the cipher internal state's symmetry, these are functionally + * equivalent. + */ + .iv_len = 16, + .flags = EVP_CIPH_STREAM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | + EVP_CIPH_CUSTOM_IV, .init = chacha_init, .do_cipher = chacha_cipher, .ctx_size = sizeof(ChaCha_ctx) @@ -49,12 +58,17 @@ EVP_chacha20(void) static int chacha_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) + const unsigned char *openssl_iv, int enc) { - ChaCha_set_key((ChaCha_ctx *)ctx->cipher_data, key, - EVP_CIPHER_CTX_key_length(ctx) * 8); - if (iv != NULL) - ChaCha_set_iv((ChaCha_ctx *)ctx->cipher_data, iv, NULL); + if (key != NULL) + ChaCha_set_key((ChaCha_ctx *)ctx->cipher_data, key, + EVP_CIPHER_CTX_key_length(ctx) * 8); + if (openssl_iv != NULL) { + const unsigned char *iv = openssl_iv + 8; + const unsigned char *counter = openssl_iv; + + ChaCha_set_iv((ChaCha_ctx *)ctx->cipher_data, iv, counter); + } return 1; } diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index ae107abb..2f942a03 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: encode.c,v 1.26 2019/01/19 01:24:18 tb Exp $ */ +/* $OpenBSD: encode.c,v 1.28 2020/03/04 11:53:21 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,8 +62,8 @@ #include +static unsigned char conv_ascii2bin(unsigned char a); #define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f]) -#define conv_ascii2bin(a) (data_ascii2bin[(a)&0x7f]) /* 64 char lines * pad input with 0 @@ -92,6 +92,7 @@ abcdefghijklmnopqrstuvwxyz0123456789+/"; #define B64_WS 0xE0 #define B64_ERROR 0xFF #define B64_NOT_BASE64(a) (((a)|0x13) == 0xF3) +#define B64_BASE64(a) !B64_NOT_BASE64(a) static const unsigned char data_ascii2bin[128] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, @@ -112,6 +113,14 @@ static const unsigned char data_ascii2bin[128] = { 0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }; +static unsigned char +conv_ascii2bin(unsigned char a) +{ + if (a & 0x80) + return B64_ERROR; + return data_ascii2bin[a]; +} + EVP_ENCODE_CTX * EVP_ENCODE_CTX_new(void) { @@ -231,151 +240,117 @@ EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen) void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) { - ctx->length = 30; ctx->num = 0; + ctx->length = 0; ctx->line_num = 0; ctx->expect_nl = 0; } -/* -1 for error - * 0 for last line - * 1 for full line - */ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int seof = -1, eof = 0, rv = -1, ret = 0, i, v, tmp, n, ln, exp_nl; + int seof = 0, eof = 0, rv = -1, ret = 0, i, v, tmp, n, decoded_len; unsigned char *d; n = ctx->num; d = ctx->enc_data; - ln = ctx->line_num; - exp_nl = ctx->expect_nl; - /* last line of input. */ - if ((inl == 0) || ((n == 0) && (conv_ascii2bin(in[0]) == B64_EOF))) { + if (n > 0 && d[n - 1] == '=') { + eof++; + if (n > 1 && d[n - 2] == '=') + eof++; + } + + /* Legacy behaviour: an empty input chunk signals end of input. */ + if (inl == 0) { rv = 0; goto end; } - /* We parse the input data */ for (i = 0; i < inl; i++) { - /* If the current line is > 80 characters, scream alot */ - if (ln >= 80) { - rv = -1; - goto end; - } - - /* Get char and put it into the buffer */ - tmp= *(in++); + tmp = *(in++); v = conv_ascii2bin(tmp); - /* only save the good data :-) */ - if (!B64_NOT_BASE64(v)) { - OPENSSL_assert(n < (int)sizeof(ctx->enc_data)); - d[n++] = tmp; - ln++; - } else if (v == B64_ERROR) { - rv = -1; - goto end; - } - - /* There should not be base64 data after padding. */ - if (eof && tmp != '=' && tmp != '\r' && tmp != '\n' && - v != B64_EOF) { + if (v == B64_ERROR) { rv = -1; goto end; } - /* have we seen a '=' which is 'definitely' the last - * input line. seof will point to the character that - * holds it. and eof will hold how many characters to - * chop off. */ if (tmp == '=') { - if (seof == -1) - seof = n; eof++; + } else if (eof > 0 && B64_BASE64(v)) { + /* More data after padding. */ + rv = -1; + goto end; } - /* There should be no more than two padding markers. */ if (eof > 2) { rv = -1; goto end; } - if (v == B64_CR) { - ln = 0; - if (exp_nl) - continue; + if (v == B64_EOF) { + seof = 1; + goto tail; } - /* eoln */ - if (v == B64_EOLN) { - ln = 0; - if (exp_nl) { - exp_nl = 0; - continue; + /* Only save valid base64 characters. */ + if (B64_BASE64(v)) { + if (n >= 64) { + /* + * We increment n once per loop, and empty the + * buffer as soon as we reach 64 characters, so + * this can only happen if someone's manually + * messed with the ctx. Refuse to write any + * more data. + */ + rv = -1; + goto end; } - } - exp_nl = 0; - - /* If we are at the end of input and it looks like a - * line, process it. */ - if (((i + 1) == inl) && (((n&3) == 0) || eof)) { - v = B64_EOF; - /* In case things were given us in really small - records (so two '=' were given in separate - updates), eof may contain the incorrect number - of ending bytes to skip, so let's redo the count */ - eof = 0; - if (d[n-1] == '=') - eof++; - if (d[n-2] == '=') - eof++; - /* There will never be more than two '=' */ + OPENSSL_assert(n < (int)sizeof(ctx->enc_data)); + d[n++] = tmp; } - if ((v == B64_EOF && (n&3) == 0) || (n >= 64)) { - /* This is needed to work correctly on 64 byte input - * lines. We process the line and then need to - * accept the '\n' */ - if ((v != B64_EOF) && (n >= 64)) - exp_nl = 1; - if (n > 0) { - v = EVP_DecodeBlock(out, d, n); - n = 0; - if (v < 0) { - rv = 0; - goto end; - } - ret += (v - eof); - } else { - eof = 1; - v = 0; - } - - /* This is the case where we have had a short - * but valid input line */ - if ((v < ctx->length) && eof) { - rv = 0; + if (n == 64) { + decoded_len = EVP_DecodeBlock(out, d, n); + n = 0; + if (decoded_len < 0 || eof > decoded_len) { + rv = -1; goto end; - } else - ctx->length = v; + } + ret += decoded_len - eof; + out += decoded_len - eof; + } + } - if (seof >= 0) { - rv = 0; + /* + * Legacy behaviour: if the current line is a full base64-block (i.e., + * has 0 mod 4 base64 characters), it is processed immediately. We keep + * this behaviour as applications may not be calling EVP_DecodeFinal + * properly. + */ + tail: + if (n > 0) { + if ((n & 3) == 0) { + decoded_len = EVP_DecodeBlock(out, d, n); + n = 0; + if (decoded_len < 0 || eof > decoded_len) { + rv = -1; goto end; } - out += v; + ret += (decoded_len - eof); + } else if (seof) { + /* EOF in the middle of a base64 block. */ + rv = -1; + goto end; } } - rv = 1; -end: + rv = seof || (n == 0 && eof) ? 0 : 1; + end: + /* Legacy behaviour. This should probably rather be zeroed on error. */ *outl = ret; ctx->num = n; - ctx->line_num = ln; - ctx->expect_nl = exp_nl; return (rv); } diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index bb49e282..896b9e1a 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.43 2019/04/14 17:16:57 jsing Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.44 2021/02/18 19:12:29 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include #include @@ -337,6 +338,17 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the + * amount of data left that is a multiple of the block + * length is (inl - j) & ~(bl - 1). Ensure this plus + * the block processed from ctx-buf doesn't overflow. + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + EVPerror(EVP_R_TOO_LARGE); + return 0; + } memcpy(&(ctx->buf[i]), in, j); if (!M_do_cipher(ctx, out, ctx->buf, bl)) return 0; @@ -451,6 +463,16 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } if (ctx->final_used) { + /* + * final_used is only ever set if buf_len is 0. Therefore the + * maximum length output we will ever see from EVP_EncryptUpdate + * is inl & ~(b - 1). Since final_used is set, the final output + * length is (inl & ~(b - 1)) + b. Ensure it doesn't overflow. + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + EVPerror(EVP_R_TOO_LARGE); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1; diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 89f980b7..07ece82c 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_err.c,v 1.25 2019/03/18 05:34:29 tb Exp $ */ +/* $OpenBSD: evp_err.c,v 1.27 2021/03/29 15:57:23 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -111,10 +111,12 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"}, {ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"}, {ERR_REASON(EVP_R_INVALID_FIPS_MODE) , "invalid fips mode"}, + {ERR_REASON(EVP_R_INVALID_IV_LENGTH) , "invalid iv length"}, {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) , "invalid key length"}, {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"}, {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"}, {ERR_REASON(EVP_R_KEYGEN_FAILURE) , "keygen failure"}, + {ERR_REASON(EVP_R_KEY_SETUP_FAILED) , "key setup failed"}, {ERR_REASON(EVP_R_MESSAGE_DIGEST_IS_NULL), "message digest is null"}, {ERR_REASON(EVP_R_METHOD_NOT_SUPPORTED) , "method not supported"}, {ERR_REASON(EVP_R_MISSING_PARAMETERS) , "missing parameters"}, diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index 0b1bea95..8df61354 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_locl.h,v 1.15 2018/11/24 11:16:44 tb Exp $ */ +/* $OpenBSD: evp_locl.h,v 1.16 2019/10/29 07:52:17 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -367,4 +367,6 @@ struct evp_aead_st { const unsigned char *ad, size_t ad_len); }; +int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md_name); + __END_HIDDEN_DECLS diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index de08c8d7..65e9e45e 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_pbe.c,v 1.25 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_pbe.c,v 1.26 2020/06/05 17:30:41 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -114,6 +114,8 @@ static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0}, {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0}, + {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_12_256, -1, NID_id_tc26_gost3411_2012_256, 0}, + {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_12_512, -1, NID_id_tc26_gost3411_2012_512, 0}, }; int diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 9e313c36..f7dcaff4 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_sigver.c,v 1.7 2018/05/13 06:35:10 tb Exp $ */ +/* $OpenBSD: m_sigver.c,v 1.8 2021/03/29 15:57:23 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -74,15 +74,17 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, if (ctx->pctx == NULL) return 0; - if (type == NULL) { - int def_nid; - if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0) - type = EVP_get_digestbynid(def_nid); - } + if (!(ctx->pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM)) { + if (type == NULL) { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0) + type = EVP_get_digestbynid(def_nid); + } - if (type == NULL) { - EVPerror(EVP_R_NO_DEFAULT_DIGEST); - return 0; + if (type == NULL) { + EVPerror(EVP_R_NO_DEFAULT_DIGEST); + return 0; + } } if (ver) { @@ -105,6 +107,8 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, return 0; if (pctx) *pctx = ctx->pctx; + if (ctx->pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) + return 1; if (!EVP_DigestInit_ex(ctx, type, e)) return 0; return 1; @@ -127,7 +131,24 @@ EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen) { - int sctx, r = 0; + EVP_PKEY_CTX *pctx = ctx->pctx; + int sctx; + int r = 0; + + if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) { + EVP_PKEY_CTX *dctx; + + if (sigret == NULL) + return pctx->pmeth->signctx(pctx, sigret, siglen, ctx); + + /* XXX - support EVP_MD_CTX_FLAG_FINALISE? */ + if ((dctx = EVP_PKEY_CTX_dup(ctx->pctx)) == NULL) + return 0; + r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx); + EVP_PKEY_CTX_free(dctx); + + return r; + } if (ctx->pctx->pmeth->signctx) sctx = 1; diff --git a/crypto/evp/p5_crpt.c b/crypto/evp/p5_crpt.c index 75a631bf..98e4549d 100644 --- a/crypto/evp/p5_crpt.c +++ b/crypto/evp/p5_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p5_crpt.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p5_crpt.c,v 1.19 2020/01/12 07:11:13 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -108,6 +108,7 @@ PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, iter = 1; else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) { EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS); + PBEPARAM_free(pbe); return 0; } salt = pbe->salt->data; diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 13a9d65f..9577b10e 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_lib.c,v 1.25 2019/03/17 18:17:45 tb Exp $ */ +/* $OpenBSD: p_lib.c,v 1.26 2021/03/29 15:57:23 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,6 +61,7 @@ #include #include +#include #include #include #include @@ -216,10 +217,14 @@ EVP_PKEY_up_ref(EVP_PKEY *pkey) */ static int -pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) +pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, int len) { const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *e = NULL; + ENGINE **eptr = NULL; + + if (e == NULL) + eptr = &e; + if (pkey) { if (pkey->pkey.ptr) EVP_PKEY_free_it(pkey); @@ -234,11 +239,11 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) #endif } if (str) - ameth = EVP_PKEY_asn1_find_str(&e, str, len); + ameth = EVP_PKEY_asn1_find_str(eptr, str, len); else - ameth = EVP_PKEY_asn1_find(&e, type); + ameth = EVP_PKEY_asn1_find(eptr, type); #ifndef OPENSSL_NO_ENGINE - if (pkey == NULL) + if (pkey == NULL && eptr != NULL) ENGINE_finish(e); #endif if (!ameth) { @@ -258,13 +263,43 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) { - return pkey_set_type(pkey, type, NULL, -1); + return pkey_set_type(pkey, NULL, type, NULL, -1); +} + +EVP_PKEY * +EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, + const EVP_CIPHER *cipher) +{ + EVP_PKEY *ret = NULL; + CMAC_CTX *cmctx = NULL; + + if ((ret = EVP_PKEY_new()) == NULL) + goto err; + if ((cmctx = CMAC_CTX_new()) == NULL) + goto err; + + if (!pkey_set_type(ret, e, EVP_PKEY_CMAC, NULL, -1)) + goto err; + + if (!CMAC_Init(cmctx, priv, len, cipher, e)) { + EVPerror(EVP_R_KEY_SETUP_FAILED); + goto err; + } + + ret->pkey.ptr = (char *)cmctx; + + return ret; + + err: + EVP_PKEY_free(ret); + CMAC_CTX_free(cmctx); + return NULL; } int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len) { - return pkey_set_type(pkey, EVP_PKEY_NONE, str, len); + return pkey_set_type(pkey, NULL, EVP_PKEY_NONE, str, len); } int diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 6b86a0ec..36bfe8d9 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmeth_lib.c,v 1.14 2018/04/14 07:09:21 tb Exp $ */ +/* $OpenBSD: pmeth_lib.c,v 1.16 2019/11/01 15:08:57 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -78,7 +78,8 @@ typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); DECLARE_STACK_OF(EVP_PKEY_METHOD) STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; -extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth; +extern const EVP_PKEY_METHOD rsa_pkey_meth, rsa_pss_pkey_meth; +extern const EVP_PKEY_METHOD dh_pkey_meth, dsa_pkey_meth; extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; extern const EVP_PKEY_METHOD gostimit_pkey_meth, gostr01_pkey_meth; @@ -101,6 +102,9 @@ static const EVP_PKEY_METHOD *standard_methods[] = { #endif &hmac_pkey_meth, &cmac_pkey_meth, +#ifndef OPENSSL_NO_RSA + &rsa_pss_pkey_meth, +#endif }; static int pmeth_cmp_BSEARCH_CMP_FN(const void *, const void *); @@ -438,16 +442,24 @@ EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *name, const char *value) return -2; } if (!strcmp(name, "digest")) { - const EVP_MD *md; - if (!value || !(md = EVP_get_digestbyname(value))) { - EVPerror(EVP_R_INVALID_DIGEST); - return 0; - } - return EVP_PKEY_CTX_set_signature_md(ctx, md); + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_MD, value); } return ctx->pmeth->ctrl_str(ctx, name, value); } +int +EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md_name) +{ + const EVP_MD *md; + + if ((md = EVP_get_digestbyname(md_name)) == NULL) { + EVPerror(EVP_R_INVALID_DIGEST); + return 0; + } + return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, 0, (void *)md); +} + int EVP_PKEY_CTX_get_operation(EVP_PKEY_CTX *ctx) { diff --git a/crypto/gost/gost.h b/crypto/gost/gost.h deleted file mode 100644 index 092f96fb..00000000 --- a/crypto/gost/gost.h +++ /dev/null @@ -1,266 +0,0 @@ -/* $OpenBSD: gost.h,v 1.3 2016/09/04 17:02:31 jsing Exp $ */ -/* - * Copyright (c) 2014 Dmitry Eremin-Solenikov - * Copyright (c) 2005-2006 Cryptocom LTD - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - */ - -#ifndef HEADER_GOST_H -#define HEADER_GOST_H - -#include - -#ifdef OPENSSL_NO_GOST -#error GOST is disabled. -#endif - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -typedef struct gost2814789_key_st { - unsigned int key[8]; - unsigned int k87[256],k65[256],k43[256],k21[256]; - unsigned int count; - unsigned key_meshing : 1; -} GOST2814789_KEY; - -int Gost2814789_set_sbox(GOST2814789_KEY *key, int nid); -int Gost2814789_set_key(GOST2814789_KEY *key, - const unsigned char *userKey, const int bits); -void Gost2814789_ecb_encrypt(const unsigned char *in, unsigned char *out, - GOST2814789_KEY *key, const int enc); -void Gost2814789_cfb64_encrypt(const unsigned char *in, unsigned char *out, - size_t length, GOST2814789_KEY *key, - unsigned char *ivec, int *num, const int enc); -void Gost2814789_cnt_encrypt(const unsigned char *in, unsigned char *out, - size_t length, GOST2814789_KEY *key, - unsigned char *ivec, unsigned char *cnt_buf, int *num); - -typedef struct { - ASN1_OCTET_STRING *iv; - ASN1_OBJECT *enc_param_set; -} GOST_CIPHER_PARAMS; - -GOST_CIPHER_PARAMS *GOST_CIPHER_PARAMS_new(void); -void GOST_CIPHER_PARAMS_free(GOST_CIPHER_PARAMS *a); -GOST_CIPHER_PARAMS *d2i_GOST_CIPHER_PARAMS(GOST_CIPHER_PARAMS **a, const unsigned char **in, long len); -int i2d_GOST_CIPHER_PARAMS(GOST_CIPHER_PARAMS *a, unsigned char **out); -extern const ASN1_ITEM GOST_CIPHER_PARAMS_it; - -#define GOST2814789IMIT_LENGTH 4 -#define GOST2814789IMIT_CBLOCK 8 -#define GOST2814789IMIT_LONG unsigned int - -typedef struct GOST2814789IMITstate_st { - GOST2814789IMIT_LONG Nl, Nh; - unsigned char data[GOST2814789IMIT_CBLOCK]; - unsigned int num; - - GOST2814789_KEY cipher; - unsigned char mac[GOST2814789IMIT_CBLOCK]; -} GOST2814789IMIT_CTX; - -/* Note, also removed second parameter and removed dctx->cipher setting */ -int GOST2814789IMIT_Init(GOST2814789IMIT_CTX *c, int nid); -int GOST2814789IMIT_Update(GOST2814789IMIT_CTX *c, const void *data, size_t len); -int GOST2814789IMIT_Final(unsigned char *md, GOST2814789IMIT_CTX *c); -void GOST2814789IMIT_Transform(GOST2814789IMIT_CTX *c, const unsigned char *data); -unsigned char *GOST2814789IMIT(const unsigned char *d, size_t n, - unsigned char *md, int nid, - const unsigned char *key, const unsigned char *iv); - -#define GOSTR341194_LONG unsigned int - -#define GOSTR341194_LENGTH 32 -#define GOSTR341194_CBLOCK 32 -#define GOSTR341194_LBLOCK (GOSTR341194_CBLOCK/4) - -typedef struct GOSTR341194state_st { - GOSTR341194_LONG Nl, Nh; - GOSTR341194_LONG data[GOSTR341194_LBLOCK]; - unsigned int num; - - GOST2814789_KEY cipher; - unsigned char H[GOSTR341194_CBLOCK]; - unsigned char S[GOSTR341194_CBLOCK]; -} GOSTR341194_CTX; - -/* Note, also removed second parameter and removed dctx->cipher setting */ -int GOSTR341194_Init(GOSTR341194_CTX *c, int nid); -int GOSTR341194_Update(GOSTR341194_CTX *c, const void *data, size_t len); -int GOSTR341194_Final(unsigned char *md, GOSTR341194_CTX *c); -void GOSTR341194_Transform(GOSTR341194_CTX *c, const unsigned char *data); -unsigned char *GOSTR341194(const unsigned char *d, size_t n,unsigned char *md, int nid); - -#if defined(_LP64) -#define STREEBOG_LONG64 unsigned long -#define U64(C) C##UL -#else -#define STREEBOG_LONG64 unsigned long long -#define U64(C) C##ULL -#endif - -#define STREEBOG_LBLOCK 8 -#define STREEBOG_CBLOCK 64 -#define STREEBOG256_LENGTH 32 -#define STREEBOG512_LENGTH 64 - -typedef struct STREEBOGstate_st { - STREEBOG_LONG64 data[STREEBOG_LBLOCK]; - unsigned int num; - unsigned int md_len; - STREEBOG_LONG64 h[STREEBOG_LBLOCK]; - STREEBOG_LONG64 N[STREEBOG_LBLOCK]; - STREEBOG_LONG64 Sigma[STREEBOG_LBLOCK]; -} STREEBOG_CTX; - -int STREEBOG256_Init(STREEBOG_CTX *c); -int STREEBOG256_Update(STREEBOG_CTX *c, const void *data, size_t len); -int STREEBOG256_Final(unsigned char *md, STREEBOG_CTX *c); -void STREEBOG256_Transform(STREEBOG_CTX *c, const unsigned char *data); -unsigned char *STREEBOG256(const unsigned char *d, size_t n,unsigned char *md); - -int STREEBOG512_Init(STREEBOG_CTX *c); -int STREEBOG512_Update(STREEBOG_CTX *c, const void *data, size_t len); -int STREEBOG512_Final(unsigned char *md, STREEBOG_CTX *c); -void STREEBOG512_Transform(STREEBOG_CTX *c, const unsigned char *data); -unsigned char *STREEBOG512(const unsigned char *d, size_t n,unsigned char *md); - -typedef struct gost_key_st GOST_KEY; -GOST_KEY *GOST_KEY_new(void); -void GOST_KEY_free(GOST_KEY * r); -int GOST_KEY_check_key(const GOST_KEY * eckey); -int GOST_KEY_set_public_key_affine_coordinates(GOST_KEY * key, BIGNUM * x, BIGNUM * y); -const EC_GROUP * GOST_KEY_get0_group(const GOST_KEY * key); -int GOST_KEY_set_group(GOST_KEY * key, const EC_GROUP * group); -int GOST_KEY_get_digest(const GOST_KEY * key); -int GOST_KEY_set_digest(GOST_KEY * key, int digest_nid); -const BIGNUM * GOST_KEY_get0_private_key(const GOST_KEY * key); -int GOST_KEY_set_private_key(GOST_KEY * key, const BIGNUM * priv_key); -const EC_POINT * GOST_KEY_get0_public_key(const GOST_KEY * key); -int GOST_KEY_set_public_key(GOST_KEY * key, const EC_POINT * pub_key); -size_t GOST_KEY_get_size(const GOST_KEY * r); - -/* Gost-specific pmeth control-function parameters */ -/* For GOST R34.10 parameters */ -#define EVP_PKEY_CTRL_GOST_PARAMSET (EVP_PKEY_ALG_CTRL+1) -#define EVP_PKEY_CTRL_GOST_SIG_FORMAT (EVP_PKEY_ALG_CTRL+2) -#define EVP_PKEY_CTRL_GOST_SET_DIGEST (EVP_PKEY_ALG_CTRL+3) -#define EVP_PKEY_CTRL_GOST_GET_DIGEST (EVP_PKEY_ALG_CTRL+4) - -#define GOST_SIG_FORMAT_SR_BE 0 -#define GOST_SIG_FORMAT_RS_LE 1 - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_GOST_strings(void); - -/* Error codes for the GOST functions. */ - -/* Function codes. */ -#define GOST_F_DECODE_GOST01_ALGOR_PARAMS 104 -#define GOST_F_ENCODE_GOST01_ALGOR_PARAMS 105 -#define GOST_F_GOST2001_COMPUTE_PUBLIC 106 -#define GOST_F_GOST2001_DO_SIGN 107 -#define GOST_F_GOST2001_DO_VERIFY 108 -#define GOST_F_GOST2001_KEYGEN 109 -#define GOST_F_GOST89_GET_ASN1_PARAMETERS 102 -#define GOST_F_GOST89_SET_ASN1_PARAMETERS 103 -#define GOST_F_GOST_KEY_CHECK_KEY 124 -#define GOST_F_GOST_KEY_NEW 125 -#define GOST_F_GOST_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 126 -#define GOST_F_PARAM_COPY_GOST01 110 -#define GOST_F_PARAM_DECODE_GOST01 111 -#define GOST_F_PKEY_GOST01_CTRL 116 -#define GOST_F_PKEY_GOST01_DECRYPT 112 -#define GOST_F_PKEY_GOST01_DERIVE 113 -#define GOST_F_PKEY_GOST01_ENCRYPT 114 -#define GOST_F_PKEY_GOST01_PARAMGEN 115 -#define GOST_F_PKEY_GOST01_SIGN 123 -#define GOST_F_PKEY_GOST_MAC_CTRL 100 -#define GOST_F_PKEY_GOST_MAC_KEYGEN 101 -#define GOST_F_PRIV_DECODE_GOST01 117 -#define GOST_F_PUB_DECODE_GOST01 118 -#define GOST_F_PUB_ENCODE_GOST01 119 -#define GOST_F_PUB_PRINT_GOST01 120 -#define GOST_F_UNPACK_SIGNATURE_CP 121 -#define GOST_F_UNPACK_SIGNATURE_LE 122 - -/* Reason codes. */ -#define GOST_R_BAD_KEY_PARAMETERS_FORMAT 104 -#define GOST_R_BAD_PKEY_PARAMETERS_FORMAT 105 -#define GOST_R_CANNOT_PACK_EPHEMERAL_KEY 106 -#define GOST_R_CTRL_CALL_FAILED 107 -#define GOST_R_ERROR_COMPUTING_SHARED_KEY 108 -#define GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO 109 -#define GOST_R_INCOMPATIBLE_ALGORITHMS 110 -#define GOST_R_INCOMPATIBLE_PEER_KEY 111 -#define GOST_R_INVALID_DIGEST_TYPE 100 -#define GOST_R_INVALID_IV_LENGTH 103 -#define GOST_R_INVALID_MAC_KEY_LENGTH 101 -#define GOST_R_KEY_IS_NOT_INITIALIZED 112 -#define GOST_R_KEY_PARAMETERS_MISSING 113 -#define GOST_R_MAC_KEY_NOT_SET 102 -#define GOST_R_NO_PARAMETERS_SET 115 -#define GOST_R_NO_PEER_KEY 116 -#define GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR 117 -#define GOST_R_PUBLIC_KEY_UNDEFINED 118 -#define GOST_R_RANDOM_NUMBER_GENERATOR_FAILED 120 -#define GOST_R_SIGNATURE_MISMATCH 121 -#define GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q 122 -#define GOST_R_UKM_NOT_SET 123 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/crypto/gost/gost2814789.c b/crypto/gost/gost2814789.c index e285413e..f1066f24 100644 --- a/crypto/gost/gost2814789.c +++ b/crypto/gost/gost2814789.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gost2814789.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: gost2814789.c,v 1.6 2020/09/12 02:45:05 inoguchi Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -49,6 +49,8 @@ * ==================================================================== */ +#include + #include #include diff --git a/crypto/gost/gost_err.c b/crypto/gost/gost_err.c index 3bf60ff0..e7111dd3 100644 --- a/crypto/gost/gost_err.c +++ b/crypto/gost/gost_err.c @@ -73,43 +73,39 @@ static ERR_STRING_DATA GOST_str_functs[]= { {0, NULL} }; -static ERR_STRING_DATA GOST_str_reasons[]= - { -{ERR_REASON(GOST_R_BAD_KEY_PARAMETERS_FORMAT),"bad key parameters format"}, -{ERR_REASON(GOST_R_BAD_PKEY_PARAMETERS_FORMAT),"bad pkey parameters format"}, -{ERR_REASON(GOST_R_CANNOT_PACK_EPHEMERAL_KEY),"cannot pack ephemeral key"}, -{ERR_REASON(GOST_R_CTRL_CALL_FAILED) ,"ctrl call failed"}, -{ERR_REASON(GOST_R_ERROR_COMPUTING_SHARED_KEY),"error computing shared key"}, -{ERR_REASON(GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO),"error parsing key transport info"}, -{ERR_REASON(GOST_R_INCOMPATIBLE_ALGORITHMS),"incompatible algorithms"}, -{ERR_REASON(GOST_R_INCOMPATIBLE_PEER_KEY),"incompatible peer key"}, -{ERR_REASON(GOST_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, -{ERR_REASON(GOST_R_INVALID_IV_LENGTH) ,"invalid iv length"}, -{ERR_REASON(GOST_R_INVALID_MAC_KEY_LENGTH),"invalid mac key length"}, -{ERR_REASON(GOST_R_KEY_IS_NOT_INITIALIZED),"key is not initialized"}, -{ERR_REASON(GOST_R_KEY_PARAMETERS_MISSING),"key parameters missing"}, -{ERR_REASON(GOST_R_MAC_KEY_NOT_SET) ,"mac key not set"}, -{ERR_REASON(GOST_R_NO_PARAMETERS_SET) ,"no parameters set"}, -{ERR_REASON(GOST_R_NO_PEER_KEY) ,"no peer key"}, -{ERR_REASON(GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR),"no private part of non ephemeral keypair"}, -{ERR_REASON(GOST_R_PUBLIC_KEY_UNDEFINED) ,"public key undefined"}, -{ERR_REASON(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED),"random number generator failed"}, -{ERR_REASON(GOST_R_SIGNATURE_MISMATCH) ,"signature mismatch"}, -{ERR_REASON(GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q),"signature parts greater than q"}, -{ERR_REASON(GOST_R_UKM_NOT_SET) ,"ukm not set"}, -{0,NULL} - }; - +static ERR_STRING_DATA GOST_str_reasons[] = { + {ERR_REASON(GOST_R_BAD_KEY_PARAMETERS_FORMAT),"bad key parameters format"}, + {ERR_REASON(GOST_R_BAD_PKEY_PARAMETERS_FORMAT),"bad pkey parameters format"}, + {ERR_REASON(GOST_R_CANNOT_PACK_EPHEMERAL_KEY),"cannot pack ephemeral key"}, + {ERR_REASON(GOST_R_CTRL_CALL_FAILED) ,"ctrl call failed"}, + {ERR_REASON(GOST_R_ERROR_COMPUTING_SHARED_KEY),"error computing shared key"}, + {ERR_REASON(GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO),"error parsing key transport info"}, + {ERR_REASON(GOST_R_INCOMPATIBLE_ALGORITHMS),"incompatible algorithms"}, + {ERR_REASON(GOST_R_INCOMPATIBLE_PEER_KEY),"incompatible peer key"}, + {ERR_REASON(GOST_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, + {ERR_REASON(GOST_R_INVALID_IV_LENGTH) ,"invalid iv length"}, + {ERR_REASON(GOST_R_INVALID_MAC_KEY_LENGTH),"invalid mac key length"}, + {ERR_REASON(GOST_R_KEY_IS_NOT_INITIALIZED),"key is not initialized"}, + {ERR_REASON(GOST_R_KEY_PARAMETERS_MISSING),"key parameters missing"}, + {ERR_REASON(GOST_R_MAC_KEY_NOT_SET) ,"mac key not set"}, + {ERR_REASON(GOST_R_NO_PARAMETERS_SET) ,"no parameters set"}, + {ERR_REASON(GOST_R_NO_PEER_KEY) ,"no peer key"}, + {ERR_REASON(GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR),"no private part of non ephemeral keypair"}, + {ERR_REASON(GOST_R_PUBLIC_KEY_UNDEFINED) ,"public key undefined"}, + {ERR_REASON(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED),"random number generator failed"}, + {ERR_REASON(GOST_R_SIGNATURE_MISMATCH) ,"signature mismatch"}, + {ERR_REASON(GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q),"signature parts greater than q"}, + {ERR_REASON(GOST_R_UKM_NOT_SET) ,"ukm not set"}, + {0, NULL} +}; #endif -void ERR_load_GOST_strings(void) - { +void +ERR_load_GOST_strings(void) { #ifndef OPENSSL_NO_ERR - - if (ERR_func_error_string(GOST_str_functs[0].error) == NULL) - { + if (ERR_func_error_string(GOST_str_functs[0].error) == NULL) { ERR_load_strings(0,GOST_str_functs); ERR_load_strings(0,GOST_str_reasons); - } -#endif } +#endif +} diff --git a/crypto/gost/gostr341001_ameth.c b/crypto/gost/gostr341001_ameth.c index 16295996..27a95f20 100644 --- a/crypto/gost/gostr341001_ameth.c +++ b/crypto/gost/gostr341001_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001_ameth.c,v 1.15 2018/08/24 20:22:15 tb Exp $ */ +/* $OpenBSD: gostr341001_ameth.c,v 1.16 2020/06/05 17:17:22 jsing Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -96,15 +96,19 @@ decode_gost01_algor_params(EVP_PKEY *pkey, const unsigned char **p, int len) ec = pkey->pkey.gost; if (ec == NULL) { ec = GOST_KEY_new(); - if (ec == NULL) + if (ec == NULL) { + GOSTerror(ERR_R_MALLOC_FAILURE); return 0; + } if (EVP_PKEY_assign_GOST(pkey, ec) == 0) return 0; } group = EC_GROUP_new_by_curve_name(param_nid); - if (group == NULL) + if (group == NULL) { + GOSTerror(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE); return 0; + } EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); if (GOST_KEY_set_group(ec, group) == 0) { EC_GROUP_free(group); @@ -207,8 +211,10 @@ pub_decode_gost01(EVP_PKEY *pk, X509_PUBKEY *pub) return 0; } p = pval->data; - if (decode_gost01_algor_params(pk, &p, pval->length) == 0) + if (decode_gost01_algor_params(pk, &p, pval->length) == 0) { + GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; + } octet = d2i_ASN1_OCTET_STRING(NULL, &pubkey_buf, pub_len); if (octet == NULL) { @@ -407,8 +413,10 @@ priv_decode_gost01(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf) int ptype = V_ASN1_UNDEF; ASN1_STRING *pval = NULL; - if (PKCS8_pkey_get0(&palg_obj, &pkey_buf, &priv_len, &palg, p8inf) == 0) + if (PKCS8_pkey_get0(&palg_obj, &pkey_buf, &priv_len, &palg, p8inf) == 0) { + GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; + } (void)EVP_PKEY_assign_GOST(pk, NULL); X509_ALGOR_get0(NULL, &ptype, (const void **)&pval, palg); if (ptype != V_ASN1_SEQUENCE) { @@ -416,8 +424,10 @@ priv_decode_gost01(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf) return 0; } p = pval->data; - if (decode_gost01_algor_params(pk, &p, pval->length) == 0) + if (decode_gost01_algor_params(pk, &p, pval->length) == 0) { + GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; + } p = pkey_buf; if (V_ASN1_OCTET_STRING == *p) { /* New format - Little endian octet string */ diff --git a/crypto/gost/gostr341001_params.c b/crypto/gost/gostr341001_params.c index 6500c30f..282a2104 100644 --- a/crypto/gost/gostr341001_params.c +++ b/crypto/gost/gostr341001_params.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001_params.c,v 1.3 2015/07/20 22:42:56 bcook Exp $ */ +/* $OpenBSD: gostr341001_params.c,v 1.4 2020/06/05 17:12:09 jsing Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -98,8 +98,8 @@ static const GostR3410_params GostR3410_256_params[] = { }; static const GostR3410_params GostR3410_512_params[] = { - { "A", NID_id_tc26_gost_3410_2012_512_paramSetA }, - { "B", NID_id_tc26_gost_3410_2012_512_paramSetB }, + { "A", NID_id_tc26_gost_3410_12_512_paramSetA }, + { "B", NID_id_tc26_gost_3410_12_512_paramSetB }, { NULL, NID_undef }, }; diff --git a/crypto/hkdf/hkdf.c b/crypto/hkdf/hkdf.c index fa1dfeb0..b8be10bf 100644 --- a/crypto/hkdf/hkdf.c +++ b/crypto/hkdf/hkdf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hkdf.c,v 1.2 2018/04/03 13:33:53 tb Exp $ */ +/* $OpenBSD: hkdf.c,v 1.4 2019/11/21 20:02:20 tim Exp $ */ /* Copyright (c) 2014, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any @@ -32,10 +32,10 @@ HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, size_t prk_len; if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt, - salt_len)) + salt_len)) return 0; if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info, - info_len)) + info_len)) return 0; return 1; @@ -50,8 +50,8 @@ HKDF_extract(uint8_t *out_key, size_t *out_len, unsigned int len; /* - * If salt is not given, HashLength zeros are used. However, HMAC does that - * internally already so we can ignore it. + * If salt is not given, HashLength zeros are used. However, HMAC does + * that internally already so we can ignore it. */ if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == NULL) { @@ -91,7 +91,7 @@ HKDF_expand(uint8_t *out_key, size_t out_len, size_t todo; if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) || - !HMAC_Update(&hmac, previous, digest_len))) + !HMAC_Update(&hmac, previous, digest_len))) goto out; if (!HMAC_Update(&hmac, info, info_len) || @@ -111,6 +111,7 @@ HKDF_expand(uint8_t *out_key, size_t out_len, out: HMAC_CTX_cleanup(&hmac); + explicit_bzero(previous, sizeof(previous)); if (ret != 1) CRYPTOerror(ERR_R_CRYPTO_LIB); return ret; diff --git a/crypto/md5/md5-masm-x86_64.S b/crypto/md5/md5-masm-x86_64.S index 61cbebed..40019cd5 100644 --- a/crypto/md5/md5-masm-x86_64.S +++ b/crypto/md5/md5-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/md5/md5-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/md5/md5-masm-x86_64.S.tmp" 2 diff --git a/crypto/modes/ghash-masm-x86_64.S b/crypto/modes/ghash-masm-x86_64.S index edde6019..ffdc1b51 100644 --- a/crypto/modes/ghash-masm-x86_64.S +++ b/crypto/modes/ghash-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/modes/ghash-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/modes/ghash-masm-x86_64.S.tmp" 2 diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 7a430c24..2f55740a 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 992 -#define NUM_SN 985 -#define NUM_LN 985 -#define NUM_OBJ 915 +#define NUM_NID 1014 +#define NUM_SN 1007 +#define NUM_LN 1007 +#define NUM_OBJ 937 -static const unsigned char lvalues[6402]={ +static const unsigned char lvalues[6599]={ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -939,8 +939,8 @@ static const unsigned char lvalues[6402]={ 0x2A,0x85,0x03,0x07,0x01, /* [6118] OBJ_tc26 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x02, /* [6123] OBJ_id_tc26_gost3411_2012_256 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x03, /* [6131] OBJ_id_tc26_gost3411_2012_512 */ -0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01,/* [6139] OBJ_id_tc26_gost_3410_2012_512_paramSetA */ -0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02,/* [6148] OBJ_id_tc26_gost_3410_2012_512_paramSetB */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01,/* [6139] OBJ_id_tc26_gost_3410_12_512_paramSetA */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02,/* [6148] OBJ_id_tc26_gost_3410_12_512_paramSetB */ 0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,0x01,/* [6157] OBJ_id_tc26_gost_28147_param_Z */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x01, /* [6166] OBJ_id_tc26_gost3410_2012_256 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x02, /* [6174] OBJ_id_tc26_gost3410_2012_512 */ @@ -977,6 +977,28 @@ static const unsigned char lvalues[6402]={ 0x2B,0x81,0x04,0x01,0x0E,0x01, /* [6383] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */ 0x2B,0x81,0x04,0x01,0x0E,0x02, /* [6389] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */ 0x2B,0x81,0x04,0x01,0x0E,0x03, /* [6395] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x09,/* [6401] OBJ_pSpecified */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x01,/* [6410] OBJ_id_tc26_gost_3410_12_256_paramSetA */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x02,/* [6419] OBJ_id_tc26_gost_3410_12_256_paramSetB */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x03,/* [6428] OBJ_id_tc26_gost_3410_12_256_paramSetC */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x04,/* [6437] OBJ_id_tc26_gost_3410_12_256_paramSetD */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x00,/* [6446] OBJ_id_tc26_gost_3410_12_512_paramSetTest */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x03,/* [6455] OBJ_id_tc26_gost_3410_12_512_paramSetC */ +0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01, /* [6464] OBJ_id_tc26_hmac_gost_3411_12_256 */ +0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02, /* [6472] OBJ_id_tc26_hmac_gost_3411_12_512 */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x18,/* [6480] OBJ_id_ct_routeOriginAuthz */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1A,/* [6491] OBJ_id_ct_rpkiManifest */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x23,/* [6502] OBJ_id_ct_rpkiGhostbusters */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x24,/* [6513] OBJ_id_ct_resourceTaggedAttest */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E, /* [6524] OBJ_id_cp */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1C, /* [6531] OBJ_sbgp_ipAddrBlockv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1D, /* [6539] OBJ_sbgp_autonomousSysNumv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x02, /* [6547] OBJ_ipAddr_asNumber */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x03, /* [6555] OBJ_ipAddr_asNumberv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0A, /* [6563] OBJ_rpkiManifest */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0B, /* [6571] OBJ_signedObject */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0D, /* [6579] OBJ_rpkiNotify */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x2F,/* [6587] OBJ_id_ct_geofeedCSVwithCRLF */ }; static const ASN1_OBJECT nid_objs[NUM_NID]={ @@ -2496,12 +2518,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ NID_id_tc26_gost3411_2012_256,8,&(lvalues[6123]),0}, {"streebog512","GOST R 34-11-2012 (512 bit)", NID_id_tc26_gost3411_2012_512,8,&(lvalues[6131]),0}, -{"id-tc26-gost-3410-2012-512-paramSetA", - "id-tc26-gost-3410-2012-512-paramSetA", - NID_id_tc26_gost_3410_2012_512_paramSetA,9,&(lvalues[6139]),0}, -{"id-tc26-gost-3410-2012-512-paramSetB", - "id-tc26-gost-3410-2012-512-paramSetB", - NID_id_tc26_gost_3410_2012_512_paramSetB,9,&(lvalues[6148]),0}, +{"id-tc26-gost-3410-12-512-paramSetA", + "GOST R 34.10-2012 (512 bit) ParamSet A", + NID_id_tc26_gost_3410_12_512_paramSetA,9,&(lvalues[6139]),0}, +{"id-tc26-gost-3410-12-512-paramSetB", + "GOST R 34.10-2012 (512 bit) ParamSet B", + NID_id_tc26_gost_3410_12_512_paramSetB,9,&(lvalues[6148]),0}, {"id-tc26-gost-28147-param-Z","id-tc26-gost-28147-param-Z", NID_id_tc26_gost_28147_param_Z,9,&(lvalues[6157]),0}, {"id-tc26-gost3410-2012-256","GOST R 34.10-2012 (256 bit)", @@ -2580,6 +2602,51 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ NID_dhSinglePass_cofactorDH_sha512kdf_scheme,6,&(lvalues[6395]),0}, {"dh-std-kdf","dh-std-kdf",NID_dh_std_kdf,0,NULL,0}, {"dh-cofactor-kdf","dh-cofactor-kdf",NID_dh_cofactor_kdf,0,NULL,0}, +{"PSPECIFIED","pSpecified",NID_pSpecified,9,&(lvalues[6401]),0}, +{"id-tc26-gost-3410-12-256-paramSetA", + "GOST R 34.10-2012 (256 bit) ParamSet A", + NID_id_tc26_gost_3410_12_256_paramSetA,9,&(lvalues[6410]),0}, +{"id-tc26-gost-3410-12-256-paramSetB", + "GOST R 34.10-2012 (256 bit) ParamSet B", + NID_id_tc26_gost_3410_12_256_paramSetB,9,&(lvalues[6419]),0}, +{"id-tc26-gost-3410-12-256-paramSetC", + "GOST R 34.10-2012 (256 bit) ParamSet C", + NID_id_tc26_gost_3410_12_256_paramSetC,9,&(lvalues[6428]),0}, +{"id-tc26-gost-3410-12-256-paramSetD", + "GOST R 34.10-2012 (256 bit) ParamSet D", + NID_id_tc26_gost_3410_12_256_paramSetD,9,&(lvalues[6437]),0}, +{"id-tc26-gost-3410-12-512-paramSetTest", + "GOST R 34.10-2012 (512 bit) testing parameter set", + NID_id_tc26_gost_3410_12_512_paramSetTest,9,&(lvalues[6446]),0}, +{"id-tc26-gost-3410-12-512-paramSetC", + "GOST R 34.10-2012 (512 bit) ParamSet C", + NID_id_tc26_gost_3410_12_512_paramSetC,9,&(lvalues[6455]),0}, +{"id-tc26-hmac-gost-3411-12-256","HMAC STREEBOG 256", + NID_id_tc26_hmac_gost_3411_12_256,8,&(lvalues[6464]),0}, +{"id-tc26-hmac-gost-3411-12-512","HMAC STREEBOG 512", + NID_id_tc26_hmac_gost_3411_12_512,8,&(lvalues[6472]),0}, +{"id-ct-routeOriginAuthz","id-ct-routeOriginAuthz", + NID_id_ct_routeOriginAuthz,11,&(lvalues[6480]),0}, +{"id-ct-rpkiManifest","id-ct-rpkiManifest",NID_id_ct_rpkiManifest,11, + &(lvalues[6491]),0}, +{"id-ct-rpkiGhostbusters","id-ct-rpkiGhostbusters", + NID_id_ct_rpkiGhostbusters,11,&(lvalues[6502]),0}, +{"id-ct-resourceTaggedAttest","id-ct-resourceTaggedAttest", + NID_id_ct_resourceTaggedAttest,11,&(lvalues[6513]),0}, +{"id-cp","id-cp",NID_id_cp,7,&(lvalues[6524]),0}, +{"sbgp-ipAddrBlockv2","sbgp-ipAddrBlockv2",NID_sbgp_ipAddrBlockv2,8, + &(lvalues[6531]),0}, +{"sbgp-autonomousSysNumv2","sbgp-autonomousSysNumv2", + NID_sbgp_autonomousSysNumv2,8,&(lvalues[6539]),0}, +{"ipAddr-asNumber","ipAddr-asNumber",NID_ipAddr_asNumber,8, + &(lvalues[6547]),0}, +{"ipAddr-asNumberv2","ipAddr-asNumberv2",NID_ipAddr_asNumberv2,8, + &(lvalues[6555]),0}, +{"rpkiManifest","RPKI Manifest",NID_rpkiManifest,8,&(lvalues[6563]),0}, +{"signedObject","Signed Object",NID_signedObject,8,&(lvalues[6571]),0}, +{"rpkiNotify","RPKI Notify",NID_rpkiNotify,8,&(lvalues[6579]),0}, +{"id-ct-geofeedCSVwithCRLF","id-ct-geofeedCSVwithCRLF", + NID_id_ct_geofeedCSVwithCRLF,11,&(lvalues[6587]),0}, }; static const unsigned int sn_objs[NUM_SN]={ @@ -2734,6 +2801,7 @@ static const unsigned int sn_objs[NUM_SN]={ 69, /* "PBKDF2" */ 162, /* "PBMAC1" */ 127, /* "PKIX" */ +992, /* "PSPECIFIED" */ 98, /* "RC2-40-CBC" */ 166, /* "RC2-64-CBC" */ 37, /* "RC2-CBC" */ @@ -3063,7 +3131,13 @@ static const unsigned int sn_objs[NUM_SN]={ 332, /* "id-cmc-senderNonce" */ 327, /* "id-cmc-statusInfo" */ 331, /* "id-cmc-transactionId" */ +1005, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ +1013, /* "id-ct-geofeedCSVwithCRLF" */ +1004, /* "id-ct-resourceTaggedAttest" */ +1001, /* "id-ct-routeOriginAuthz" */ +1003, /* "id-ct-rpkiGhostbusters" */ +1002, /* "id-ct-rpkiManifest" */ 408, /* "id-ecPublicKey" */ 508, /* "id-hex-multipart-message" */ 507, /* "id-hex-partial-message" */ @@ -3203,10 +3277,18 @@ static const unsigned int sn_objs[NUM_SN]={ 250, /* "id-smime-spq-ets-sqt-unotice" */ 249, /* "id-smime-spq-ets-sqt-uri" */ 945, /* "id-tc26-gost-28147-param-Z" */ -943, /* "id-tc26-gost-3410-2012-512-paramSetA" */ -944, /* "id-tc26-gost-3410-2012-512-paramSetB" */ +993, /* "id-tc26-gost-3410-12-256-paramSetA" */ +994, /* "id-tc26-gost-3410-12-256-paramSetB" */ +995, /* "id-tc26-gost-3410-12-256-paramSetC" */ +996, /* "id-tc26-gost-3410-12-256-paramSetD" */ +943, /* "id-tc26-gost-3410-12-512-paramSetA" */ +944, /* "id-tc26-gost-3410-12-512-paramSetB" */ +998, /* "id-tc26-gost-3410-12-512-paramSetC" */ +997, /* "id-tc26-gost-3410-12-512-paramSetTest" */ 946, /* "id-tc26-gost3410-2012-256" */ 947, /* "id-tc26-gost3410-2012-512" */ +999, /* "id-tc26-hmac-gost-3411-12-256" */ +1000, /* "id-tc26-hmac-gost-3411-12-512" */ 948, /* "id-tc26-signwithdigest-gost3410-2012-256" */ 949, /* "id-tc26-signwithdigest-gost3410-2012-512" */ 676, /* "identified-organization" */ @@ -3216,6 +3298,8 @@ static const unsigned int sn_objs[NUM_SN]={ 647, /* "international-organizations" */ 869, /* "internationaliSDNNumber" */ 142, /* "invalidityDate" */ +1008, /* "ipAddr-asNumber" */ +1009, /* "ipAddr-asNumberv2" */ 294, /* "ipsecEndSystem" */ 295, /* "ipsecTunnel" */ 296, /* "ipsecUser" */ @@ -3334,6 +3418,8 @@ static const unsigned int sn_objs[NUM_SN]={ 877, /* "roleOccupant" */ 448, /* "room" */ 463, /* "roomNumber" */ +1010, /* "rpkiManifest" */ +1012, /* "rpkiNotify" */ 6, /* "rsaEncryption" */ 644, /* "rsaOAEPEncryptionSET" */ 377, /* "rsaSignature" */ @@ -3341,7 +3427,9 @@ static const unsigned int sn_objs[NUM_SN]={ 482, /* "sOARecord" */ 155, /* "safeContentsBag" */ 291, /* "sbgp-autonomousSysNum" */ +1007, /* "sbgp-autonomousSysNumv2" */ 290, /* "sbgp-ipAddrBlock" */ +1006, /* "sbgp-ipAddrBlockv2" */ 292, /* "sbgp-routerIdentifier" */ 159, /* "sdsiCertificate" */ 859, /* "searchGuide" */ @@ -3514,6 +3602,7 @@ static const unsigned int sn_objs[NUM_SN]={ 604, /* "setext-pinAny" */ 603, /* "setext-pinSecure" */ 605, /* "setext-track2" */ +1011, /* "signedObject" */ 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ @@ -3604,7 +3693,15 @@ static const unsigned int ln_objs[NUM_LN]={ 811, /* "GOST R 34.10-2001" */ 817, /* "GOST R 34.10-2001 DH" */ 946, /* "GOST R 34.10-2012 (256 bit)" */ +993, /* "GOST R 34.10-2012 (256 bit) ParamSet A" */ +994, /* "GOST R 34.10-2012 (256 bit) ParamSet B" */ +995, /* "GOST R 34.10-2012 (256 bit) ParamSet C" */ +996, /* "GOST R 34.10-2012 (256 bit) ParamSet D" */ 947, /* "GOST R 34.10-2012 (512 bit)" */ +943, /* "GOST R 34.10-2012 (512 bit) ParamSet A" */ +944, /* "GOST R 34.10-2012 (512 bit) ParamSet B" */ +998, /* "GOST R 34.10-2012 (512 bit) ParamSet C" */ +997, /* "GOST R 34.10-2012 (512 bit) testing parameter set" */ 812, /* "GOST R 34.10-94" */ 818, /* "GOST R 34.10-94 DH" */ 941, /* "GOST R 34.11-2012 (256 bit)" */ @@ -3618,6 +3715,8 @@ static const unsigned int ln_objs[NUM_LN]={ 852, /* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */ 854, /* "GOST R 3410-2001 Parameter Set Cryptocom" */ 810, /* "HMAC GOST 34.11-94" */ +999, /* "HMAC STREEBOG 256" */ +1000, /* "HMAC STREEBOG 512" */ 432, /* "Hold Instruction Call Issuer" */ 430, /* "Hold Instruction Code" */ 431, /* "Hold Instruction None" */ @@ -3677,6 +3776,8 @@ static const unsigned int ln_objs[NUM_LN]={ 165, /* "Policy Qualifier User Notice" */ 385, /* "Private" */ 663, /* "Proxy Certificate Information" */ +1010, /* "RPKI Manifest" */ +1012, /* "RPKI Notify" */ 1, /* "RSA Data Security, Inc." */ 2, /* "RSA Data Security, Inc. PKCS" */ 188, /* "S/MIME" */ @@ -3685,6 +3786,7 @@ static const unsigned int ln_objs[NUM_LN]={ 512, /* "Secure Electronic Transactions" */ 386, /* "Security" */ 394, /* "Selected Attribute Types" */ +1011, /* "Signed Object" */ 143, /* "Strong Extranet ID" */ 398, /* "Subject Information Access" */ 130, /* "TLS Web Client Authentication" */ @@ -4036,7 +4138,13 @@ static const unsigned int ln_objs[NUM_LN]={ 332, /* "id-cmc-senderNonce" */ 327, /* "id-cmc-statusInfo" */ 331, /* "id-cmc-transactionId" */ +1005, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ +1013, /* "id-ct-geofeedCSVwithCRLF" */ +1004, /* "id-ct-resourceTaggedAttest" */ +1001, /* "id-ct-routeOriginAuthz" */ +1003, /* "id-ct-rpkiGhostbusters" */ +1002, /* "id-ct-rpkiManifest" */ 408, /* "id-ecPublicKey" */ 508, /* "id-hex-multipart-message" */ 507, /* "id-hex-partial-message" */ @@ -4169,8 +4277,6 @@ static const unsigned int ln_objs[NUM_LN]={ 250, /* "id-smime-spq-ets-sqt-unotice" */ 249, /* "id-smime-spq-ets-sqt-uri" */ 945, /* "id-tc26-gost-28147-param-Z" */ -943, /* "id-tc26-gost-3410-2012-512-paramSetA" */ -944, /* "id-tc26-gost-3410-2012-512-paramSetB" */ 34, /* "idea-cbc" */ 35, /* "idea-cfb" */ 36, /* "idea-ecb" */ @@ -4179,6 +4285,8 @@ static const unsigned int ln_objs[NUM_LN]={ 461, /* "info" */ 101, /* "initials" */ 869, /* "internationaliSDNNumber" */ +1008, /* "ipAddr-asNumber" */ +1009, /* "ipAddr-asNumberv2" */ 749, /* "ipsec3" */ 750, /* "ipsec4" */ 181, /* "iso" */ @@ -4230,6 +4338,7 @@ static const unsigned int ln_objs[NUM_LN]={ 971, /* "oscca" */ 475, /* "otherMailbox" */ 876, /* "owner" */ +992, /* "pSpecified" */ 489, /* "pagerTelephoneNumber" */ 782, /* "password based MAC" */ 374, /* "path" */ @@ -4324,7 +4433,9 @@ static const unsigned int ln_objs[NUM_LN]={ 482, /* "sOARecord" */ 155, /* "safeContentsBag" */ 291, /* "sbgp-autonomousSysNum" */ +1007, /* "sbgp-autonomousSysNumv2" */ 290, /* "sbgp-ipAddrBlock" */ +1006, /* "sbgp-ipAddrBlockv2" */ 292, /* "sbgp-routerIdentifier" */ 159, /* "sdsiCertificate" */ 859, /* "searchGuide" */ @@ -4965,6 +5076,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 266, /* OBJ_id_aca 1 3 6 1 5 5 7 10 */ 267, /* OBJ_id_qcs 1 3 6 1 5 5 7 11 */ 268, /* OBJ_id_cct 1 3 6 1 5 5 7 12 */ +1005, /* OBJ_id_cp 1 3 6 1 5 5 7 14 */ 662, /* OBJ_id_ppl 1 3 6 1 5 5 7 21 */ 176, /* OBJ_id_ad 1 3 6 1 5 5 7 48 */ 507, /* OBJ_id_hex_partial_message 1 3 6 1 7 1 1 1 */ @@ -5006,6 +5118,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 942, /* OBJ_id_tc26_gost3411_2012_512 1 2 643 7 1 1 2 3 */ 948, /* OBJ_id_tc26_signwithdigest_gost3410_2012_256 1 2 643 7 1 1 3 2 */ 949, /* OBJ_id_tc26_signwithdigest_gost3410_2012_512 1 2 643 7 1 1 3 3 */ +999, /* OBJ_id_tc26_hmac_gost_3411_12_256 1 2 643 7 1 1 4 1 */ +1000, /* OBJ_id_tc26_hmac_gost_3411_12_512 1 2 643 7 1 1 4 2 */ 186, /* OBJ_pkcs1 1 2 840 113549 1 1 */ 27, /* OBJ_pkcs3 1 2 840 113549 1 3 */ 187, /* OBJ_pkcs5 1 2 840 113549 1 5 */ @@ -5085,6 +5199,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 397, /* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */ 398, /* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ 663, /* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */ +1006, /* OBJ_sbgp_ipAddrBlockv2 1 3 6 1 5 5 7 1 28 */ +1007, /* OBJ_sbgp_autonomousSysNumv2 1 3 6 1 5 5 7 1 29 */ 164, /* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */ 165, /* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */ 293, /* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */ @@ -5157,6 +5273,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 360, /* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */ 361, /* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */ 362, /* OBJ_id_cct_PKIResponse 1 3 6 1 5 5 7 12 3 */ +1008, /* OBJ_ipAddr_asNumber 1 3 6 1 5 5 7 14 2 */ +1009, /* OBJ_ipAddr_asNumberv2 1 3 6 1 5 5 7 14 3 */ 664, /* OBJ_id_ppl_anyLanguage 1 3 6 1 5 5 7 21 0 */ 665, /* OBJ_id_ppl_inheritAll 1 3 6 1 5 5 7 21 1 */ 667, /* OBJ_Independent 1 3 6 1 5 5 7 21 2 */ @@ -5165,6 +5283,9 @@ static const unsigned int obj_objs[NUM_OBJ]={ 363, /* OBJ_ad_timeStamping 1 3 6 1 5 5 7 48 3 */ 364, /* OBJ_ad_dvcs 1 3 6 1 5 5 7 48 4 */ 785, /* OBJ_caRepository 1 3 6 1 5 5 7 48 5 */ +1010, /* OBJ_rpkiManifest 1 3 6 1 5 5 7 48 10 */ +1011, /* OBJ_signedObject 1 3 6 1 5 5 7 48 11 */ +1012, /* OBJ_rpkiNotify 1 3 6 1 5 5 7 48 13 */ 780, /* OBJ_hmac_md5 1 3 6 1 5 5 8 1 1 */ 781, /* OBJ_hmac_sha1 1 3 6 1 5 5 8 1 2 */ 58, /* OBJ_netscape_cert_extension 2 16 840 1 113730 1 */ @@ -5173,8 +5294,14 @@ static const unsigned int obj_objs[NUM_OBJ]={ 439, /* OBJ_pilotAttributeSyntax 0 9 2342 19200300 100 3 */ 440, /* OBJ_pilotObjectClass 0 9 2342 19200300 100 4 */ 441, /* OBJ_pilotGroups 0 9 2342 19200300 100 10 */ -943, /* OBJ_id_tc26_gost_3410_2012_512_paramSetA 1 2 643 7 1 2 1 2 1 */ -944, /* OBJ_id_tc26_gost_3410_2012_512_paramSetB 1 2 643 7 1 2 1 2 2 */ +993, /* OBJ_id_tc26_gost_3410_12_256_paramSetA 1 2 643 7 1 2 1 1 1 */ +994, /* OBJ_id_tc26_gost_3410_12_256_paramSetB 1 2 643 7 1 2 1 1 2 */ +995, /* OBJ_id_tc26_gost_3410_12_256_paramSetC 1 2 643 7 1 2 1 1 3 */ +996, /* OBJ_id_tc26_gost_3410_12_256_paramSetD 1 2 643 7 1 2 1 1 4 */ +997, /* OBJ_id_tc26_gost_3410_12_512_paramSetTest 1 2 643 7 1 2 1 2 0 */ +943, /* OBJ_id_tc26_gost_3410_12_512_paramSetA 1 2 643 7 1 2 1 2 1 */ +944, /* OBJ_id_tc26_gost_3410_12_512_paramSetB 1 2 643 7 1 2 1 2 2 */ +998, /* OBJ_id_tc26_gost_3410_12_512_paramSetC 1 2 643 7 1 2 1 2 3 */ 945, /* OBJ_id_tc26_gost_28147_param_Z 1 2 643 7 1 2 5 1 1 */ 108, /* OBJ_cast5_cbc 1 2 840 113533 7 66 10 */ 112, /* OBJ_pbeWithMD5AndCast5_CBC 1 2 840 113533 7 66 12 */ @@ -5188,6 +5315,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 644, /* OBJ_rsaOAEPEncryptionSET 1 2 840 113549 1 1 6 */ 919, /* OBJ_rsaesOaep 1 2 840 113549 1 1 7 */ 911, /* OBJ_mgf1 1 2 840 113549 1 1 8 */ +992, /* OBJ_pSpecified 1 2 840 113549 1 1 9 */ 912, /* OBJ_rsassaPss 1 2 840 113549 1 1 10 */ 668, /* OBJ_sha256WithRSAEncryption 1 2 840 113549 1 1 11 */ 669, /* OBJ_sha384WithRSAEncryption 1 2 840 113549 1 1 12 */ @@ -5416,7 +5544,12 @@ static const unsigned int obj_objs[NUM_OBJ]={ 210, /* OBJ_id_smime_ct_DVCSRequestData 1 2 840 113549 1 9 16 1 7 */ 211, /* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */ 786, /* OBJ_id_smime_ct_compressedData 1 2 840 113549 1 9 16 1 9 */ +1001, /* OBJ_id_ct_routeOriginAuthz 1 2 840 113549 1 9 16 1 24 */ +1002, /* OBJ_id_ct_rpkiManifest 1 2 840 113549 1 9 16 1 26 */ 787, /* OBJ_id_ct_asciiTextWithCRLF 1 2 840 113549 1 9 16 1 27 */ +1003, /* OBJ_id_ct_rpkiGhostbusters 1 2 840 113549 1 9 16 1 35 */ +1004, /* OBJ_id_ct_resourceTaggedAttest 1 2 840 113549 1 9 16 1 36 */ +1013, /* OBJ_id_ct_geofeedCSVwithCRLF 1 2 840 113549 1 9 16 1 47 */ 212, /* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */ 213, /* OBJ_id_smime_aa_securityLabel 1 2 840 113549 1 9 16 2 2 */ 214, /* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */ diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 0ed816cd..cb5a2f3d 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.16 2018/11/25 19:48:43 jmc Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.17 2020/10/09 17:19:35 tb Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -81,18 +81,19 @@ OCSP_ONEREQ * OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) { - OCSP_ONEREQ *one = NULL; + OCSP_ONEREQ *one; - if (!(one = OCSP_ONEREQ_new())) + if ((one = OCSP_ONEREQ_new()) == NULL) goto err; - if (one->reqCert) - OCSP_CERTID_free(one->reqCert); + if (req != NULL) { + if (!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) + goto err; + } + OCSP_CERTID_free(one->reqCert); one->reqCert = cid; - if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) - goto err; return one; -err: + err: OCSP_ONEREQ_free(one); return NULL; } diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index f02aaa8b..33c1de43 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_info.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pem_info.c,v 1.24 2020/07/25 11:53:37 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -101,35 +101,33 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *pp; unsigned char *data = NULL; const unsigned char *p; - long len, error = 0; + long len; int ok = 0; - STACK_OF(X509_INFO) *ret = NULL; - unsigned int i, raw, ptype; - d2i_of_void *d2i = 0; + int num_in, ptype, raw; + STACK_OF(X509_INFO) *ret = sk; + d2i_of_void *d2i = NULL; - if (sk == NULL) { + if (ret == NULL) { if ((ret = sk_X509_INFO_new_null()) == NULL) { PEMerror(ERR_R_MALLOC_FAILURE); - return 0; + return NULL; } - } else - ret = sk; + } + num_in = sk_X509_INFO_num(ret); if ((xi = X509_INFO_new()) == NULL) goto err; for (;;) { raw = 0; ptype = 0; - i = PEM_read_bio(bp, &name, &header, &data, &len); - if (i == 0) { - error = ERR_GET_REASON(ERR_peek_last_error()); - if (error == PEM_R_NO_START_LINE) { + if (!PEM_read_bio(bp, &name, &header, &data, &len)) { + if (ERR_GET_REASON(ERR_peek_last_error()) == + PEM_R_NO_START_LINE) { ERR_clear_error(); break; } goto err; } -start: if ((strcmp(name, PEM_STRING_X509) == 0) || (strcmp(name, PEM_STRING_X509_OLD) == 0)) { d2i = (D2I_OF(void))d2i_X509; @@ -138,7 +136,6 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } pp = &(xi->x509); } else if ((strcmp(name, PEM_STRING_X509_TRUSTED) == 0)) { @@ -148,7 +145,6 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } pp = &(xi->x509); } else if (strcmp(name, PEM_STRING_X509_CRL) == 0) { @@ -158,7 +154,6 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } pp = &(xi->crl); } else @@ -170,12 +165,9 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } - xi->enc_data = NULL; xi->enc_len = 0; - xi->x_pkey = X509_PKEY_new(); if (xi->x_pkey == NULL) goto err; @@ -193,12 +185,9 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } - xi->enc_data = NULL; xi->enc_len = 0; - xi->x_pkey = X509_PKEY_new(); if (xi->x_pkey == NULL) goto err; @@ -216,12 +205,9 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } - xi->enc_data = NULL; xi->enc_len = 0; - xi->x_pkey = X509_PKEY_new(); if (xi->x_pkey == NULL) goto err; @@ -286,22 +272,19 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, ok = 1; err: - if (xi != NULL) - X509_INFO_free(xi); if (!ok) { - for (i = 0; ((int)i) < sk_X509_INFO_num(ret); i++) { - xi = sk_X509_INFO_value(ret, i); - X509_INFO_free(xi); - } + while (sk_X509_INFO_num(ret) > num_in) + X509_INFO_free(sk_X509_INFO_pop(ret)); if (ret != sk) sk_X509_INFO_free(ret); ret = NULL; } - + X509_INFO_free(xi); free(name); free(header); free(data); - return (ret); + + return ret; } diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c index 0464a830..c1d075a0 100644 --- a/crypto/pkcs12/pk12err.c +++ b/crypto/pkcs12/pk12err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk12err.c,v 1.10 2014/07/10 22:45:57 jsing Exp $ */ +/* $OpenBSD: pk12err.c,v 1.11 2020/06/05 16:51:12 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * @@ -72,35 +72,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason) static ERR_STRING_DATA PKCS12_str_functs[]= { - {ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"}, - {ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"}, - {ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"}, - {ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"}, - {ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"}, - {ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I), "PKCS12_item_decrypt_d2i"}, - {ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT), "PKCS12_item_i2d_encrypt"}, - {ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"}, - {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"}, - {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"}, - {ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"}, - {ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"}, - {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"}, - {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"}, - {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"}, - {ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"}, - {ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"}, - {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"}, - {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"}, - {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"}, - {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"}, - {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"}, - {ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"}, - {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"}, - {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"}, + {ERR_FUNC(0xfff), "CRYPTO_internal"}, {0, NULL} }; diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 28f812a8..afcc1792 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_lib.c,v 1.20 2019/03/13 20:34:00 tb Exp $ */ +/* $OpenBSD: pk7_lib.c,v 1.21 2020/01/21 10:18:52 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -186,7 +186,6 @@ PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1); if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) goto err; p7->d.signed_and_enveloped->enc_data->content_type = diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c index 8a67bf52..251e7816 100644 --- a/crypto/pkcs7/pkcs7err.c +++ b/crypto/pkcs7/pkcs7err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7err.c,v 1.11 2014/07/10 22:45:57 jsing Exp $ */ +/* $OpenBSD: pkcs7err.c,v 1.12 2020/06/05 16:51:12 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -72,46 +72,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason) static ERR_STRING_DATA PKCS7_str_functs[]= { - {ERR_FUNC(PKCS7_F_B64_READ_PKCS7), "B64_READ_PKCS7"}, - {ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7), "B64_WRITE_PKCS7"}, - {ERR_FUNC(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB), "DO_PKCS7_SIGNED_ATTRIB"}, - {ERR_FUNC(PKCS7_F_I2D_PKCS7_BIO_STREAM), "i2d_PKCS7_bio_stream"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME), "PKCS7_add0_attrib_signing_time"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP), "PKCS7_add_attrib_smimecap"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_CERTIFICATE), "PKCS7_add_certificate"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_CRL), "PKCS7_add_crl"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO), "PKCS7_add_recipient_info"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNATURE), "PKCS7_add_signature"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER), "PKCS7_add_signer"}, - {ERR_FUNC(PKCS7_F_PKCS7_BIO_ADD_DIGEST), "PKCS7_BIO_ADD_DIGEST"}, - {ERR_FUNC(PKCS7_F_PKCS7_COPY_EXISTING_DIGEST), "PKCS7_COPY_EXISTING_DIGEST"}, - {ERR_FUNC(PKCS7_F_PKCS7_CTRL), "PKCS7_ctrl"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATADECODE), "PKCS7_dataDecode"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATAFINAL), "PKCS7_dataFinal"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATAINIT), "PKCS7_dataInit"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATASIGN), "PKCS7_DATASIGN"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY), "PKCS7_dataVerify"}, - {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT), "PKCS7_decrypt"}, - {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT_RINFO), "PKCS7_DECRYPT_RINFO"}, - {ERR_FUNC(PKCS7_F_PKCS7_ENCODE_RINFO), "PKCS7_ENCODE_RINFO"}, - {ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT), "PKCS7_encrypt"}, - {ERR_FUNC(PKCS7_F_PKCS7_FINAL), "PKCS7_final"}, - {ERR_FUNC(PKCS7_F_PKCS7_FIND_DIGEST), "PKCS7_FIND_DIGEST"}, - {ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS), "PKCS7_get0_signers"}, - {ERR_FUNC(PKCS7_F_PKCS7_RECIP_INFO_SET), "PKCS7_RECIP_INFO_set"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER), "PKCS7_set_cipher"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_CONTENT), "PKCS7_set_content"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_DIGEST), "PKCS7_set_digest"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_TYPE), "PKCS7_set_type"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGN), "PKCS7_sign"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGNATUREVERIFY), "PKCS7_signatureVerify"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGNER_INFO_SET), "PKCS7_SIGNER_INFO_set"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGNER_INFO_SIGN), "PKCS7_SIGNER_INFO_sign"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGN_ADD_SIGNER), "PKCS7_sign_add_signer"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP), "PKCS7_simple_smimecap"}, - {ERR_FUNC(PKCS7_F_PKCS7_VERIFY), "PKCS7_verify"}, - {ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7), "SMIME_read_PKCS7"}, - {ERR_FUNC(PKCS7_F_SMIME_TEXT), "SMIME_text"}, + {ERR_FUNC(0xfff), "CRYPTO_internal"}, {0, NULL} }; diff --git a/crypto/rc4/rc4-masm-x86_64.S b/crypto/rc4/rc4-masm-x86_64.S index 5982d15a..b930d98a 100644 --- a/crypto/rc4/rc4-masm-x86_64.S +++ b/crypto/rc4/rc4-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/rc4/rc4-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/rc4/rc4-masm-x86_64.S.tmp" 2 diff --git a/crypto/rc4/rc4-md5-masm-x86_64.S b/crypto/rc4/rc4-md5-masm-x86_64.S index 205df3cb..3357567b 100644 --- a/crypto/rc4/rc4-md5-masm-x86_64.S +++ b/crypto/rc4/rc4-md5-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/rc4/rc4-md5-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/rc4/rc4-md5-masm-x86_64.S.tmp" 2 diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index ce3e9b35..d373d7c1 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_ameth.c,v 1.19 2018/08/24 20:22:15 tb Exp $ */ +/* $OpenBSD: rsa_ameth.c,v 1.24 2019/11/20 10:46:17 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -62,27 +62,94 @@ #include #include +#include #include -#include #include - #include "asn1_locl.h" +#include "cryptlib.h" +#include "evp_locl.h" +#include "rsa_locl.h" + +#ifndef OPENSSL_NO_CMS +static int rsa_cms_sign(CMS_SignerInfo *si); +static int rsa_cms_verify(CMS_SignerInfo *si); +static int rsa_cms_decrypt(CMS_RecipientInfo *ri); +static int rsa_cms_encrypt(CMS_RecipientInfo *ri); +#endif + +static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); + +/* Set any parameters associated with pkey */ +static int +rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype) +{ + const RSA *rsa = pkey->pkey.rsa; + + *pstr = NULL; + + /* If RSA it's just NULL type */ + if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { + *pstrtype = V_ASN1_NULL; + return 1; + } + + /* If no PSS parameters we omit parameters entirely */ + if (rsa->pss == NULL) { + *pstrtype = V_ASN1_UNDEF; + return 1; + } + + /* Encode PSS parameters */ + if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL) + return 0; + + *pstrtype = V_ASN1_SEQUENCE; + return 1; +} + +/* Decode any parameters and set them in RSA structure */ +static int +rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) +{ + const ASN1_OBJECT *algoid; + const void *algp; + int algptype; + + X509_ALGOR_get0(&algoid, &algptype, &algp, alg); + if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) + return 1; + if (algptype == V_ASN1_UNDEF) + return 1; + if (algptype != V_ASN1_SEQUENCE) { + RSAerror(RSA_R_INVALID_PSS_PARAMETERS); + return 0; + } + rsa->pss = rsa_pss_decode(alg); + if (rsa->pss == NULL) + return 0; + return 1; +} static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { unsigned char *penc = NULL; int penclen; + ASN1_STRING *str; + int strtype; + if (!rsa_param_encode(pkey, &str, &strtype)) + return 0; penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); if (penclen <= 0) return 0; - if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA), - V_ASN1_NULL, NULL, penc, penclen)) + if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), + strtype, str, penc, penclen)) return 1; free(penc); + return 0; } @@ -91,15 +158,23 @@ rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) { const unsigned char *p; int pklen; + X509_ALGOR *alg; RSA *rsa = NULL; - if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) + if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) return 0; - if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) { + if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { RSAerror(ERR_R_RSA_LIB); return 0; } - EVP_PKEY_assign_RSA (pkey, rsa); + if (!rsa_param_decode(rsa, alg)) { + RSA_free(rsa); + return 0; + } + if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { + RSA_free(rsa); + return 0; + } return 1; } @@ -109,6 +184,7 @@ rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) return 0; + return 1; } @@ -117,11 +193,11 @@ old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) { RSA *rsa; - if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) { + if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { RSAerror(ERR_R_RSA_LIB); return 0; } - EVP_PKEY_assign_RSA(pkey, rsa); + EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); return 1; } @@ -136,17 +212,23 @@ rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) { unsigned char *rk = NULL; int rklen; + ASN1_STRING *str; + int strtype; - rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); + if (!rsa_param_encode(pkey, &str, &strtype)) + return 0; + rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); if (rklen <= 0) { RSAerror(ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(str); return 0; } - if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0, - V_ASN1_NULL, NULL, rk, rklen)) { + if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, + strtype, str, rk, rklen)) { RSAerror(ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(str); return 0; } @@ -157,11 +239,24 @@ static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) { const unsigned char *p; + RSA *rsa; int pklen; + const X509_ALGOR *alg; - if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) + if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) return 0; - return old_rsa_priv_decode(pkey, &p, pklen); + rsa = d2i_RSAPrivateKey(NULL, &p, pklen); + if (rsa == NULL) { + RSAerror(ERR_R_RSA_LIB); + return 0; + } + if (!rsa_param_decode(rsa, alg)) { + RSA_free(rsa); + return 0; + } + EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); + + return 1; } static int @@ -182,6 +277,130 @@ int_rsa_free(EVP_PKEY *pkey) RSA_free(pkey->pkey.rsa); } +static X509_ALGOR * +rsa_mgf1_decode(X509_ALGOR *alg) +{ + if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) + return NULL; + + return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter); +} + +static RSA_PSS_PARAMS * +rsa_pss_decode(const X509_ALGOR *alg) +{ + RSA_PSS_PARAMS *pss; + + pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter); + if (pss == NULL) + return NULL; + + if (pss->maskGenAlgorithm != NULL) { + pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); + if (pss->maskHash == NULL) { + RSA_PSS_PARAMS_free(pss); + return NULL; + } + } + + return pss; +} + +static int +rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent) +{ + int rv = 0; + X509_ALGOR *maskHash = NULL; + + if (!BIO_indent(bp, indent, 128)) + goto err; + if (pss_key) { + if (pss == NULL) { + if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) + return 0; + return 1; + } else { + if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) + return 0; + } + } else if (pss == NULL) { + if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) + return 0; + return 1; + } + if (BIO_puts(bp, "\n") <= 0) + goto err; + if (pss_key) + indent += 2; + if (!BIO_indent(bp, indent, 128)) + goto err; + if (BIO_puts(bp, "Hash Algorithm: ") <= 0) + goto err; + + if (pss->hashAlgorithm) { + if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) + goto err; + } else if (BIO_puts(bp, "sha1 (default)") <= 0) { + goto err; + } + + if (BIO_puts(bp, "\n") <= 0) + goto err; + + if (!BIO_indent(bp, indent, 128)) + goto err; + + if (BIO_puts(bp, "Mask Algorithm: ") <= 0) + goto err; + if (pss->maskGenAlgorithm) { + if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) + goto err; + if (BIO_puts(bp, " with ") <= 0) + goto err; + maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); + if (maskHash != NULL) { + if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) + goto err; + } else if (BIO_puts(bp, "INVALID") <= 0) { + goto err; + } + } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { + goto err; + } + BIO_puts(bp, "\n"); + + if (!BIO_indent(bp, indent, 128)) + goto err; + if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) + goto err; + if (pss->saltLength) { + if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) + goto err; + } else if (BIO_puts(bp, "14 (default)") <= 0) { + goto err; + } + BIO_puts(bp, "\n"); + + if (!BIO_indent(bp, indent, 128)) + goto err; + if (BIO_puts(bp, "Trailer Field: 0x") <= 0) + goto err; + if (pss->trailerField) { + if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) + goto err; + } else if (BIO_puts(bp, "BC (default)") <= 0) { + goto err; + } + BIO_puts(bp, "\n"); + + rv = 1; + + err: + X509_ALGOR_free(maskHash); + return rv; + +} + static void update_buflen(const BIGNUM *b, size_t *pbuflen) { @@ -194,11 +413,12 @@ update_buflen(const BIGNUM *b, size_t *pbuflen) } static int -do_rsa_print(BIO *bp, const RSA *x, int off, int priv) +pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) { + const RSA *x = pkey->pkey.rsa; + unsigned char *m = NULL; char *str; const char *s; - unsigned char *m = NULL; int ret = 0, mod_len = 0; size_t buf_len = 0; @@ -226,7 +446,10 @@ do_rsa_print(BIO *bp, const RSA *x, int off, int priv) if (!BIO_indent(bp, off, 128)) goto err; - if (priv && x->d) { + if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) + goto err; + + if (priv && x->d != NULL) { if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0) goto err; str = "modulus:"; @@ -235,14 +458,14 @@ do_rsa_print(BIO *bp, const RSA *x, int off, int priv) if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) goto err; str = "Modulus:"; - s= "Exponent:"; + s = "Exponent:"; } if (!ASN1_bn_print(bp, str, x->n, m, off)) goto err; if (!ASN1_bn_print(bp, s, x->e, m, off)) goto err; if (priv) { - if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off)) + if (!ASN1_bn_print(bp, "privateExponent:", x->d, m, off)) goto err; if (!ASN1_bn_print(bp, "prime1:", x->p, m, off)) goto err; @@ -255,148 +478,41 @@ do_rsa_print(BIO *bp, const RSA *x, int off, int priv) if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off)) goto err; } + if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) + goto err; ret = 1; -err: + err: free(m); - return (ret); + return ret; } static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) { - return do_rsa_print(bp, pkey->pkey.rsa, indent, 0); + return pkey_rsa_print(bp, pkey, indent, 0); } static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) { - return do_rsa_print(bp, pkey->pkey.rsa, indent, 1); -} - -static RSA_PSS_PARAMS * -rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash) -{ - const unsigned char *p; - int plen; - RSA_PSS_PARAMS *pss; - - *pmaskHash = NULL; - - if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE) - return NULL; - - p = alg->parameter->value.sequence->data; - plen = alg->parameter->value.sequence->length; - pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen); - - if (!pss) - return NULL; - - if (pss->maskGenAlgorithm) { - ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; - if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 && - param && param->type == V_ASN1_SEQUENCE) { - p = param->value.sequence->data; - plen = param->value.sequence->length; - *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); - } - } - - return pss; -} - -static int -rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash, - int indent) -{ - int rv = 0; - - if (!pss) { - if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) - return 0; - return 1; - } - if (BIO_puts(bp, "\n") <= 0) - goto err; - if (!BIO_indent(bp, indent, 128)) - goto err; - if (BIO_puts(bp, "Hash Algorithm: ") <= 0) - goto err; - - if (pss->hashAlgorithm) { - if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) - goto err; - } else if (BIO_puts(bp, "sha1 (default)") <= 0) - goto err; - - if (BIO_puts(bp, "\n") <= 0) - goto err; - - if (!BIO_indent(bp, indent, 128)) - goto err; - - if (BIO_puts(bp, "Mask Algorithm: ") <= 0) - goto err; - if (pss->maskGenAlgorithm) { - if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) - goto err; - if (BIO_puts(bp, " with ") <= 0) - goto err; - if (maskHash) { - if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) - goto err; - } else if (BIO_puts(bp, "INVALID") <= 0) - goto err; - } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) - goto err; - BIO_puts(bp, "\n"); - - if (!BIO_indent(bp, indent, 128)) - goto err; - if (BIO_puts(bp, "Salt Length: 0x") <= 0) - goto err; - if (pss->saltLength) { - if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) - goto err; - } else if (BIO_puts(bp, "14 (default)") <= 0) - goto err; - BIO_puts(bp, "\n"); - - if (!BIO_indent(bp, indent, 128)) - goto err; - if (BIO_puts(bp, "Trailer Field: 0x") <= 0) - goto err; - if (pss->trailerField) { - if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) - goto err; - } else if (BIO_puts(bp, "BC (default)") <= 0) - goto err; - BIO_puts(bp, "\n"); - - rv = 1; - -err: - return rv; + return pkey_rsa_print(bp, pkey, indent, 1); } static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) { - if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) { + if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { int rv; - RSA_PSS_PARAMS *pss; - X509_ALGOR *maskHash; - pss = rsa_pss_decode(sigalg, &maskHash); - rv = rsa_pss_param_print(bp, pss, maskHash, indent); - if (pss) - RSA_PSS_PARAMS_free(pss); - if (maskHash) - X509_ALGOR_free(maskHash); + RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); + + rv = rsa_pss_param_print(bp, 0, pss, indent); + RSA_PSS_PARAMS_free(pss); if (!rv) return 0; - } else if (!sig && BIO_puts(bp, "\n") <= 0) + } else if (!sig && BIO_puts(bp, "\n") <= 0) { return 0; + } if (sig) return X509_signature_dump(bp, sig, indent); return 1; @@ -406,6 +522,9 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { X509_ALGOR *alg = NULL; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen; switch (op) { case ASN1_PKEY_CTRL_PKCS7_SIGN: @@ -414,12 +533,47 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) break; case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: + if (pkey_is_pss(pkey)) + return -2; if (arg1 == 0) PKCS7_RECIP_INFO_get0_alg(arg2, &alg); break; +#ifndef OPENSSL_NO_CMS + case ASN1_PKEY_CTRL_CMS_SIGN: + if (arg1 == 0) + return rsa_cms_sign(arg2); + else if (arg1 == 1) + return rsa_cms_verify(arg2); + break; + + case ASN1_PKEY_CTRL_CMS_ENVELOPE: + if (pkey_is_pss(pkey)) + return -2; + if (arg1 == 0) + return rsa_cms_encrypt(arg2); + else if (arg1 == 1) + return rsa_cms_decrypt(arg2); + break; + + case ASN1_PKEY_CTRL_CMS_RI_TYPE: + if (pkey_is_pss(pkey)) + return -2; + *(int *)arg2 = CMS_RECIPINFO_TRANS; + return 1; +#endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + if (pkey->pkey.rsa->pss != NULL) { + if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, + &min_saltlen)) { + RSAerror(ERR_R_INTERNAL_ERROR); + return 0; + } + *(int *)arg2 = EVP_MD_type(md); + /* Return of 2 indicates this MD is mandatory */ + return 2; + } + *(int *)arg2 = NID_sha256; return 1; default: @@ -433,87 +587,175 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) return 1; } -/* Customised RSA item verification routine. This is called - * when a signature is encountered requiring special handling. We - * currently only handle PSS. +/* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */ +static int +rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) +{ + if (md == NULL || EVP_MD_type(md) == NID_sha1) + return 1; + *palg = X509_ALGOR_new(); + if (*palg == NULL) + return 0; + X509_ALGOR_set_md(*palg, md); + return 1; +} + +/* Allocate and set MGF1 algorithm ID from EVP_MD. */ +static int +rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) +{ + X509_ALGOR *algtmp = NULL; + ASN1_STRING *stmp = NULL; + + *palg = NULL; + if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) + return 1; + /* need to embed algorithm ID inside another */ + if (!rsa_md_to_algor(&algtmp, mgf1md)) + goto err; + if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL) + goto err; + *palg = X509_ALGOR_new(); + if (*palg == NULL) + goto err; + X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); + stmp = NULL; + err: + ASN1_STRING_free(stmp); + X509_ALGOR_free(algtmp); + if (*palg) + return 1; + return 0; +} + +/* Convert algorithm ID to EVP_MD, defaults to SHA1. */ +static const EVP_MD * +rsa_algor_to_md(X509_ALGOR *alg) +{ + const EVP_MD *md; + + if (!alg) + return EVP_sha1(); + md = EVP_get_digestbyobj(alg->algorithm); + if (md == NULL) + RSAerror(RSA_R_UNKNOWN_DIGEST); + return md; +} + +/* + * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, + * suitable for setting an AlgorithmIdentifier. + */ +static RSA_PSS_PARAMS * +rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) +{ + const EVP_MD *sigmd, *mgf1md; + EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); + int saltlen; + + if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) + return NULL; + if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) + return NULL; + if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) + return NULL; + if (saltlen == -1) { + saltlen = EVP_MD_size(sigmd); + } else if (saltlen == -2 || saltlen == -3) { + saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; + if ((EVP_PKEY_bits(pk) & 0x7) == 1) + saltlen--; + if (saltlen < 0) + return NULL; + } + + return rsa_pss_params_create(sigmd, mgf1md, saltlen); +} + +RSA_PSS_PARAMS * +rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen) +{ + RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); + + if (pss == NULL) + goto err; + if (saltlen != 20) { + pss->saltLength = ASN1_INTEGER_new(); + if (pss->saltLength == NULL) + goto err; + if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) + goto err; + } + if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd)) + goto err; + if (mgf1md == NULL) + mgf1md = sigmd; + if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) + goto err; + if (!rsa_md_to_algor(&pss->maskHash, mgf1md)) + goto err; + return pss; + err: + RSA_PSS_PARAMS_free(pss); + return NULL; +} + +static ASN1_STRING * +rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) +{ + RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); + ASN1_STRING *os; + + if (pss == NULL) + return NULL; + + os = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL); + RSA_PSS_PARAMS_free(pss); + return os; +} + +/* + * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL + * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are + * passed to pkctx instead. */ + static int -rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, - X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) +rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, + X509_ALGOR *sigalg, EVP_PKEY *pkey) { int rv = -1; int saltlen; const EVP_MD *mgf1md = NULL, *md = NULL; RSA_PSS_PARAMS *pss; - X509_ALGOR *maskHash; - EVP_PKEY_CTX *pkctx; /* Sanity check: make sure it is PSS */ - if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) { + if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); return -1; } - /* Decode PSS parameters */ - pss = rsa_pss_decode(sigalg, &maskHash); + pss = rsa_pss_decode(sigalg); - if (pss == NULL) { + if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { RSAerror(RSA_R_INVALID_PSS_PARAMETERS); goto err; } - /* Check mask and lookup mask hash algorithm */ - if (pss->maskGenAlgorithm) { - if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) { - RSAerror(RSA_R_UNSUPPORTED_MASK_ALGORITHM); - goto err; - } - if (!maskHash) { - RSAerror(RSA_R_UNSUPPORTED_MASK_PARAMETER); - goto err; - } - mgf1md = EVP_get_digestbyobj(maskHash->algorithm); - if (mgf1md == NULL) { - RSAerror(RSA_R_UNKNOWN_MASK_DIGEST); - goto err; - } - } else - mgf1md = EVP_sha1(); - if (pss->hashAlgorithm) { - md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm); - if (md == NULL) { - RSAerror(RSA_R_UNKNOWN_PSS_DIGEST); + /* We have all parameters now set up context */ + if (pkey) { + if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) goto err; - } - } else - md = EVP_sha1(); - - if (pss->saltLength) { - saltlen = ASN1_INTEGER_get(pss->saltLength); - - /* Could perform more salt length sanity checks but the main - * RSA routines will trap other invalid values anyway. - */ - if (saltlen < 0) { - RSAerror(RSA_R_INVALID_SALT_LENGTH); + } else { + const EVP_MD *checkmd; + if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) + goto err; + if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { + RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH); goto err; } - } else - saltlen = 20; - - /* low-level routines support only trailer field 0xbc (value 1) - * and PKCS#1 says we should reject any other value anyway. - */ - if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { - RSAerror(RSA_R_INVALID_TRAILER); - goto err; } - /* We have all parameters now set up context */ - - if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) - goto err; - if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) goto err; @@ -523,100 +765,317 @@ rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) goto err; /* Carry on */ - rv = 2; + rv = 1; -err: + err: RSA_PSS_PARAMS_free(pss); - if (maskHash) - X509_ALGOR_free(maskHash); return rv; } +int +rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, + const EVP_MD **pmgf1md, int *psaltlen) +{ + if (pss == NULL) + return 0; + *pmd = rsa_algor_to_md(pss->hashAlgorithm); + if (*pmd == NULL) + return 0; + *pmgf1md = rsa_algor_to_md(pss->maskHash); + if (*pmgf1md == NULL) + return 0; + if (pss->saltLength) { + *psaltlen = ASN1_INTEGER_get(pss->saltLength); + if (*psaltlen < 0) { + RSAerror(RSA_R_INVALID_SALT_LENGTH); + return 0; + } + } else { + *psaltlen = 20; + } + + /* + * low-level routines support only trailer field 0xbc (value 1) and + * PKCS#1 says we should reject any other value anyway. + */ + if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { + RSAerror(RSA_R_INVALID_TRAILER); + return 0; + } + + return 1; +} + +#ifndef OPENSSL_NO_CMS +static int +rsa_cms_verify(CMS_SignerInfo *si) +{ + int nid, nid2; + X509_ALGOR *alg; + EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); + + CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); + nid = OBJ_obj2nid(alg->algorithm); + if (nid == EVP_PKEY_RSA_PSS) + return rsa_pss_to_ctx(NULL, pkctx, alg, NULL); + /* Only PSS allowed for PSS keys */ + if (pkey_ctx_is_pss(pkctx)) { + RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); + return 0; + } + if (nid == NID_rsaEncryption) + return 1; + /* Workaround for some implementation that use a signature OID */ + if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { + if (nid2 == NID_rsaEncryption) + return 1; + } + return 0; +} +#endif + +/* + * Customised RSA item verification routine. This is called when a signature + * is encountered requiring special handling. We currently only handle PSS. + */ +static int +rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) +{ + /* Sanity check: make sure it is PSS */ + if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { + RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); + return -1; + } + if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { + /* Carry on */ + return 2; + } + return -1; +} + +#ifndef OPENSSL_NO_CMS +static int +rsa_cms_sign(CMS_SignerInfo *si) +{ + int pad_mode = RSA_PKCS1_PADDING; + X509_ALGOR *alg; + EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); + ASN1_STRING *os = NULL; + + CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); + if (pkctx) { + if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) + return 0; + } + if (pad_mode == RSA_PKCS1_PADDING) { + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); + return 1; + } + /* We don't support it */ + if (pad_mode != RSA_PKCS1_PSS_PADDING) + return 0; + os = rsa_ctx_to_pss_string(pkctx); + if (!os) + return 0; + X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); + return 1; +} +#endif + static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig) { - int pad_mode; EVP_PKEY_CTX *pkctx = ctx->pctx; + int pad_mode; if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) return 0; if (pad_mode == RSA_PKCS1_PADDING) return 2; if (pad_mode == RSA_PKCS1_PSS_PADDING) { - const EVP_MD *sigmd, *mgf1md; - RSA_PSS_PARAMS *pss = NULL; - X509_ALGOR *mgf1alg = NULL; - ASN1_STRING *os1 = NULL, *os2 = NULL; - EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); - int saltlen, rv = 0; - - sigmd = EVP_MD_CTX_md(ctx); - if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) - goto err; - if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) - goto err; - if (saltlen == -1) - saltlen = EVP_MD_size(sigmd); - else if (saltlen == -2) { - saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; - if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) - saltlen--; + ASN1_STRING *os1 = NULL; + os1 = rsa_ctx_to_pss_string(pkctx); + if (!os1) + return 0; + /* Duplicate parameters if we have to */ + if (alg2) { + ASN1_STRING *os2 = ASN1_STRING_dup(os1); + if (!os2) { + ASN1_STRING_free(os1); + return 0; + } + X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), + V_ASN1_SEQUENCE, os2); } - pss = RSA_PSS_PARAMS_new(); - if (!pss) - goto err; - if (saltlen != 20) { - pss->saltLength = ASN1_INTEGER_new(); - if (!pss->saltLength) - goto err; - if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) - goto err; + X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), + V_ASN1_SEQUENCE, os1); + return 3; + } + return 2; +} + +#ifndef OPENSSL_NO_CMS +static RSA_OAEP_PARAMS * +rsa_oaep_decode(const X509_ALGOR *alg) +{ + RSA_OAEP_PARAMS *oaep; + + oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter); + if (oaep == NULL) + return NULL; + + if (oaep->maskGenFunc != NULL) { + oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); + if (oaep->maskHash == NULL) { + RSA_OAEP_PARAMS_free(oaep); + return NULL; } - if (EVP_MD_type(sigmd) != NID_sha1) { - pss->hashAlgorithm = X509_ALGOR_new(); - if (!pss->hashAlgorithm) - goto err; - X509_ALGOR_set_md(pss->hashAlgorithm, sigmd); + } + return oaep; +} + +static int +rsa_cms_decrypt(CMS_RecipientInfo *ri) +{ + EVP_PKEY_CTX *pkctx; + X509_ALGOR *cmsalg; + int nid; + int rv = -1; + unsigned char *label = NULL; + int labellen = 0; + const EVP_MD *mgf1md = NULL, *md = NULL; + RSA_OAEP_PARAMS *oaep; + + pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (pkctx == NULL) + return 0; + if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) + return -1; + nid = OBJ_obj2nid(cmsalg->algorithm); + if (nid == NID_rsaEncryption) + return 1; + if (nid != NID_rsaesOaep) { + RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); + return -1; + } + /* Decode OAEP parameters */ + oaep = rsa_oaep_decode(cmsalg); + + if (oaep == NULL) { + RSAerror(RSA_R_INVALID_OAEP_PARAMETERS); + goto err; + } + + mgf1md = rsa_algor_to_md(oaep->maskHash); + if (mgf1md == NULL) + goto err; + md = rsa_algor_to_md(oaep->hashFunc); + if (md == NULL) + goto err; + + if (oaep->pSourceFunc != NULL) { + X509_ALGOR *plab = oaep->pSourceFunc; + + if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { + RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE); + goto err; } - if (EVP_MD_type(mgf1md) != NID_sha1) { - ASN1_STRING *stmp = NULL; - /* need to embed algorithm ID inside another */ - mgf1alg = X509_ALGOR_new(); - X509_ALGOR_set_md(mgf1alg, mgf1md); - if (!ASN1_item_pack(mgf1alg, &X509_ALGOR_it, - &stmp)) - goto err; - pss->maskGenAlgorithm = X509_ALGOR_new(); - if (!pss->maskGenAlgorithm) - goto err; - X509_ALGOR_set0(pss->maskGenAlgorithm, - OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); + if (plab->parameter->type != V_ASN1_OCTET_STRING) { + RSAerror(RSA_R_INVALID_LABEL); + goto err; } - /* Finally create string with pss parameter encoding. */ - if (!ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, &os1)) + + label = plab->parameter->value.octet_string->data; + + /* Stop label being freed when OAEP parameters are freed */ + /* XXX - this leaks label on error... */ + plab->parameter->value.octet_string->data = NULL; + labellen = plab->parameter->value.octet_string->length; + } + + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) + goto err; + if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) + goto err; + if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) + goto err; + if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) + goto err; + + rv = 1; + + err: + RSA_OAEP_PARAMS_free(oaep); + return rv; +} + +static int +rsa_cms_encrypt(CMS_RecipientInfo *ri) +{ + const EVP_MD *md, *mgf1md; + RSA_OAEP_PARAMS *oaep = NULL; + ASN1_STRING *os = NULL; + X509_ALGOR *alg; + EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen; + unsigned char *label; + + if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0) + return 0; + if (pkctx) { + if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) + return 0; + } + if (pad_mode == RSA_PKCS1_PADDING) { + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); + return 1; + } + /* Not supported */ + if (pad_mode != RSA_PKCS1_OAEP_PADDING) + return 0; + if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0) + goto err; + if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) + goto err; + labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label); + if (labellen < 0) + goto err; + oaep = RSA_OAEP_PARAMS_new(); + if (oaep == NULL) + goto err; + if (!rsa_md_to_algor(&oaep->hashFunc, md)) + goto err; + if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md)) + goto err; + if (labellen > 0) { + ASN1_OCTET_STRING *los; + oaep->pSourceFunc = X509_ALGOR_new(); + if (oaep->pSourceFunc == NULL) + goto err; + los = ASN1_OCTET_STRING_new(); + if (los == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(los, label, labellen)) { + ASN1_OCTET_STRING_free(los); goto err; - if (alg2) { - os2 = ASN1_STRING_dup(os1); - if (!os2) - goto err; - X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss), - V_ASN1_SEQUENCE, os2); } - X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss), - V_ASN1_SEQUENCE, os1); - os1 = os2 = NULL; - rv = 3; -err: - if (mgf1alg) - X509_ALGOR_free(mgf1alg); - if (pss) - RSA_PSS_PARAMS_free(pss); - ASN1_STRING_free(os1); - return rv; + X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), + V_ASN1_OCTET_STRING, los); } - return 2; + /* create string with pss parameter encoding. */ + if (!ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, &os)) + goto err; + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os); + os = NULL; + rv = 1; + err: + RSA_OAEP_PARAMS_free(oaep); + ASN1_STRING_free(os); + return rv; } +#endif const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { { @@ -655,3 +1114,31 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { .pkey_flags = ASN1_PKEY_ALIAS } }; + +const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { + .pkey_id = EVP_PKEY_RSA_PSS, + .pkey_base_id = EVP_PKEY_RSA_PSS, + .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, + + .pem_str = "RSA-PSS", + .info = "OpenSSL RSA-PSS method", + + .pub_decode = rsa_pub_decode, + .pub_encode = rsa_pub_encode, + .pub_cmp = rsa_pub_cmp, + .pub_print = rsa_pub_print, + + .priv_decode = rsa_priv_decode, + .priv_encode = rsa_priv_encode, + .priv_print = rsa_priv_print, + + .pkey_size = int_rsa_size, + .pkey_bits = rsa_bits, + + .sig_print = rsa_sig_print, + + .pkey_free = int_rsa_free, + .pkey_ctrl = rsa_pkey_ctrl, + .item_verify = rsa_item_verify, + .item_sign = rsa_item_sign +}; diff --git a/crypto/rsa/rsa_asn1.c b/crypto/rsa/rsa_asn1.c index f931a93e..4b8eda24 100644 --- a/crypto/rsa/rsa_asn1.c +++ b/crypto/rsa/rsa_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_asn1.c,v 1.13 2016/12/30 15:47:07 jsing Exp $ */ +/* $OpenBSD: rsa_asn1.c,v 1.15 2019/10/25 14:40:18 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -63,6 +63,8 @@ #include #include +#include "rsa_locl.h" + /* Override the default free and new methods */ static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -200,6 +202,26 @@ const ASN1_ITEM RSAPublicKey_it = { .sname = "RSA", }; +static int +rsa_pss_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + /* Free up maskHash */ + if (operation == ASN1_OP_FREE_PRE) { + RSA_PSS_PARAMS *pss = (RSA_PSS_PARAMS *)*pval; + X509_ALGOR_free(pss->maskHash); + } + return 1; +} + +static const ASN1_AUX RSA_PSS_PARAMS_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = rsa_pss_cb, + .enc_offset = 0, +}; + static const ASN1_TEMPLATE RSA_PSS_PARAMS_seq_tt[] = { { .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, @@ -236,12 +258,11 @@ const ASN1_ITEM RSA_PSS_PARAMS_it = { .utype = V_ASN1_SEQUENCE, .templates = RSA_PSS_PARAMS_seq_tt, .tcount = sizeof(RSA_PSS_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, + .funcs = &RSA_PSS_PARAMS_aux, .size = sizeof(RSA_PSS_PARAMS), .sname = "RSA_PSS_PARAMS", }; - RSA_PSS_PARAMS * d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len) { @@ -267,6 +288,85 @@ RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a) ASN1_item_free((ASN1_VALUE *)a, &RSA_PSS_PARAMS_it); } +static int +rsa_oaep_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + /* Free up maskHash */ + if (operation == ASN1_OP_FREE_PRE) { + RSA_OAEP_PARAMS *oaep = (RSA_OAEP_PARAMS *)*pval; + X509_ALGOR_free(oaep->maskHash); + } + return 1; +} + +static const ASN1_AUX RSA_OAEP_PARAMS_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = rsa_oaep_cb, + .enc_offset = 0, +}; + +static const ASN1_TEMPLATE RSA_OAEP_PARAMS_seq_tt[] = { + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(RSA_OAEP_PARAMS, hashFunc), + .field_name = "hashFunc", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(RSA_OAEP_PARAMS, maskGenFunc), + .field_name = "maskGenFunc", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 2, + .offset = offsetof(RSA_OAEP_PARAMS, pSourceFunc), + .field_name = "pSourceFunc", + .item = &X509_ALGOR_it, + }, +}; + +const ASN1_ITEM RSA_OAEP_PARAMS_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = RSA_OAEP_PARAMS_seq_tt, + .tcount = sizeof(RSA_OAEP_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &RSA_OAEP_PARAMS_aux, + .size = sizeof(RSA_OAEP_PARAMS), + .sname = "RSA_OAEP_PARAMS", +}; + + +RSA_OAEP_PARAMS * +d2i_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS **a, const unsigned char **in, long len) +{ + return (RSA_OAEP_PARAMS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &RSA_OAEP_PARAMS_it); +} + +int +i2d_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSA_OAEP_PARAMS_it); +} + +RSA_OAEP_PARAMS * +RSA_OAEP_PARAMS_new(void) +{ + return (RSA_OAEP_PARAMS *)ASN1_item_new(&RSA_OAEP_PARAMS_it); +} + +void +RSA_OAEP_PARAMS_free(RSA_OAEP_PARAMS *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &RSA_OAEP_PARAMS_it); +} RSA * d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len) diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 8e8c6d52..33201a8a 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_eay.c,v 1.50 2017/08/28 17:41:59 jsing Exp $ */ +/* $OpenBSD: rsa_eay.c,v 1.51 2019/11/02 13:52:31 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -144,6 +144,12 @@ static RSA_METHOD rsa_pkcs1_eay_meth = { .finish = RSA_eay_finish, }; +const RSA_METHOD * +RSA_PKCS1_OpenSSL(void) +{ + return &rsa_pkcs1_eay_meth; +} + const RSA_METHOD * RSA_PKCS1_SSLeay(void) { diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c index c2b197c5..46149370 100644 --- a/crypto/rsa/rsa_err.c +++ b/crypto/rsa/rsa_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_err.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_err.c,v 1.20 2019/11/01 15:13:05 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -90,17 +90,22 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"}, {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"}, {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"}, + {ERR_REASON(RSA_R_DIGEST_DOES_NOT_MATCH) , "digest does not match"}, + {ERR_REASON(RSA_R_DIGEST_NOT_ALLOWED) , "digest not allowed"}, {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"}, {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"}, {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"}, {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"}, {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"}, {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"}, + {ERR_REASON(RSA_R_INVALID_DIGEST) , "invalid digest"}, {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"}, {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"}, + {ERR_REASON(RSA_R_INVALID_LABEL) , "invalid label"}, {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"}, {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"}, {ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"}, + {ERR_REASON(RSA_R_INVALID_OAEP_PARAMETERS), "invalid oaep parameters"}, {ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"}, {ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"}, {ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"}, @@ -111,6 +116,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"}, {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"}, {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"}, + {ERR_REASON(RSA_R_MGF1_DIGEST_NOT_ALLOWED), "mgf1 digest not allowed"}, {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"}, {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"}, {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"}, @@ -120,6 +126,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"}, {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"}, + {ERR_REASON(RSA_R_PSS_SALTLEN_TOO_SMALL) , "pss saltlen too small"}, {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"}, {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"}, {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"}, @@ -128,9 +135,12 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"}, {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"}, {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"}, + {ERR_REASON(RSA_R_UNKNOWN_DIGEST) , "unknown digest"}, {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"}, {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"}, {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"}, + {ERR_REASON(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE), "unsupported encryption type"}, + {ERR_REASON(RSA_R_UNSUPPORTED_LABEL_SOURCE), "unsupported label source"}, {ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"}, {ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"}, {ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 84e1dc7e..0b76aae3 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ +/* $OpenBSD: rsa_lib.c,v 1.40 2020/01/17 10:40:03 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,9 +63,12 @@ #include #include #include +#include #include #include +#include "evp_locl.h" + #ifndef OPENSSL_NO_ENGINE #include #endif @@ -128,68 +131,52 @@ RSA_new_method(ENGINE *engine) { RSA *ret; - ret = malloc(sizeof(RSA)); - if (ret == NULL) { + if ((ret = calloc(1, sizeof(RSA))) == NULL) { RSAerror(ERR_R_MALLOC_FAILURE); return NULL; } ret->meth = RSA_get_default_method(); + #ifndef OPENSSL_NO_ENGINE - if (engine) { + if (engine != NULL) { if (!ENGINE_init(engine)) { RSAerror(ERR_R_ENGINE_LIB); - free(ret); - return NULL; + goto err; } ret->engine = engine; - } else + } else { ret->engine = ENGINE_get_default_RSA(); - if (ret->engine) { - ret->meth = ENGINE_get_RSA(ret->engine); - if (ret->meth == NULL) { + } + + if (ret->engine != NULL) { + if ((ret->meth = ENGINE_get_RSA(ret->engine)) == NULL) { RSAerror(ERR_R_ENGINE_LIB); - ENGINE_finish(ret->engine); - free(ret); - return NULL; + goto err; } } #endif - ret->pad = 0; - ret->version = 0; - ret->n = NULL; - ret->e = NULL; - ret->d = NULL; - ret->p = NULL; - ret->q = NULL; - ret->dmp1 = NULL; - ret->dmq1 = NULL; - ret->iqmp = NULL; ret->references = 1; - ret->_method_mod_n = NULL; - ret->_method_mod_p = NULL; - ret->_method_mod_q = NULL; - ret->blinding = NULL; - ret->mt_blinding = NULL; ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ret->engine); -#endif - free(ret); - return NULL; - } + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) + goto err; if (ret->meth->init != NULL && !ret->meth->init(ret)) { -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ret->engine); -#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); - free(ret); - ret = NULL; + goto err; } + return ret; + + err: +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(ret->engine); +#endif + free(ret); + + return NULL; } void @@ -222,6 +209,7 @@ RSA_free(RSA *r) BN_clear_free(r->iqmp); BN_BLINDING_free(r->blinding); BN_BLINDING_free(r->mt_blinding); + RSA_PSS_PARAMS_free(r->pss); free(r); } @@ -365,3 +353,15 @@ RSA_set_flags(RSA *r, int flags) { r->flags |= flags; } + +int +RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) +{ + /* Return an error if the key type is not RSA or RSA-PSS. */ + if (ctx != NULL && ctx->pmeth != NULL && + ctx->pmeth->pkey_id != EVP_PKEY_RSA && + ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return -1; + + return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); +} diff --git a/crypto/rsa/rsa_locl.h b/crypto/rsa/rsa_locl.h index 28bf4110..7036449c 100644 --- a/crypto/rsa/rsa_locl.h +++ b/crypto/rsa/rsa_locl.h @@ -1,16 +1,20 @@ -/* $OpenBSD: rsa_locl.h,v 1.5 2019/10/04 16:51:31 jsing Exp $ */ +/* $OpenBSD: rsa_locl.h,v 1.11 2019/11/02 13:47:41 jsing Exp $ */ __BEGIN_HIDDEN_DECLS +#define RSA_MIN_MODULUS_BITS 512 + +/* Macros to test if a pkey or ctx is for a PSS key */ +#define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) +#define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) + +RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, + int saltlen); +int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, + const EVP_MD **pmgf1md, int *psaltlen); + extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, size_t siglen, RSA *rsa); -int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, - const unsigned char *from, int flen, const unsigned char *param, int plen, - const EVP_MD *md, const EVP_MD *mgf1md); -int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, - const unsigned char *from, int flen, int num, const unsigned char *param, - int plen, const EVP_MD *md, const EVP_MD *mgf1md); - __END_HIDDEN_DECLS diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 6b1760da..e54600b0 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_oaep.c,v 1.32 2019/10/09 16:17:59 jsing Exp $ */ +/* $OpenBSD: rsa_oaep.c,v 1.33 2019/10/17 14:31:56 jsing Exp $ */ /* * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * @@ -79,6 +79,7 @@ #include #include +#include "constant_time_locl.h" #include "rsa_locl.h" int @@ -169,13 +170,11 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const unsigned char *from, int flen, int num, const unsigned char *param, int plen, const EVP_MD *md, const EVP_MD *mgf1md) { - int i, dblen, mlen = -1; - const unsigned char *maskeddb; - int lzero; - unsigned char *db = NULL; + int i, dblen = 0, mlen = -1, one_index = 0, msg_index; + unsigned int good = 0, found_one_byte, mask; + const unsigned char *maskedseed, *maskeddb; unsigned char seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE]; - unsigned char *padded_from; - int bad = 0; + unsigned char *db = NULL, *em = NULL; int mdlen; if (md == NULL) @@ -184,88 +183,136 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, mgf1md = md; if ((mdlen = EVP_MD_size(md)) <= 0) - goto err; + return -1; - if (--num < 2 * mdlen + 1) - /* - * 'num' is the length of the modulus, i.e. does not depend - * on the particular ciphertext. - */ - goto decoding_err; + if (tlen <= 0 || flen <= 0) + return -1; - lzero = num - flen; - if (lzero < 0) { - /* - * signalling this error immediately after detection might allow - * for side-channel attacks (e.g. timing if 'plen' is huge - * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA - * Optimal Asymmetric Encryption Padding (OAEP) [...]", - * CRYPTO 2001), so we use a 'bad' flag - */ - bad = 1; - lzero = 0; - flen = num; /* don't overflow the memcpy to padded_from */ + /* + * |num| is the length of the modulus; |flen| is the length of the + * encoded message. Therefore, for any |from| that was obtained by + * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective + * of the ciphertext, see PKCS #1 v2.2, section 7.1.2. + * This does not leak any side-channel information. + */ + if (num < flen || num < 2 * mdlen + 2) { + RSAerror(RSA_R_OAEP_DECODING_ERROR); + return -1; } - dblen = num - mdlen; - if ((db = malloc(dblen + num)) == NULL) { + dblen = num - mdlen - 1; + if ((db = malloc(dblen)) == NULL) { RSAerror(ERR_R_MALLOC_FAILURE); - return -1; + goto cleanup; + } + if ((em = malloc(num)) == NULL) { + RSAerror(ERR_R_MALLOC_FAILURE); + goto cleanup; + } + + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; } + from = em; /* - * Always do this zero-padding copy (even when lzero == 0) - * to avoid leaking timing info about the value of lzero. + * The first byte must be zero, however we must not leak if this is + * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA + * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - padded_from = db + dblen; - memset(padded_from, 0, lzero); - memcpy(padded_from + lzero, from, flen); + good = constant_time_is_zero(from[0]); - maskeddb = padded_from + mdlen; + maskedseed = from + 1; + maskeddb = from + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) - goto err; + goto cleanup; for (i = 0; i < mdlen; i++) - seed[i] ^= padded_from[i]; + seed[i] ^= maskedseed[i]; + if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) - goto err; + goto cleanup; for (i = 0; i < dblen; i++) db[i] ^= maskeddb[i]; if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) - goto err; + goto cleanup; - if (timingsafe_memcmp(db, phash, mdlen) != 0 || bad) - goto decoding_err; - else { - for (i = mdlen; i < dblen; i++) - if (db[i] != 0x00) - break; - if (i == dblen || db[i] != 0x01) - goto decoding_err; - else { - /* everything looks OK */ - - mlen = dblen - ++i; - if (tlen < mlen) { - RSAerror(RSA_R_DATA_TOO_LARGE); - mlen = -1; - } else - memcpy(to, db + i, mlen); - } + good &= constant_time_is_zero(timingsafe_memcmp(db, phash, mdlen)); + + found_one_byte = 0; + for (i = mdlen; i < dblen; i++) { + /* + * Padding consists of a number of 0-bytes, followed by a 1. + */ + unsigned int equals1 = constant_time_eq(db[i], 1); + unsigned int equals0 = constant_time_is_zero(db[i]); + + one_index = constant_time_select_int(~found_one_byte & equals1, + i, one_index); + found_one_byte |= equals1; + good &= (found_one_byte | equals0); + } + + good &= found_one_byte; + + /* + * At this point |good| is zero unless the plaintext was valid, + * so plaintext-awareness ensures timing side-channels are no longer a + * concern. + */ + msg_index = one_index + 1; + mlen = dblen - msg_index; + + /* + * For good measure, do this check in constant time as well. + */ + good &= constant_time_ge(tlen, mlen); + + /* + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. The last |tlen| of + * |dblen| bytes are viewed as a circular buffer starting at |tlen|-|mlen'|, + * where |mlen'| is the "saturated" |mlen| value. Deducing information + * about failure or |mlen| would require an attacker to observe + * memory access patterns with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. + */ + tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); + msg_index = constant_time_select_int(good, msg_index, dblen - tlen); + mlen = dblen - msg_index; + for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= dblen & equals; /* if (i == mlen) rewind */ + mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - free(db); - return mlen; - decoding_err: /* * To avoid chosen ciphertext attacks, the error message should not - * reveal which kind of decoding error happened + * reveal which kind of decoding error happened. */ RSAerror(RSA_R_OAEP_DECODING_ERROR); - err: - free(db); - return -1; + err_clear_last_constant_time(1 & good); + + cleanup: + explicit_bzero(seed, sizeof(seed)); + freezero(db, dblen); + freezero(em, num); + + return constant_time_select_int(good, mlen, -1); } int diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index d0cc50cd..008d425b 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_pmeth.c,v 1.22 2019/09/09 18:06:26 jsing Exp $ */ +/* $OpenBSD: rsa_pmeth.c,v 1.32 2019/10/31 14:05:30 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -68,7 +68,7 @@ #include #include #include - +#include #include "evp_locl.h" #include "rsa_locl.h" @@ -87,28 +87,38 @@ typedef struct { const EVP_MD *md; /* message digest for MGF1 */ const EVP_MD *mgf1md; - /* PSS/OAEP salt length */ + /* PSS salt length */ int saltlen; + /* Minimum salt length or -1 if no PSS parameter restriction */ + int min_saltlen; /* Temp buffer */ unsigned char *tbuf; + /* OAEP label */ + unsigned char *oaep_label; + size_t oaep_labellen; } RSA_PKEY_CTX; +/* True if PSS parameters are restricted */ +#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) + static int pkey_rsa_init(EVP_PKEY_CTX *ctx) { RSA_PKEY_CTX *rctx; - rctx = malloc(sizeof(RSA_PKEY_CTX)); - if (!rctx) + if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL) return 0; + rctx->nbits = 2048; - rctx->pub_exp = NULL; - rctx->pad_mode = RSA_PKCS1_PADDING; - rctx->md = NULL; - rctx->mgf1md = NULL; - rctx->tbuf = NULL; - rctx->saltlen = -2; + if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) + rctx->pad_mode = RSA_PKCS1_PSS_PADDING; + else + rctx->pad_mode = RSA_PKCS1_PADDING; + + /* Maximum for sign, auto for verify */ + rctx->saltlen = RSA_PSS_SALTLEN_AUTO; + rctx->min_saltlen = -1; ctx->data = rctx; ctx->keygen_info = rctx->gentmp; @@ -124,27 +134,38 @@ pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) if (!pkey_rsa_init(dst)) return 0; + sctx = src->data; dctx = dst->data; dctx->nbits = sctx->nbits; - if (sctx->pub_exp) { - dctx->pub_exp = BN_dup(sctx->pub_exp); - if (!dctx->pub_exp) + if (sctx->pub_exp != NULL) { + BN_free(dctx->pub_exp); + if ((dctx->pub_exp = BN_dup(sctx->pub_exp)) == NULL) return 0; } dctx->pad_mode = sctx->pad_mode; dctx->md = sctx->md; + dctx->mgf1md = sctx->mgf1md; + if (sctx->oaep_label != NULL) { + free(dctx->oaep_label); + if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL) + return 0; + memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen); + dctx->oaep_labellen = sctx->oaep_labellen; + } + return 1; } static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) { - if (ctx->tbuf) + if (ctx->tbuf != NULL) return 1; - ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey)); - if (!ctx->tbuf) + if ((ctx->tbuf = calloc(1, EVP_PKEY_size(pk->pkey))) == NULL) { + RSAerror(ERR_R_MALLOC_FAILURE); return 0; + } return 1; } @@ -156,6 +177,7 @@ pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) if (rctx) { BN_free(rctx->pub_exp); free(rctx->tbuf); + free(rctx->oaep_label); free(rctx); } } @@ -175,8 +197,14 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, } if (rctx->pad_mode == RSA_X931_PADDING) { - if (!setup_tbuf(rctx, ctx)) + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { + RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + if (!setup_tbuf(rctx, ctx)) { + RSAerror(ERR_R_MALLOC_FAILURE); return -1; + } memcpy(rctx->tbuf, tbs, tbslen); rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); @@ -198,11 +226,13 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, return -1; ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, sig, rsa, RSA_NO_PADDING); - } else + } else { return -1; - } else + } + } else { ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, rctx->pad_mode); + } if (ret < 0) return ret; *siglen = ret; @@ -226,7 +256,7 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, return 0; ret--; if (rctx->tbuf[ret] != - RSA_X931_hash_id(EVP_MD_type(rctx->md))) { + RSA_X931_hash_id(EVP_MD_type(rctx->md))) { RSAerror(RSA_R_ALGORITHM_MISMATCH); return 0; } @@ -244,11 +274,13 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, if (ret <= 0) return 0; ret = sltmp; - } else + } else { return -1; - } else + } + } else { ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, rctx->pad_mode); + } if (ret < 0) return ret; *routlen = ret; @@ -267,6 +299,10 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerror(RSA_R_INVALID_DIGEST_LENGTH); + return -1; + } if (rctx->pad_mode == RSA_X931_PADDING) { if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) @@ -285,8 +321,9 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, if (ret <= 0) return 0; return 1; - } else + } else { return -1; + } } else { if (!setup_tbuf(rctx, ctx)) return -1; @@ -306,11 +343,23 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen) { - int ret; RSA_PKEY_CTX *rctx = ctx->data; + int ret; - ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); + if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { + int klen = RSA_size(ctx->pkey->pkey.rsa); + if (!setup_tbuf(rctx, ctx)) + return -1; + if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, + in, inlen, rctx->oaep_label, rctx->oaep_labellen, + rctx->md, rctx->mgf1md)) + return -1; + ret = RSA_public_encrypt(klen, rctx->tbuf, out, + ctx->pkey->pkey.rsa, RSA_NO_PADDING); + } else { + ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } if (ret < 0) return ret; *outlen = ret; @@ -324,8 +373,20 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, int ret; RSA_PKEY_CTX *rctx = ctx->data; - ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); + if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { + if (!setup_tbuf(rctx, ctx)) + return -1; + ret = RSA_private_decrypt(inlen, in, rctx->tbuf, + ctx->pkey->pkey.rsa, RSA_NO_PADDING); + if (ret <= 0) + return ret; + ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, + ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md, + rctx->mgf1md); + } else { + ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } if (ret < 0) return ret; *outlen = ret; @@ -335,7 +396,7 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, static int check_padding_md(const EVP_MD *md, int padding) { - if (!md) + if (md == NULL) return 1; if (padding == RSA_NO_PADDING) { @@ -348,7 +409,24 @@ check_padding_md(const EVP_MD *md, int padding) RSAerror(RSA_R_INVALID_X931_DIGEST); return 0; } - return 1; + } else { + /* List of all supported RSA digests. */ + switch(EVP_MD_type(md)) { + case NID_sha1: + case NID_sha224: + case NID_sha256: + case NID_sha384: + case NID_sha512: + case NID_md5: + case NID_md5_sha1: + case NID_md4: + case NID_ripemd160: + return 1; + + default: + RSAerror(RSA_R_INVALID_DIGEST); + return 0; + } } return 1; @@ -370,6 +448,8 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) goto bad_pad; if (!rctx->md) rctx->md = EVP_sha1(); + } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { + goto bad_pad; } if (p1 == RSA_PKCS1_OAEP_PADDING) { if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) @@ -380,7 +460,7 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) rctx->pad_mode = p1; return 1; } -bad_pad: + bad_pad: RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); return -2; @@ -394,32 +474,67 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) RSAerror(RSA_R_INVALID_PSS_SALTLEN); return -2; } - if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) + if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { *(int *)p2 = rctx->saltlen; - else { - if (p1 < -2) + } else { + if (p1 < RSA_PSS_SALTLEN_MAX) return -2; + if (rsa_pss_restricted(rctx)) { + if (p1 == RSA_PSS_SALTLEN_AUTO && + ctx->operation == EVP_PKEY_OP_VERIFY) { + RSAerror(RSA_R_INVALID_PSS_SALTLEN); + return -2; + } + if ((p1 == RSA_PSS_SALTLEN_DIGEST && + rctx->min_saltlen > EVP_MD_size(rctx->md)) || + (p1 >= 0 && p1 < rctx->min_saltlen)) { + RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL); + return 0; + } + } rctx->saltlen = p1; } return 1; case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: - if (p1 < 256) { - RSAerror(RSA_R_INVALID_KEYBITS); + if (p1 < RSA_MIN_MODULUS_BITS) { + RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); return -2; } rctx->nbits = p1; return 1; case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: - if (!p2) + if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || + BN_is_one((BIGNUM *)p2)) { + RSAerror(RSA_R_BAD_E_VALUE); return -2; + } + BN_free(rctx->pub_exp); rctx->pub_exp = p2; return 1; + case EVP_PKEY_CTRL_RSA_OAEP_MD: + case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: + if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { + RSAerror(RSA_R_INVALID_PADDING_MODE); + return -2; + } + if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) + *(const EVP_MD **)p2 = rctx->md; + else + rctx->md = p2; + return 1; + case EVP_PKEY_CTRL_MD: if (!check_padding_md(p2, rctx->pad_mode)) return 0; + if (rsa_pss_restricted(rctx)) { + if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) + return 1; + RSAerror(RSA_R_DIGEST_NOT_ALLOWED); + return 0; + } rctx->md = p2; return 1; @@ -429,7 +544,8 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) case EVP_PKEY_CTRL_RSA_MGF1_MD: case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: - if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { + if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && + rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { RSAerror(RSA_R_INVALID_MGF1_MD); return -2; } @@ -438,30 +554,70 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) *(const EVP_MD **)p2 = rctx->mgf1md; else *(const EVP_MD **)p2 = rctx->md; - } else + } else { + if (rsa_pss_restricted(rctx)) { + if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) + return 1; + RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED); + return 0; + } rctx->mgf1md = p2; + } + return 1; + + case EVP_PKEY_CTRL_RSA_OAEP_LABEL: + if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { + RSAerror(RSA_R_INVALID_PADDING_MODE); + return -2; + } + free(rctx->oaep_label); + if (p2 != NULL && p1 > 0) { + rctx->oaep_label = p2; + rctx->oaep_labellen = p1; + } else { + rctx->oaep_label = NULL; + rctx->oaep_labellen = 0; + } return 1; + case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: + if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { + RSAerror(RSA_R_INVALID_PADDING_MODE); + return -2; + } + *(unsigned char **)p2 = rctx->oaep_label; + return rctx->oaep_labellen; + case EVP_PKEY_CTRL_DIGESTINIT: - case EVP_PKEY_CTRL_PKCS7_ENCRYPT: - case EVP_PKEY_CTRL_PKCS7_DECRYPT: case EVP_PKEY_CTRL_PKCS7_SIGN: +#ifndef OPENSSL_NO_CMS + case EVP_PKEY_CTRL_CMS_SIGN: +#endif return 1; + + case EVP_PKEY_CTRL_PKCS7_ENCRYPT: + case EVP_PKEY_CTRL_PKCS7_DECRYPT: +#ifndef OPENSSL_NO_CMS + case EVP_PKEY_CTRL_CMS_DECRYPT: + case EVP_PKEY_CTRL_CMS_ENCRYPT: +#endif + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 1; + + /* fall through */ case EVP_PKEY_CTRL_PEER_KEY: RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return -2; default: return -2; + } } static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) { - long lval; - char *ep; - if (!value) { RSAerror(RSA_R_VALUE_MISSING); return 0; @@ -487,39 +643,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); } - if (!strcmp(type, "rsa_pss_saltlen")) { + if (strcmp(type, "rsa_pss_saltlen") == 0) { int saltlen; - errno = 0; - lval = strtol(value, &ep, 10); - if (value[0] == '\0' || *ep != '\0') - goto not_a_number; - if ((errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) || - (lval > INT_MAX || lval < INT_MIN)) - goto out_of_range; - saltlen = lval; + if (!strcmp(value, "digest")) + saltlen = RSA_PSS_SALTLEN_DIGEST; + else if (!strcmp(value, "max")) + saltlen = RSA_PSS_SALTLEN_MAX; + else if (!strcmp(value, "auto")) + saltlen = RSA_PSS_SALTLEN_AUTO; + else + saltlen = atoi(value); return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); } - if (!strcmp(type, "rsa_keygen_bits")) { - int nbits; - - errno = 0; - lval = strtol(value, &ep, 10); - if (value[0] == '\0' || *ep != '\0') - goto not_a_number; - if ((errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) || - (lval > INT_MAX || lval < INT_MIN)) - goto out_of_range; - nbits = lval; + if (strcmp(type, "rsa_keygen_bits") == 0) { + int nbits = atoi(value); + return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); } - if (!strcmp(type, "rsa_keygen_pubexp")) { - int ret; + if (strcmp(type, "rsa_keygen_pubexp") == 0) { BIGNUM *pubexp = NULL; + int ret; if (!BN_asc2bn(&pubexp, value)) return 0; @@ -529,11 +675,70 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) return ret; } -not_a_number: -out_of_range: + if (strcmp(type, "rsa_mgf1_md") == 0) + return EVP_PKEY_CTX_md(ctx, + EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_MGF1_MD, value); + + if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { + if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_MGF1_MD, value); + + if (strcmp(type, "rsa_pss_keygen_md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_MD, value); + + if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { + int saltlen = atoi(value); + + return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); + } + } + + if (strcmp(type, "rsa_oaep_md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_OAEP_MD, value); + + if (strcmp(type, "rsa_oaep_label") == 0) { + unsigned char *lab; + long lablen; + int ret; + + if ((lab = string_to_hex(value, &lablen)) == NULL) + return 0; + ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); + if (ret <= 0) + free(lab); + + return ret; + } + return -2; } +/* Set PSS parameters when generating a key, if necessary. */ +static int +rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) +{ + RSA_PKEY_CTX *rctx = ctx->data; + + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 1; + + /* If all parameters are default values then do not set PSS. */ + if (rctx->md == NULL && rctx->mgf1md == NULL && + rctx->saltlen == RSA_PSS_SALTLEN_AUTO) + return 1; + + rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, + rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen); + if (rsa->pss == NULL) + return 0; + + return 1; +} + static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { @@ -542,22 +747,27 @@ pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) BN_GENCB *pcb, cb; int ret; - if (!rctx->pub_exp) { - rctx->pub_exp = BN_new(); - if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) + if (rctx->pub_exp == NULL) { + if ((rctx->pub_exp = BN_new()) == NULL) + return 0; + if (!BN_set_word(rctx->pub_exp, RSA_F4)) return 0; } - rsa = RSA_new(); - if (!rsa) + if ((rsa = RSA_new()) == NULL) return 0; - if (ctx->pkey_gencb) { + if (ctx->pkey_gencb != NULL) { pcb = &cb; evp_pkey_set_cb_translate(pcb, ctx); - } else + } else { pcb = NULL; + } ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); + if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { + RSA_free(rsa); + return 0; + } if (ret > 0) - EVP_PKEY_assign_RSA(pkey, rsa); + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); else RSA_free(rsa); return ret; @@ -586,3 +796,73 @@ const EVP_PKEY_METHOD rsa_pkey_meth = { .ctrl = pkey_rsa_ctrl, .ctrl_str = pkey_rsa_ctrl_str }; + +/* + * Called for PSS sign or verify initialisation: checks PSS parameter + * sanity and sets any restrictions on key usage. + */ + +static int +pkey_pss_init(EVP_PKEY_CTX *ctx) +{ + RSA *rsa; + RSA_PKEY_CTX *rctx = ctx->data; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen, max_saltlen; + + /* Should never happen */ + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 0; + rsa = ctx->pkey->pkey.rsa; + + /* If no restrictions just return */ + if (rsa->pss == NULL) + return 1; + + /* Get and check parameters */ + if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) + return 0; + + /* See if minimum salt length exceeds maximum possible */ + max_saltlen = RSA_size(rsa) - EVP_MD_size(md); + if ((RSA_bits(rsa) & 0x7) == 1) + max_saltlen--; + if (min_saltlen > max_saltlen) { + RSAerror(RSA_R_INVALID_SALT_LENGTH); + return 0; + } + rctx->min_saltlen = min_saltlen; + + /* + * Set PSS restrictions as defaults: we can then block any attempt to + * use invalid values in pkey_rsa_ctrl + */ + + rctx->md = md; + rctx->mgf1md = mgf1md; + rctx->saltlen = min_saltlen; + + return 1; +} + +const EVP_PKEY_METHOD rsa_pss_pkey_meth = { + .pkey_id = EVP_PKEY_RSA_PSS, + .flags = EVP_PKEY_FLAG_AUTOARGLEN, + + .init = pkey_rsa_init, + .copy = pkey_rsa_copy, + .cleanup = pkey_rsa_cleanup, + + .keygen = pkey_rsa_keygen, + + .sign_init = pkey_pss_init, + .sign = pkey_rsa_sign, + + .verify_init = pkey_pss_init, + .verify = pkey_rsa_verify, + + .ctrl = pkey_rsa_ctrl, + .ctrl_str = pkey_rsa_ctrl_str +}; + diff --git a/crypto/sha/sha1-masm-x86_64.S b/crypto/sha/sha1-masm-x86_64.S index ef7b0412..36d8732e 100644 --- a/crypto/sha/sha1-masm-x86_64.S +++ b/crypto/sha/sha1-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/sha/sha1-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/sha/sha1-masm-x86_64.S.tmp" 2 diff --git a/crypto/sha/sha256-masm-x86_64.S b/crypto/sha/sha256-masm-x86_64.S index 955b7d78..33c705d3 100644 --- a/crypto/sha/sha256-masm-x86_64.S +++ b/crypto/sha/sha256-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/sha/sha256-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/sha/sha256-masm-x86_64.S.tmp" 2 diff --git a/crypto/sha/sha512-masm-x86_64.S b/crypto/sha/sha512-masm-x86_64.S index 050f9701..4a2b9afb 100644 --- a/crypto/sha/sha512-masm-x86_64.S +++ b/crypto/sha/sha512-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/sha/sha512-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/sha/sha512-masm-x86_64.S.tmp" 2 diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 06b29b8c..09522e71 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_lib.c,v 1.34 2018/06/02 04:45:21 tb Exp $ */ +/* $OpenBSD: ui_lib.c,v 1.44 2020/09/25 11:25:31 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ @@ -79,26 +79,22 @@ UI_new_method(const UI_METHOD *method) { UI *ret; - ret = malloc(sizeof(UI)); - if (ret == NULL) { + if ((ret = calloc(1, sizeof(UI))) == NULL) { UIerror(ERR_R_MALLOC_FAILURE); return NULL; } - if (method == NULL) + if ((ret->meth = method) == NULL) ret->meth = UI_get_default_method(); - else - ret->meth = method; - - ret->strings = NULL; - ret->user_data = NULL; - ret->flags = 0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); + return ret; } static void free_string(UI_STRING *uis) { + if (uis == NULL) + return; if (uis->flags & OUT_STRING_FREEABLE) { free((char *) uis->out_string); switch (uis->type) { @@ -128,8 +124,8 @@ static int allocate_string_stack(UI *ui) { if (ui->strings == NULL) { - ui->strings = sk_UI_STRING_new_null(); - if (ui->strings == NULL) { + if ((ui->strings = sk_UI_STRING_new_null()) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); return -1; } } @@ -137,94 +133,131 @@ allocate_string_stack(UI *ui) } static UI_STRING * -general_allocate_prompt(UI *ui, const char *prompt, int prompt_freeable, +general_allocate_prompt(const char *prompt, int dup_prompt, enum UI_string_types type, int input_flags, char *result_buf) { - UI_STRING *ret = NULL; + UI_STRING *uis = NULL; if (prompt == NULL) { UIerror(ERR_R_PASSED_NULL_PARAMETER); - } else if ((type == UIT_PROMPT || type == UIT_VERIFY || - type == UIT_BOOLEAN) && result_buf == NULL) { + goto err; + } + if ((type == UIT_PROMPT || type == UIT_VERIFY || type == UIT_BOOLEAN) && + result_buf == NULL) { UIerror(UI_R_NO_RESULT_BUFFER); - } else if ((ret = malloc(sizeof(UI_STRING)))) { - ret->out_string = prompt; - ret->flags = prompt_freeable ? OUT_STRING_FREEABLE : 0; - ret->input_flags = input_flags; - ret->type = type; - ret->result_buf = result_buf; + goto err; } - return ret; + + if ((uis = calloc(1, sizeof(UI_STRING))) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; + } + uis->out_string = prompt; + if (dup_prompt) { + if ((uis->out_string = strdup(prompt)) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; + } + uis->flags = OUT_STRING_FREEABLE; + } + uis->input_flags = input_flags; + uis->type = type; + uis->result_buf = result_buf; + + return uis; + + err: + free_string(uis); + return NULL; } static int -general_allocate_string(UI *ui, const char *prompt, int prompt_freeable, +general_allocate_string(UI *ui, const char *prompt, int dup_prompt, enum UI_string_types type, int input_flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { - int ret = -1; - UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable, - type, input_flags, result_buf); - - if (s) { - if (allocate_string_stack(ui) >= 0) { - s->_.string_data.result_minsize = minsize; - s->_.string_data.result_maxsize = maxsize; - s->_.string_data.test_buf = test_buf; - ret = sk_UI_STRING_push(ui->strings, s); - /* sk_push() returns 0 on error. Let's adapt that */ - if (ret <= 0) - ret--; - } else - free_string(s); - } + UI_STRING *s; + int ret; + + if ((s = general_allocate_prompt(prompt, dup_prompt, type, input_flags, + result_buf)) == NULL) + goto err; + s->_.string_data.result_minsize = minsize; + s->_.string_data.result_maxsize = maxsize; + s->_.string_data.test_buf = test_buf; + + if (allocate_string_stack(ui) < 0) + goto err; + if ((ret = sk_UI_STRING_push(ui->strings, s)) <= 0) + goto err; + return ret; + + err: + free_string(s); + return -1; } static int general_allocate_boolean(UI *ui, const char *prompt, const char *action_desc, - const char *ok_chars, const char *cancel_chars, int prompt_freeable, + const char *ok_chars, const char *cancel_chars, int dup_strings, enum UI_string_types type, int input_flags, char *result_buf) { - int ret = -1; - UI_STRING *s; - const char *p; + UI_STRING *s = NULL; + int ret; - if (ok_chars == NULL) { + if (ok_chars == NULL || cancel_chars == NULL) { UIerror(ERR_R_PASSED_NULL_PARAMETER); - } else if (cancel_chars == NULL) { - UIerror(ERR_R_PASSED_NULL_PARAMETER); - } else { - for (p = ok_chars; *p; p++) { - if (strchr(cancel_chars, *p)) { - UIerror(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS); + goto err; + } + if (ok_chars[strcspn(ok_chars, cancel_chars)] != '\0') { + UIerror(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS); + goto err; + } + + if ((s = general_allocate_prompt(prompt, dup_strings, type, input_flags, + result_buf)) == NULL) + goto err; + + if (dup_strings) { + if (action_desc != NULL) { + if ((s->_.boolean_data.action_desc = + strdup(action_desc)) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; } } - - s = general_allocate_prompt(ui, prompt, prompt_freeable, - type, input_flags, result_buf); - - if (s) { - if (allocate_string_stack(ui) >= 0) { - s->_.boolean_data.action_desc = action_desc; - s->_.boolean_data.ok_chars = ok_chars; - s->_.boolean_data.cancel_chars = cancel_chars; - ret = sk_UI_STRING_push(ui->strings, s); - /* - * sk_push() returns 0 on error. Let's adapt - * that - */ - if (ret <= 0) - ret--; - } else - free_string(s); + if ((s->_.boolean_data.ok_chars = strdup(ok_chars)) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if ((s->_.boolean_data.cancel_chars = strdup(cancel_chars)) == + NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; } + } else { + s->_.boolean_data.action_desc = action_desc; + s->_.boolean_data.ok_chars = ok_chars; + s->_.boolean_data.cancel_chars = cancel_chars; } + + if (allocate_string_stack(ui) < 0) + goto err; + if ((ret = sk_UI_STRING_push(ui->strings, s)) <= 0) + goto err; + return ret; + + err: + free_string(s); + return -1; } -/* Returns the index to the place in the stack or -1 for error. Uses a - direct reference to the prompt. */ +/* + * Returns the index to the place in the stack or -1 for error. Uses a + * direct reference to the prompt. + */ int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) @@ -233,21 +266,12 @@ UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, result_buf, minsize, maxsize, NULL); } -/* Same as UI_add_input_string(), excepts it takes a copy of the prompt */ +/* Same as UI_add_input_string(), excepts it takes a copy of the prompt. */ int UI_dup_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) { - char *prompt_copy = NULL; - - if (prompt) { - prompt_copy = strdup(prompt); - if (prompt_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return 0; - } - } - return general_allocate_string(ui, prompt_copy, 1, UIT_PROMPT, flags, + return general_allocate_string(ui, prompt, 1, UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL); } @@ -263,16 +287,7 @@ int UI_dup_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { - char *prompt_copy = NULL; - - if (prompt) { - prompt_copy = strdup(prompt); - if (prompt_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return -1; - } - } - return general_allocate_string(ui, prompt_copy, 1, UIT_VERIFY, flags, + return general_allocate_string(ui, prompt, 1, UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf); } @@ -288,49 +303,8 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int flags, char *result_buf) { - char *prompt_copy = NULL; - char *action_desc_copy = NULL; - char *ok_chars_copy = NULL; - char *cancel_chars_copy = NULL; - - if (prompt) { - prompt_copy = strdup(prompt); - if (prompt_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (action_desc) { - action_desc_copy = strdup(action_desc); - if (action_desc_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (ok_chars) { - ok_chars_copy = strdup(ok_chars); - if (ok_chars_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (cancel_chars) { - cancel_chars_copy = strdup(cancel_chars); - if (cancel_chars_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - return general_allocate_boolean(ui, prompt_copy, action_desc_copy, - ok_chars_copy, cancel_chars_copy, 1, UIT_BOOLEAN, flags, - result_buf); - -err: - free(prompt_copy); - free(action_desc_copy); - free(ok_chars_copy); - free(cancel_chars_copy); - return -1; + return general_allocate_boolean(ui, prompt, action_desc, ok_chars, + cancel_chars, 1, UIT_BOOLEAN, flags, result_buf); } int @@ -343,17 +317,8 @@ UI_add_info_string(UI *ui, const char *text) int UI_dup_info_string(UI *ui, const char *text) { - char *text_copy = NULL; - - if (text) { - text_copy = strdup(text); - if (text_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return -1; - } - } - return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL, - 0, 0, NULL); + return general_allocate_string(ui, text, 1, UIT_INFO, 0, NULL, 0, 0, + NULL); } int @@ -366,17 +331,8 @@ UI_add_error_string(UI *ui, const char *text) int UI_dup_error_string(UI *ui, const char *text) { - char *text_copy = NULL; - - if (text) { - text_copy = strdup(text); - if (text_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return -1; - } - } - return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL, - 0, 0, NULL); + return general_allocate_string(ui, text, 1, UIT_ERROR, 0, NULL, 0, 0, + NULL); } char * @@ -433,8 +389,9 @@ UI_get0_result(UI *ui, int i) } static int -print_error(const char *str, size_t len, UI *ui) +print_error(const char *str, size_t len, void *arg) { + UI *ui = arg; UI_STRING uis; memset(&uis, 0, sizeof(uis)); @@ -456,9 +413,7 @@ UI_process(UI *ui) return -1; if (ui->flags & UI_FLAG_PRINT_ERRORS) - ERR_print_errors_cb( - (int (*)(const char *, size_t, void *)) print_error, - (void *)ui); + ERR_print_errors_cb(print_error, ui); for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) { if (ui->meth->ui_write_string && @@ -500,7 +455,7 @@ UI_process(UI *ui) } } -err: + err: if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui)) return -1; return ok; @@ -592,9 +547,11 @@ UI_create_method(const char *name) return ui_method; } -/* BIG FSCKING WARNING!!!! If you use this on a statically allocated method - (that is, it hasn't been allocated using UI_create_method(), you deserve - anything Murphy can throw at you and more! You have been warned. */ +/* + * BIG FSCKING WARNING!!!! If you use this on a statically allocated method + * (that is, it hasn't been allocated using UI_create_method(), you deserve + * anything Murphy can throw at you and more! You have been warned. + */ void UI_destroy_method(UI_METHOD *ui_method) { @@ -609,8 +566,8 @@ UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)) if (method) { method->ui_open_session = opener; return 0; - } else - return -1; + } + return -1; } int @@ -619,8 +576,8 @@ UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis)) if (method) { method->ui_write_string = writer; return 0; - } else - return -1; + } + return -1; } int @@ -629,8 +586,8 @@ UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)) if (method) { method->ui_flush = flusher; return 0; - } else - return -1; + } + return -1; } int @@ -639,8 +596,8 @@ UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis)) if (method) { method->ui_read_string = reader; return 0; - } else - return -1; + } + return -1; } int @@ -649,8 +606,8 @@ UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)) if (method) { method->ui_close_session = closer; return 0; - } else - return -1; + } + return -1; } int @@ -661,8 +618,8 @@ UI_method_set_prompt_constructor(UI_METHOD *method, if (method) { method->ui_construct_prompt = prompt_constructor; return 0; - } else - return -1; + } + return -1; } int @@ -670,8 +627,7 @@ int { if (method) return method->ui_open_session; - else - return NULL; + return NULL; } int @@ -679,8 +635,7 @@ int { if (method) return method->ui_write_string; - else - return NULL; + return NULL; } int @@ -688,8 +643,7 @@ int { if (method) return method->ui_flush; - else - return NULL; + return NULL; } int @@ -697,8 +651,7 @@ int { if (method) return method->ui_read_string; - else - return NULL; + return NULL; } int @@ -706,8 +659,7 @@ int { if (method) return method->ui_close_session; - else - return NULL; + return NULL; } char * @@ -716,8 +668,7 @@ char * { if (method) return method->ui_construct_prompt; - else - return NULL; + return NULL; } enum UI_string_types @@ -816,6 +767,7 @@ UI_get_result_maxsize(UI_STRING *uis) int UI_set_result(UI *ui, UI_STRING *uis, const char *result) { + const char *p; int l = strlen(result); ui->flags &= ~UI_FLAG_REDOABLE; @@ -851,29 +803,25 @@ UI_set_result(UI *ui, UI_STRING *uis, const char *result) uis->_.string_data.result_maxsize + 1); break; case UIT_BOOLEAN: - { - const char *p; - - if (!uis->result_buf) { - UIerror(UI_R_NO_RESULT_BUFFER); - return -1; + if (!uis->result_buf) { + UIerror(UI_R_NO_RESULT_BUFFER); + return -1; + } + uis->result_buf[0] = '\0'; + for (p = result; *p; p++) { + if (strchr(uis->_.boolean_data.ok_chars, *p)) { + uis->result_buf[0] = + uis->_.boolean_data.ok_chars[0]; + break; } - uis->result_buf[0] = '\0'; - for (p = result; *p; p++) { - if (strchr(uis->_.boolean_data.ok_chars, *p)) { - uis->result_buf[0] = - uis->_.boolean_data.ok_chars[0]; - break; - } - if (strchr(uis->_.boolean_data.cancel_chars, *p)) { - uis->result_buf[0] = - uis->_.boolean_data.cancel_chars[0]; - break; - } + if (strchr(uis->_.boolean_data.cancel_chars, *p)) { + uis->result_buf[0] = + uis->_.boolean_data.cancel_chars[0]; + break; } - default: - break; } + default: + break; } return 0; } diff --git a/crypto/whrlpool/wp-masm-x86_64.S b/crypto/whrlpool/wp-masm-x86_64.S index 1775ae19..78cf97c1 100644 --- a/crypto/whrlpool/wp-masm-x86_64.S +++ b/crypto/whrlpool/wp-masm-x86_64.S @@ -1,7 +1,7 @@ ; 1 "crypto/whrlpool/wp-masm-x86_64.S.tmp" ; 1 "" 1 ; 1 "" 3 -; 349 "" 3 +; 340 "" 3 ; 1 "" 1 ; 1 "" 2 ; 1 "crypto/whrlpool/wp-masm-x86_64.S.tmp" 2 diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509/ext_dat.h similarity index 98% rename from crypto/x509v3/ext_dat.h rename to crypto/x509/ext_dat.h index 1bacb0d5..1a7ae6e1 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ext_dat.h,v 1.13 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509/pcy_cache.c similarity index 99% rename from crypto/x509v3/pcy_cache.c rename to crypto/x509/pcy_cache.c index 9c8ba829..896ba7d5 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509/pcy_cache.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_cache.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: pcy_cache.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509/pcy_data.c similarity index 98% rename from crypto/x509v3/pcy_data.c rename to crypto/x509/pcy_data.c index b3699b02..dadacb52 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509/pcy_data.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_data.c,v 1.9 2015/07/15 16:53:42 miod Exp $ */ +/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509/pcy_int.h similarity index 99% rename from crypto/x509v3/pcy_int.h rename to crypto/x509/pcy_int.h index 92b94e29..6632b787 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509/pcy_int.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_int.h,v 1.5 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: pcy_int.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509/pcy_lib.c similarity index 98% rename from crypto/x509v3/pcy_lib.c rename to crypto/x509/pcy_lib.c index 6f370640..3d5c58d7 100644 --- a/crypto/x509v3/pcy_lib.c +++ b/crypto/x509/pcy_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_lib.c,v 1.5 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: pcy_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509/pcy_map.c similarity index 98% rename from crypto/x509v3/pcy_map.c rename to crypto/x509/pcy_map.c index 6ee1ffe8..287a430c 100644 --- a/crypto/x509v3/pcy_map.c +++ b/crypto/x509/pcy_map.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_map.c,v 1.4 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: pcy_map.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509/pcy_node.c similarity index 98% rename from crypto/x509v3/pcy_node.c rename to crypto/x509/pcy_node.c index c9664636..3a0f230b 100644 --- a/crypto/x509v3/pcy_node.c +++ b/crypto/x509/pcy_node.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_node.c,v 1.7 2019/04/21 16:25:40 tb Exp $ */ +/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509/pcy_tree.c similarity index 99% rename from crypto/x509v3/pcy_tree.c rename to crypto/x509/pcy_tree.c index a56c183b..d0f7cd1a 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509/pcy_tree.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_tree.c,v 1.17 2016/11/05 15:21:20 miod Exp $ */ +/* $OpenBSD: pcy_tree.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509/x509_akey.c similarity index 99% rename from crypto/x509v3/v3_akey.c rename to crypto/x509/x509_akey.c index e49f45fe..f8c71133 100644 --- a/crypto/x509v3/v3_akey.c +++ b/crypto/x509/x509_akey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_akey.c,v 1.22 2019/04/22 17:10:01 tb Exp $ */ +/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_akeya.c b/crypto/x509/x509_akeya.c similarity index 98% rename from crypto/x509v3/v3_akeya.c rename to crypto/x509/x509_akeya.c index 83ef1b58..aba8923c 100644 --- a/crypto/x509v3/v3_akeya.c +++ b/crypto/x509/x509_akeya.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_akeya.c,v 1.7 2015/07/25 16:00:14 jsing Exp $ */ +/* $OpenBSD: x509_akeya.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509/x509_alt.c similarity index 99% rename from crypto/x509v3/v3_alt.c rename to crypto/x509/x509_alt.c index 0f0177ff..45aaec24 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509/x509_alt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_alt.c,v 1.30 2019/04/22 17:10:01 tb Exp $ */ +/* $OpenBSD: x509_alt.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509/x509_bcons.c similarity index 98% rename from crypto/x509v3/v3_bcons.c rename to crypto/x509/x509_bcons.c index 1626d4e7..48ce7d60 100644 --- a/crypto/x509v3/v3_bcons.c +++ b/crypto/x509/x509_bcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_bcons.c,v 1.17 2019/05/08 21:53:10 bcook Exp $ */ +/* $OpenBSD: x509_bcons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509/x509_bitst.c similarity index 98% rename from crypto/x509v3/v3_bitst.c rename to crypto/x509/x509_bitst.c index 67444617..3d998188 100644 --- a/crypto/x509v3/v3_bitst.c +++ b/crypto/x509/x509_bitst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_bitst.c,v 1.16 2019/05/08 21:53:10 bcook Exp $ */ +/* $OpenBSD: x509_bitst.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509/x509_conf.c similarity index 99% rename from crypto/x509v3/v3_conf.c rename to crypto/x509/x509_conf.c index 78ff1980..8bf2d10b 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509/x509_conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_conf.c,v 1.23 2018/05/18 19:34:37 tb Exp $ */ +/* $OpenBSD: x509_conf.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c new file mode 100644 index 00000000..5fbcef30 --- /dev/null +++ b/crypto/x509/x509_constraints.c @@ -0,0 +1,1186 @@ +/* $OpenBSD: x509_constraints.c,v 1.15 2021/03/12 15:57:30 tb Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include +#include + +#include "x509_internal.h" + +/* RFC 2821 section 4.5.3.1 */ +#define LOCAL_PART_MAX_LEN 64 +#define DOMAIN_PART_MAX_LEN 255 + +struct x509_constraints_name * +x509_constraints_name_new(void) +{ + return (calloc(1, sizeof(struct x509_constraints_name))); +} + +void +x509_constraints_name_clear(struct x509_constraints_name *name) +{ + free(name->name); + free(name->local); + free(name->der); + memset(name, 0, sizeof(*name)); +} + +void +x509_constraints_name_free(struct x509_constraints_name *name) +{ + if (name == NULL) + return; + x509_constraints_name_clear(name); + free(name); +} + +struct x509_constraints_name * +x509_constraints_name_dup(struct x509_constraints_name *name) +{ + struct x509_constraints_name *new; + + if ((new = x509_constraints_name_new()) == NULL) + goto err; + new->type = name->type; + new->af = name->af; + new->der_len = name->der_len; + if (name->der_len > 0) { + if ((new->der = malloc(name->der_len)) == NULL) + goto err; + memcpy(new->der, name->der, name->der_len); + } + if (name->name != NULL && (new->name = strdup(name->name)) == NULL) + goto err; + if (name->local != NULL && (new->local = strdup(name->local)) == NULL) + goto err; + memcpy(new->address, name->address, sizeof(name->address)); + return new; + err: + x509_constraints_name_free(new); + return NULL; +} + +struct x509_constraints_names * +x509_constraints_names_new(size_t names_max) +{ + struct x509_constraints_names *new; + + if ((new = calloc(1, sizeof(struct x509_constraints_names))) == NULL) + return NULL; + + new->names_max = names_max; + + return new; +} + +void +x509_constraints_names_clear(struct x509_constraints_names *names) +{ + size_t i; + + for (i = 0; i < names->names_count; i++) + x509_constraints_name_free(names->names[i]); + free(names->names); + memset(names, 0, sizeof(*names)); +} + +void +x509_constraints_names_free(struct x509_constraints_names *names) +{ + if (names == NULL) + return; + + x509_constraints_names_clear(names); + free(names); +} + +int +x509_constraints_names_add(struct x509_constraints_names *names, + struct x509_constraints_name *name) +{ + if (names->names_count >= names->names_max) + return 0; + if (names->names_count == names->names_len) { + struct x509_constraints_name **tmp; + if ((tmp = recallocarray(names->names, names->names_len, + names->names_len + 32, sizeof(*tmp))) == NULL) + return 0; + names->names_len += 32; + names->names = tmp; + } + names->names[names->names_count] = name; + names->names_count++; + return 1; +} + +struct x509_constraints_names * +x509_constraints_names_dup(struct x509_constraints_names *names) +{ + struct x509_constraints_names *new = NULL; + struct x509_constraints_name *name = NULL; + size_t i; + + if (names == NULL) + return NULL; + + if ((new = x509_constraints_names_new(names->names_max)) == NULL) + goto err; + + for (i = 0; i < names->names_count; i++) { + if ((name = x509_constraints_name_dup(names->names[i])) == NULL) + goto err; + if (!x509_constraints_names_add(new, name)) + goto err; + } + + return new; + err: + x509_constraints_names_free(new); + x509_constraints_name_free(name); + return NULL; +} + + +/* + * Validate that the name contains only a hostname consisting of RFC + * 5890 compliant A-labels (see RFC 6066 section 3). This is more + * permissive to allow for a leading '*' for a SAN DNSname wildcard, + * or a leading '.' for a subdomain based constraint, as well as + * allowing for '_' which is commonly accepted by nonconformant + * DNS implementaitons. + */ +static int +x509_constraints_valid_domain_internal(uint8_t *name, size_t len) +{ + uint8_t prev, c = 0; + int component = 0; + int first; + size_t i; + + if (len > DOMAIN_PART_MAX_LEN) + return 0; + + for (i = 0; i < len; i++) { + prev = c; + c = name[i]; + + first = (i == 0); + + /* Everything has to be ASCII, with no NUL byte */ + if (!isascii(c) || c == '\0') + return 0; + /* It must be alphanumeric, a '-', '.', '_' or '*' */ + if (!isalnum(c) && c != '-' && c != '.' && c != '_' && c != '*') + return 0; + + /* '*' can only be the first thing. */ + if (c == '*' && !first) + return 0; + + /* '-' must not start a component or be at the end. */ + if (c == '-' && (component == 0 || i == len - 1)) + return 0; + + /* + * '.' must not be at the end. It may be first overall + * but must not otherwise start a component. + */ + if (c == '.' && ((component == 0 && !first) || i == len - 1)) + return 0; + + if (c == '.') { + /* Components can not end with a dash. */ + if (prev == '-') + return 0; + /* Start new component */ + component = 0; + continue; + } + /* Components must be 63 chars or less. */ + if (++component > 63) + return 0; + } + return 1; +} + +int +x509_constraints_valid_domain(uint8_t *name, size_t len) +{ + if (len == 0) + return 0; + if (name[0] == '*') /* wildcard not allowed in a domain name */ + return 0; + /* + * A domain may not be less than two characters, so you can't + * have a require subdomain name with less than that. + */ + if (len < 3 && name[0] == '.') + return 0; + return x509_constraints_valid_domain_internal(name, len); +} + +int +x509_constraints_valid_host(uint8_t *name, size_t len) +{ + struct sockaddr_in sin4; + struct sockaddr_in6 sin6; + + if (len == 0) + return 0; + if (name[0] == '*') /* wildcard not allowed in a host name */ + return 0; + if (name[0] == '.') /* leading . not allowed in a host name*/ + return 0; + if (inet_pton(AF_INET, name, &sin4) == 1) + return 0; + if (inet_pton(AF_INET6, name, &sin6) == 1) + return 0; + return x509_constraints_valid_domain_internal(name, len); +} + +int +x509_constraints_valid_sandns(uint8_t *name, size_t len) +{ + if (len == 0) + return 0; + + if (name[0] == '.') /* leading . not allowed in a SAN DNS name */ + return 0; + /* + * A domain may not be less than two characters, so you + * can't wildcard a single domain of less than that + */ + if (len < 4 && name[0] == '*') + return 0; + /* + * A wildcard may only be followed by a '.' + */ + if (len >= 4 && name[0] == '*' && name[1] != '.') + return 0; + + return x509_constraints_valid_domain_internal(name, len); +} + +static inline int +local_part_ok(char c) +{ + return (('0' <= c && c <= '9') || ('a' <= c && c <= 'z') || + ('A' <= c && c <= 'Z') || c == '!' || c == '#' || c == '$' || + c == '%' || c == '&' || c == '\'' || c == '*' || c == '+' || + c == '-' || c == '/' || c == '=' || c == '?' || c == '^' || + c == '_' || c == '`' || c == '{' || c == '|' || c == '}' || + c == '~' || c == '.'); +} + +/* + * Parse "candidate" as an RFC 2821 mailbox. + * Returns 0 if candidate is not a valid mailbox or if an error occurs. + * Returns 1 if candidate is a mailbox and adds newly allocated + * local and domain parts of the mailbox to "name->local" and name->name" + */ +int +x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, + struct x509_constraints_name *name) +{ + char working[DOMAIN_PART_MAX_LEN + 1] = { 0 }; + char *candidate_local = NULL; + char *candidate_domain = NULL; + size_t i, wi = 0; + int accept = 0; + int quoted = 0; + + if (candidate == NULL) + return 0; + + /* It can't be bigger than the local part, domain part and the '@' */ + if (len > LOCAL_PART_MAX_LEN + DOMAIN_PART_MAX_LEN + 1) + return 0; + + for (i = 0; i < len; i++) { + char c = candidate[i]; + /* non ascii, cr, lf, or nul is never allowed */ + if (!isascii(c) || c == '\r' || c == '\n' || c == '\0') + goto bad; + if (i == 0) { + /* local part is quoted part */ + if (c == '"') + quoted = 1; + /* can not start with a . */ + if (c == '.') + goto bad; + } + if (wi > DOMAIN_PART_MAX_LEN) + goto bad; + if (accept) { + working[wi++] = c; + accept = 0; + continue; + } + if (candidate_local != NULL) { + /* We are looking for the domain part */ + if (wi > DOMAIN_PART_MAX_LEN) + goto bad; + working[wi++] = c; + if (i == len - 1) { + if (wi == 0) + goto bad; + if (candidate_domain != NULL) + goto bad; + candidate_domain = strdup(working); + if (candidate_domain == NULL) + goto bad; + } + continue; + } + /* We are looking for the local part */ + if (wi > LOCAL_PART_MAX_LEN) + break; + + if (quoted) { + if (c == '\\') { + accept = 1; + continue; + } + if (c == '"' && i != 0) { + /* end the quoted part. @ must be next */ + if (i + 1 == len || candidate[i + 1] != '@') + goto bad; + quoted = 0; + } + /* + * XXX Go strangely permits sp but forbids ht + * mimic that for now + */ + if (c == 9) + goto bad; + working[wi++] = c; + continue; /* all's good inside our quoted string */ + } + if (c == '@') { + if (wi == 0) + goto bad;; + if (candidate_local != NULL) + goto bad; + candidate_local = strdup(working); + if (candidate_local == NULL) + goto bad; + memset(working, 0, sizeof(working)); + wi = 0; + continue; + } + if (c == '\\') { + /* + * RFC 3936 hints these can happen outside of + * quotend string. don't include the \ but + * next character must be ok. + */ + if (i + 1 == len) + goto bad; + if (!local_part_ok(candidate[i + 1])) + goto bad; + accept = 1; + } + if (!local_part_ok(c)) + goto bad; + working[wi++] = c; + } + if (candidate_local == NULL || candidate_domain == NULL) + goto bad; + if (!x509_constraints_valid_host(candidate_domain, + strlen(candidate_domain))) + goto bad; + + name->local = candidate_local; + name->name = candidate_domain; + name->type = GEN_EMAIL; + return 1; + bad: + free(candidate_local); + free(candidate_domain); + return 0; +} + +int +x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len) +{ + if (len == 0) + return 1; /* empty constraints match */ + + if (constraint[0] == '*') /* wildcard not allowed in a constraint */ + return 0; + + /* + * A domain may not be less than two characters, so you + * can't match a single domain of less than that + */ + if (len < 3 && constraint[0] == '.') + return 0; + return x509_constraints_valid_domain_internal(constraint, len); +} + +/* + * Extract the host part of a URI, returns the host part as a c string + * the caller must free, or or NULL if it could not be found or is + * invalid. + * + * RFC 3986: + * the authority part of a uri starts with // and is terminated with + * the next '/', '?', '#' or end of the URI. + * + * The authority itself contains [userinfo '@'] host [: port] + * + * so the host starts at the start or after the '@', and ends + * with end of URI, '/', '?', "#', or ':'. + */ +int +x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) +{ + size_t i, hostlen = 0; + uint8_t *authority = NULL; + char *host = NULL; + + /* + * Find first '//'. there must be at least a '//' and + * something else. + */ + if (len < 3) + return 0; + for (i = 0; i < len - 1; i++) { + if (!isascii(uri[i])) + return 0; + if (uri[i] == '/' && uri[i + 1] == '/') { + authority = uri + i + 2; + break; + } + } + if (authority == NULL) + return 0; + for (i = authority - uri; i < len; i++) { + if (!isascii(uri[i])) + return 0; + /* it has a userinfo part */ + if (uri[i] == '@') { + hostlen = 0; + /* it can only have one */ + if (host != NULL) + break; + /* start after the userinfo part */ + host = uri + i + 1; + continue; + } + /* did we find the end? */ + if (uri[i] == ':' || uri[i] == '/' || uri[i] == '?' || + uri[i] == '#') + break; + hostlen++; + } + if (hostlen == 0) + return 0; + if (host == NULL) + host = authority; + if (!x509_constraints_valid_host(host, hostlen)) + return 0; + *hostpart = strndup(host, hostlen); + return 1; +} + +int +x509_constraints_sandns(char *sandns, size_t dlen, char *constraint, size_t len) +{ + char *suffix; + + if (len == 0) + return 1; /* an empty constraint matches everything */ + + /* match the end of the domain */ + if (dlen < len) + return 0; + suffix = sandns + (dlen - len); + return (strncasecmp(suffix, constraint, len) == 0); +} + +/* + * Validate a pre-validated domain of length dlen against a pre-validated + * constraint of length len. + * + * returns 1 if the domain and constraint match. + * returns 0 otherwise. + * + * an empty constraint matches everyting. + * constraint will be matched against the domain as a suffix if it + * starts with a '.'. + * domain will be matched against the constraint as a suffix if it + * starts with a '.'. + */ +int +x509_constraints_domain(char *domain, size_t dlen, char *constraint, size_t len) +{ + if (len == 0) + return 1; /* an empty constraint matches everything */ + + if (constraint[0] == '.') { + /* match the end of the domain */ + char *suffix; + if (dlen < len) + return 0; + suffix = domain + (dlen - len); + return (strncasecmp(suffix, constraint, len) == 0); + } + if (domain[0] == '.') { + /* match the end of the constraint */ + char *suffix; + if (len < dlen) + return 0; + suffix = constraint + (len - dlen); + return (strncasecmp(suffix, domain, dlen) == 0); + } + /* otherwise we must exactly match the constraint */ + if (dlen != len) + return 0; + return (strncasecmp(domain, constraint, len) == 0); +} + +int +x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, size_t len, + int *error) +{ + int ret = 0; + char *hostpart = NULL; + + if (!x509_constraints_uri_host(uri, ulen, &hostpart)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + if (hostpart == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_valid_domain_constraint(constraint, len)) { + *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; + goto err; + } + ret = x509_constraints_domain(hostpart, strlen(hostpart), constraint, + len); + err: + free(hostpart); + return ret; +} + +/* + * Verify a validated address of size alen with a validated contraint + * of size constraint_len. returns 1 if matching, 0 if not. + * Addresses are assumed to be pre-validated for a length of 4 and 8 + * respectively for ipv4 addreses and constraints, and a length of + * 16 and 32 respectively for ipv6 address constraints by the caller. + */ +int +x509_constraints_ipaddr(uint8_t *address, size_t alen, uint8_t *constraint, + size_t len) +{ + uint8_t *mask; + size_t i; + + if (alen * 2 != len) + return 0; + + mask = constraint + alen; + for (i = 0; i < alen; i++) { + if ((address[i] & mask[i]) != (constraint[i] & mask[i])) + return 0; + } + return 1; +} + +/* + * Verify a canonicalized der encoded constraint dirname + * a canonicalized der encoded constraint. + */ +int +x509_constraints_dirname(uint8_t *dirname, size_t dlen, + uint8_t *constraint, size_t len) +{ + if (len != dlen) + return 0; + return (memcmp(constraint, dirname, len) == 0); +} + +/* + * De-obfuscate a GENERAL_NAME into useful bytes for a name or constraint. + */ +int +x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, + size_t *len) +{ + *bytes = NULL; + *len = 0; + + if (name->type == GEN_DNS) { + ASN1_IA5STRING *aname = name->d.dNSName; + *bytes = aname->data; + *len = strlen(aname->data); + return name->type; + } + if (name->type == GEN_EMAIL) { + ASN1_IA5STRING *aname = name->d.rfc822Name; + *bytes = aname->data; + *len = strlen(aname->data); + return name->type; + } + if (name->type == GEN_URI) { + ASN1_IA5STRING *aname = name->d.uniformResourceIdentifier; + *bytes = aname->data; + *len = strlen(aname->data); + return name->type; + } + if (name->type == GEN_DIRNAME) { + X509_NAME *dname = name->d.directoryName; + if (!dname->modified || i2d_X509_NAME(dname, NULL) >= 0) { + *bytes = dname->canon_enc; + *len = dname->canon_enclen; + return name->type; + } + } + if (name->type == GEN_IPADD) { + *bytes = name->d.ip->data; + *len = name->d.ip->length; + return name->type; + } + return 0; +} + + +/* + * Extract the relevant names for constraint checking from "cert", + * validate them, and add them to the list of cert names for "chain". + * returns 1 on success sets error and returns 0 on failure. + */ +int +x509_constraints_extract_names(struct x509_constraints_names *names, + X509 *cert, int is_leaf, int *error) +{ + struct x509_constraints_name *vname = NULL; + X509_NAME *subject_name; + GENERAL_NAME *name; + ssize_t i = 0; + int name_type, include_cn = is_leaf, include_email = is_leaf; + + /* first grab the altnames */ + while ((name = sk_GENERAL_NAME_value(cert->altname, i++)) != NULL) { + uint8_t *bytes = NULL; + size_t len = 0; + + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + + name_type = x509_constraints_general_to_bytes(name, &bytes, + &len); + switch(name_type) { + case GEN_DNS: + if (!x509_constraints_valid_sandns(bytes, len)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + if ((vname->name = strdup(bytes)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname->type = GEN_DNS; + include_cn = 0; /* don't use cn from subject */ + break; + case GEN_EMAIL: + if (!x509_constraints_parse_mailbox(bytes, len, + vname)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + vname->type = GEN_EMAIL; + include_email = 0; /* don't use email from subject */ + break; + case GEN_URI: + if (!x509_constraints_uri_host(bytes, len, &vname->name)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + if (vname->name == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname->type = GEN_URI; + break; + case GEN_DIRNAME: + if (bytes == NULL || ((vname->der = malloc(len)) == + NULL)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (len == 0) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + memcpy(vname->der, bytes, len); + vname->der_len = len; + vname->type = GEN_DIRNAME; + break; + case GEN_IPADD: + if (len == 4) + vname->af = AF_INET; + if (len == 16) + vname->af = AF_INET6; + if (vname->af != AF_INET && vname->af != + AF_INET6) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + memcpy(vname->address, bytes, len); + vname->type = GEN_IPADD; + break; + default: + /* Ignore this name */ + x509_constraints_name_free(vname); + vname = NULL; + continue; + } + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + } + + x509_constraints_name_free(vname); + vname = NULL; + + subject_name = X509_get_subject_name(cert); + if (X509_NAME_entry_count(subject_name) > 0) { + X509_NAME_ENTRY *email; + X509_NAME_ENTRY *cn; + /* + * This cert has a non-empty subject, so we must add + * the subject as a dirname to be compared against + * any dirname constraints + */ + if ((subject_name->modified && + i2d_X509_NAME(subject_name, NULL) < 0) || + (vname = x509_constraints_name_new()) == NULL || + (vname->der = malloc(subject_name->canon_enclen)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + + memcpy(vname->der, subject_name->canon_enc, + subject_name->canon_enclen); + vname->der_len = subject_name->canon_enclen; + vname->type = GEN_DIRNAME; + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + /* + * Get any email addresses from the subject line, and + * add them as mbox names to be compared against any + * email constraints + */ + while (include_email && + (i = X509_NAME_get_index_by_NID(subject_name, + NID_pkcs9_emailAddress, i)) >= 0) { + ASN1_STRING *aname; + if ((email = X509_NAME_get_entry(subject_name, i)) == NULL || + (aname = X509_NAME_ENTRY_get_data(email)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_parse_mailbox(aname->data, + aname->length, vname)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + vname->type = GEN_EMAIL; + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + } + /* + * Include the CN as a hostname to be checked againt + * name constraints if it looks like a hostname. + */ + while (include_cn && + (i = X509_NAME_get_index_by_NID(subject_name, + NID_commonName, i)) >= 0) { + ASN1_STRING *aname; + if ((cn = X509_NAME_get_entry(subject_name, i)) == NULL || + (aname = X509_NAME_ENTRY_get_data(cn)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_valid_host(aname->data, + aname->length)) + continue; /* ignore it if not a hostname */ + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((vname->name = strndup(aname->data, + aname->length)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname->type = GEN_DNS; + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + } + } + return 1; + err: + x509_constraints_name_free(vname); + return 0; +} + +/* + * Validate a constraint in a general name, putting the relevant data + * into "name" if valid. returns 0, and sets error if the constraint is + * not valid. returns 1 if the constraint validated. name->type will be + * set to a valid type if there is constraint data in name, or unmodified + * if the GENERAL_NAME had a valid type but was ignored. + */ +int +x509_constraints_validate(GENERAL_NAME *constraint, + struct x509_constraints_name *name, int *error) +{ + uint8_t *bytes = NULL; + size_t len = 0; + int name_type; + + name_type = x509_constraints_general_to_bytes(constraint, &bytes, &len); + switch (name_type) { + case GEN_DIRNAME: + if (bytes == NULL || (name->der = malloc(len)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (len == 0) + goto err; /* XXX The RFCs are delightfully vague */ + memcpy(name->der, bytes, len); + name->der_len = len; + name->type = GEN_DIRNAME; + break; + case GEN_DNS: + if (!x509_constraints_valid_domain_constraint(bytes, len)) + goto err; + if ((name->name = strdup(bytes)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + name->type = GEN_DNS; + break; + case GEN_EMAIL: + if (memchr(bytes, '@', len) != NULL) { + if (!x509_constraints_parse_mailbox(bytes, len, name)) + goto err; + } else { + if (!x509_constraints_valid_domain_constraint(bytes, + len)) + goto err; + if ((name->name = strdup(bytes)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + } + name->type = GEN_EMAIL; + break; + case GEN_IPADD: + /* Constraints are ip then mask */ + if (len == 8) + name->af = AF_INET; + else if (len == 32) + name->af = AF_INET6; + else + goto err; + memcpy(&name->address[0], bytes, len); + name->type = GEN_IPADD; + break; + case GEN_URI: + if (!x509_constraints_valid_domain_constraint(bytes, len)) + goto err; + name->name = strdup(bytes); + name->type = GEN_URI; + break; + default: + break; + } + return 1; + err: + *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; + return 0; +} + +int +x509_constraints_extract_constraints(X509 *cert, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, + int *error) +{ + struct x509_constraints_name *vname; + NAME_CONSTRAINTS *nc = cert->nc; + GENERAL_SUBTREE *subtree; + int i; + + if (nc == NULL) + return 1; + + for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { + + subtree = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); + if (subtree->minimum || subtree->maximum) { + *error = X509_V_ERR_SUBTREE_MINMAX; + return 0; + } + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (x509_constraints_validate(subtree->base, vname, error) == + 0) { + x509_constraints_name_free(vname); + return 0; + } + if (vname->type == 0) { + x509_constraints_name_free(vname); + continue; + } + if (!x509_constraints_names_add(permitted, vname)) { + x509_constraints_name_free(vname); + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + } + + for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { + subtree = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); + if (subtree->minimum || subtree->maximum) { + *error = X509_V_ERR_SUBTREE_MINMAX; + return 0; + } + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (x509_constraints_validate(subtree->base, vname, error) == + 0) { + x509_constraints_name_free(vname); + return 0; + } + if (vname->type == 0) { + x509_constraints_name_free(vname); + continue; + } + if (!x509_constraints_names_add(excluded, vname)) { + x509_constraints_name_free(vname); + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + } + + return 1; +} + +/* + * Match a validated name in "name" against a validated constraint in + * "constraint" return 1 if then name matches, 0 otherwise. + */ +int +x509_constraints_match(struct x509_constraints_name *name, + struct x509_constraints_name *constraint) +{ + if (name->type != constraint->type) + return 0; + if (name->type == GEN_DNS) + return x509_constraints_sandns(name->name, strlen(name->name), + constraint->name, strlen(constraint->name)); + if (name->type == GEN_URI) + return x509_constraints_domain(name->name, strlen(name->name), + constraint->name, strlen(constraint->name)); + if (name->type == GEN_IPADD) { + size_t nlen = name->af == AF_INET ? 4 : 16; + size_t clen = name->af == AF_INET ? 8 : 32; + if (name->af != AF_INET && name->af != AF_INET6) + return 0; + if (constraint->af != AF_INET && constraint->af != AF_INET6) + return 0; + if (name->af != constraint->af) + return 0; + return x509_constraints_ipaddr(name->address, nlen, + constraint->address, clen); + } + if (name->type == GEN_EMAIL) { + if (constraint->local) { + /* mailbox local and domain parts must exactly match */ + return (strcmp(name->local, constraint->local) == 0 && + strcmp(name->name, constraint->name) == 0); + } + /* otherwise match the constraint to the domain part */ + return x509_constraints_domain(name->name, strlen(name->name), + constraint->name, strlen(constraint->name)); + } + if (name->type == GEN_DIRNAME) + return x509_constraints_dirname(name->der, name->der_len, + constraint->der, constraint->der_len); + return 0; +} + +/* + * Make sure every name in names does not match any excluded + * constraints, and does match at least one permitted constraint if + * any are present. Returns 1 if ok, 0, and sets error if not. + */ +int +x509_constraints_check(struct x509_constraints_names *names, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, int *error) +{ + size_t i, j; + + for (i = 0; i < names->names_count; i++) { + int permitted_seen = 0; + int permitted_matched = 0; + + for (j = 0; j < excluded->names_count; j++) { + if (x509_constraints_match(names->names[i], + excluded->names[j])) { + *error = X509_V_ERR_EXCLUDED_VIOLATION; + return 0; + } + } + for (j = 0; j < permitted->names_count; j++) { + if (permitted->names[j]->type == names->names[i]->type) + permitted_seen++; + if (x509_constraints_match(names->names[i], + permitted->names[j])) { + permitted_matched++; + break; + } + } + if (permitted_seen && !permitted_matched) { + *error = X509_V_ERR_PERMITTED_VIOLATION; + return 0; + } + } + return 1; +} + +/* + * Walk a validated chain of X509 certs, starting at the leaf, and + * validate the name constraints in the chain. Intended for use with + * the legacy X509 validtion code in x509_vfy.c + * + * returns 1 if the constraints are ok, 0 otherwise, setting error and + * depth + */ +int +x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth) +{ + int chain_length, verify_err = X509_V_ERR_UNSPECIFIED, i = 0; + struct x509_constraints_names *names = NULL; + struct x509_constraints_names *excluded = NULL; + struct x509_constraints_names *permitted = NULL; + size_t constraints_count = 0; + X509 *cert; + + if (chain == NULL || (chain_length = sk_X509_num(chain)) == 0) + goto err; + if (chain_length == 1) + return 1; + if ((names = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_NAMES)) == NULL) { + verify_err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + + if ((cert = sk_X509_value(chain, 0)) == NULL) + goto err; + if (!x509_constraints_extract_names(names, cert, 1, &verify_err)) + goto err; + for (i = 1; i < chain_length; i++) { + if ((cert = sk_X509_value(chain, i)) == NULL) + goto err; + if (cert->nc != NULL) { + if ((permitted = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { + verify_err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((excluded = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { + verify_err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_extract_constraints(cert, + permitted, excluded, &verify_err)) + goto err; + constraints_count += permitted->names_count; + constraints_count += excluded->names_count; + if (constraints_count > + X509_VERIFY_MAX_CHAIN_CONSTRAINTS) { + verify_err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_check(names, permitted, excluded, + &verify_err)) + goto err; + x509_constraints_names_free(excluded); + excluded = NULL; + x509_constraints_names_free(permitted); + permitted = NULL; + } + if (!x509_constraints_extract_names(names, cert, 0, + &verify_err)) + goto err; + } + + x509_constraints_names_free(names); + return 1; + + err: + *error = verify_err; + *depth = i; + x509_constraints_names_free(excluded); + x509_constraints_names_free(permitted); + x509_constraints_names_free(names); + return 0; +} diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509/x509_cpols.c similarity index 99% rename from crypto/x509v3/v3_cpols.c rename to crypto/x509/x509_cpols.c index 4359327b..4b6c13cf 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_cpols.c,v 1.26 2019/04/21 16:25:40 tb Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509/x509_crld.c similarity index 99% rename from crypto/x509v3/v3_crld.c rename to crypto/x509/x509_crld.c index 039435f1..ff60a880 100644 --- a/crypto/x509v3/v3_crld.c +++ b/crypto/x509/x509_crld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_crld.c,v 1.23 2019/04/21 16:25:40 tb Exp $ */ +/* $OpenBSD: x509_crld.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_enum.c b/crypto/x509/x509_enum.c similarity index 98% rename from crypto/x509v3/v3_enum.c rename to crypto/x509/x509_enum.c index 2ef3ea3e..f18eea53 100644 --- a/crypto/x509v3/v3_enum.c +++ b/crypto/x509/x509_enum.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_enum.c,v 1.13 2018/05/19 10:37:02 tb Exp $ */ +/* $OpenBSD: x509_enum.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 3b321376..cac734dd 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_err.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_err.c,v 1.15 2020/06/05 16:51:12 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * @@ -64,6 +64,7 @@ #include #include +#include /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR @@ -76,6 +77,11 @@ static ERR_STRING_DATA X509_str_functs[] = { {0, NULL} }; +static ERR_STRING_DATA X509V3_str_functs[] = { + {ERR_FUNC(0xfff), "CRYPTO_internal"}, + {0, NULL} +}; + static ERR_STRING_DATA X509_str_reasons[] = { {ERR_REASON(X509_R_BAD_X509_FILETYPE) , "bad x509 filetype"}, {ERR_REASON(X509_R_BASE64_DECODE_ERROR) , "base64 decode error"}, @@ -106,6 +112,78 @@ static ERR_STRING_DATA X509_str_reasons[] = { {0, NULL} }; +static ERR_STRING_DATA X509V3_str_reasons[] = { + {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"}, + {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"}, + {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"}, + {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"}, + {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"}, + {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"}, + {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"}, + {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"}, + {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"}, + {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"}, + {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"}, + {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"}, + {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"}, + {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"}, + {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"}, + {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"}, + {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"}, + {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"}, + {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"}, + {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"}, + {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"}, + {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"}, + {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"}, + {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"}, + {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"}, + {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"}, + {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"}, + {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"}, + {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"}, + {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"}, + {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"}, + {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"}, + {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"}, + {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"}, + {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"}, + {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"}, + {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"}, + {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"}, + {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"}, + {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"}, + {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"}, + {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"}, + {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"}, + {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"}, + {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"}, + {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"}, + {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"}, + {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"}, + {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"}, + {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"}, + {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"}, + {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"}, + {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"}, + {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"}, + {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"}, + {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"}, + {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"}, + {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"}, + {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"}, + {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"}, + {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"}, + {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"}, + {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"}, + {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"}, + {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"}, + {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"}, + {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"}, + {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"}, + {0, NULL} +}; + #endif void @@ -118,3 +196,15 @@ ERR_load_X509_strings(void) } #endif } + + +void +ERR_load_X509V3_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) { + ERR_load_strings(0, X509V3_str_functs); + ERR_load_strings(0, X509V3_str_reasons); + } +#endif +} diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509/x509_extku.c similarity index 98% rename from crypto/x509v3/v3_extku.c rename to crypto/x509/x509_extku.c index 59185c9b..09bec675 100644 --- a/crypto/x509v3/v3_extku.c +++ b/crypto/x509/x509_extku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_extku.c,v 1.16 2019/04/22 17:26:34 tb Exp $ */ +/* $OpenBSD: x509_extku.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509/x509_genn.c similarity index 88% rename from crypto/x509v3/v3_genn.c rename to crypto/x509/x509_genn.c index a6b7a18b..dadf6f1e 100644 --- a/crypto/x509v3/v3_genn.c +++ b/crypto/x509/x509_genn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_genn.c,v 1.12 2015/09/26 17:38:41 jsing Exp $ */ +/* $OpenBSD: x509_genn.c,v 1.2 2020/12/08 15:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -117,16 +117,17 @@ OTHERNAME_free(OTHERNAME *a) ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it); } +/* Uses explicit tagging since DIRECTORYSTRING is a CHOICE type */ static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = { { - .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, .tag = 0, .offset = offsetof(EDIPARTYNAME, nameAssigner), .field_name = "nameAssigner", .item = &DIRECTORYSTRING_it, }, { - .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .flags = ASN1_TFLG_EXPLICIT, .tag = 1, .offset = offsetof(EDIPARTYNAME, partyName), .field_name = "partyName", @@ -324,6 +325,37 @@ GENERAL_NAME_dup(GENERAL_NAME *a) return ASN1_item_dup(&GENERAL_NAME_it, a); } +static int +EDIPARTYNAME_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) +{ + int res; + + /* + * Shouldn't be possible in a valid GENERAL_NAME, but we handle it + * anyway. OTHERNAME_cmp treats NULL != NULL, so we do the same here. + */ + if (a == NULL || b == NULL) + return -1; + if (a->nameAssigner == NULL && b->nameAssigner != NULL) + return -1; + if (a->nameAssigner != NULL && b->nameAssigner == NULL) + return 1; + /* If we get here, both have nameAssigner set or both unset. */ + if (a->nameAssigner != NULL) { + res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); + if (res != 0) + return res; + } + /* + * partyName is required, so these should never be NULL. We treat it in + * the same way as the a == NULL || b == NULL case above. + */ + if (a->partyName == NULL || b->partyName == NULL) + return -1; + + return ASN1_STRING_cmp(a->partyName, b->partyName); +} + /* Returns 0 if they are equal, != 0 otherwise. */ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) @@ -334,8 +366,11 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: + result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + break; + case GEN_EDIPARTY: - result = ASN1_TYPE_cmp(a->d.other, b->d.other); + result = EDIPARTYNAME_cmp(a->d.ediPartyName, b->d.ediPartyName); break; case GEN_OTHERNAME: @@ -384,8 +419,11 @@ GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) { switch (type) { case GEN_X400: + a->d.x400Address = value; + break; + case GEN_EDIPARTY: - a->d.other = value; + a->d.ediPartyName = value; break; case GEN_OTHERNAME: @@ -420,8 +458,10 @@ GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype) *ptype = a->type; switch (a->type) { case GEN_X400: + return a->d.x400Address; + case GEN_EDIPARTY: - return a->d.other; + return a->d.ediPartyName; case GEN_OTHERNAME: return a->d.otherName; diff --git a/crypto/x509v3/v3_ia5.c b/crypto/x509/x509_ia5.c similarity index 98% rename from crypto/x509v3/v3_ia5.c rename to crypto/x509/x509_ia5.c index a92041e6..4113c3d3 100644 --- a/crypto/x509v3/v3_ia5.c +++ b/crypto/x509/x509_ia5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_ia5.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_info.c b/crypto/x509/x509_info.c similarity index 99% rename from crypto/x509v3/v3_info.c rename to crypto/x509/x509_info.c index a8959855..86ed6fad 100644 --- a/crypto/x509v3/v3_info.c +++ b/crypto/x509/x509_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_info.c,v 1.27 2019/04/22 17:18:30 tb Exp $ */ +/* $OpenBSD: x509_info.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_int.c b/crypto/x509/x509_int.c similarity index 98% rename from crypto/x509v3/v3_int.c rename to crypto/x509/x509_int.c index f8a5e7df..35c8853c 100644 --- a/crypto/x509v3/v3_int.c +++ b/crypto/x509/x509_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_int.c,v 1.11 2016/12/30 15:54:49 jsing Exp $ */ +/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509/x509_internal.h b/crypto/x509/x509_internal.h new file mode 100644 index 00000000..fe403512 --- /dev/null +++ b/crypto/x509/x509_internal.h @@ -0,0 +1,131 @@ +/* $OpenBSD: x509_internal.h,v 1.7 2021/03/12 15:53:38 tb Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#ifndef HEADER_X509_INTERNAL_H +#define HEADER_X509_INTERNAL_H + +/* Internal use only, not public API */ +#include + +#include + +/* Hard limits on structure size and number of signature checks. */ +#define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ +#define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */ +#define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */ + +/* + * Limit the number of names and constraints we will check in a chain + * to avoid a hostile input DOS + */ +#define X509_VERIFY_MAX_CHAIN_NAMES 512 +#define X509_VERIFY_MAX_CHAIN_CONSTRAINTS 512 + +/* + * Hold the parsed and validated result of names from a certificate. + * these typically come from a GENERALNAME, but we store the parsed + * and validated results, not the ASN1 bytes. + */ +struct x509_constraints_name { + int type; /* GEN_* types from GENERAL_NAME */ + char *name; /* Name to check */ + char *local; /* holds the local part of GEN_EMAIL */ + uint8_t *der; /* DER encoded value or NULL*/ + size_t der_len; + int af; /* INET and INET6 are supported */ + uint8_t address[32]; /* Must hold ipv6 + mask */ +}; + +struct x509_constraints_names { + struct x509_constraints_name **names; + size_t names_count; + size_t names_len; + size_t names_max; +}; + +struct x509_verify_chain { + STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */ + int *cert_errors; /* Verify error for each cert in chain. */ + struct x509_constraints_names *names; /* All names from all certs */ +}; + +struct x509_verify_ctx { + X509_STORE_CTX *xsc; + struct x509_verify_chain **chains; /* Validated chains */ + size_t chains_count; + int dump_chain; /* Dump current chain without erroring */ + STACK_OF(X509) *roots; /* Trusted roots for this validation */ + STACK_OF(X509) *intermediates; /* Intermediates provided by peer */ + time_t *check_time; /* Time for validity checks */ + int purpose; /* Cert purpose we are validating */ + size_t max_chains; /* Max chains to return */ + size_t max_depth; /* Max chain depth for validation */ + size_t max_sigs; /* Max number of signature checks */ + size_t sig_checks; /* Number of signature checks done */ + size_t error_depth; /* Depth of last error seen */ + int error; /* Last error seen */ +}; + +int ASN1_time_tm_clamp_notafter(struct tm *tm); + +__BEGIN_HIDDEN_DECLS + +int x509_vfy_check_id(X509_STORE_CTX *ctx); +int x509_vfy_check_revocation(X509_STORE_CTX *ctx); +int x509_vfy_check_policy(X509_STORE_CTX *ctx); +int x509_vfy_check_trust(X509_STORE_CTX *ctx); +int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); +void x509v3_cache_extensions(X509 *x); + +int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, + int notafter); + +struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, + STACK_OF(X509) *roots); + +void x509_constraints_name_clear(struct x509_constraints_name *name); +int x509_constraints_names_add(struct x509_constraints_names *names, + struct x509_constraints_name *name); +struct x509_constraints_names *x509_constraints_names_dup( + struct x509_constraints_names *names); +void x509_constraints_names_clear(struct x509_constraints_names *names); +struct x509_constraints_names *x509_constraints_names_new(size_t names_max); +void x509_constraints_names_free(struct x509_constraints_names *names); +int x509_constraints_valid_host(uint8_t *name, size_t len); +int x509_constraints_valid_sandns(uint8_t *name, size_t len); +int x509_constraints_domain(char *domain, size_t dlen, char *constraint, + size_t len); +int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, + struct x509_constraints_name *name); +int x509_constraints_valid_domain_constraint(uint8_t *constraint, + size_t len); +int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp); +int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, + size_t len, int *error); +int x509_constraints_extract_names(struct x509_constraints_names *names, + X509 *cert, int include_cn, int *error); +int x509_constraints_extract_constraints(X509 *cert, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, int *error); +int x509_constraints_check(struct x509_constraints_names *names, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, int *error); +int x509_constraints_chain(STACK_OF(X509) *chain, int *error, + int *depth); + +__END_HIDDEN_DECLS + +#endif diff --git a/crypto/x509/x509_issuer_cache.c b/crypto/x509/x509_issuer_cache.c new file mode 100644 index 00000000..26cde172 --- /dev/null +++ b/crypto/x509/x509_issuer_cache.c @@ -0,0 +1,167 @@ +/* $OpenBSD: x509_issuer_cache.c,v 1.2 2020/11/18 17:00:59 tb Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* x509_issuer_cache */ + +/* + * The issuer cache is a cache of parent and child x509 certificate + * hashes with a signature validation result. + * + * Entries should only be added to the cache with a validation result + * from checking the public key math that "parent" signed "child". + * + * Finding an entry in the cache gets us the result of a previously + * performed validation of the signature of "parent" signing for the + * validity of "child". It allows us to skip doing the public key math + * when validating a certificate chain. It does not allow us to skip + * any other steps of validation (times, names, key usage, etc.) + */ + +#include +#include + +#include "x509_issuer_cache.h" + +static int +x509_issuer_cmp(struct x509_issuer *x1, struct x509_issuer *x2) +{ + int pcmp; + if ((pcmp = memcmp(x1->parent_md, x2->parent_md, EVP_MAX_MD_SIZE)) != 0) + return pcmp; + return memcmp(x1->child_md, x2->child_md, EVP_MAX_MD_SIZE); +} + +static size_t x509_issuer_cache_count; +static size_t x509_issuer_cache_max = X509_ISSUER_CACHE_MAX; +static RB_HEAD(x509_issuer_tree, x509_issuer) x509_issuer_cache = + RB_INITIALIZER(&x509_issuer_cache); +static TAILQ_HEAD(lruqueue, x509_issuer) x509_issuer_lru = + TAILQ_HEAD_INITIALIZER(x509_issuer_lru); +static pthread_mutex_t x509_issuer_tree_mutex = PTHREAD_MUTEX_INITIALIZER; + +RB_PROTOTYPE(x509_issuer_tree, x509_issuer, entry, x509_issuer_cmp); +RB_GENERATE(x509_issuer_tree, x509_issuer, entry, x509_issuer_cmp); + +/* + * Set the maximum number of cached entries. On additions to the cache + * the least recently used entries will be discarded so that the cache + * stays under the maximum number of entries. Setting a maximum of 0 + * disables the cache. + */ +int +x509_issuer_cache_set_max(size_t max) +{ + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + return 0; + x509_issuer_cache_max = max; + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + + return 1; +} + +/* + * Find a previous result of checking if parent signed child + * + * Returns: + * -1 : No entry exists in the cache. signature must be checked. + * 0 : The signature of parent signing child is invalid. + * 1 : The signature of parent signing child is valid. + */ +int +x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md) +{ + struct x509_issuer candidate, *found; + int ret = -1; + + memset(&candidate, 0, sizeof(candidate)); + candidate.parent_md = parent_md; + candidate.child_md = child_md; + + if (x509_issuer_cache_max == 0) + return -1; + + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + return -1; + if ((found = RB_FIND(x509_issuer_tree, &x509_issuer_cache, + &candidate)) != NULL) { + TAILQ_REMOVE(&x509_issuer_lru, found, queue); + TAILQ_INSERT_HEAD(&x509_issuer_lru, found, queue); + ret = found->valid; + } + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + + return ret; +} + +/* + * Attempt to add a validation result to the cache. + * + * valid must be: + * 0: The signature of parent signing child is invalid. + * 1: The signature of parent signing child is valid. + * + * Previously added entries for the same parent and child are *not* replaced. + */ +void +x509_issuer_cache_add(unsigned char *parent_md, unsigned char *child_md, + int valid) +{ + struct x509_issuer *new; + + if (x509_issuer_cache_max == 0) + return; + if (valid != 0 && valid != 1) + return; + + if ((new = calloc(1, sizeof(struct x509_issuer))) == NULL) + return; + if ((new->parent_md = calloc(1, EVP_MAX_MD_SIZE)) == NULL) + goto err; + memcpy(new->parent_md, parent_md, EVP_MAX_MD_SIZE); + if ((new->child_md = calloc(1, EVP_MAX_MD_SIZE)) == NULL) + goto err; + memcpy(new->child_md, child_md, EVP_MAX_MD_SIZE); + + new->valid = valid; + + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + goto err; + while (x509_issuer_cache_count >= x509_issuer_cache_max) { + struct x509_issuer *old; + if ((old = TAILQ_LAST(&x509_issuer_lru, lruqueue)) == NULL) + goto err; + TAILQ_REMOVE(&x509_issuer_lru, old, queue); + RB_REMOVE(x509_issuer_tree, &x509_issuer_cache, old); + free(old->parent_md); + free(old->child_md); + free(old); + x509_issuer_cache_count--; + } + if (RB_INSERT(x509_issuer_tree, &x509_issuer_cache, new) == NULL) { + TAILQ_INSERT_HEAD(&x509_issuer_lru, new, queue); + x509_issuer_cache_count++; + new = NULL; + } + err: + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + if (new != NULL) { + free(new->parent_md); + free(new->child_md); + } + free(new); + return; +} diff --git a/crypto/x509/x509_issuer_cache.h b/crypto/x509/x509_issuer_cache.h new file mode 100644 index 00000000..6dedde75 --- /dev/null +++ b/crypto/x509/x509_issuer_cache.h @@ -0,0 +1,47 @@ +/* $OpenBSD: x509_issuer_cache.h,v 1.1 2020/09/11 14:30:51 beck Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* x509_issuer_cache */ +#ifndef HEADER_X509_ISSUER_CACHE_H +#define HEADER_X509_ISSUER_CACHE_H + +#include +#include + +#include + +__BEGIN_HIDDEN_DECLS + +struct x509_issuer { + RB_ENTRY(x509_issuer) entry; + TAILQ_ENTRY(x509_issuer) queue; /* LRU of entries */ + /* parent_md and child_md must point to EVP_MAX_MD_SIZE of memory */ + unsigned char *parent_md; + unsigned char *child_md; + int valid; /* Result of signature validation. */ +}; + +#define X509_ISSUER_CACHE_MAX 40000 /* Approx 7.5 MB, entries 200 bytes */ + +int x509_issuer_cache_set_max(size_t max); +int x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md); +void x509_issuer_cache_add(unsigned char *parent_md, unsigned char *child_md, + int valid); + +__END_HIDDEN_DECLS + +#endif diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509/x509_lib.c similarity index 98% rename from crypto/x509v3/v3_lib.c rename to crypto/x509/x509_lib.c index 84e6c017..211d0adf 100644 --- a/crypto/x509v3/v3_lib.c +++ b/crypto/x509/x509_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_lib.c,v 1.19 2019/04/21 16:29:57 tb Exp $ */ +/* $OpenBSD: x509_lib.c,v 1.2 2020/09/14 11:35:32 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -168,7 +168,11 @@ X509V3_EXT_add_alias(int nid_to, int nid_from) *tmpext = *ext; tmpext->ext_nid = nid_to; tmpext->ext_flags |= X509V3_EXT_DYNAMIC; - return X509V3_EXT_add(tmpext); + if (!X509V3_EXT_add(tmpext)) { + free(tmpext); + return 0; + } + return 1; } void diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509/x509_ncons.c similarity index 99% rename from crypto/x509v3/v3_ncons.c rename to crypto/x509/x509_ncons.c index 4913135c..1621f986 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509/x509_ncons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_ncons.c,v 1.13 2017/07/20 19:45:08 tedu Exp $ */ +/* $OpenBSD: x509_ncons.c,v 1.4 2020/09/16 18:12:06 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -345,10 +345,8 @@ NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) if (r != X509_V_OK) return r; } - return X509_V_OK; } - static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509/x509_ocsp.c similarity index 99% rename from crypto/x509v3/v3_ocsp.c rename to crypto/x509/x509_ocsp.c index 8ebda2e7..59a2e972 100644 --- a/crypto/x509v3/v3_ocsp.c +++ b/crypto/x509/x509_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_ocsp.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_ocsp.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509/x509_pci.c similarity index 99% rename from crypto/x509v3/v3_pci.c rename to crypto/x509/x509_pci.c index 437b3aee..8997f0ce 100644 --- a/crypto/x509v3/v3_pci.c +++ b/crypto/x509/x509_pci.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pci.c,v 1.13 2017/05/02 04:11:08 deraadt Exp $ */ +/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Contributed to the OpenSSL Project 2004 * by Richard Levitte (richard@levitte.org) */ diff --git a/crypto/x509v3/v3_pcia.c b/crypto/x509/x509_pcia.c similarity index 98% rename from crypto/x509v3/v3_pcia.c rename to crypto/x509/x509_pcia.c index f9ec02c0..b639aa33 100644 --- a/crypto/x509v3/v3_pcia.c +++ b/crypto/x509/x509_pcia.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pcia.c,v 1.6 2015/07/25 16:00:14 jsing Exp $ */ +/* $OpenBSD: x509_pcia.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Contributed to the OpenSSL Project 2004 * by Richard Levitte (richard@levitte.org) */ diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509/x509_pcons.c similarity index 98% rename from crypto/x509v3/v3_pcons.c rename to crypto/x509/x509_pcons.c index 8c490a19..69bf4337 100644 --- a/crypto/x509v3/v3_pcons.c +++ b/crypto/x509/x509_pcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pcons.c,v 1.12 2019/04/22 17:29:13 tb Exp $ */ +/* $OpenBSD: x509_pcons.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ diff --git a/crypto/x509v3/v3_pku.c b/crypto/x509/x509_pku.c similarity index 98% rename from crypto/x509v3/v3_pku.c rename to crypto/x509/x509_pku.c index ce6b8a0c..9b82ad3d 100644 --- a/crypto/x509v3/v3_pku.c +++ b/crypto/x509/x509_pku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pku.c,v 1.14 2019/04/21 16:38:01 tb Exp $ */ +/* $OpenBSD: x509_pku.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_pmaps.c b/crypto/x509/x509_pmaps.c similarity index 99% rename from crypto/x509v3/v3_pmaps.c rename to crypto/x509/x509_pmaps.c index 37264649..352f85a0 100644 --- a/crypto/x509v3/v3_pmaps.c +++ b/crypto/x509/x509_pmaps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pmaps.c,v 1.13 2019/05/08 21:53:10 bcook Exp $ */ +/* $OpenBSD: x509_pmaps.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509/x509_prn.c similarity index 99% rename from crypto/x509v3/v3_prn.c rename to crypto/x509/x509_prn.c index f294c36b..5c15cc39 100644 --- a/crypto/x509v3/v3_prn.c +++ b/crypto/x509/x509_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_prn.c,v 1.20 2018/05/19 10:41:53 tb Exp $ */ +/* $OpenBSD: x509_prn.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509/x509_purp.c similarity index 93% rename from crypto/x509v3/v3_purp.c rename to crypto/x509/x509_purp.c index 0fdec224..c81e043f 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_purp.c,v 1.31 2018/05/18 18:30:03 tb Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.4 2021/03/19 18:52:14 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -73,7 +73,7 @@ #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) -static void x509v3_cache_extensions(X509 *x); +void x509v3_cache_extensions(X509 *x); static int check_ssl_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, @@ -132,6 +132,8 @@ X509_check_purpose(X509 *x, int id, int ca) CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); + if (x->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; } if (id == -1) return 1; @@ -421,12 +423,17 @@ setup_crldp(X509 *x) { int i; - x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); + x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL); + if (x->crldp == NULL && i != -1) { + x->ex_flags |= EXFLAG_INVALID; + return; + } + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } -static void +void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; @@ -449,7 +456,7 @@ x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ - if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { + if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { if (bs->ca) x->ex_flags |= EXFLAG_CA; if (bs->pathlen) { @@ -463,10 +470,12 @@ x509v3_cache_extensions(X509 *x) x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } /* Handle proxy certificates */ - if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { if (x->ex_flags & EXFLAG_CA || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { @@ -485,10 +494,12 @@ x509v3_cache_extensions(X509 *x) x->ex_pcpathlen = -1; PROXY_CERT_INFO_EXTENSION_free(pci); x->ex_flags |= EXFLAG_PROXY; + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } /* Handle key usage */ - if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { + if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { if (usage->length > 0) { x->ex_kusage = usage->data[0]; if (usage->length > 1) @@ -497,9 +508,12 @@ x509v3_cache_extensions(X509 *x) x->ex_kusage = 0; x->ex_flags |= EXFLAG_KUSAGE; ASN1_BIT_STRING_free(usage); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } + x->ex_xkusage = 0; - if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { + if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) { x->ex_flags |= EXFLAG_XKUSAGE; for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { @@ -538,19 +552,27 @@ x509v3_cache_extensions(X509 *x) } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } - if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { + if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) { if (ns->length > 0) x->ex_nscert = ns->data[0]; else x->ex_nscert = 0; x->ex_flags |= EXFLAG_NSCERT; ASN1_BIT_STRING_free(ns); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } - x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); - x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL); + if (x->skid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; + x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); + if (x->akid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; /* Does subject name match issuer? */ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { @@ -561,7 +583,9 @@ x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_SS; } - x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); + if (x->altname == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); if (!x->nc && (i != -1)) x->ex_flags |= EXFLAG_INVALID; @@ -626,6 +650,8 @@ X509_check_ca(X509 *x) CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); + if (x->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; } return check_ca(x); @@ -837,7 +863,11 @@ X509_check_issued(X509 *issuer, X509 *subject) X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); + if (issuer->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; x509v3_cache_extensions(subject); + if (subject->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; if (subject->akid) { int ret = X509_check_akid(issuer, subject->akid); diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509/x509_skey.c similarity index 98% rename from crypto/x509v3/v3_skey.c rename to crypto/x509/x509_skey.c index aec2d5b7..a9064273 100644 --- a/crypto/x509v3/v3_skey.c +++ b/crypto/x509/x509_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_skey.c,v 1.16 2018/05/19 10:37:02 tb Exp $ */ +/* $OpenBSD: x509_skey.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509/x509_sxnet.c similarity index 99% rename from crypto/x509v3/v3_sxnet.c rename to crypto/x509/x509_sxnet.c index 400bc263..e5e98bce 100644 --- a/crypto/x509v3/v3_sxnet.c +++ b/crypto/x509/x509_sxnet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_sxnet.c,v 1.22 2019/03/13 20:34:00 tb Exp $ */ +/* $OpenBSD: x509_sxnet.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509/x509_utl.c similarity index 99% rename from crypto/x509v3/v3_utl.c rename to crypto/x509/x509_utl.c index a051baae..0fa6ea6d 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509/x509_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_utl.c,v 1.37 2019/04/16 19:42:20 tb Exp $ */ +/* $OpenBSD: x509_utl.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -988,7 +988,8 @@ do_x509_check(X509 *x, const char *chk, size_t chklen, unsigned int flags, alt_type = V_ASN1_IA5STRING; equal = equal_email; } else if (check_type == GEN_DNS) { - cnid = NID_commonName; + if (!(flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) + cnid = NID_commonName; /* Implicit client-side DNS sub-domain pattern */ if (chklen > 1 && chk[0] == '.') flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS; diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c new file mode 100644 index 00000000..9c34e31e --- /dev/null +++ b/crypto/x509/x509_verify.c @@ -0,0 +1,1070 @@ +/* $OpenBSD: x509_verify.c,v 1.36 2021/03/13 23:01:49 tobhe Exp $ */ +/* + * Copyright (c) 2020-2021 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* x509_verify - inspired by golang's crypto/x509.Verify */ + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include "x509_internal.h" +#include "x509_issuer_cache.h" + +static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain); +static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain); +static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, + size_t depth, int error, int ok); +static void x509_verify_chain_free(struct x509_verify_chain *chain); + +#define X509_VERIFY_CERT_HASH (EVP_sha512()) + +struct x509_verify_chain * +x509_verify_chain_new(void) +{ + struct x509_verify_chain *chain; + + if ((chain = calloc(1, sizeof(*chain))) == NULL) + goto err; + if ((chain->certs = sk_X509_new_null()) == NULL) + goto err; + if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, + sizeof(int))) == NULL) + goto err; + if ((chain->names = + x509_constraints_names_new(X509_VERIFY_MAX_CHAIN_NAMES)) == NULL) + goto err; + + return chain; + err: + x509_verify_chain_free(chain); + return NULL; +} + +static void +x509_verify_chain_clear(struct x509_verify_chain *chain) +{ + sk_X509_pop_free(chain->certs, X509_free); + chain->certs = NULL; + free(chain->cert_errors); + chain->cert_errors = NULL; + x509_constraints_names_free(chain->names); + chain->names = NULL; +} + +static void +x509_verify_chain_free(struct x509_verify_chain *chain) +{ + if (chain == NULL) + return; + x509_verify_chain_clear(chain); + free(chain); +} + +static struct x509_verify_chain * +x509_verify_chain_dup(struct x509_verify_chain *chain) +{ + struct x509_verify_chain *new_chain; + + if ((new_chain = calloc(1, sizeof(*chain))) == NULL) + goto err; + if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) + goto err; + if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, + sizeof(int))) == NULL) + goto err; + memcpy(new_chain->cert_errors, chain->cert_errors, + X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int)); + if ((new_chain->names = + x509_constraints_names_dup(chain->names)) == NULL) + goto err; + return(new_chain); + err: + x509_verify_chain_free(new_chain); + return NULL; +} + +static int +x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, + int *error) +{ + int verify_err = X509_V_ERR_UNSPECIFIED; + size_t idx; + + if (!x509_constraints_extract_names(chain->names, cert, + sk_X509_num(chain->certs) == 0, &verify_err)) { + *error = verify_err; + return 0; + } + + X509_up_ref(cert); + if (!sk_X509_push(chain->certs, cert)) { + X509_free(cert); + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + + idx = sk_X509_num(chain->certs) - 1; + chain->cert_errors[idx] = *error; + + /* + * We've just added the issuer for the previous certificate, + * clear its error if appropriate. + */ + if (idx > 1 && chain->cert_errors[idx - 1] == + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + chain->cert_errors[idx - 1] = X509_V_OK; + + return 1; +} + +static X509 * +x509_verify_chain_last(struct x509_verify_chain *chain) +{ + int last; + + if (chain->certs == NULL) + return NULL; + if ((last = sk_X509_num(chain->certs) - 1) < 0) + return NULL; + return sk_X509_value(chain->certs, last); +} + +X509 * +x509_verify_chain_leaf(struct x509_verify_chain *chain) +{ + if (chain->certs == NULL) + return NULL; + return sk_X509_value(chain->certs, 0); +} + +static void +x509_verify_ctx_reset(struct x509_verify_ctx *ctx) +{ + size_t i; + + for (i = 0; i < ctx->chains_count; i++) + x509_verify_chain_free(ctx->chains[i]); + ctx->error = 0; + ctx->error_depth = 0; + ctx->chains_count = 0; + ctx->sig_checks = 0; + ctx->check_time = NULL; +} + +static void +x509_verify_ctx_clear(struct x509_verify_ctx *ctx) +{ + x509_verify_ctx_reset(ctx); + sk_X509_pop_free(ctx->intermediates, X509_free); + free(ctx->chains); + memset(ctx, 0, sizeof(*ctx)); +} + +static int +x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert) +{ + int i; + + for (i = 0; i < sk_X509_num(ctx->roots); i++) { + if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) + return 1; + } + return 0; +} + +static int +x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx, + struct x509_verify_chain *chain, int set_error, int is_trusted) +{ + size_t num_untrusted; + int i; + + if (ctx->xsc == NULL) + return 1; + + /* + * XXX last_untrusted is actually the number of untrusted certs at the + * bottom of the chain. This works now since we stop at the first + * trusted cert. This will need fixing once we allow more than one + * trusted certificate. + */ + num_untrusted = sk_X509_num(chain->certs); + if (is_trusted && num_untrusted > 0) + num_untrusted--; + ctx->xsc->last_untrusted = num_untrusted; + + sk_X509_pop_free(ctx->xsc->chain, X509_free); + ctx->xsc->chain = X509_chain_up_ref(chain->certs); + if (ctx->xsc->chain == NULL) + return x509_verify_cert_error(ctx, NULL, 0, + X509_V_ERR_OUT_OF_MEM, 0); + + if (set_error) { + ctx->xsc->error = X509_V_OK; + ctx->xsc->error_depth = 0; + for (i = 0; i < sk_X509_num(chain->certs); i++) { + if (chain->cert_errors[i] != X509_V_OK) { + ctx->xsc->error = chain->cert_errors[i]; + ctx->xsc->error_depth = i; + break; + } + } + } + + return 1; +} + +/* Add a validated chain to our list of valid chains */ +static int +x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, + struct x509_verify_chain *chain) +{ + size_t depth; + X509 *last = x509_verify_chain_last(chain); + + depth = sk_X509_num(chain->certs); + if (depth > 0) + depth--; + + if (ctx->chains_count >= ctx->max_chains) + return x509_verify_cert_error(ctx, last, depth, + X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); + + /* Clear a get issuer failure for a root certificate. */ + if (chain->cert_errors[depth] == + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + chain->cert_errors[depth] = X509_V_OK; + + /* + * If we have a legacy xsc, choose a validated chain, + * and apply the extensions, revocation, and policy checks + * just like the legacy code did. We do this here instead + * of as building the chains to more easily support the + * callback and the bewildering array of VERIFY_PARAM + * knobs that are there for the fiddling. + */ + if (ctx->xsc != NULL) { + /* These may be set in one of the following calls. */ + ctx->xsc->error = X509_V_OK; + ctx->xsc->error_depth = 0; + + if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1)) + return 0; + + /* + * XXX currently this duplicates some work done + * in chain build, but we keep it here until + * we have feature parity + */ + if (!x509_vfy_check_chain_extensions(ctx->xsc)) + return 0; + + if (!x509_constraints_chain(ctx->xsc->chain, + &ctx->xsc->error, &ctx->xsc->error_depth)) { + X509 *cert = sk_X509_value(ctx->xsc->chain, depth); + if (!x509_verify_cert_error(ctx, cert, + ctx->xsc->error_depth, ctx->xsc->error, 0)) + return 0; + } + + if (!x509_vfy_check_revocation(ctx->xsc)) + return 0; + + if (!x509_vfy_check_policy(ctx->xsc)) + return 0; + + /* + * The above checks may have set ctx->xsc->error and + * ctx->xsc->error_depth - save these for later on. + */ + if (ctx->xsc->error != X509_V_OK) { + if (ctx->xsc->error_depth < 0 || + ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS) + return 0; + chain->cert_errors[ctx->xsc->error_depth] = + ctx->xsc->error; + } + } + /* + * no xsc means we are being called from the non-legacy API, + * extensions and purpose are dealt with as the chain is built. + * + * The non-legacy api returns multiple chains but does not do + * any revocation checking (it must be done by the caller on + * any chain they wish to use) + */ + + if ((ctx->chains[ctx->chains_count] = x509_verify_chain_dup(chain)) == + NULL) { + return x509_verify_cert_error(ctx, last, depth, + X509_V_ERR_OUT_OF_MEM, 0); + } + ctx->chains_count++; + ctx->error = X509_V_OK; + ctx->error_depth = depth; + return 1; +} + +static int +x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent, + X509 *child) +{ + if (ctx->xsc != NULL) + return (ctx->xsc->check_issued(ctx->xsc, child, parent)); + + /* XXX key usage */ + return X509_check_issued(child, parent) != X509_V_OK; +} + +static int +x509_verify_parent_signature(X509 *parent, X509 *child, + unsigned char *child_md, int *error) +{ + unsigned char parent_md[EVP_MAX_MD_SIZE] = { 0 }; + EVP_PKEY *pkey; + int cached; + int ret = 0; + + /* Use cached value if we have it */ + if (child_md != NULL) { + if (!X509_digest(parent, X509_VERIFY_CERT_HASH, parent_md, + NULL)) + return 0; + if ((cached = x509_issuer_cache_find(parent_md, child_md)) >= 0) + return cached; + } + + /* Check signature. Did parent sign child? */ + if ((pkey = X509_get_pubkey(parent)) == NULL) { + *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + return 0; + } + if (X509_verify(child, pkey) <= 0) + *error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + else + ret = 1; + + /* Add result to cache */ + if (child_md != NULL) + x509_issuer_cache_add(parent_md, child_md, ret); + + EVP_PKEY_free(pkey); + + return ret; +} + +static int +x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, + unsigned char *cert_md, int is_root_cert, X509 *candidate, + struct x509_verify_chain *current_chain) +{ + int depth = sk_X509_num(current_chain->certs); + struct x509_verify_chain *new_chain; + int i; + + /* Fail if the certificate is already in the chain */ + for (i = 0; i < sk_X509_num(current_chain->certs); i++) { + if (X509_cmp(sk_X509_value(current_chain->certs, i), + candidate) == 0) { + if (is_root_cert) { + /* + * Someone made a boo-boo and put their root + * in with their intermediates - handle this + * gracefully as we'll have already picked + * this up as a shorter chain. + */ + ctx->dump_chain = 1; + } + return 0; + } + } + + if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) { + /* don't allow callback to override safety check */ + (void) x509_verify_cert_error(ctx, candidate, depth, + X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); + return 0; + } + + if (!x509_verify_parent_signature(candidate, cert, cert_md, + &ctx->error)) { + if (!x509_verify_cert_error(ctx, candidate, depth, + ctx->error, 0)) + return 0; + } + + if (!x509_verify_cert_valid(ctx, candidate, current_chain)) + return 0; + + /* candidate is good, add it to a copy of the current chain */ + if ((new_chain = x509_verify_chain_dup(current_chain)) == NULL) { + x509_verify_cert_error(ctx, candidate, depth, + X509_V_ERR_OUT_OF_MEM, 0); + return 0; + } + if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) { + x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0); + x509_verify_chain_free(new_chain); + return 0; + } + + /* + * If candidate is a trusted root, we have a validated chain, + * so we save it. Otherwise, recurse until we find a root or + * give up. + */ + if (is_root_cert) { + if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0, 1)) { + x509_verify_chain_free(new_chain); + return 0; + } + if (x509_verify_cert_error(ctx, candidate, depth, X509_V_OK, 1)) { + (void) x509_verify_ctx_add_chain(ctx, new_chain); + goto done; + } + } + + x509_verify_build_chains(ctx, candidate, new_chain); + + done: + x509_verify_chain_free(new_chain); + return 1; +} + +static int +x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, + int error, int ok) +{ + ctx->error = error; + ctx->error_depth = depth; + if (ctx->xsc != NULL) { + ctx->xsc->error = error; + ctx->xsc->error_depth = depth; + ctx->xsc->current_cert = cert; + return ctx->xsc->verify_cb(ok, ctx->xsc); + } + return ok; +} + +static void +x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain) +{ + unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; + X509 *candidate; + int i, depth, count, ret; + + /* + * If we are finding chains with an xsc, just stop after we have + * one chain, there's no point in finding more, it just exercises + * the potentially buggy callback processing in the calling software. + */ + if (ctx->xsc != NULL && ctx->chains_count > 0) + return; + + depth = sk_X509_num(current_chain->certs); + if (depth > 0) + depth--; + + if (depth >= ctx->max_depth && + !x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_CERT_CHAIN_TOO_LONG, 0)) + return; + + if (!X509_digest(cert, X509_VERIFY_CERT_HASH, cert_md, NULL) && + !x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_UNSPECIFIED, 0)) + return; + + count = ctx->chains_count; + ctx->dump_chain = 0; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + ctx->error_depth = depth; + if (ctx->xsc != NULL) { + /* + * Long ago experiments at Muppet labs resulted in a + * situation where software not only sees these errors + * but forced developers to expect them in certain cases. + * so we must mimic this awfulness for the legacy case. + */ + if (cert->ex_flags & EXFLAG_SS) + ctx->error = (depth == 0) ? + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + } + + /* Check to see if we have a trusted root issuer. */ + for (i = 0; i < sk_X509_num(ctx->roots); i++) { + candidate = sk_X509_value(ctx->roots, i); + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 1, candidate, current_chain); + } + } + /* Check for legacy mode roots */ + if (ctx->xsc != NULL) { + if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { + x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_STORE_LOOKUP, 0); + return; + } + if (ret > 0) { + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 1, candidate, current_chain); + } + X509_free(candidate); + } + } + + /* Check intermediates after checking roots */ + if (ctx->intermediates != NULL) { + for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { + candidate = sk_X509_value(ctx->intermediates, i); + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 0, candidate, current_chain); + } + } + } + + if (ctx->chains_count > count) { + if (ctx->xsc != NULL) { + ctx->xsc->error = X509_V_OK; + ctx->xsc->error_depth = depth; + ctx->xsc->current_cert = cert; + (void) ctx->xsc->verify_cb(1, ctx->xsc); + } + } else if (ctx->error_depth == depth && !ctx->dump_chain) { + if (depth == 0 && + ctx->error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0)) + return; + (void) x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0); + } +} + +static int +x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name) +{ + char *candidate; + size_t len; + + if (name == NULL) { + if (ctx->xsc != NULL) { + int ret; + + if ((ret = x509_vfy_check_id(ctx->xsc)) == 0) + ctx->error = ctx->xsc->error; + return ret; + } + return 1; + } + if ((candidate = strdup(name)) == NULL) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((len = strlen(candidate)) < 1) { + ctx->error = X509_V_ERR_UNSPECIFIED; /* XXX */ + goto err; + } + + /* IP addresses may be written in [ ]. */ + if (candidate[0] == '[' && candidate[len - 1] == ']') { + candidate[len - 1] = '\0'; + if (X509_check_ip_asc(cert, candidate + 1, 0) <= 0) { + ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; + goto err; + } + } else { + int flags = 0; + + if (ctx->xsc == NULL) + flags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + + if (X509_check_host(cert, candidate, len, flags, NULL) <= 0) { + ctx->error = X509_V_ERR_HOSTNAME_MISMATCH; + goto err; + } + } + free(candidate); + return 1; + err: + free(candidate); + return x509_verify_cert_error(ctx, cert, 0, ctx->error, 0); +} + +static int +x509_verify_set_check_time(struct x509_verify_ctx *ctx) { + if (ctx->xsc != NULL) { + if (ctx->xsc->param->flags & X509_V_FLAG_USE_CHECK_TIME) { + ctx->check_time = &ctx->xsc->param->check_time; + return 1; + } + if (ctx->xsc->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return 0; + } + + ctx->check_time = NULL; + return 1; +} + +int +x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter) +{ + int type; + + type = ASN1_time_parse(atime->data, atime->length, tm, atime->type); + if (type == -1) + return 0; + + /* RFC 5280 section 4.1.2.5 */ + if (tm->tm_year < 150 && type != V_ASN1_UTCTIME) + return 0; + if (tm->tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) + return 0; + + if (notafter) { + /* + * If we are a completely broken operating system with a + * 32 bit time_t, and we have been told this is a notafter + * date, limit the date to a 32 bit representable value. + */ + if (!ASN1_time_tm_clamp_notafter(tm)) + return 0; + } + + /* + * Defensively fail if the time string is not representable as + * a time_t. A time_t must be sane if you care about times after + * Jan 19 2038. + */ + if (timegm(tm) == -1) + return 0; + + return 1; +} + +static int +x509_verify_cert_time(int is_notafter, const ASN1_TIME *cert_asn1, + time_t *cmp_time, int *error) +{ + struct tm cert_tm, when_tm; + time_t when; + + if (cmp_time == NULL) + when = time(NULL); + else + when = *cmp_time; + + if (!x509_verify_asn1_time_to_tm(cert_asn1, &cert_tm, + is_notafter)) { + *error = is_notafter ? + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + return 0; + } + + if (gmtime_r(&when, &when_tm) == NULL) { + *error = X509_V_ERR_UNSPECIFIED; + return 0; + } + + if (is_notafter) { + if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == -1) { + *error = X509_V_ERR_CERT_HAS_EXPIRED; + return 0; + } + } else { + if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == 1) { + *error = X509_V_ERR_CERT_NOT_YET_VALID; + return 0; + } + } + + return 1; +} + +static int +x509_verify_validate_constraints(X509 *cert, + struct x509_verify_chain *current_chain, int *error) +{ + struct x509_constraints_names *excluded = NULL; + struct x509_constraints_names *permitted = NULL; + int err = X509_V_ERR_UNSPECIFIED; + + if (current_chain == NULL) + return 1; + + if (cert->nc != NULL) { + if ((permitted = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { + err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((excluded = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { + err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_extract_constraints(cert, + permitted, excluded, &err)) + goto err; + if (!x509_constraints_check(current_chain->names, + permitted, excluded, &err)) + goto err; + x509_constraints_names_free(excluded); + x509_constraints_names_free(permitted); + } + + return 1; + err: + *error = err; + x509_constraints_names_free(excluded); + x509_constraints_names_free(permitted); + return 0; +} + +static int +x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca) +{ + if (!(cert->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(cert); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + if (cert->ex_flags & EXFLAG_INVALID) { + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } + } + + if (ctx->xsc != NULL) + return 1; /* legacy is checked after chain is built */ + + if (cert->ex_flags & EXFLAG_CRITICAL) { + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; + return 0; + } + /* No we don't care about v1, netscape, and other ancient silliness */ + if (need_ca && (!(cert->ex_flags & EXFLAG_BCONS) && + (cert->ex_flags & EXFLAG_CA))) { + ctx->error = X509_V_ERR_INVALID_CA; + return 0; + } + if (ctx->purpose > 0 && X509_check_purpose(cert, ctx->purpose, need_ca)) { + ctx->error = X509_V_ERR_INVALID_PURPOSE; + return 0; + } + + /* XXX support proxy certs later in new api */ + if (ctx->xsc == NULL && cert->ex_flags & EXFLAG_PROXY) { + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; + return 0; + } + + return 1; +} + +/* Validate that cert is a possible candidate to append to current_chain */ +static int +x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain) +{ + X509 *issuer_candidate; + int should_be_ca = current_chain != NULL; + size_t depth = 0; + + if (current_chain != NULL) + depth = sk_X509_num(current_chain->certs); + + if (!x509_verify_cert_extensions(ctx, cert, should_be_ca)) + return 0; + + if (should_be_ca) { + issuer_candidate = x509_verify_chain_last(current_chain); + if (issuer_candidate != NULL && + !X509_check_issued(issuer_candidate, cert)) + if (!x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_SUBJECT_ISSUER_MISMATCH, 0)) + return 0; + } + + if (x509_verify_set_check_time(ctx)) { + if (!x509_verify_cert_time(0, X509_get_notBefore(cert), + ctx->check_time, &ctx->error)) { + if (!x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0)) + return 0; + } + + if (!x509_verify_cert_time(1, X509_get_notAfter(cert), + ctx->check_time, &ctx->error)) { + if (!x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0)) + return 0; + } + } + + if (!x509_verify_validate_constraints(cert, current_chain, + &ctx->error) && !x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0)) + return 0; + + return 1; +} + +struct x509_verify_ctx * +x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) +{ + struct x509_verify_ctx *ctx; + size_t max_depth; + + if (xsc == NULL) + return NULL; + + if ((ctx = x509_verify_ctx_new(roots)) == NULL) + return NULL; + + ctx->xsc = xsc; + + if (xsc->untrusted && + (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL) + goto err; + + max_depth = X509_VERIFY_MAX_CHAIN_CERTS; + if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS) + max_depth = xsc->param->depth; + if (!x509_verify_ctx_set_max_depth(ctx, max_depth)) + goto err; + + return ctx; + err: + x509_verify_ctx_free(ctx); + return NULL; +} + +/* Public API */ + +struct x509_verify_ctx * +x509_verify_ctx_new(STACK_OF(X509) *roots) +{ + struct x509_verify_ctx *ctx; + + if (roots == NULL) + return NULL; + + if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) + return NULL; + + if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) + goto err; + + ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; + ctx->max_chains = X509_VERIFY_MAX_CHAINS; + ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS; + + if ((ctx->chains = calloc(X509_VERIFY_MAX_CHAINS, + sizeof(*ctx->chains))) == NULL) + goto err; + + return ctx; + err: + x509_verify_ctx_free(ctx); + return NULL; +} + +void +x509_verify_ctx_free(struct x509_verify_ctx *ctx) +{ + if (ctx == NULL) + return; + sk_X509_pop_free(ctx->roots, X509_free); + x509_verify_ctx_clear(ctx); + free(ctx); +} + +int +x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max) +{ + if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS) + return 0; + ctx->max_depth = max; + return 1; +} + +int +x509_verify_ctx_set_max_chains(struct x509_verify_ctx *ctx, size_t max) +{ + if (max < 1 || max > X509_VERIFY_MAX_CHAINS) + return 0; + ctx->max_chains = max; + return 1; +} + +int +x509_verify_ctx_set_max_signatures(struct x509_verify_ctx *ctx, size_t max) +{ + if (max < 1 || max > 100000) + return 0; + ctx->max_sigs = max; + return 1; +} + +int +x509_verify_ctx_set_purpose(struct x509_verify_ctx *ctx, int purpose) +{ + if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX) + return 0; + ctx->purpose = purpose; + return 1; +} + +int +x509_verify_ctx_set_intermediates(struct x509_verify_ctx *ctx, + STACK_OF(X509) *intermediates) +{ + if ((ctx->intermediates = X509_chain_up_ref(intermediates)) == NULL) + return 0; + return 1; +} + +const char * +x509_verify_ctx_error_string(struct x509_verify_ctx *ctx) +{ + return X509_verify_cert_error_string(ctx->error); +} + +size_t +x509_verify_ctx_error_depth(struct x509_verify_ctx *ctx) +{ + return ctx->error_depth; +} + +STACK_OF(X509) * +x509_verify_ctx_chain(struct x509_verify_ctx *ctx, size_t i) +{ + if (i >= ctx->chains_count) + return NULL; + return ctx->chains[i]->certs; +} + +size_t +x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) +{ + struct x509_verify_chain *current_chain; + + if (ctx->roots == NULL || ctx->max_depth == 0) { + ctx->error = X509_V_ERR_INVALID_CALL; + goto err; + } + + if (ctx->xsc != NULL) { + if (leaf != NULL || name != NULL) { + ctx->error = X509_V_ERR_INVALID_CALL; + goto err; + } + leaf = ctx->xsc->cert; + + /* + * XXX + * The legacy code expects the top level cert to be + * there, even if we didn't find a chain. So put it + * there, we will clobber it later if we find a valid + * chain. + */ + if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!X509_up_ref(leaf)) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!sk_X509_push(ctx->xsc->chain, leaf)) { + X509_free(leaf); + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + ctx->xsc->error_depth = 0; + ctx->xsc->current_cert = leaf; + } + + if (!x509_verify_cert_valid(ctx, leaf, NULL)) + goto err; + + if (!x509_verify_cert_hostname(ctx, leaf, name)) + goto err; + + if ((current_chain = x509_verify_chain_new()) == NULL) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) { + x509_verify_chain_free(current_chain); + goto err; + } + if (x509_verify_ctx_cert_is_root(ctx, leaf)) + x509_verify_ctx_add_chain(ctx, current_chain); + else + x509_verify_build_chains(ctx, leaf, current_chain); + + x509_verify_chain_free(current_chain); + + /* + * Safety net: + * We could not find a validated chain, and for some reason do not + * have an error set. + */ + if (ctx->chains_count == 0 && ctx->error == X509_V_OK) { + ctx->error = X509_V_ERR_UNSPECIFIED; + if (ctx->xsc != NULL && ctx->xsc->error != X509_V_OK) + ctx->error = ctx->xsc->error; + } + + /* Clear whatever errors happened if we have any validated chain */ + if (ctx->chains_count > 0) + ctx->error = X509_V_OK; + + if (ctx->xsc != NULL) { + ctx->xsc->error = ctx->error; + if (ctx->chains_count > 0) { + /* Take the first chain we found. */ + if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], + 1, 1)) + goto err; + } + return ctx->xsc->verify_cb(ctx->chains_count > 0, ctx->xsc); + } + return (ctx->chains_count); + + err: + if (ctx->error == X509_V_OK) + ctx->error = X509_V_ERR_UNSPECIFIED; + if (ctx->xsc != NULL) + ctx->xsc->error = ctx->error; + return 0; +} diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ea35ce79..9577040d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.72 2019/03/06 05:06:58 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -75,7 +75,9 @@ #include #include "asn1_locl.h" #include "vpm_int.h" +#include "x509_internal.h" #include "x509_lcl.h" +#include "x509_internal.h" /* CRL score values */ @@ -117,12 +119,13 @@ static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); -static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, + int allow_expired); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); -static int check_cert(X509_STORE_CTX *ctx); +static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth); static int check_policy(X509_STORE_CTX *ctx); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, @@ -142,6 +145,7 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafter); static int internal_verify(X509_STORE_CTX *ctx); +static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); int ASN1_time_tm_clamp_notafter(struct tm *tm); @@ -222,49 +226,31 @@ check_id(X509_STORE_CTX *ctx) } int -X509_verify_cert(X509_STORE_CTX *ctx) +x509_vfy_check_id(X509_STORE_CTX *ctx) { + return check_id(ctx); +} + +/* + * This is the effectively broken legacy OpenSSL chain builder. It + * might find an unvalidated chain and leave it sitting in + * ctx->chain. It does not correctly handle many cases where multiple + * chains could exist. + * + * Oh no.. I know a dirty word... + * Oooooooh.. + */ +static int +X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok) { X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; - int depth, i, ok = 0; + int ok = 0, ret = 0; + int depth, i; int num, j, retry, trust; int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; - if (ctx->cert == NULL) { - X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - if (ctx->chain != NULL) { - /* - * This X509_STORE_CTX has already been used to verify - * a cert. We cannot do another one. - */ - X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - if (ctx->param->id->poisoned) { - /* - * This X509_STORE_CTX had failures setting - * up verify parameters. We can not use it. - */ - X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - if (ctx->error != X509_V_ERR_INVALID_CALL) { - /* - * This X509_STORE_CTX has not been properly initialized. - */ - X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - ctx->error = X509_V_OK; /* Initialize to OK */ - cb = ctx->verify_cb; /* @@ -324,7 +310,25 @@ X509_verify_cert(X509_STORE_CTX *ctx) } /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { - xtmp = find_issuer(ctx, sktmp, x); + /* + * If we do not find a non-expired untrusted cert, peek + * ahead and see if we can satisify this from the trusted + * store. If not, see if we have an expired untrusted cert. + */ + xtmp = find_issuer(ctx, sktmp, x, 0); + if (xtmp == NULL && + !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto end; + } + if (ok > 0) { + X509_free(xtmp); + break; + } + xtmp = find_issuer(ctx, sktmp, x, 1); + } if (xtmp != NULL) { if (!sk_X509_push(ctx->chain, xtmp)) { X509error(ERR_R_MALLOC_FAILURE); @@ -515,6 +519,26 @@ X509_verify_cert(X509_STORE_CTX *ctx) goto end; } + ret = 1; + end: + sk_X509_free(sktmp); + X509_free(chain_ss); + *bad = bad_chain; + *out_ok = ok; + + return ret; +} + +static int +X509_verify_cert_legacy(X509_STORE_CTX *ctx) +{ + int ok = 0, bad_chain; + + ctx->error = X509_V_OK; /* Initialize to OK */ + + if (!X509_verify_cert_legacy_build_chain(ctx, &bad_chain, &ok)) + goto end; + /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); if (!ok) @@ -528,6 +552,7 @@ X509_verify_cert(X509_STORE_CTX *ctx) ok = check_id(ctx); if (!ok) goto end; + /* * Check revocation status: we do this after copying parameters because * they may be needed for CRL signature verification. @@ -549,20 +574,131 @@ X509_verify_cert(X509_STORE_CTX *ctx) ok = ctx->check_policy(ctx); end: - sk_X509_free(sktmp); - X509_free(chain_ss); - /* Safety net, error returns must set ctx->error */ if (ok <= 0 && ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; + return ok; } +int +X509_verify_cert(X509_STORE_CTX *ctx) +{ + STACK_OF(X509) *roots = NULL; + struct x509_verify_ctx *vctx = NULL; + int chain_count = 0; + + if (ctx->cert == NULL) { + X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + if (ctx->chain != NULL) { + /* + * This X509_STORE_CTX has already been used to verify + * a cert. We cannot do another one. + */ + X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + if (ctx->param->id->poisoned) { + /* + * This X509_STORE_CTX had failures setting + * up verify parameters. We can not use it. + */ + X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + if (ctx->error != X509_V_ERR_INVALID_CALL) { + /* + * This X509_STORE_CTX has not been properly initialized. + */ + X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + + /* + * If flags request legacy, use the legacy verifier. If we + * requested "no alt chains" from the age of hammer pants, use + * the legacy verifier because the multi chain verifier really + * does find all the "alt chains". + * + * XXX deprecate the NO_ALT_CHAINS flag? + */ + if ((ctx->param->flags & X509_V_FLAG_LEGACY_VERIFY) || + (ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) + return X509_verify_cert_legacy(ctx); + + /* Use the modern multi-chain verifier from x509_verify_cert */ + + /* Find our trusted roots */ + ctx->error = X509_V_ERR_OUT_OF_MEM; + + if (ctx->get_issuer == get_issuer_sk) { + /* + * We are using the trusted stack method. so + * the roots are in the aptly named "ctx->other_ctx" + * pointer. (It could have been called "al") + */ + if ((roots = X509_chain_up_ref(ctx->other_ctx)) == NULL) + return -1; + } else { + /* + * We have a X509_STORE and need to pull out the roots. + * Don't look Ethel... + */ + STACK_OF(X509_OBJECT) *objs; + size_t i, good = 1; + + if ((roots = sk_X509_new_null()) == NULL) + return -1; + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + if ((objs = X509_STORE_get0_objects(ctx->ctx)) == NULL) + good = 0; + for (i = 0; good && i < sk_X509_OBJECT_num(objs); i++) { + X509_OBJECT *obj; + X509 *root; + obj = sk_X509_OBJECT_value(objs, i); + if (obj->type != X509_LU_X509) + continue; + root = obj->data.x509; + if (X509_up_ref(root) == 0) + good = 0; + if (sk_X509_push(roots, root) == 0) { + X509_free(root); + good = 0; + } + } + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + + if (!good) { + sk_X509_pop_free(roots, X509_free); + return -1; + } + } + + if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) { + ctx->error = X509_V_OK; /* Initialize to OK */ + chain_count = x509_verify(vctx, NULL, NULL); + } + x509_verify_ctx_free(vctx); + + sk_X509_pop_free(roots, X509_free); + + /* if we succeed we have a chain in ctx->chain */ + return (chain_count > 0 && ctx->chain != NULL); +} + /* Given a STACK_OF(X509) find the issuer of cert (if any) */ static X509 * -find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) +find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, + int allow_expired) { int i; X509 *issuer, *rv = NULL; @@ -570,9 +706,10 @@ find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) { - rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; + if (x509_check_cert_time(ctx, issuer, -1)) + return issuer; + if (allow_expired) + rv = issuer; } } return rv; @@ -603,7 +740,7 @@ check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { - *issuer = find_issuer(ctx, ctx->other_ctx, x); + *issuer = find_issuer(ctx, ctx->other_ctx, x, 1); if (*issuer) { CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; @@ -615,8 +752,8 @@ get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) * with the supplied purpose */ -static int -check_chain_extensions(X509_STORE_CTX *ctx) +int +x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; @@ -758,43 +895,27 @@ check_chain_extensions(X509_STORE_CTX *ctx) #endif } +static int +check_chain_extensions(X509_STORE_CTX *ctx) { + return x509_vfy_check_chain_extensions(ctx); +} + static int check_name_constraints(X509_STORE_CTX *ctx) { - X509 *x; - int i, j, rv; - - /* Check name constraints for all certificates */ - for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { - x = sk_X509_value(ctx->chain, i); - /* Ignore self issued certs unless last in chain */ - if (i && (x->ex_flags & EXFLAG_SI)) - continue; - /* Check against constraints for all certificates higher in - * chain including trust anchor. Trust anchor not strictly - * speaking needed but if it includes constraints it is to be - * assumed it expects them to be obeyed. - */ - for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { - NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) { - rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) { - ctx->error = rv; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - } - } + if (!x509_constraints_chain(ctx->chain, &ctx->error, + &ctx->error_depth)) { + ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); + if (!ctx->verify_cb(0, ctx)) + return 0; } return 1; } /* Given a certificate try and find an exact match in the store */ -static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) +static X509 * +lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) { STACK_OF(X509) *certs; X509 *xtmp = NULL; @@ -821,7 +942,8 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) return xtmp; } -static int check_trust(X509_STORE_CTX *ctx) +static int +check_trust(X509_STORE_CTX *ctx) { size_t i; int ok; @@ -875,6 +997,12 @@ static int check_trust(X509_STORE_CTX *ctx) return X509_TRUST_UNTRUSTED; } +int +x509_vfy_check_trust(X509_STORE_CTX *ctx) +{ + return check_trust(ctx); +} + static int check_revocation(X509_STORE_CTX *ctx) { @@ -891,24 +1019,29 @@ check_revocation(X509_STORE_CTX *ctx) last = 0; } for (i = 0; i <= last; i++) { - ctx->error_depth = i; - ok = check_cert(ctx); + ok = check_cert(ctx, ctx->chain, i); if (!ok) return ok; } return 1; } +int +x509_vfy_check_revocation(X509_STORE_CTX *ctx) +{ + return check_revocation(ctx); +} + static int -check_cert(X509_STORE_CTX *ctx) +check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth) { X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok = 0, cnum; unsigned int last_reasons; - cnum = ctx->error_depth; - x = sk_X509_value(ctx->chain, cnum); + cnum = ctx->error_depth = depth; + x = sk_X509_value(chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; ctx->current_crl_score = 0; @@ -1538,9 +1671,10 @@ check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if (ctx->current_issuer) { issuer = ctx->current_issuer; } else if (cnum < chnum) { - /* Else find CRL issuer: if not last certificate then issuer - * is next certificate in chain. - */ + /* + * Else find CRL issuer: if not last certificate then issuer + * is next certificate in chain. + */ issuer = sk_X509_value(ctx->chain, cnum + 1); } else { issuer = sk_X509_value(ctx->chain, chnum); @@ -1660,13 +1794,18 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } -static int -check_policy(X509_STORE_CTX *ctx) +int +x509_vfy_check_policy(X509_STORE_CTX *ctx) { int ret; if (ctx->parent) return 1; + + /* X509_policy_check always allocates a new tree. */ + X509_policy_tree_free(ctx->tree); + ctx->tree = NULL; + ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); if (ret == 0) { @@ -1707,6 +1846,12 @@ check_policy(X509_STORE_CTX *ctx) return 1; } +static int +check_policy(X509_STORE_CTX *ctx) +{ + return x509_vfy_check_policy(ctx); +} + /* * Inform the verify callback of an error. * @@ -1756,7 +1901,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) return 0; if (i > 0 && !verify_cb_cert(ctx, x, depth, - X509_V_ERR_CERT_NOT_YET_VALID)) + X509_V_ERR_CERT_NOT_YET_VALID)) return 0; i = X509_cmp_time_internal(X509_get_notAfter(x), ptime, 1); @@ -1808,16 +1953,16 @@ internal_verify(X509_STORE_CTX *ctx) * certificate and its depth (rather than the depth of * the subject). */ - if (xs != xi || (ctx->param->flags & - X509_V_FLAG_CHECK_SS_SIGNATURE)) { + if (xs != xi || + (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { EVP_PKEY *pkey; if ((pkey = X509_get_pubkey(xi)) == NULL) { if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) return 0; } else if (X509_verify(xs, pkey) <= 0) { if (!verify_cb_cert(ctx, xs, n, - X509_V_ERR_CERT_SIGNATURE_FAILURE)) { + X509_V_ERR_CERT_SIGNATURE_FAILURE)) { EVP_PKEY_free(pkey); return 0; } @@ -1869,43 +2014,21 @@ X509_cmp_current_time(const ASN1_TIME *ctm) static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafter) { - time_t time1, time2; + time_t compare; struct tm tm1, tm2; int ret = 0; - int type; if (cmp_time == NULL) - time2 = time(NULL); + compare = time(NULL); else - time2 = *cmp_time; + compare = *cmp_time; memset(&tm1, 0, sizeof(tm1)); - type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type); - if (type == -1) + if (!x509_verify_asn1_time_to_tm(ctm, &tm1, clamp_notafter)) goto out; /* invalid time */ - /* RFC 5280 section 4.1.2.5 */ - if (tm1.tm_year < 150 && type != V_ASN1_UTCTIME) - goto out; - if (tm1.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) - goto out; - - if (clamp_notafter) { - /* Allow for completely broken operating systems. */ - if (!ASN1_time_tm_clamp_notafter(&tm1)) - goto out; - } - - /* - * Defensively fail if the time string is not representable as - * a time_t. A time_t must be sane if you care about times after - * Jan 19 2038. - */ - if ((time1 = timegm(&tm1)) == -1) - goto out; - - if (gmtime_r(&time2, &tm2) == NULL) + if (gmtime_r(&compare, &tm2) == NULL) goto out; ret = ASN1_time_tm_cmp(&tm1, &tm2); diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index baebcf7b..2907448d 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.18 2018/04/06 07:08:20 beck Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.25 2021/04/15 14:15:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -172,12 +172,13 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param) X509_VERIFY_PARAM_ID *paramid; if (!param) return; + free(param->name); param->name = NULL; param->purpose = 0; param->trust = 0; /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/ param->inh_flags = 0; - param->flags = 0; + param->flags = X509_V_FLAG_LEGACY_VERIFY; param->depth = -1; if (param->policies) { sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); @@ -207,7 +208,7 @@ X509_VERIFY_PARAM_new(void) param = calloc(1, sizeof(X509_VERIFY_PARAM)); if (param == NULL) return NULL; - paramid = calloc (1, sizeof(X509_VERIFY_PARAM_ID)); + paramid = calloc(1, sizeof(X509_VERIFY_PARAM_ID)); if (paramid == NULL) { free(param); return NULL; @@ -227,7 +228,8 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) free(param); } -/* This function determines how parameters are "inherited" from one structure +/* + * This function determines how parameters are "inherited" from one structure * to another. There are several different ways this can happen. * * 1. If a child structure needs to have its values initialized from a parent @@ -673,8 +675,8 @@ X509_VERIFY_PARAM_get_count(void) return num; } -const -X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_get0(int id) { int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM); if (id < num) @@ -682,8 +684,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) return sk_X509_VERIFY_PARAM_value(param_table, id - num); } -const -X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_lookup(const char *name) { X509_VERIFY_PARAM pm; unsigned int i, limit; diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c deleted file mode 100644 index a49632a0..00000000 --- a/crypto/x509v3/v3err.c +++ /dev/null @@ -1,226 +0,0 @@ -/* $OpenBSD: v3err.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - -#include - -#include - -#include -#include - -/* BEGIN ERROR CODES */ -#ifndef OPENSSL_NO_ERR - -#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0) -#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason) - -static ERR_STRING_DATA X509V3_str_functs[] = { - {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"}, - {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"}, - {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"}, - {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, - {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, - {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"}, - {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"}, - {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"}, - {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"}, - {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"}, - {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"}, - {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"}, - {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"}, - {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"}, - {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"}, - {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"}, - {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"}, - {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"}, - {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"}, - {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"}, - {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, - {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"}, - {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"}, - {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, - {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"}, - {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, - {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, - {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, - {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, - {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"}, - {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"}, - {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"}, - {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, - {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"}, - {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"}, - {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, - {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"}, - {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"}, - {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"}, - {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"}, - {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"}, - {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"}, - {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"}, - {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, - {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"}, - {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"}, - {ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"}, - {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"}, - {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, - {ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, - {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, - {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"}, - {0, NULL} -}; - -static ERR_STRING_DATA X509V3_str_reasons[] = { - {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"}, - {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"}, - {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"}, - {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"}, - {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"}, - {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"}, - {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"}, - {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"}, - {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"}, - {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"}, - {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"}, - {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"}, - {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"}, - {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"}, - {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"}, - {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"}, - {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"}, - {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"}, - {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"}, - {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"}, - {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"}, - {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"}, - {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"}, - {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"}, - {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"}, - {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"}, - {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"}, - {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"}, - {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"}, - {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"}, - {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"}, - {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"}, - {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"}, - {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"}, - {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"}, - {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"}, - {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"}, - {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"}, - {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"}, - {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"}, - {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"}, - {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"}, - {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"}, - {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"}, - {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"}, - {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"}, - {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"}, - {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"}, - {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"}, - {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"}, - {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"}, - {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"}, - {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"}, - {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"}, - {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"}, - {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"}, - {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"}, - {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"}, - {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"}, - {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"}, - {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"}, - {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"}, - {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"}, - {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"}, - {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"}, - {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"}, - {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"}, - {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"}, - {0, NULL} -}; - -#endif - -void -ERR_load_X509V3_strings(void) -{ -#ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) { - ERR_load_strings(0, X509V3_str_functs); - ERR_load_strings(0, X509V3_str_reasons); - } -#endif -} diff --git a/depcomp b/depcomp index 65cbf709..6b391623 100644 --- a/depcomp +++ b/depcomp @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/include/Makefile.am b/include/Makefile.am index 6d808cc9..4184cf88 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -32,12 +32,15 @@ noinst_HEADERS += compat/netinet/in.h noinst_HEADERS += compat/netinet/ip.h noinst_HEADERS += compat/netinet/tcp.h +noinst_HEADERS += compat/sys/_null.h noinst_HEADERS += compat/sys/ioctl.h noinst_HEADERS += compat/sys/mman.h noinst_HEADERS += compat/sys/param.h +noinst_HEADERS += compat/sys/queue.h noinst_HEADERS += compat/sys/select.h noinst_HEADERS += compat/sys/socket.h noinst_HEADERS += compat/sys/stat.h +noinst_HEADERS += compat/sys/tree.h noinst_HEADERS += compat/sys/time.h noinst_HEADERS += compat/sys/types.h noinst_HEADERS += compat/sys/uio.h diff --git a/include/Makefile.in b/include/Makefile.in index 5ae873c1..c13e3f8e 100644 --- a/include/Makefile.in +++ b/include/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -90,7 +90,9 @@ build_triplet = @build@ host_triplet = @host@ subdir = include ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -331,6 +333,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -353,8 +356,9 @@ noinst_HEADERS = pqueue.h compat/dirent.h compat/dirent_msvc.h \ compat/win32netcompat.h compat/arpa/inet.h \ compat/arpa/nameser.h compat/machine/endian.h \ compat/netinet/in.h compat/netinet/ip.h compat/netinet/tcp.h \ - compat/sys/ioctl.h compat/sys/mman.h compat/sys/param.h \ - compat/sys/select.h compat/sys/socket.h compat/sys/stat.h \ + compat/sys/_null.h compat/sys/ioctl.h compat/sys/mman.h \ + compat/sys/param.h compat/sys/queue.h compat/sys/select.h \ + compat/sys/socket.h compat/sys/stat.h compat/sys/tree.h \ compat/sys/time.h compat/sys/types.h compat/sys/uio.h include_HEADERS = tls.h all: all-recursive diff --git a/include/compat/machine/endian.h b/include/compat/machine/endian.h index 5ec39af0..4dcb60d3 100644 --- a/include/compat/machine/endian.h +++ b/include/compat/machine/endian.h @@ -21,7 +21,7 @@ #define BYTE_ORDER BIG_ENDIAN #endif -#elif defined(__linux__) +#elif defined(__linux__) || defined(__midipix__) #include #elif defined(__sun) || defined(_AIX) || defined(__hpux) @@ -37,4 +37,15 @@ #endif +#ifndef __STRICT_ALIGNMENT +#define __STRICT_ALIGNMENT +#if defined(__i386) || defined(__i386__) || \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(__s390__) || defined(__s390x__) || \ + defined(__aarch64__) || \ + ((defined(__arm__) || defined(__arm)) && __ARM_ARCH >= 6) +#undef __STRICT_ALIGNMENT +#endif +#endif + #endif diff --git a/include/compat/pthread.h b/include/compat/pthread.h index 8b8c3c67..1ab011c3 100644 --- a/include/compat/pthread.h +++ b/include/compat/pthread.h @@ -8,6 +8,8 @@ #ifdef _WIN32 +#include +#include #include /* @@ -15,6 +17,11 @@ */ #define PTHREAD_ONCE_INIT { INIT_ONCE_STATIC_INIT } +/* + * Static mutex initialization values. + */ +#define PTHREAD_MUTEX_INITIALIZER { .lock = NULL } + /* * Once definitions. */ @@ -55,27 +62,51 @@ pthread_equal(pthread_t t1, pthread_t t2) return t1 == t2; } -typedef CRITICAL_SECTION pthread_mutex_t; +struct pthread_mutex { + volatile LPCRITICAL_SECTION lock; +}; +typedef struct pthread_mutex pthread_mutex_t; typedef void pthread_mutexattr_t; static inline int pthread_mutex_init(pthread_mutex_t *mutex, const pthread_mutexattr_t *attr) { - InitializeCriticalSection(mutex); + if ((mutex->lock = malloc(sizeof(CRITICAL_SECTION))) == NULL) + exit(ENOMEM); + InitializeCriticalSection(mutex->lock); return 0; } static inline int pthread_mutex_lock(pthread_mutex_t *mutex) { - EnterCriticalSection(mutex); + if (mutex->lock == NULL) { + LPCRITICAL_SECTION lcs; + + if ((lcs = malloc(sizeof(CRITICAL_SECTION))) == NULL) + exit(ENOMEM); + InitializeCriticalSection(lcs); + if (InterlockedCompareExchangePointer((PVOID*)&mutex->lock, (PVOID)lcs, NULL) != NULL) { + DeleteCriticalSection(lcs); + free(lcs); + } + } + EnterCriticalSection(mutex->lock); return 0; } static inline int pthread_mutex_unlock(pthread_mutex_t *mutex) { - LeaveCriticalSection(mutex); + LeaveCriticalSection(mutex->lock); + return 0; +} + +static inline int +pthread_mutex_destroy(pthread_mutex_t *mutex) +{ + DeleteCriticalSection(mutex->lock); + free(mutex->lock); return 0; } diff --git a/include/compat/sys/_null.h b/include/compat/sys/_null.h new file mode 100644 index 00000000..5d154019 --- /dev/null +++ b/include/compat/sys/_null.h @@ -0,0 +1,18 @@ +/* $OpenBSD: _null.h,v 1.2 2016/09/09 22:07:58 millert Exp $ */ + +/* + * Written by Todd C. Miller, September 9, 2016 + * Public domain. + */ + +#ifndef NULL +#if !defined(__cplusplus) +#define NULL ((void *)0) +#elif __cplusplus >= 201103L +#define NULL nullptr +#elif defined(__GNUG__) +#define NULL __null +#else +#define NULL 0L +#endif +#endif diff --git a/include/compat/sys/queue.h b/include/compat/sys/queue.h new file mode 100644 index 00000000..f28ba894 --- /dev/null +++ b/include/compat/sys/queue.h @@ -0,0 +1,536 @@ +/* $OpenBSD: queue.h,v 1.45 2018/07/12 14:22:54 sashan Exp $ */ +/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ + +/* + * Copyright (c) 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)queue.h 8.5 (Berkeley) 8/20/94 + */ + +#ifndef _SYS_QUEUE_H_ +#define _SYS_QUEUE_H_ + +#include + +/* + * This file defines five types of data structures: singly-linked lists, + * lists, simple queues, tail queues and XOR simple queues. + * + * + * A singly-linked list is headed by a single forward pointer. The elements + * are singly linked for minimum space and pointer manipulation overhead at + * the expense of O(n) removal for arbitrary elements. New elements can be + * added to the list after an existing element or at the head of the list. + * Elements being removed from the head of the list should use the explicit + * macro for this purpose for optimum efficiency. A singly-linked list may + * only be traversed in the forward direction. Singly-linked lists are ideal + * for applications with large datasets and few or no removals or for + * implementing a LIFO queue. + * + * A list is headed by a single forward pointer (or an array of forward + * pointers for a hash table header). The elements are doubly linked + * so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before + * or after an existing element or at the head of the list. A list + * may only be traversed in the forward direction. + * + * A simple queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are singly + * linked to save space, so elements can only be removed from the + * head of the list. New elements can be added to the list before or after + * an existing element, at the head of the list, or at the end of the + * list. A simple queue may only be traversed in the forward direction. + * + * A tail queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are doubly + * linked so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before or + * after an existing element, at the head of the list, or at the end of + * the list. A tail queue may be traversed in either direction. + * + * An XOR simple queue is used in the same way as a regular simple queue. + * The difference is that the head structure also includes a "cookie" that + * is XOR'd with the queue pointer (first, last or next) to generate the + * real pointer value. + * + * For details on the use of these macros, see the queue(3) manual page. + */ + +#if defined(QUEUE_MACRO_DEBUG) || (defined(_KERNEL) && defined(DIAGNOSTIC)) +#define _Q_INVALID ((void *)-1) +#define _Q_INVALIDATE(a) (a) = _Q_INVALID +#else +#define _Q_INVALIDATE(a) +#endif + +/* + * Singly-linked List definitions. + */ +#define SLIST_HEAD(name, type) \ +struct name { \ + struct type *slh_first; /* first element */ \ +} + +#define SLIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define SLIST_ENTRY(type) \ +struct { \ + struct type *sle_next; /* next element */ \ +} + +/* + * Singly-linked List access methods. + */ +#define SLIST_FIRST(head) ((head)->slh_first) +#define SLIST_END(head) NULL +#define SLIST_EMPTY(head) (SLIST_FIRST(head) == SLIST_END(head)) +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) + +#define SLIST_FOREACH(var, head, field) \ + for((var) = SLIST_FIRST(head); \ + (var) != SLIST_END(head); \ + (var) = SLIST_NEXT(var, field)) + +#define SLIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = SLIST_FIRST(head); \ + (var) && ((tvar) = SLIST_NEXT(var, field), 1); \ + (var) = (tvar)) + +/* + * Singly-linked List functions. + */ +#define SLIST_INIT(head) { \ + SLIST_FIRST(head) = SLIST_END(head); \ +} + +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ + (elm)->field.sle_next = (slistelm)->field.sle_next; \ + (slistelm)->field.sle_next = (elm); \ +} while (0) + +#define SLIST_INSERT_HEAD(head, elm, field) do { \ + (elm)->field.sle_next = (head)->slh_first; \ + (head)->slh_first = (elm); \ +} while (0) + +#define SLIST_REMOVE_AFTER(elm, field) do { \ + (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ +} while (0) + +#define SLIST_REMOVE_HEAD(head, field) do { \ + (head)->slh_first = (head)->slh_first->field.sle_next; \ +} while (0) + +#define SLIST_REMOVE(head, elm, type, field) do { \ + if ((head)->slh_first == (elm)) { \ + SLIST_REMOVE_HEAD((head), field); \ + } else { \ + struct type *curelm = (head)->slh_first; \ + \ + while (curelm->field.sle_next != (elm)) \ + curelm = curelm->field.sle_next; \ + curelm->field.sle_next = \ + curelm->field.sle_next->field.sle_next; \ + } \ + _Q_INVALIDATE((elm)->field.sle_next); \ +} while (0) + +/* + * List definitions. + */ +#define LIST_HEAD(name, type) \ +struct name { \ + struct type *lh_first; /* first element */ \ +} + +#define LIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define LIST_ENTRY(type) \ +struct { \ + struct type *le_next; /* next element */ \ + struct type **le_prev; /* address of previous next element */ \ +} + +/* + * List access methods. + */ +#define LIST_FIRST(head) ((head)->lh_first) +#define LIST_END(head) NULL +#define LIST_EMPTY(head) (LIST_FIRST(head) == LIST_END(head)) +#define LIST_NEXT(elm, field) ((elm)->field.le_next) + +#define LIST_FOREACH(var, head, field) \ + for((var) = LIST_FIRST(head); \ + (var)!= LIST_END(head); \ + (var) = LIST_NEXT(var, field)) + +#define LIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = LIST_FIRST(head); \ + (var) && ((tvar) = LIST_NEXT(var, field), 1); \ + (var) = (tvar)) + +/* + * List functions. + */ +#define LIST_INIT(head) do { \ + LIST_FIRST(head) = LIST_END(head); \ +} while (0) + +#define LIST_INSERT_AFTER(listelm, elm, field) do { \ + if (((elm)->field.le_next = (listelm)->field.le_next) != NULL) \ + (listelm)->field.le_next->field.le_prev = \ + &(elm)->field.le_next; \ + (listelm)->field.le_next = (elm); \ + (elm)->field.le_prev = &(listelm)->field.le_next; \ +} while (0) + +#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.le_prev = (listelm)->field.le_prev; \ + (elm)->field.le_next = (listelm); \ + *(listelm)->field.le_prev = (elm); \ + (listelm)->field.le_prev = &(elm)->field.le_next; \ +} while (0) + +#define LIST_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.le_next = (head)->lh_first) != NULL) \ + (head)->lh_first->field.le_prev = &(elm)->field.le_next;\ + (head)->lh_first = (elm); \ + (elm)->field.le_prev = &(head)->lh_first; \ +} while (0) + +#define LIST_REMOVE(elm, field) do { \ + if ((elm)->field.le_next != NULL) \ + (elm)->field.le_next->field.le_prev = \ + (elm)->field.le_prev; \ + *(elm)->field.le_prev = (elm)->field.le_next; \ + _Q_INVALIDATE((elm)->field.le_prev); \ + _Q_INVALIDATE((elm)->field.le_next); \ +} while (0) + +#define LIST_REPLACE(elm, elm2, field) do { \ + if (((elm2)->field.le_next = (elm)->field.le_next) != NULL) \ + (elm2)->field.le_next->field.le_prev = \ + &(elm2)->field.le_next; \ + (elm2)->field.le_prev = (elm)->field.le_prev; \ + *(elm2)->field.le_prev = (elm2); \ + _Q_INVALIDATE((elm)->field.le_prev); \ + _Q_INVALIDATE((elm)->field.le_next); \ +} while (0) + +/* + * Simple queue definitions. + */ +#define SIMPLEQ_HEAD(name, type) \ +struct name { \ + struct type *sqh_first; /* first element */ \ + struct type **sqh_last; /* addr of last next element */ \ +} + +#define SIMPLEQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).sqh_first } + +#define SIMPLEQ_ENTRY(type) \ +struct { \ + struct type *sqe_next; /* next element */ \ +} + +/* + * Simple queue access methods. + */ +#define SIMPLEQ_FIRST(head) ((head)->sqh_first) +#define SIMPLEQ_END(head) NULL +#define SIMPLEQ_EMPTY(head) (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head)) +#define SIMPLEQ_NEXT(elm, field) ((elm)->field.sqe_next) + +#define SIMPLEQ_FOREACH(var, head, field) \ + for((var) = SIMPLEQ_FIRST(head); \ + (var) != SIMPLEQ_END(head); \ + (var) = SIMPLEQ_NEXT(var, field)) + +#define SIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = SIMPLEQ_FIRST(head); \ + (var) && ((tvar) = SIMPLEQ_NEXT(var, field), 1); \ + (var) = (tvar)) + +/* + * Simple queue functions. + */ +#define SIMPLEQ_INIT(head) do { \ + (head)->sqh_first = NULL; \ + (head)->sqh_last = &(head)->sqh_first; \ +} while (0) + +#define SIMPLEQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.sqe_next = (head)->sqh_first) == NULL) \ + (head)->sqh_last = &(elm)->field.sqe_next; \ + (head)->sqh_first = (elm); \ +} while (0) + +#define SIMPLEQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.sqe_next = NULL; \ + *(head)->sqh_last = (elm); \ + (head)->sqh_last = &(elm)->field.sqe_next; \ +} while (0) + +#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\ + (head)->sqh_last = &(elm)->field.sqe_next; \ + (listelm)->field.sqe_next = (elm); \ +} while (0) + +#define SIMPLEQ_REMOVE_HEAD(head, field) do { \ + if (((head)->sqh_first = (head)->sqh_first->field.sqe_next) == NULL) \ + (head)->sqh_last = &(head)->sqh_first; \ +} while (0) + +#define SIMPLEQ_REMOVE_AFTER(head, elm, field) do { \ + if (((elm)->field.sqe_next = (elm)->field.sqe_next->field.sqe_next) \ + == NULL) \ + (head)->sqh_last = &(elm)->field.sqe_next; \ +} while (0) + +#define SIMPLEQ_CONCAT(head1, head2) do { \ + if (!SIMPLEQ_EMPTY((head2))) { \ + *(head1)->sqh_last = (head2)->sqh_first; \ + (head1)->sqh_last = (head2)->sqh_last; \ + SIMPLEQ_INIT((head2)); \ + } \ +} while (0) + +/* + * XOR Simple queue definitions. + */ +#define XSIMPLEQ_HEAD(name, type) \ +struct name { \ + struct type *sqx_first; /* first element */ \ + struct type **sqx_last; /* addr of last next element */ \ + unsigned long sqx_cookie; \ +} + +#define XSIMPLEQ_ENTRY(type) \ +struct { \ + struct type *sqx_next; /* next element */ \ +} + +/* + * XOR Simple queue access methods. + */ +#define XSIMPLEQ_XOR(head, ptr) ((__typeof(ptr))((head)->sqx_cookie ^ \ + (unsigned long)(ptr))) +#define XSIMPLEQ_FIRST(head) XSIMPLEQ_XOR(head, ((head)->sqx_first)) +#define XSIMPLEQ_END(head) NULL +#define XSIMPLEQ_EMPTY(head) (XSIMPLEQ_FIRST(head) == XSIMPLEQ_END(head)) +#define XSIMPLEQ_NEXT(head, elm, field) XSIMPLEQ_XOR(head, ((elm)->field.sqx_next)) + + +#define XSIMPLEQ_FOREACH(var, head, field) \ + for ((var) = XSIMPLEQ_FIRST(head); \ + (var) != XSIMPLEQ_END(head); \ + (var) = XSIMPLEQ_NEXT(head, var, field)) + +#define XSIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = XSIMPLEQ_FIRST(head); \ + (var) && ((tvar) = XSIMPLEQ_NEXT(head, var, field), 1); \ + (var) = (tvar)) + +/* + * XOR Simple queue functions. + */ +#define XSIMPLEQ_INIT(head) do { \ + arc4random_buf(&(head)->sqx_cookie, sizeof((head)->sqx_cookie)); \ + (head)->sqx_first = XSIMPLEQ_XOR(head, NULL); \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(head)->sqx_first); \ +} while (0) + +#define XSIMPLEQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.sqx_next = (head)->sqx_first) == \ + XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ + (head)->sqx_first = XSIMPLEQ_XOR(head, (elm)); \ +} while (0) + +#define XSIMPLEQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.sqx_next = XSIMPLEQ_XOR(head, NULL); \ + *(XSIMPLEQ_XOR(head, (head)->sqx_last)) = XSIMPLEQ_XOR(head, (elm)); \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ +} while (0) + +#define XSIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.sqx_next = (listelm)->field.sqx_next) == \ + XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ + (listelm)->field.sqx_next = XSIMPLEQ_XOR(head, (elm)); \ +} while (0) + +#define XSIMPLEQ_REMOVE_HEAD(head, field) do { \ + if (((head)->sqx_first = XSIMPLEQ_XOR(head, \ + (head)->sqx_first)->field.sqx_next) == XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(head)->sqx_first); \ +} while (0) + +#define XSIMPLEQ_REMOVE_AFTER(head, elm, field) do { \ + if (((elm)->field.sqx_next = XSIMPLEQ_XOR(head, \ + (elm)->field.sqx_next)->field.sqx_next) \ + == XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = \ + XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ +} while (0) + + +/* + * Tail queue definitions. + */ +#define TAILQ_HEAD(name, type) \ +struct name { \ + struct type *tqh_first; /* first element */ \ + struct type **tqh_last; /* addr of last next element */ \ +} + +#define TAILQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).tqh_first } + +#define TAILQ_ENTRY(type) \ +struct { \ + struct type *tqe_next; /* next element */ \ + struct type **tqe_prev; /* address of previous next element */ \ +} + +/* + * Tail queue access methods. + */ +#define TAILQ_FIRST(head) ((head)->tqh_first) +#define TAILQ_END(head) NULL +#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) +#define TAILQ_LAST(head, headname) \ + (*(((struct headname *)((head)->tqh_last))->tqh_last)) +/* XXX */ +#define TAILQ_PREV(elm, headname, field) \ + (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last)) +#define TAILQ_EMPTY(head) \ + (TAILQ_FIRST(head) == TAILQ_END(head)) + +#define TAILQ_FOREACH(var, head, field) \ + for((var) = TAILQ_FIRST(head); \ + (var) != TAILQ_END(head); \ + (var) = TAILQ_NEXT(var, field)) + +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST(head); \ + (var) != TAILQ_END(head) && \ + ((tvar) = TAILQ_NEXT(var, field), 1); \ + (var) = (tvar)) + + +#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ + for((var) = TAILQ_LAST(head, headname); \ + (var) != TAILQ_END(head); \ + (var) = TAILQ_PREV(var, headname, field)) + +#define TAILQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \ + for ((var) = TAILQ_LAST(head, headname); \ + (var) != TAILQ_END(head) && \ + ((tvar) = TAILQ_PREV(var, headname, field), 1); \ + (var) = (tvar)) + +/* + * Tail queue functions. + */ +#define TAILQ_INIT(head) do { \ + (head)->tqh_first = NULL; \ + (head)->tqh_last = &(head)->tqh_first; \ +} while (0) + +#define TAILQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.tqe_next = (head)->tqh_first) != NULL) \ + (head)->tqh_first->field.tqe_prev = \ + &(elm)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm)->field.tqe_next; \ + (head)->tqh_first = (elm); \ + (elm)->field.tqe_prev = &(head)->tqh_first; \ +} while (0) + +#define TAILQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.tqe_next = NULL; \ + (elm)->field.tqe_prev = (head)->tqh_last; \ + *(head)->tqh_last = (elm); \ + (head)->tqh_last = &(elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\ + (elm)->field.tqe_next->field.tqe_prev = \ + &(elm)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm)->field.tqe_next; \ + (listelm)->field.tqe_next = (elm); \ + (elm)->field.tqe_prev = &(listelm)->field.tqe_next; \ +} while (0) + +#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ + (elm)->field.tqe_next = (listelm); \ + *(listelm)->field.tqe_prev = (elm); \ + (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_REMOVE(head, elm, field) do { \ + if (((elm)->field.tqe_next) != NULL) \ + (elm)->field.tqe_next->field.tqe_prev = \ + (elm)->field.tqe_prev; \ + else \ + (head)->tqh_last = (elm)->field.tqe_prev; \ + *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ + _Q_INVALIDATE((elm)->field.tqe_prev); \ + _Q_INVALIDATE((elm)->field.tqe_next); \ +} while (0) + +#define TAILQ_REPLACE(head, elm, elm2, field) do { \ + if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL) \ + (elm2)->field.tqe_next->field.tqe_prev = \ + &(elm2)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm2)->field.tqe_next; \ + (elm2)->field.tqe_prev = (elm)->field.tqe_prev; \ + *(elm2)->field.tqe_prev = (elm2); \ + _Q_INVALIDATE((elm)->field.tqe_prev); \ + _Q_INVALIDATE((elm)->field.tqe_next); \ +} while (0) + +#define TAILQ_CONCAT(head1, head2, field) do { \ + if (!TAILQ_EMPTY(head2)) { \ + *(head1)->tqh_last = (head2)->tqh_first; \ + (head2)->tqh_first->field.tqe_prev = (head1)->tqh_last; \ + (head1)->tqh_last = (head2)->tqh_last; \ + TAILQ_INIT((head2)); \ + } \ +} while (0) + +#endif /* !_SYS_QUEUE_H_ */ diff --git a/include/compat/sys/tree.h b/include/compat/sys/tree.h new file mode 100644 index 00000000..ffcac902 --- /dev/null +++ b/include/compat/sys/tree.h @@ -0,0 +1,1006 @@ +/* $OpenBSD: tree.h,v 1.29 2017/07/30 19:27:20 deraadt Exp $ */ +/* + * Copyright 2002 Niels Provos + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _SYS_TREE_H_ +#define _SYS_TREE_H_ + +#include + +/* + * This file defines data structures for different types of trees: + * splay trees and red-black trees. + * + * A splay tree is a self-organizing data structure. Every operation + * on the tree causes a splay to happen. The splay moves the requested + * node to the root of the tree and partly rebalances it. + * + * This has the benefit that request locality causes faster lookups as + * the requested nodes move to the top of the tree. On the other hand, + * every lookup causes memory writes. + * + * The Balance Theorem bounds the total access time for m operations + * and n inserts on an initially empty tree as O((m + n)lg n). The + * amortized cost for a sequence of m accesses to a splay tree is O(lg n); + * + * A red-black tree is a binary search tree with the node color as an + * extra attribute. It fulfills a set of conditions: + * - every search path from the root to a leaf consists of the + * same number of black nodes, + * - each red node (except for the root) has a black parent, + * - each leaf node is black. + * + * Every operation on a red-black tree is bounded as O(lg n). + * The maximum height of a red-black tree is 2lg (n+1). + */ + +#define SPLAY_HEAD(name, type) \ +struct name { \ + struct type *sph_root; /* root of the tree */ \ +} + +#define SPLAY_INITIALIZER(root) \ + { NULL } + +#define SPLAY_INIT(root) do { \ + (root)->sph_root = NULL; \ +} while (0) + +#define SPLAY_ENTRY(type) \ +struct { \ + struct type *spe_left; /* left element */ \ + struct type *spe_right; /* right element */ \ +} + +#define SPLAY_LEFT(elm, field) (elm)->field.spe_left +#define SPLAY_RIGHT(elm, field) (elm)->field.spe_right +#define SPLAY_ROOT(head) (head)->sph_root +#define SPLAY_EMPTY(head) (SPLAY_ROOT(head) == NULL) + +/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */ +#define SPLAY_ROTATE_RIGHT(head, tmp, field) do { \ + SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field); \ + SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ + (head)->sph_root = tmp; \ +} while (0) + +#define SPLAY_ROTATE_LEFT(head, tmp, field) do { \ + SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field); \ + SPLAY_LEFT(tmp, field) = (head)->sph_root; \ + (head)->sph_root = tmp; \ +} while (0) + +#define SPLAY_LINKLEFT(head, tmp, field) do { \ + SPLAY_LEFT(tmp, field) = (head)->sph_root; \ + tmp = (head)->sph_root; \ + (head)->sph_root = SPLAY_LEFT((head)->sph_root, field); \ +} while (0) + +#define SPLAY_LINKRIGHT(head, tmp, field) do { \ + SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ + tmp = (head)->sph_root; \ + (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field); \ +} while (0) + +#define SPLAY_ASSEMBLE(head, node, left, right, field) do { \ + SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field); \ + SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\ + SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field); \ + SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field); \ +} while (0) + +/* Generates prototypes and inline functions */ + +#define SPLAY_PROTOTYPE(name, type, field, cmp) \ +void name##_SPLAY(struct name *, struct type *); \ +void name##_SPLAY_MINMAX(struct name *, int); \ +struct type *name##_SPLAY_INSERT(struct name *, struct type *); \ +struct type *name##_SPLAY_REMOVE(struct name *, struct type *); \ + \ +/* Finds the node with the same key as elm */ \ +static __unused __inline struct type * \ +name##_SPLAY_FIND(struct name *head, struct type *elm) \ +{ \ + if (SPLAY_EMPTY(head)) \ + return(NULL); \ + name##_SPLAY(head, elm); \ + if ((cmp)(elm, (head)->sph_root) == 0) \ + return (head->sph_root); \ + return (NULL); \ +} \ + \ +static __unused __inline struct type * \ +name##_SPLAY_NEXT(struct name *head, struct type *elm) \ +{ \ + name##_SPLAY(head, elm); \ + if (SPLAY_RIGHT(elm, field) != NULL) { \ + elm = SPLAY_RIGHT(elm, field); \ + while (SPLAY_LEFT(elm, field) != NULL) { \ + elm = SPLAY_LEFT(elm, field); \ + } \ + } else \ + elm = NULL; \ + return (elm); \ +} \ + \ +static __unused __inline struct type * \ +name##_SPLAY_MIN_MAX(struct name *head, int val) \ +{ \ + name##_SPLAY_MINMAX(head, val); \ + return (SPLAY_ROOT(head)); \ +} + +/* Main splay operation. + * Moves node close to the key of elm to top + */ +#define SPLAY_GENERATE(name, type, field, cmp) \ +struct type * \ +name##_SPLAY_INSERT(struct name *head, struct type *elm) \ +{ \ + if (SPLAY_EMPTY(head)) { \ + SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL; \ + } else { \ + int __comp; \ + name##_SPLAY(head, elm); \ + __comp = (cmp)(elm, (head)->sph_root); \ + if(__comp < 0) { \ + SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\ + SPLAY_RIGHT(elm, field) = (head)->sph_root; \ + SPLAY_LEFT((head)->sph_root, field) = NULL; \ + } else if (__comp > 0) { \ + SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\ + SPLAY_LEFT(elm, field) = (head)->sph_root; \ + SPLAY_RIGHT((head)->sph_root, field) = NULL; \ + } else \ + return ((head)->sph_root); \ + } \ + (head)->sph_root = (elm); \ + return (NULL); \ +} \ + \ +struct type * \ +name##_SPLAY_REMOVE(struct name *head, struct type *elm) \ +{ \ + struct type *__tmp; \ + if (SPLAY_EMPTY(head)) \ + return (NULL); \ + name##_SPLAY(head, elm); \ + if ((cmp)(elm, (head)->sph_root) == 0) { \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL) { \ + (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\ + } else { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\ + name##_SPLAY(head, elm); \ + SPLAY_RIGHT((head)->sph_root, field) = __tmp; \ + } \ + return (elm); \ + } \ + return (NULL); \ +} \ + \ +void \ +name##_SPLAY(struct name *head, struct type *elm) \ +{ \ + struct type __node, *__left, *__right, *__tmp; \ + int __comp; \ +\ + SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ + __left = __right = &__node; \ +\ + while ((__comp = (cmp)(elm, (head)->sph_root))) { \ + if (__comp < 0) { \ + __tmp = SPLAY_LEFT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if ((cmp)(elm, __tmp) < 0){ \ + SPLAY_ROTATE_RIGHT(head, __tmp, field); \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKLEFT(head, __right, field); \ + } else if (__comp > 0) { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if ((cmp)(elm, __tmp) > 0){ \ + SPLAY_ROTATE_LEFT(head, __tmp, field); \ + if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKRIGHT(head, __left, field); \ + } \ + } \ + SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ +} \ + \ +/* Splay with either the minimum or the maximum element \ + * Used to find minimum or maximum element in tree. \ + */ \ +void name##_SPLAY_MINMAX(struct name *head, int __comp) \ +{ \ + struct type __node, *__left, *__right, *__tmp; \ +\ + SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ + __left = __right = &__node; \ +\ + while (1) { \ + if (__comp < 0) { \ + __tmp = SPLAY_LEFT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if (__comp < 0){ \ + SPLAY_ROTATE_RIGHT(head, __tmp, field); \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKLEFT(head, __right, field); \ + } else if (__comp > 0) { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if (__comp > 0) { \ + SPLAY_ROTATE_LEFT(head, __tmp, field); \ + if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKRIGHT(head, __left, field); \ + } \ + } \ + SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ +} + +#define SPLAY_NEGINF -1 +#define SPLAY_INF 1 + +#define SPLAY_INSERT(name, x, y) name##_SPLAY_INSERT(x, y) +#define SPLAY_REMOVE(name, x, y) name##_SPLAY_REMOVE(x, y) +#define SPLAY_FIND(name, x, y) name##_SPLAY_FIND(x, y) +#define SPLAY_NEXT(name, x, y) name##_SPLAY_NEXT(x, y) +#define SPLAY_MIN(name, x) (SPLAY_EMPTY(x) ? NULL \ + : name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF)) +#define SPLAY_MAX(name, x) (SPLAY_EMPTY(x) ? NULL \ + : name##_SPLAY_MIN_MAX(x, SPLAY_INF)) + +#define SPLAY_FOREACH(x, name, head) \ + for ((x) = SPLAY_MIN(name, head); \ + (x) != NULL; \ + (x) = SPLAY_NEXT(name, head, x)) + +/* Macros that define a red-black tree */ +#define RB_HEAD(name, type) \ +struct name { \ + struct type *rbh_root; /* root of the tree */ \ +} + +#define RB_INITIALIZER(root) \ + { NULL } + +#define RB_INIT(root) do { \ + (root)->rbh_root = NULL; \ +} while (0) + +#define RB_BLACK 0 +#define RB_RED 1 +#define RB_ENTRY(type) \ +struct { \ + struct type *rbe_left; /* left element */ \ + struct type *rbe_right; /* right element */ \ + struct type *rbe_parent; /* parent element */ \ + int rbe_color; /* node color */ \ +} + +#define RB_LEFT(elm, field) (elm)->field.rbe_left +#define RB_RIGHT(elm, field) (elm)->field.rbe_right +#define RB_PARENT(elm, field) (elm)->field.rbe_parent +#define RB_COLOR(elm, field) (elm)->field.rbe_color +#define RB_ROOT(head) (head)->rbh_root +#define RB_EMPTY(head) (RB_ROOT(head) == NULL) + +#define RB_SET(elm, parent, field) do { \ + RB_PARENT(elm, field) = parent; \ + RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL; \ + RB_COLOR(elm, field) = RB_RED; \ +} while (0) + +#define RB_SET_BLACKRED(black, red, field) do { \ + RB_COLOR(black, field) = RB_BLACK; \ + RB_COLOR(red, field) = RB_RED; \ +} while (0) + +#ifndef RB_AUGMENT +#define RB_AUGMENT(x) do {} while (0) +#endif + +#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ + (tmp) = RB_RIGHT(elm, field); \ + if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field))) { \ + RB_PARENT(RB_LEFT(tmp, field), field) = (elm); \ + } \ + RB_AUGMENT(elm); \ + if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) { \ + if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ + RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ + else \ + RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ + } else \ + (head)->rbh_root = (tmp); \ + RB_LEFT(tmp, field) = (elm); \ + RB_PARENT(elm, field) = (tmp); \ + RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ +} while (0) + +#define RB_ROTATE_RIGHT(head, elm, tmp, field) do { \ + (tmp) = RB_LEFT(elm, field); \ + if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field))) { \ + RB_PARENT(RB_RIGHT(tmp, field), field) = (elm); \ + } \ + RB_AUGMENT(elm); \ + if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) { \ + if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ + RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ + else \ + RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ + } else \ + (head)->rbh_root = (tmp); \ + RB_RIGHT(tmp, field) = (elm); \ + RB_PARENT(elm, field) = (tmp); \ + RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ +} while (0) + +/* Generates prototypes and inline functions */ +#define RB_PROTOTYPE(name, type, field, cmp) \ + RB_PROTOTYPE_INTERNAL(name, type, field, cmp,) +#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \ + RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) +#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \ +attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \ +attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ +attr struct type *name##_RB_REMOVE(struct name *, struct type *); \ +attr struct type *name##_RB_INSERT(struct name *, struct type *); \ +attr struct type *name##_RB_FIND(struct name *, struct type *); \ +attr struct type *name##_RB_NFIND(struct name *, struct type *); \ +attr struct type *name##_RB_NEXT(struct type *); \ +attr struct type *name##_RB_PREV(struct type *); \ +attr struct type *name##_RB_MINMAX(struct name *, int); \ + \ + +/* Main rb operation. + * Moves node close to the key of elm to top + */ +#define RB_GENERATE(name, type, field, cmp) \ + RB_GENERATE_INTERNAL(name, type, field, cmp,) +#define RB_GENERATE_STATIC(name, type, field, cmp) \ + RB_GENERATE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) +#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \ +attr void \ +name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ +{ \ + struct type *parent, *gparent, *tmp; \ + while ((parent = RB_PARENT(elm, field)) && \ + RB_COLOR(parent, field) == RB_RED) { \ + gparent = RB_PARENT(parent, field); \ + if (parent == RB_LEFT(gparent, field)) { \ + tmp = RB_RIGHT(gparent, field); \ + if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ + RB_COLOR(tmp, field) = RB_BLACK; \ + RB_SET_BLACKRED(parent, gparent, field);\ + elm = gparent; \ + continue; \ + } \ + if (RB_RIGHT(parent, field) == elm) { \ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + tmp = parent; \ + parent = elm; \ + elm = tmp; \ + } \ + RB_SET_BLACKRED(parent, gparent, field); \ + RB_ROTATE_RIGHT(head, gparent, tmp, field); \ + } else { \ + tmp = RB_LEFT(gparent, field); \ + if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ + RB_COLOR(tmp, field) = RB_BLACK; \ + RB_SET_BLACKRED(parent, gparent, field);\ + elm = gparent; \ + continue; \ + } \ + if (RB_LEFT(parent, field) == elm) { \ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + tmp = parent; \ + parent = elm; \ + elm = tmp; \ + } \ + RB_SET_BLACKRED(parent, gparent, field); \ + RB_ROTATE_LEFT(head, gparent, tmp, field); \ + } \ + } \ + RB_COLOR(head->rbh_root, field) = RB_BLACK; \ +} \ + \ +attr void \ +name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ +{ \ + struct type *tmp; \ + while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) && \ + elm != RB_ROOT(head)) { \ + if (RB_LEFT(parent, field) == elm) { \ + tmp = RB_RIGHT(parent, field); \ + if (RB_COLOR(tmp, field) == RB_RED) { \ + RB_SET_BLACKRED(tmp, parent, field); \ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + tmp = RB_RIGHT(parent, field); \ + } \ + if ((RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ + (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ + RB_COLOR(tmp, field) = RB_RED; \ + elm = parent; \ + parent = RB_PARENT(elm, field); \ + } else { \ + if (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\ + struct type *oleft; \ + if ((oleft = RB_LEFT(tmp, field)))\ + RB_COLOR(oleft, field) = RB_BLACK;\ + RB_COLOR(tmp, field) = RB_RED; \ + RB_ROTATE_RIGHT(head, tmp, oleft, field);\ + tmp = RB_RIGHT(parent, field); \ + } \ + RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ + RB_COLOR(parent, field) = RB_BLACK; \ + if (RB_RIGHT(tmp, field)) \ + RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + elm = RB_ROOT(head); \ + break; \ + } \ + } else { \ + tmp = RB_LEFT(parent, field); \ + if (RB_COLOR(tmp, field) == RB_RED) { \ + RB_SET_BLACKRED(tmp, parent, field); \ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + tmp = RB_LEFT(parent, field); \ + } \ + if ((RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ + (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ + RB_COLOR(tmp, field) = RB_RED; \ + elm = parent; \ + parent = RB_PARENT(elm, field); \ + } else { \ + if (RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\ + struct type *oright; \ + if ((oright = RB_RIGHT(tmp, field)))\ + RB_COLOR(oright, field) = RB_BLACK;\ + RB_COLOR(tmp, field) = RB_RED; \ + RB_ROTATE_LEFT(head, tmp, oright, field);\ + tmp = RB_LEFT(parent, field); \ + } \ + RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ + RB_COLOR(parent, field) = RB_BLACK; \ + if (RB_LEFT(tmp, field)) \ + RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + elm = RB_ROOT(head); \ + break; \ + } \ + } \ + } \ + if (elm) \ + RB_COLOR(elm, field) = RB_BLACK; \ +} \ + \ +attr struct type * \ +name##_RB_REMOVE(struct name *head, struct type *elm) \ +{ \ + struct type *child, *parent, *old = elm; \ + int color; \ + if (RB_LEFT(elm, field) == NULL) \ + child = RB_RIGHT(elm, field); \ + else if (RB_RIGHT(elm, field) == NULL) \ + child = RB_LEFT(elm, field); \ + else { \ + struct type *left; \ + elm = RB_RIGHT(elm, field); \ + while ((left = RB_LEFT(elm, field))) \ + elm = left; \ + child = RB_RIGHT(elm, field); \ + parent = RB_PARENT(elm, field); \ + color = RB_COLOR(elm, field); \ + if (child) \ + RB_PARENT(child, field) = parent; \ + if (parent) { \ + if (RB_LEFT(parent, field) == elm) \ + RB_LEFT(parent, field) = child; \ + else \ + RB_RIGHT(parent, field) = child; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = child; \ + if (RB_PARENT(elm, field) == old) \ + parent = elm; \ + (elm)->field = (old)->field; \ + if (RB_PARENT(old, field)) { \ + if (RB_LEFT(RB_PARENT(old, field), field) == old)\ + RB_LEFT(RB_PARENT(old, field), field) = elm;\ + else \ + RB_RIGHT(RB_PARENT(old, field), field) = elm;\ + RB_AUGMENT(RB_PARENT(old, field)); \ + } else \ + RB_ROOT(head) = elm; \ + RB_PARENT(RB_LEFT(old, field), field) = elm; \ + if (RB_RIGHT(old, field)) \ + RB_PARENT(RB_RIGHT(old, field), field) = elm; \ + if (parent) { \ + left = parent; \ + do { \ + RB_AUGMENT(left); \ + } while ((left = RB_PARENT(left, field))); \ + } \ + goto color; \ + } \ + parent = RB_PARENT(elm, field); \ + color = RB_COLOR(elm, field); \ + if (child) \ + RB_PARENT(child, field) = parent; \ + if (parent) { \ + if (RB_LEFT(parent, field) == elm) \ + RB_LEFT(parent, field) = child; \ + else \ + RB_RIGHT(parent, field) = child; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = child; \ +color: \ + if (color == RB_BLACK) \ + name##_RB_REMOVE_COLOR(head, parent, child); \ + return (old); \ +} \ + \ +/* Inserts a node into the RB tree */ \ +attr struct type * \ +name##_RB_INSERT(struct name *head, struct type *elm) \ +{ \ + struct type *tmp; \ + struct type *parent = NULL; \ + int comp = 0; \ + tmp = RB_ROOT(head); \ + while (tmp) { \ + parent = tmp; \ + comp = (cmp)(elm, parent); \ + if (comp < 0) \ + tmp = RB_LEFT(tmp, field); \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + RB_SET(elm, parent, field); \ + if (parent != NULL) { \ + if (comp < 0) \ + RB_LEFT(parent, field) = elm; \ + else \ + RB_RIGHT(parent, field) = elm; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = elm; \ + name##_RB_INSERT_COLOR(head, elm); \ + return (NULL); \ +} \ + \ +/* Finds the node with the same key as elm */ \ +attr struct type * \ +name##_RB_FIND(struct name *head, struct type *elm) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + int comp; \ + while (tmp) { \ + comp = cmp(elm, tmp); \ + if (comp < 0) \ + tmp = RB_LEFT(tmp, field); \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + return (NULL); \ +} \ + \ +/* Finds the first node greater than or equal to the search key */ \ +attr struct type * \ +name##_RB_NFIND(struct name *head, struct type *elm) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + struct type *res = NULL; \ + int comp; \ + while (tmp) { \ + comp = cmp(elm, tmp); \ + if (comp < 0) { \ + res = tmp; \ + tmp = RB_LEFT(tmp, field); \ + } \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + return (res); \ +} \ + \ +/* ARGSUSED */ \ +attr struct type * \ +name##_RB_NEXT(struct type *elm) \ +{ \ + if (RB_RIGHT(elm, field)) { \ + elm = RB_RIGHT(elm, field); \ + while (RB_LEFT(elm, field)) \ + elm = RB_LEFT(elm, field); \ + } else { \ + if (RB_PARENT(elm, field) && \ + (elm == RB_LEFT(RB_PARENT(elm, field), field))) \ + elm = RB_PARENT(elm, field); \ + else { \ + while (RB_PARENT(elm, field) && \ + (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\ + elm = RB_PARENT(elm, field); \ + elm = RB_PARENT(elm, field); \ + } \ + } \ + return (elm); \ +} \ + \ +/* ARGSUSED */ \ +attr struct type * \ +name##_RB_PREV(struct type *elm) \ +{ \ + if (RB_LEFT(elm, field)) { \ + elm = RB_LEFT(elm, field); \ + while (RB_RIGHT(elm, field)) \ + elm = RB_RIGHT(elm, field); \ + } else { \ + if (RB_PARENT(elm, field) && \ + (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \ + elm = RB_PARENT(elm, field); \ + else { \ + while (RB_PARENT(elm, field) && \ + (elm == RB_LEFT(RB_PARENT(elm, field), field)))\ + elm = RB_PARENT(elm, field); \ + elm = RB_PARENT(elm, field); \ + } \ + } \ + return (elm); \ +} \ + \ +attr struct type * \ +name##_RB_MINMAX(struct name *head, int val) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + struct type *parent = NULL; \ + while (tmp) { \ + parent = tmp; \ + if (val < 0) \ + tmp = RB_LEFT(tmp, field); \ + else \ + tmp = RB_RIGHT(tmp, field); \ + } \ + return (parent); \ +} + +#define RB_NEGINF -1 +#define RB_INF 1 + +#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) +#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) +#define RB_FIND(name, x, y) name##_RB_FIND(x, y) +#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y) +#define RB_NEXT(name, x, y) name##_RB_NEXT(y) +#define RB_PREV(name, x, y) name##_RB_PREV(y) +#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) +#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) + +#define RB_FOREACH(x, name, head) \ + for ((x) = RB_MIN(name, head); \ + (x) != NULL; \ + (x) = name##_RB_NEXT(x)) + +#define RB_FOREACH_SAFE(x, name, head, y) \ + for ((x) = RB_MIN(name, head); \ + ((x) != NULL) && ((y) = name##_RB_NEXT(x), 1); \ + (x) = (y)) + +#define RB_FOREACH_REVERSE(x, name, head) \ + for ((x) = RB_MAX(name, head); \ + (x) != NULL; \ + (x) = name##_RB_PREV(x)) + +#define RB_FOREACH_REVERSE_SAFE(x, name, head, y) \ + for ((x) = RB_MAX(name, head); \ + ((x) != NULL) && ((y) = name##_RB_PREV(x), 1); \ + (x) = (y)) + + +/* + * Copyright (c) 2016 David Gwynne + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +struct rb_type { + int (*t_compare)(const void *, const void *); + void (*t_augment)(void *); + unsigned int t_offset; /* offset of rb_entry in type */ +}; + +struct rb_tree { + struct rb_entry *rbt_root; +}; + +struct rb_entry { + struct rb_entry *rbt_parent; + struct rb_entry *rbt_left; + struct rb_entry *rbt_right; + unsigned int rbt_color; +}; + +#define RBT_HEAD(_name, _type) \ +struct _name { \ + struct rb_tree rbh_root; \ +} + +#define RBT_ENTRY(_type) struct rb_entry + +static inline void +_rb_init(struct rb_tree *rbt) +{ + rbt->rbt_root = NULL; +} + +static inline int +_rb_empty(struct rb_tree *rbt) +{ + return (rbt->rbt_root == NULL); +} + +void *_rb_insert(const struct rb_type *, struct rb_tree *, void *); +void *_rb_remove(const struct rb_type *, struct rb_tree *, void *); +void *_rb_find(const struct rb_type *, struct rb_tree *, const void *); +void *_rb_nfind(const struct rb_type *, struct rb_tree *, const void *); +void *_rb_root(const struct rb_type *, struct rb_tree *); +void *_rb_min(const struct rb_type *, struct rb_tree *); +void *_rb_max(const struct rb_type *, struct rb_tree *); +void *_rb_next(const struct rb_type *, void *); +void *_rb_prev(const struct rb_type *, void *); +void *_rb_left(const struct rb_type *, void *); +void *_rb_right(const struct rb_type *, void *); +void *_rb_parent(const struct rb_type *, void *); +void _rb_set_left(const struct rb_type *, void *, void *); +void _rb_set_right(const struct rb_type *, void *, void *); +void _rb_set_parent(const struct rb_type *, void *, void *); +void _rb_poison(const struct rb_type *, void *, unsigned long); +int _rb_check(const struct rb_type *, void *, unsigned long); + +#define RBT_INITIALIZER(_head) { { NULL } } + +#define RBT_PROTOTYPE(_name, _type, _field, _cmp) \ +extern const struct rb_type *const _name##_RBT_TYPE; \ + \ +__unused static inline void \ +_name##_RBT_INIT(struct _name *head) \ +{ \ + _rb_init(&head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_INSERT(struct _name *head, struct _type *elm) \ +{ \ + return _rb_insert(_name##_RBT_TYPE, &head->rbh_root, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_REMOVE(struct _name *head, struct _type *elm) \ +{ \ + return _rb_remove(_name##_RBT_TYPE, &head->rbh_root, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_FIND(struct _name *head, const struct _type *key) \ +{ \ + return _rb_find(_name##_RBT_TYPE, &head->rbh_root, key); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_NFIND(struct _name *head, const struct _type *key) \ +{ \ + return _rb_nfind(_name##_RBT_TYPE, &head->rbh_root, key); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_ROOT(struct _name *head) \ +{ \ + return _rb_root(_name##_RBT_TYPE, &head->rbh_root); \ +} \ + \ +__unused static inline int \ +_name##_RBT_EMPTY(struct _name *head) \ +{ \ + return _rb_empty(&head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_MIN(struct _name *head) \ +{ \ + return _rb_min(_name##_RBT_TYPE, &head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_MAX(struct _name *head) \ +{ \ + return _rb_max(_name##_RBT_TYPE, &head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_NEXT(struct _type *elm) \ +{ \ + return _rb_next(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_PREV(struct _type *elm) \ +{ \ + return _rb_prev(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_LEFT(struct _type *elm) \ +{ \ + return _rb_left(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_RIGHT(struct _type *elm) \ +{ \ + return _rb_right(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_PARENT(struct _type *elm) \ +{ \ + return _rb_parent(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline void \ +_name##_RBT_SET_LEFT(struct _type *elm, struct _type *left) \ +{ \ + return _rb_set_left(_name##_RBT_TYPE, elm, left); \ +} \ + \ +__unused static inline void \ +_name##_RBT_SET_RIGHT(struct _type *elm, struct _type *right) \ +{ \ + return _rb_set_right(_name##_RBT_TYPE, elm, right); \ +} \ + \ +__unused static inline void \ +_name##_RBT_SET_PARENT(struct _type *elm, struct _type *parent) \ +{ \ + return _rb_set_parent(_name##_RBT_TYPE, elm, parent); \ +} \ + \ +__unused static inline void \ +_name##_RBT_POISON(struct _type *elm, unsigned long poison) \ +{ \ + return _rb_poison(_name##_RBT_TYPE, elm, poison); \ +} \ + \ +__unused static inline int \ +_name##_RBT_CHECK(struct _type *elm, unsigned long poison) \ +{ \ + return _rb_check(_name##_RBT_TYPE, elm, poison); \ +} + +#define RBT_GENERATE_INTERNAL(_name, _type, _field, _cmp, _aug) \ +static int \ +_name##_RBT_COMPARE(const void *lptr, const void *rptr) \ +{ \ + const struct _type *l = lptr, *r = rptr; \ + return _cmp(l, r); \ +} \ +static const struct rb_type _name##_RBT_INFO = { \ + _name##_RBT_COMPARE, \ + _aug, \ + offsetof(struct _type, _field), \ +}; \ +const struct rb_type *const _name##_RBT_TYPE = &_name##_RBT_INFO + +#define RBT_GENERATE_AUGMENT(_name, _type, _field, _cmp, _aug) \ +static void \ +_name##_RBT_AUGMENT(void *ptr) \ +{ \ + struct _type *p = ptr; \ + return _aug(p); \ +} \ +RBT_GENERATE_INTERNAL(_name, _type, _field, _cmp, _name##_RBT_AUGMENT) + +#define RBT_GENERATE(_name, _type, _field, _cmp) \ + RBT_GENERATE_INTERNAL(_name, _type, _field, _cmp, NULL) + +#define RBT_INIT(_name, _head) _name##_RBT_INIT(_head) +#define RBT_INSERT(_name, _head, _elm) _name##_RBT_INSERT(_head, _elm) +#define RBT_REMOVE(_name, _head, _elm) _name##_RBT_REMOVE(_head, _elm) +#define RBT_FIND(_name, _head, _key) _name##_RBT_FIND(_head, _key) +#define RBT_NFIND(_name, _head, _key) _name##_RBT_NFIND(_head, _key) +#define RBT_ROOT(_name, _head) _name##_RBT_ROOT(_head) +#define RBT_EMPTY(_name, _head) _name##_RBT_EMPTY(_head) +#define RBT_MIN(_name, _head) _name##_RBT_MIN(_head) +#define RBT_MAX(_name, _head) _name##_RBT_MAX(_head) +#define RBT_NEXT(_name, _elm) _name##_RBT_NEXT(_elm) +#define RBT_PREV(_name, _elm) _name##_RBT_PREV(_elm) +#define RBT_LEFT(_name, _elm) _name##_RBT_LEFT(_elm) +#define RBT_RIGHT(_name, _elm) _name##_RBT_RIGHT(_elm) +#define RBT_PARENT(_name, _elm) _name##_RBT_PARENT(_elm) +#define RBT_SET_LEFT(_name, _elm, _l) _name##_RBT_SET_LEFT(_elm, _l) +#define RBT_SET_RIGHT(_name, _elm, _r) _name##_RBT_SET_RIGHT(_elm, _r) +#define RBT_SET_PARENT(_name, _elm, _p) _name##_RBT_SET_PARENT(_elm, _p) +#define RBT_POISON(_name, _elm, _p) _name##_RBT_POISON(_elm, _p) +#define RBT_CHECK(_name, _elm, _p) _name##_RBT_CHECK(_elm, _p) + +#define RBT_FOREACH(_e, _name, _head) \ + for ((_e) = RBT_MIN(_name, (_head)); \ + (_e) != NULL; \ + (_e) = RBT_NEXT(_name, (_e))) + +#define RBT_FOREACH_SAFE(_e, _name, _head, _n) \ + for ((_e) = RBT_MIN(_name, (_head)); \ + (_e) != NULL && ((_n) = RBT_NEXT(_name, (_e)), 1); \ + (_e) = (_n)) + +#define RBT_FOREACH_REVERSE(_e, _name, _head) \ + for ((_e) = RBT_MAX(_name, (_head)); \ + (_e) != NULL; \ + (_e) = RBT_PREV(_name, (_e))) + +#define RBT_FOREACH_REVERSE_SAFE(_e, _name, _head, _n) \ + for ((_e) = RBT_MAX(_name, (_head)); \ + (_e) != NULL && ((_n) = RBT_PREV(_name, (_e)), 1); \ + (_e) = (_n)) + +#endif /* _SYS_TREE_H_ */ diff --git a/include/compat/unistd.h b/include/compat/unistd.h index f521b943..5e6ab1d8 100644 --- a/include/compat/unistd.h +++ b/include/compat/unistd.h @@ -37,7 +37,14 @@ ssize_t pwrite(int d, const void *buf, size_t nbytes, off_t offset); #define access _access -unsigned int sleep(unsigned int seconds); +#ifdef _MSC_VER +#include +static inline unsigned int sleep(unsigned int seconds) +{ + Sleep(seconds * 1000); + return seconds; +} +#endif int ftruncate(int fd, off_t length); uid_t getuid(void); diff --git a/include/openssl/Makefile.am b/include/openssl/Makefile.am index 54f7f818..3e307acf 100644 --- a/include/openssl/Makefile.am +++ b/include/openssl/Makefile.am @@ -1,5 +1,6 @@ include $(top_srcdir)/Makefile.am.common +if !ENABLE_LIBTLS_ONLY opensslincludedir=$(includedir)/openssl opensslinclude_HEADERS = @@ -73,5 +74,7 @@ opensslinclude_HEADERS += ui.h opensslinclude_HEADERS += ui_compat.h opensslinclude_HEADERS += whrlpool.h opensslinclude_HEADERS += x509.h +opensslinclude_HEADERS += x509_verify.h opensslinclude_HEADERS += x509_vfy.h opensslinclude_HEADERS += x509v3.h +endif diff --git a/include/openssl/Makefile.in b/include/openssl/Makefile.in index e79be502..6b2d9cc7 100644 --- a/include/openssl/Makefile.in +++ b/include/openssl/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -90,7 +90,9 @@ build_triplet = @build@ host_triplet = @host@ subdir = include/openssl ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -99,7 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(opensslinclude_HEADERS) \ +DIST_COMMON = $(srcdir)/Makefile.am $(am__opensslinclude_HEADERS_DIST) \ $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = @@ -123,6 +125,17 @@ am__can_run_installinfo = \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +am__opensslinclude_HEADERS_DIST = aes.h asn1.h asn1t.h bio.h \ + blowfish.h bn.h buffer.h camellia.h cast.h chacha.h cmac.h \ + cms.h comp.h conf.h conf_api.h crypto.h curve25519.h des.h \ + dh.h dsa.h dso.h dtls1.h ec.h ecdh.h ecdsa.h engine.h err.h \ + evp.h gost.h hkdf.h hmac.h idea.h lhash.h md4.h md5.h modes.h \ + obj_mac.h objects.h ocsp.h opensslconf.h opensslfeatures.h \ + opensslv.h ossl_typ.h pem.h pem2.h pkcs12.h pkcs7.h poly1305.h \ + rand.h rc2.h rc4.h ripemd.h rsa.h safestack.h sha.h sm3.h \ + sm4.h srtp.h ssl.h ssl2.h ssl23.h ssl3.h stack.h tls1.h ts.h \ + txt_db.h ui.h ui_compat.h whrlpool.h x509.h x509_verify.h \ + x509_vfy.h x509v3.h am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -289,6 +302,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -301,17 +315,26 @@ AM_CFLAGS = AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \ -D__END_HIDDEN_DECLS= -opensslincludedir = $(includedir)/openssl -opensslinclude_HEADERS = aes.h asn1.h asn1t.h bio.h blowfish.h bn.h \ - buffer.h camellia.h cast.h chacha.h cmac.h cms.h comp.h conf.h \ - conf_api.h crypto.h curve25519.h des.h dh.h dsa.h dso.h \ - dtls1.h ec.h ecdh.h ecdsa.h engine.h err.h evp.h gost.h hkdf.h \ - hmac.h idea.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h \ - ocsp.h opensslconf.h opensslfeatures.h opensslv.h ossl_typ.h \ - pem.h pem2.h pkcs12.h pkcs7.h poly1305.h rand.h rc2.h rc4.h \ - ripemd.h rsa.h safestack.h sha.h sm3.h sm4.h srtp.h ssl.h \ - ssl2.h ssl23.h ssl3.h stack.h tls1.h ts.h txt_db.h ui.h \ - ui_compat.h whrlpool.h x509.h x509_vfy.h x509v3.h +@ENABLE_LIBTLS_ONLY_FALSE@opensslincludedir = $(includedir)/openssl +@ENABLE_LIBTLS_ONLY_FALSE@opensslinclude_HEADERS = aes.h asn1.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ asn1t.h bio.h blowfish.h bn.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ buffer.h camellia.h cast.h chacha.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ cmac.h cms.h comp.h conf.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ conf_api.h crypto.h curve25519.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ des.h dh.h dsa.h dso.h dtls1.h ec.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ ecdh.h ecdsa.h engine.h err.h evp.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ gost.h hkdf.h hmac.h idea.h lhash.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ md4.h md5.h modes.h obj_mac.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ objects.h ocsp.h opensslconf.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ opensslfeatures.h opensslv.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ ossl_typ.h pem.h pem2.h pkcs12.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ pkcs7.h poly1305.h rand.h rc2.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ rc4.h ripemd.h rsa.h safestack.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ sha.h sm3.h sm4.h srtp.h ssl.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ ssl2.h ssl23.h ssl3.h stack.h tls1.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ ts.h txt_db.h ui.h ui_compat.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ whrlpool.h x509.h x509_verify.h \ +@ENABLE_LIBTLS_ONLY_FALSE@ x509_vfy.h x509v3.h all: all-am .SUFFIXES: diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index 0a8da415..76c294ad 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1.h,v 1.53 2018/11/30 04:51:19 jeremy Exp $ */ +/* $OpenBSD: asn1.h,v 1.54 2020/12/08 15:06:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1137,6 +1137,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BAD_TEMPLATE 230 #define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 diff --git a/include/openssl/conf.h b/include/openssl/conf.h index 095066d3..bea6a871 100644 --- a/include/openssl/conf.h +++ b/include/openssl/conf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.h,v 1.14 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: conf.h,v 1.15 2020/02/17 12:51:48 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -241,6 +241,7 @@ void ERR_load_CONF_strings(void); #define CONF_R_NO_VALUE 108 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 #define CONF_R_UNKNOWN_MODULE_NAME 113 +#define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116 #define CONF_R_VARIABLE_HAS_NO_VALUE 104 #ifdef __cplusplus diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index a0018f2a..3b38f34d 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dtls1.h,v 1.22 2018/08/24 19:35:05 jsing Exp $ */ +/* $OpenBSD: dtls1.h,v 1.25 2021/03/31 16:59:32 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -78,6 +78,8 @@ extern "C" { #endif #define DTLS1_VERSION 0xFEFF +#define DTLS1_2_VERSION 0xFEFD +#define DTLS1_VERSION_MAJOR 0xFE /* lengths of messages */ #define DTLS1_COOKIE_LENGTH 256 @@ -165,6 +167,8 @@ typedef struct dtls1_state_st { struct dtls1_state_internal_st *internal; } DTLS1_STATE; +#ifndef LIBRESSL_INTERNAL + typedef struct dtls1_record_data_st { unsigned char *packet; unsigned int packet_length; @@ -174,6 +178,8 @@ typedef struct dtls1_record_data_st { #endif +#endif + /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */ #define DTLS1_TMO_READ_COUNT 2 #define DTLS1_TMO_WRITE_COUNT 2 diff --git a/include/openssl/evp.h b/include/openssl/evp.h index b49fc613..e8a6eea0 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.77 2019/09/09 18:06:25 jsing Exp $ */ +/* $OpenBSD: evp.h,v 1.81 2021/03/31 16:47:01 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -99,6 +99,7 @@ #define EVP_PKEY_NONE NID_undef #define EVP_PKEY_RSA NID_rsaEncryption +#define EVP_PKEY_RSA_PSS NID_rsassaPss #define EVP_PKEY_RSA2 NID_rsa #define EVP_PKEY_DSA NID_dsa #define EVP_PKEY_DSA1 NID_dsa_2 @@ -1148,6 +1149,8 @@ void EVP_PKEY_CTX_set0_keygen_info(EVP_PKEY_CTX *ctx, int *dat, int datlen); EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key, int keylen); +EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, + size_t len, const EVP_CIPHER *cipher); void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data); void *EVP_PKEY_CTX_get_data(EVP_PKEY_CTX *ctx); @@ -1506,10 +1509,12 @@ void ERR_load_EVP_strings(void); #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST 152 #define EVP_R_INVALID_FIPS_MODE 168 +#define EVP_R_INVALID_IV_LENGTH 194 #define EVP_R_INVALID_KEY_LENGTH 130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 #define EVP_R_KEYGEN_FAILURE 120 +#define EVP_R_KEY_SETUP_FAILED 180 #define EVP_R_MESSAGE_DIGEST_IS_NULL 159 #define EVP_R_METHOD_NOT_SUPPORTED 144 #define EVP_R_MISSING_PARAMETERS 103 diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 2699111e..61718f1b 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -590,6 +590,11 @@ #define NID_mgf1 911 #define OBJ_mgf1 OBJ_pkcs1,8L +#define SN_pSpecified "PSPECIFIED" +#define LN_pSpecified "pSpecified" +#define NID_pSpecified 992 +#define OBJ_pSpecified OBJ_pkcs1,9L + #define SN_rsassaPss "RSASSA-PSS" #define LN_rsassaPss "rsassaPss" #define NID_rsassaPss 912 @@ -848,10 +853,30 @@ #define NID_id_smime_ct_compressedData 786 #define OBJ_id_smime_ct_compressedData OBJ_id_smime_ct,9L +#define SN_id_ct_routeOriginAuthz "id-ct-routeOriginAuthz" +#define NID_id_ct_routeOriginAuthz 1001 +#define OBJ_id_ct_routeOriginAuthz OBJ_id_smime_ct,24L + +#define SN_id_ct_rpkiManifest "id-ct-rpkiManifest" +#define NID_id_ct_rpkiManifest 1002 +#define OBJ_id_ct_rpkiManifest OBJ_id_smime_ct,26L + #define SN_id_ct_asciiTextWithCRLF "id-ct-asciiTextWithCRLF" #define NID_id_ct_asciiTextWithCRLF 787 #define OBJ_id_ct_asciiTextWithCRLF OBJ_id_smime_ct,27L +#define SN_id_ct_rpkiGhostbusters "id-ct-rpkiGhostbusters" +#define NID_id_ct_rpkiGhostbusters 1003 +#define OBJ_id_ct_rpkiGhostbusters OBJ_id_smime_ct,35L + +#define SN_id_ct_resourceTaggedAttest "id-ct-resourceTaggedAttest" +#define NID_id_ct_resourceTaggedAttest 1004 +#define OBJ_id_ct_resourceTaggedAttest OBJ_id_smime_ct,36L + +#define SN_id_ct_geofeedCSVwithCRLF "id-ct-geofeedCSVwithCRLF" +#define NID_id_ct_geofeedCSVwithCRLF 1013 +#define OBJ_id_ct_geofeedCSVwithCRLF OBJ_id_smime_ct,47L + #define SN_id_smime_aa_receiptRequest "id-smime-aa-receiptRequest" #define NID_id_smime_aa_receiptRequest 212 #define OBJ_id_smime_aa_receiptRequest OBJ_id_smime_aa,1L @@ -1361,6 +1386,10 @@ #define NID_id_cct 268 #define OBJ_id_cct OBJ_id_pkix,12L +#define SN_id_cp "id-cp" +#define NID_id_cp 1005 +#define OBJ_id_cp OBJ_id_pkix,14L + #define SN_id_ppl "id-ppl" #define NID_id_ppl 662 #define OBJ_id_ppl OBJ_id_pkix,21L @@ -1485,6 +1514,14 @@ #define NID_proxyCertInfo 663 #define OBJ_proxyCertInfo OBJ_id_pe,14L +#define SN_sbgp_ipAddrBlockv2 "sbgp-ipAddrBlockv2" +#define NID_sbgp_ipAddrBlockv2 1006 +#define OBJ_sbgp_ipAddrBlockv2 OBJ_id_pe,28L + +#define SN_sbgp_autonomousSysNumv2 "sbgp-autonomousSysNumv2" +#define NID_sbgp_autonomousSysNumv2 1007 +#define OBJ_sbgp_autonomousSysNumv2 OBJ_id_pe,29L + #define SN_id_qt_cps "id-qt-cps" #define LN_id_qt_cps "Policy Qualifier CPS" #define NID_id_qt_cps 164 @@ -1818,6 +1855,14 @@ #define NID_id_cct_PKIResponse 362 #define OBJ_id_cct_PKIResponse OBJ_id_cct,3L +#define SN_ipAddr_asNumber "ipAddr-asNumber" +#define NID_ipAddr_asNumber 1008 +#define OBJ_ipAddr_asNumber OBJ_id_cp,2L + +#define SN_ipAddr_asNumberv2 "ipAddr-asNumberv2" +#define NID_ipAddr_asNumberv2 1009 +#define OBJ_ipAddr_asNumberv2 OBJ_id_cp,3L + #define SN_id_ppl_anyLanguage "id-ppl-anyLanguage" #define LN_id_ppl_anyLanguage "Any language" #define NID_id_ppl_anyLanguage 664 @@ -1858,6 +1903,21 @@ #define NID_caRepository 785 #define OBJ_caRepository OBJ_id_ad,5L +#define SN_rpkiManifest "rpkiManifest" +#define LN_rpkiManifest "RPKI Manifest" +#define NID_rpkiManifest 1010 +#define OBJ_rpkiManifest OBJ_id_ad,10L + +#define SN_signedObject "signedObject" +#define LN_signedObject "Signed Object" +#define NID_signedObject 1011 +#define OBJ_signedObject OBJ_id_ad,11L + +#define SN_rpkiNotify "rpkiNotify" +#define LN_rpkiNotify "RPKI Notify" +#define NID_rpkiNotify 1012 +#define OBJ_rpkiNotify OBJ_id_ad,13L + #define OBJ_id_pkix_OCSP OBJ_ad_OCSP #define SN_id_pkix_OCSP_basic "basicOCSPResponse" @@ -4248,13 +4308,55 @@ #define NID_id_tc26_gost3411_2012_512 942 #define OBJ_id_tc26_gost3411_2012_512 OBJ_tc26,1L,2L,3L -#define SN_id_tc26_gost_3410_2012_512_paramSetA "id-tc26-gost-3410-2012-512-paramSetA" -#define NID_id_tc26_gost_3410_2012_512_paramSetA 943 -#define OBJ_id_tc26_gost_3410_2012_512_paramSetA OBJ_tc26,2L,1L,2L,1L - -#define SN_id_tc26_gost_3410_2012_512_paramSetB "id-tc26-gost-3410-2012-512-paramSetB" -#define NID_id_tc26_gost_3410_2012_512_paramSetB 944 -#define OBJ_id_tc26_gost_3410_2012_512_paramSetB OBJ_tc26,2L,1L,2L,2L +#define SN_id_tc26_hmac_gost_3411_12_256 "id-tc26-hmac-gost-3411-12-256" +#define LN_id_tc26_hmac_gost_3411_12_256 "HMAC STREEBOG 256" +#define NID_id_tc26_hmac_gost_3411_12_256 999 +#define OBJ_id_tc26_hmac_gost_3411_12_256 OBJ_tc26,1L,4L,1L + +#define SN_id_tc26_hmac_gost_3411_12_512 "id-tc26-hmac-gost-3411-12-512" +#define LN_id_tc26_hmac_gost_3411_12_512 "HMAC STREEBOG 512" +#define NID_id_tc26_hmac_gost_3411_12_512 1000 +#define OBJ_id_tc26_hmac_gost_3411_12_512 OBJ_tc26,1L,4L,2L + +#define SN_id_tc26_gost_3410_12_256_paramSetA "id-tc26-gost-3410-12-256-paramSetA" +#define LN_id_tc26_gost_3410_12_256_paramSetA "GOST R 34.10-2012 (256 bit) ParamSet A" +#define NID_id_tc26_gost_3410_12_256_paramSetA 993 +#define OBJ_id_tc26_gost_3410_12_256_paramSetA OBJ_tc26,2L,1L,1L,1L + +#define SN_id_tc26_gost_3410_12_256_paramSetB "id-tc26-gost-3410-12-256-paramSetB" +#define LN_id_tc26_gost_3410_12_256_paramSetB "GOST R 34.10-2012 (256 bit) ParamSet B" +#define NID_id_tc26_gost_3410_12_256_paramSetB 994 +#define OBJ_id_tc26_gost_3410_12_256_paramSetB OBJ_tc26,2L,1L,1L,2L + +#define SN_id_tc26_gost_3410_12_256_paramSetC "id-tc26-gost-3410-12-256-paramSetC" +#define LN_id_tc26_gost_3410_12_256_paramSetC "GOST R 34.10-2012 (256 bit) ParamSet C" +#define NID_id_tc26_gost_3410_12_256_paramSetC 995 +#define OBJ_id_tc26_gost_3410_12_256_paramSetC OBJ_tc26,2L,1L,1L,3L + +#define SN_id_tc26_gost_3410_12_256_paramSetD "id-tc26-gost-3410-12-256-paramSetD" +#define LN_id_tc26_gost_3410_12_256_paramSetD "GOST R 34.10-2012 (256 bit) ParamSet D" +#define NID_id_tc26_gost_3410_12_256_paramSetD 996 +#define OBJ_id_tc26_gost_3410_12_256_paramSetD OBJ_tc26,2L,1L,1L,4L + +#define SN_id_tc26_gost_3410_12_512_paramSetTest "id-tc26-gost-3410-12-512-paramSetTest" +#define LN_id_tc26_gost_3410_12_512_paramSetTest "GOST R 34.10-2012 (512 bit) testing parameter set" +#define NID_id_tc26_gost_3410_12_512_paramSetTest 997 +#define OBJ_id_tc26_gost_3410_12_512_paramSetTest OBJ_tc26,2L,1L,2L,0L + +#define SN_id_tc26_gost_3410_12_512_paramSetA "id-tc26-gost-3410-12-512-paramSetA" +#define LN_id_tc26_gost_3410_12_512_paramSetA "GOST R 34.10-2012 (512 bit) ParamSet A" +#define NID_id_tc26_gost_3410_12_512_paramSetA 943 +#define OBJ_id_tc26_gost_3410_12_512_paramSetA OBJ_tc26,2L,1L,2L,1L + +#define SN_id_tc26_gost_3410_12_512_paramSetB "id-tc26-gost-3410-12-512-paramSetB" +#define LN_id_tc26_gost_3410_12_512_paramSetB "GOST R 34.10-2012 (512 bit) ParamSet B" +#define NID_id_tc26_gost_3410_12_512_paramSetB 944 +#define OBJ_id_tc26_gost_3410_12_512_paramSetB OBJ_tc26,2L,1L,2L,2L + +#define SN_id_tc26_gost_3410_12_512_paramSetC "id-tc26-gost-3410-12-512-paramSetC" +#define LN_id_tc26_gost_3410_12_512_paramSetC "GOST R 34.10-2012 (512 bit) ParamSet C" +#define NID_id_tc26_gost_3410_12_512_paramSetC 998 +#define OBJ_id_tc26_gost_3410_12_512_paramSetC OBJ_tc26,2L,1L,2L,3L #define SN_id_tc26_gost_28147_param_Z "id-tc26-gost-28147-param-Z" #define NID_id_tc26_gost_28147_param_Z 945 diff --git a/include/openssl/opensslfeatures.h b/include/openssl/opensslfeatures.h index 688d478d..20696d3d 100644 --- a/include/openssl/opensslfeatures.h +++ b/include/openssl/opensslfeatures.h @@ -4,6 +4,7 @@ * enabled (or possibly not yet not implemented, or removed!). */ /* #define LIBRESSL_HAS_TLS1_3 */ +/* #define LIBRESSL_HAS_DTLS1_2 */ #define OPENSSL_THREADS @@ -31,16 +32,18 @@ /* #define OPENSSL_NO_BF */ /* #define OPENSSL_NO_BLAKE2 */ /* #define OPENSSL_NO_CAMELLIA */ +/* #define OPENSSL_NO_CAPIENG */ /* #define OPENSSL_NO_CAST */ /* #define OPENSSL_NO_CHACHA */ /* #define OPENSSL_NO_CMAC */ -#define OPENSSL_NO_CMS +/* #define OPENSSL_NO_CMS */ #define OPENSSL_NO_COMP /* XXX */ /* #define OPENSSL_NO_CRYPTO_MDEBUG */ /* #define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE */ /* #define OPENSSL_NO_CT */ /* #define OPENSSL_NO_DECC_INIT */ /* #define OPENSSL_NO_DES */ +/* #define OPENSSL_NO_DEVCRYPTOENG */ /* #define OPENSSL_NO_DGRAM */ /* #define OPENSSL_NO_DH */ /* #define OPENSSL_NO_DSA */ @@ -57,12 +60,14 @@ #define OPENSSL_NO_EGD /* #define OPENSSL_NO_ENGINE */ /* #define OPENSSL_NO_ERR */ +/* #define OPENSSL_NO_FUZZ_AFL */ /* #define OPENSSL_NO_FUZZ_LIBFUZZER */ /* #define OPENSSL_NO_GOST */ #define OPENSSL_NO_HEARTBEATS /* #define OPENSSL_NO_HW */ /* #define OPENSSL_NO_HW_PADLOCK */ /* #define OPENSSL_NO_IDEA */ +/* #define OPENSSL_NO_INLINE_ASM */ #define OPENSSL_NO_MD2 /* #define OPENSSL_NO_MD4 */ /* #define OPENSSL_NO_MD5 */ @@ -71,17 +76,20 @@ /* #define OPENSSL_NO_NEXTPROTONEG */ /* #define OPENSSL_NO_OCB */ /* #define OPENSSL_NO_OCSP */ +/* #define OPENSSL_NO_PINSHARED */ /* #define OPENSSL_NO_POLY1305 */ /* #define OPENSSL_NO_POSIX_IO */ #define OPENSSL_NO_PSK /* #define OPENSSL_NO_RC2 */ /* #define OPENSSL_NO_RC4 */ #define OPENSSL_NO_RC5 +/* #define OPENSSL_NO_RDRAND */ #define OPENSSL_NO_RFC3779 /* #define OPENSSL_NO_RMD160 */ /* #define OPENSSL_NO_RSA */ /* #define OPENSSL_NO_SCRYPT */ #define OPENSSL_NO_SCTP +/* #define OPENSSL_NO_SECURE_MEMORY */ #define OPENSSL_NO_SEED /* #define OPENSSL_NO_SIPHASH */ /* #define OPENSSL_NO_SM2 */ @@ -92,7 +100,8 @@ /* #define OPENSSL_NO_SRTP */ #define OPENSSL_NO_SSL3 #define OPENSSL_NO_SSL3_METHOD -/* #define OPENSSL_NO_SSL_TRACE */ +#define OPENSSL_NO_SSL_TRACE +/* #define OPENSSL_NO_STATIC_ENGINE */ /* #define OPENSSL_NO_STDIO */ /* #define OPENSSL_NO_TLS */ /* #define OPENSSL_NO_TLS1 */ diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index a32b0b25..cc5fe4da 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -1,11 +1,11 @@ -/* $OpenBSD: opensslv.h,v 1.55 2019/10/10 14:29:20 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.61 2020/09/25 11:31:39 bcook Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x3000200fL +#define LIBRESSL_VERSION_NUMBER 0x3030300fL /* ^ Patch starts here */ -#define LIBRESSL_VERSION_TEXT "LibreSSL 3.0.2" +#define LIBRESSL_VERSION_TEXT "LibreSSL 3.3.3" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 2aa472f5..78ac04cf 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.40 2019/06/05 15:41:33 gilles Exp $ */ +/* $OpenBSD: rsa.h,v 1.51 2019/11/04 12:30:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -84,6 +84,25 @@ extern "C" { /* typedef struct rsa_st RSA; */ /* typedef struct rsa_meth_st RSA_METHOD; */ +typedef struct rsa_pss_params_st { + X509_ALGOR *hashAlgorithm; + X509_ALGOR *maskGenAlgorithm; + ASN1_INTEGER *saltLength; + ASN1_INTEGER *trailerField; + + /* Hash algorithm decoded from maskGenAlgorithm. */ + X509_ALGOR *maskHash; +} RSA_PSS_PARAMS; + +typedef struct rsa_oaep_params_st { + X509_ALGOR *hashFunc; + X509_ALGOR *maskGenFunc; + X509_ALGOR *pSourceFunc; + + /* Hash algorithm decoded from maskGenFunc. */ + X509_ALGOR *maskHash; +} RSA_OAEP_PARAMS; + struct rsa_meth_st { const char *name; int (*rsa_pub_enc)(int flen, const unsigned char *from, @@ -127,6 +146,7 @@ struct rsa_st { int pad; long version; const RSA_METHOD *meth; + /* functional reference if 'meth' is ENGINE-provided */ ENGINE *engine; BIGNUM *n; @@ -137,6 +157,10 @@ struct rsa_st { BIGNUM *dmp1; BIGNUM *dmq1; BIGNUM *iqmp; + + /* Parameter restrictions for PSS only keys. */ + RSA_PSS_PARAMS *pss; + /* be careful using this if the RSA structure is shared */ CRYPTO_EX_DATA ex_data; int references; @@ -194,53 +218,88 @@ struct rsa_st { */ #define RSA_FLAG_NO_BLINDING 0x0080 +/* Salt length matches digest */ +#define RSA_PSS_SALTLEN_DIGEST -1 +/* Verify only: auto detect salt length */ +#define RSA_PSS_SALTLEN_AUTO -2 +/* Set salt length to maximum possible */ +#define RSA_PSS_SALTLEN_MAX -3 + #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ - pad, NULL) + RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL) #define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \ - EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad) + RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad) #define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ - (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ - EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \ - len, NULL) + RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL) + +#define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, len) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL) #define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ - (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ - EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \ - 0, plen) + RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, plen) #define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ - EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) #define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ - EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) + +#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \ + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)) -#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ - EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md) +#define EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)) -#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ - EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd) +#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)) -#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) -#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) +#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \ + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(pmd)) -#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) -#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) -#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5) +#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd)) + +#define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l)) + +#define EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, l) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l)) + +#define EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, \ + EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_MD, 0, (void *)(md)) + +#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) +#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) + +#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) +#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) +#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5) #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6) #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7) #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8) +#define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 9) +#define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 10) + +#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 11) +#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12) + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 @@ -289,11 +348,13 @@ const RSA_METHOD *RSA_get_default_method(void); const RSA_METHOD *RSA_get_method(const RSA *rsa); int RSA_set_method(RSA *rsa, const RSA_METHOD *meth); -/* these are the actual SSLeay RSA functions */ +const RSA_METHOD *RSA_PKCS1_OpenSSL(void); const RSA_METHOD *RSA_PKCS1_SSLeay(void); const RSA_METHOD *RSA_null_method(void); +int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2); + RSA *d2i_RSAPublicKey(RSA **a, const unsigned char **in, long len); int i2d_RSAPublicKey(const RSA *a, unsigned char **out); extern const ASN1_ITEM RSAPublicKey_it; @@ -301,19 +362,18 @@ RSA *d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len); int i2d_RSAPrivateKey(const RSA *a, unsigned char **out); extern const ASN1_ITEM RSAPrivateKey_it; -typedef struct rsa_pss_params_st { - X509_ALGOR *hashAlgorithm; - X509_ALGOR *maskGenAlgorithm; - ASN1_INTEGER *saltLength; - ASN1_INTEGER *trailerField; -} RSA_PSS_PARAMS; - RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void); void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a); RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len); int i2d_RSA_PSS_PARAMS(RSA_PSS_PARAMS *a, unsigned char **out); extern const ASN1_ITEM RSA_PSS_PARAMS_it; +RSA_OAEP_PARAMS *RSA_OAEP_PARAMS_new(void); +void RSA_OAEP_PARAMS_free(RSA_OAEP_PARAMS *a); +RSA_OAEP_PARAMS *d2i_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS **a, const unsigned char **in, long len); +int i2d_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS *a, unsigned char **out); +extern const ASN1_ITEM RSA_OAEP_PARAMS_it; + int RSA_print_fp(FILE *fp, const RSA *r, int offset); #ifndef OPENSSL_NO_BIO @@ -368,6 +428,12 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *f, int fl, int rsa_len, const unsigned char *p, int pl); +int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, const unsigned char *param, int plen, + const EVP_MD *md, const EVP_MD *mgf1md); +int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, int num, const unsigned char *param, + int plen, const EVP_MD *md, const EVP_MD *mgf1md); int RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *f, int fl); int RSA_padding_check_none(unsigned char *to, int tlen, @@ -568,17 +634,22 @@ void ERR_load_RSA_strings(void); #define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132 #define RSA_R_DATA_TOO_SMALL 111 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122 +#define RSA_R_DIGEST_DOES_NOT_MATCH 158 +#define RSA_R_DIGEST_NOT_ALLOWED 145 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112 #define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124 #define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125 #define RSA_R_D_E_NOT_CONGRUENT_TO_1 123 #define RSA_R_FIRST_OCTET_INVALID 133 #define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144 +#define RSA_R_INVALID_DIGEST 157 #define RSA_R_INVALID_DIGEST_LENGTH 143 #define RSA_R_INVALID_HEADER 137 #define RSA_R_INVALID_KEYBITS 145 +#define RSA_R_INVALID_LABEL 160 #define RSA_R_INVALID_MESSAGE_LENGTH 131 #define RSA_R_INVALID_MGF1_MD 156 +#define RSA_R_INVALID_OAEP_PARAMETERS 161 #define RSA_R_INVALID_PADDING 138 #define RSA_R_INVALID_PADDING_MODE 141 #define RSA_R_INVALID_PSS_PARAMETERS 149 @@ -590,6 +661,7 @@ void ERR_load_RSA_strings(void); #define RSA_R_KEY_SIZE_TOO_SMALL 120 #define RSA_R_LAST_OCTET_INVALID 134 #define RSA_R_MODULUS_TOO_LARGE 105 +#define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152 #define RSA_R_NON_FIPS_RSA_METHOD 157 #define RSA_R_NO_PUBLIC_EXPONENT 140 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 @@ -598,6 +670,7 @@ void ERR_load_RSA_strings(void); #define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158 #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 +#define RSA_R_PSS_SALTLEN_TOO_SMALL 164 #define RSA_R_P_NOT_PRIME 128 #define RSA_R_Q_NOT_PRIME 129 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 @@ -606,9 +679,12 @@ void ERR_load_RSA_strings(void); #define RSA_R_SSLV3_ROLLBACK_ATTACK 115 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 #define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 +#define RSA_R_UNKNOWN_DIGEST 166 #define RSA_R_UNKNOWN_MASK_DIGEST 151 #define RSA_R_UNKNOWN_PADDING_TYPE 118 #define RSA_R_UNKNOWN_PSS_DIGEST 152 +#define RSA_R_UNSUPPORTED_ENCRYPTION_TYPE 162 +#define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 #define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 #define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 #define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index fc89b0ef..5ed2198b 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.166 2019/04/04 15:03:21 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.186 2021/03/31 16:59:32 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -301,6 +301,7 @@ extern "C" { #define SSL_TXT_STREEBOG512 "STREEBOG512" #define SSL_TXT_DTLS1 "DTLSv1" +#define SSL_TXT_DTLS1_2 "DTLSv1.2" #define SSL_TXT_SSLV2 "SSLv2" #define SSL_TXT_SSLV3 "SSLv3" #define SSL_TXT_TLSV1 "TLSv1" @@ -403,7 +404,7 @@ struct ssl_method_internal_st; struct ssl_method_st { int (*ssl_dispatch_alert)(SSL *s); int (*num_ciphers)(void); - const SSL_CIPHER *(*get_cipher)(unsigned ncipher); + const SSL_CIPHER *(*get_cipher)(unsigned int ncipher); const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr); @@ -520,6 +521,9 @@ struct ssl_session_st { #define SSL_OP_NO_TLSv1_3 0x20000000L #endif +#define SSL_OP_NO_DTLSv1 0x40000000L +#define SSL_OP_NO_DTLSv1_2 0x80000000L + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */ #define SSL_OP_ALL \ (SSL_OP_LEGACY_SERVER_CONNECT) @@ -766,7 +770,7 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, const unsigned char *client, unsigned int client_len); void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len); + unsigned int *len); #define OPENSSL_NPN_UNSUPPORTED 0 #define OPENSSL_NPN_NEGOTIATED 1 @@ -1126,7 +1130,12 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_SET_ECDH_AUTO 94 +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_CTRL_GET_PEER_TMP_KEY 109 +#define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY +#else #define SSL_CTRL_GET_SERVER_TMP_KEY 109 +#endif #define SSL_CTRL_GET_CHAIN_CERTS 115 @@ -1219,16 +1228,23 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version); #define SSL_set1_curves_list SSL_set1_groups_list #endif -#define SSL_CTX_add_extra_chain_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) -#define SSL_CTX_get_extra_chain_certs(ctx,px509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509) +#define SSL_CTX_add_extra_chain_cert(ctx, x509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509) +#define SSL_CTX_get_extra_chain_certs(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 0, px509) +#define SSL_CTX_get_extra_chain_certs_only(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 1, px509) #define SSL_CTX_clear_extra_chain_certs(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL) + SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL) #define SSL_get_server_tmp_key(s, pk) \ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_get_peer_tmp_key(s, pk) \ + SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk) +#endif /* LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL */ + #ifndef LIBRESSL_INTERNAL /* * Also provide those functions as macros for compatibility with @@ -1273,6 +1289,9 @@ void BIO_ssl_shutdown(BIO *ssl_bio); STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str); +#endif SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); void SSL_CTX_free(SSL_CTX *); int SSL_CTX_up_ref(SSL_CTX *ctx); @@ -1314,6 +1333,9 @@ void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); BIO * SSL_get_rbio(const SSL *s); BIO * SSL_get_wbio(const SSL *s); int SSL_set_cipher_list(SSL *s, const char *str); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +int SSL_set_ciphersuites(SSL *s, const char *str); +#endif void SSL_set_read_ahead(SSL *s, int yes); int SSL_get_verify_mode(const SSL *s); int SSL_get_verify_depth(const SSL *s); @@ -1331,6 +1353,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_certificate_file(SSL *ssl, const char *file, int type); +int SSL_use_certificate_chain_file(SSL *ssl, const char *file); int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); @@ -1368,6 +1391,10 @@ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len); const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *ss, unsigned int *len); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *sess); +int SSL_SESSION_set_max_early_data(SSL_SESSION *sess, uint32_t max_early_data); +#endif unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s); int SSL_SESSION_has_ticket(const SSL_SESSION *s); unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *ss); @@ -1421,6 +1448,8 @@ int SSL_set_purpose(SSL *s, int purpose); int SSL_CTX_set_trust(SSL_CTX *s, int trust); int SSL_set_trust(SSL *s, int trust); int SSL_set1_host(SSL *s, const char *hostname); +void SSL_set_hostflags(SSL *s, unsigned int flags); +const char *SSL_get0_peername(SSL *s); X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); @@ -1432,10 +1461,31 @@ void SSL_free(SSL *ssl); int SSL_up_ref(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); +int SSL_is_dtls(const SSL *s); int SSL_is_server(const SSL *s); int SSL_read(SSL *ssl, void *buf, int num); int SSL_peek(SSL *ssl, void *buf, int num); int SSL_write(SSL *ssl, const void *buf, int num); + +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx); +int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data); + +uint32_t SSL_get_max_early_data(const SSL *s); +int SSL_set_max_early_data(SSL *s, uint32_t max_early_data); + +#define SSL_EARLY_DATA_NOT_SENT 0 +#define SSL_EARLY_DATA_REJECTED 1 +#define SSL_EARLY_DATA_ACCEPTED 2 +int SSL_get_early_data_status(const SSL *s); + +#define SSL_READ_EARLY_DATA_ERROR 0 +#define SSL_READ_EARLY_DATA_SUCCESS 1 +#define SSL_READ_EARLY_DATA_FINISH 2 +int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes); +int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written); +#endif + long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); long SSL_callback_ctrl(SSL *, int, void (*)(void)); long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); @@ -1471,6 +1521,10 @@ const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ +const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */ +const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */ +const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */ + const SSL_METHOD *DTLS_method(void); /* DTLS v1.0 or later */ const SSL_METHOD *DTLS_server_method(void); /* DTLS v1.0 or later */ const SSL_METHOD *DTLS_client_method(void); /* DTLS v1.0 or later */ @@ -2160,6 +2214,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #define SSL_R_PEER_BEHAVING_BADLY 666 +#define SSL_R_UNKNOWN 999 /* * OpenSSL compatible OPENSSL_INIT options diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index cadf7fd3..a102d114 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.49 2018/11/08 22:28:52 jsing Exp $ */ +/* $OpenBSD: ssl3.h,v 1.51 2020/06/05 18:14:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -314,6 +314,7 @@ extern "C" { #define TLS1_HB_RESPONSE 2 #ifndef OPENSSL_NO_SSL_INTERN +#ifndef LIBRESSL_INTERNAL typedef struct ssl3_record_st { /*r */ int type; /* type of record */ @@ -333,6 +334,7 @@ typedef struct ssl3_buffer_st { int left; /* how many bytes left */ } SSL3_BUFFER; +#endif #endif #define SSL3_CT_RSA_SIGN 1 @@ -346,7 +348,7 @@ typedef struct ssl3_buffer_st { * enough to contain all of the cert types defined either for * SSLv3 and TLSv1. */ -#define SSL3_CT_NUMBER 11 +#define SSL3_CT_NUMBER 13 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index cb68bbb5..628a6b2f 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.39 2019/03/19 16:53:03 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.42 2021/03/10 18:32:38 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -177,11 +177,13 @@ extern "C" { #define TLS1_VERSION_MAJOR 0x03 #define TLS1_VERSION_MINOR 0x01 +#ifndef LIBRESSL_INTERNAL #define TLS1_get_version(s) \ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) #define TLS1_get_client_version(s) \ ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0) +#endif /* * TLS Alert codes. @@ -280,6 +282,15 @@ extern "C" { #define TLSEXT_TYPE_key_share 51 #endif +/* + * TLS 1.3 extension names from OpenSSL, where they decided to use a different + * name from that given in RFC 8446. + */ +#if defined(LIBRESSL_HAS_TLS1_3) +#define TLSEXT_TYPE_psk TLSEXT_TYPE_pre_shared_key +#define TLSEXT_TYPE_psk_kex_modes TLSEXT_TYPE_psk_key_exchange_modes +#endif + /* Temporary extension type */ #define TLSEXT_TYPE_renegotiate 0xff01 @@ -726,16 +737,18 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) #define TLS_CT_DSS_SIGN 2 #define TLS_CT_RSA_FIXED_DH 3 #define TLS_CT_DSS_FIXED_DH 4 +#define TLS_CT_GOST94_SIGN 21 +#define TLS_CT_GOST01_SIGN 22 #define TLS_CT_ECDSA_SIGN 64 #define TLS_CT_RSA_FIXED_ECDH 65 #define TLS_CT_ECDSA_FIXED_ECDH 66 -#define TLS_CT_GOST94_SIGN 21 -#define TLS_CT_GOST01_SIGN 22 -#define TLS_CT_GOST12_256_SIGN 238 /* FIXME: IANA */ -#define TLS_CT_GOST12_512_SIGN 239 /* FIXME: IANA */ +#define TLS_CT_GOST12_256_SIGN 67 +#define TLS_CT_GOST12_512_SIGN 68 +#define TLS_CT_GOST12_256_SIGN_COMPAT 238 /* pre-IANA, for compat */ +#define TLS_CT_GOST12_512_SIGN_COMPAT 239 /* pre-IANA, for compat */ /* when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see * comment there) */ -#define TLS_CT_NUMBER 11 +#define TLS_CT_NUMBER 13 #define TLS1_FINISH_MAC_LENGTH 12 diff --git a/include/openssl/ui.h b/include/openssl/ui.h index 8035fc2b..5ca65b0a 100644 --- a/include/openssl/ui.h +++ b/include/openssl/ui.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ui.h,v 1.11 2018/06/02 04:45:21 tb Exp $ */ +/* $OpenBSD: ui.h,v 1.12 2020/09/24 19:20:32 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ @@ -76,59 +76,62 @@ extern "C" { /* typedef struct ui_method_st UI_METHOD; */ -/* All the following functions return -1 or NULL on error and in some cases - (UI_process()) -2 if interrupted or in some other way cancelled. - When everything is fine, they return 0, a positive value or a non-NULL - pointer, all depending on their purpose. */ +/* + * All the following functions return -1 or NULL on error and in some cases + * (UI_process()) -2 if interrupted or in some other way cancelled. + * When everything is fine, they return 0, a positive value or a non-NULL + * pointer, all depending on their purpose. + */ /* Creators and destructor. */ UI *UI_new(void); UI *UI_new_method(const UI_METHOD *method); void UI_free(UI *ui); -/* The following functions are used to add strings to be printed and prompt - strings to prompt for data. The names are UI_{add,dup}__string - and UI_{add,dup}_input_boolean. - - UI_{add,dup}__string have the following meanings: - add add a text or prompt string. The pointers given to these - functions are used verbatim, no copying is done. - dup make a copy of the text or prompt string, then add the copy - to the collection of strings in the user interface. - - The function is a name for the functionality that the given - string shall be used for. It can be one of: - input use the string as data prompt. - verify use the string as verification prompt. This - is used to verify a previous input. - info use the string for informational output. - error use the string for error output. - Honestly, there's currently no difference between info and error for the - moment. - - UI_{add,dup}_input_boolean have the same semantics for "add" and "dup", - and are typically used when one wants to prompt for a yes/no response. - - - All of the functions in this group take a UI and a prompt string. - The string input and verify addition functions also take a flag argument, - a buffer for the result to end up with, a minimum input size and a maximum - input size (the result buffer MUST be large enough to be able to contain - the maximum number of characters). Additionally, the verify addition - functions takes another buffer to compare the result against. - The boolean input functions take an action description string (which should - be safe to ignore if the expected user action is obvious, for example with - a dialog box with an OK button and a Cancel button), a string of acceptable - characters to mean OK and to mean Cancel. The two last strings are checked - to make sure they don't have common characters. Additionally, the same - flag argument as for the string input is taken, as well as a result buffer. - The result buffer is required to be at least one byte long. Depending on - the answer, the first character from the OK or the Cancel character strings - will be stored in the first byte of the result buffer. No NUL will be - added, so the result is *not* a string. - - On success, the all return an index of the added information. That index - is usefull when retrieving results with UI_get0_result(). */ +/* + * The following functions are used to add strings to be printed and prompt + * strings to prompt for data. The names are UI_{add,dup}__string + * and UI_{add,dup}_input_boolean. + * + * UI_{add,dup}__string have the following meanings: + * add add a text or prompt string. The pointers given to these + * functions are used verbatim, no copying is done. + * dup make a copy of the text or prompt string, then add the copy + * to the collection of strings in the user interface. + * + * The function is a name for the functionality that the given + * string shall be used for. It can be one of: + * input use the string as data prompt. + * verify use the string as verification prompt. This + * is used to verify a previous input. + * info use the string for informational output. + * error use the string for error output. + * Honestly, there's currently no difference between info and error for the + * moment. + * + * UI_{add,dup}_input_boolean have the same semantics for "add" and "dup", + * and are typically used when one wants to prompt for a yes/no response. + * + * All of the functions in this group take a UI and a prompt string. + * The string input and verify addition functions also take a flag argument, + * a buffer for the result to end up in, a minimum input size and a maximum + * input size (the result buffer MUST be large enough to be able to contain + * the maximum number of characters). Additionally, the verify addition + * functions takes another buffer to compare the result against. + * The boolean input functions take an action description string (which should + * be safe to ignore if the expected user action is obvious, for example with + * a dialog box with an OK button and a Cancel button), a string of acceptable + * characters to mean OK and to mean Cancel. The two last strings are checked + * to make sure they don't have common characters. Additionally, the same + * flag argument as for the string input is taken, as well as a result buffer. + * The result buffer is required to be at least one byte long. Depending on + * the answer, the first character from the OK or the Cancel character strings + * will be stored in the first byte of the result buffer. No NUL will be + * added, so the result is *not* a string. + * + * On success, the functions all return an index of the added information. + * That index is useful when retrieving results with UI_get0_result(). + */ int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize); int UI_dup_input_string(UI *ui, const char *prompt, int flags, @@ -151,55 +154,60 @@ int UI_dup_error_string(UI *ui, const char *text); /* These are the possible flags. They can be or'ed together. */ /* Use to have echoing of input */ #define UI_INPUT_FLAG_ECHO 0x01 -/* Use a default password. Where that password is found is completely - up to the application, it might for example be in the user data set - with UI_add_user_data(). It is not recommended to have more than - one input in each UI being marked with this flag, or the application - might get confused. */ +/* + * Use a default password. Where that password is found is completely + * up to the application, it might for example be in the user data set + * with UI_add_user_data(). It is not recommended to have more than + * one input in each UI being marked with this flag, or the application + * might get confused. + */ #define UI_INPUT_FLAG_DEFAULT_PWD 0x02 -/* The user of these routines may want to define flags of their own. The core - UI won't look at those, but will pass them on to the method routines. They - must use higher bits so they don't get confused with the UI bits above. - UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use. A good - example of use is this: - - #define MY_UI_FLAG1 (0x01 << UI_INPUT_FLAG_USER_BASE) - -*/ +/* + * Users of these routines may want to define flags of their own. The core + * UI won't look at those, but will pass them on to the method routines. They + * must use higher bits so they don't get confused with the UI bits above. + * UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use. A good + * example of use is this: + * + * #define MY_UI_FLAG1 (0x01 << UI_INPUT_FLAG_USER_BASE) + */ #define UI_INPUT_FLAG_USER_BASE 16 -/* The following function helps construct a prompt. object_desc is a - textual short description of the object, for example "pass phrase", - and object_name is the name of the object (might be a card name or - a file name. - The returned string shall always be allocated on the heap with - malloc(), and need to be free'd with free(). - - If the ui_method doesn't contain a pointer to a user-defined prompt - constructor, a default string is built, looking like this: - - "Enter {object_desc} for {object_name}:" - - So, if object_desc has the value "pass phrase" and object_name has - the value "foo.key", the resulting string is: - - "Enter pass phrase for foo.key:" -*/ +/* + * The following function helps construct a prompt. object_desc is a + * textual short description of the object, for example "pass phrase", + * and object_name is the name of the object (might be a card name or + * a file name. + * The returned string shall always be allocated on the heap with + * malloc(), and need to be free'd with free(). + * + * If the ui_method doesn't contain a pointer to a user-defined prompt + * constructor, a default string is built, looking like this: + * + * "Enter {object_desc} for {object_name}:" + * + * So, if object_desc has the value "pass phrase" and object_name has + * the value "foo.key", the resulting string is: + * + * "Enter pass phrase for foo.key:" + */ char *UI_construct_prompt(UI *ui_method, const char *object_desc, const char *object_name); -/* The following function is used to store a pointer to user-specific data. - Any previous such pointer will be returned and replaced. - - For callback purposes, this function makes a lot more sense than using - ex_data, since the latter requires that different parts of OpenSSL or - applications share the same ex_data index. - - Note that the UI_OpenSSL() method completely ignores the user data. - Other methods may not, however. */ +/* + * The following function is used to store a pointer to user-specific data. + * Any previous such pointer will be returned and replaced. + * + * For callback purposes, this function makes a lot more sense than using + * ex_data, since the latter requires that different parts of OpenSSL or + * applications share the same ex_data index. + * + * Note that the UI_OpenSSL() method completely ignores the user data. + * Other methods may not, however. + */ void *UI_add_user_data(UI *ui, void *user_data); /* We need a user data retrieving function as well. */ void *UI_get0_user_data(UI *ui); @@ -210,19 +218,25 @@ const char *UI_get0_result(UI *ui, int i); /* When all strings have been added, process the whole thing. */ int UI_process(UI *ui); -/* Give a user interface parametrised control commands. This can be used to - send down an integer, a data pointer or a function pointer, as well as - be used to get information from a UI. */ +/* + * Give a user interface parametrised control commands. This can be used to + * send down an integer, a data pointer or a function pointer, as well as + * be used to get information from a UI. + */ int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)(void)); /* The commands */ -/* Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the - OpenSSL error stack before printing any info or added error messages and - before any prompting. */ +/* + * Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the + * OpenSSL error stack before printing any info or added error messages and + * before any prompting. + */ #define UI_CTRL_PRINT_ERRORS 1 -/* Check if a UI_process() is possible to do again with the same instance of - a user interface. This makes UI_ctrl() return 1 if it is redoable, and 0 - if not. */ +/* + * Check if a UI_process() is possible to do again with the same instance of + * a user interface. This makes UI_ctrl() return 1 if it is redoable, and 0 + * if not. + */ #define UI_CTRL_IS_REDOABLE 2 @@ -244,56 +258,60 @@ const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth); UI_METHOD *UI_OpenSSL(void); -/* ---------- For method writers ---------- */ -/* A method contains a number of functions that implement the low level - of the User Interface. The functions are: - - an opener This function starts a session, maybe by opening - a channel to a tty, or by opening a window. - a writer This function is called to write a given string, - maybe to the tty, maybe as a field label in a - window. - a flusher This function is called to flush everything that - has been output so far. It can be used to actually - display a dialog box after it has been built. - a reader This function is called to read a given prompt, - maybe from the tty, maybe from a field in a - window. Note that it's called wth all string - structures, not only the prompt ones, so it must - check such things itself. - a closer This function closes the session, maybe by closing - the channel to the tty, or closing the window. - - All these functions are expected to return: - - 0 on error. - 1 on success. - -1 on out-of-band events, for example if some prompting has - been canceled (by pressing Ctrl-C, for example). This is - only checked when returned by the flusher or the reader. - - The way this is used, the opener is first called, then the writer for all - strings, then the flusher, then the reader for all strings and finally the - closer. Note that if you want to prompt from a terminal or other command - line interface, the best is to have the reader also write the prompts - instead of having the writer do it. If you want to prompt from a dialog - box, the writer can be used to build up the contents of the box, and the - flusher to actually display the box and run the event loop until all data - has been given, after which the reader only grabs the given data and puts - them back into the UI strings. - - All method functions take a UI as argument. Additionally, the writer and - the reader take a UI_STRING. -*/ - -/* The UI_STRING type is the data structure that contains all the needed info - about a string or a prompt, including test data for a verification prompt. -*/ +/* + * ---------- For method writers ---------- + * A method contains a number of functions that implement the low level + * of the User Interface. The functions are: + * + * an opener This function starts a session, maybe by opening + * a channel to a tty, or by opening a window. + * a writer This function is called to write a given string, + * maybe to the tty, maybe as a field label in a + * window. + * a flusher This function is called to flush everything that + * has been output so far. It can be used to actually + * display a dialog box after it has been built. + * a reader This function is called to read a given prompt, + * maybe from the tty, maybe from a field in a + * window. Note that it's called wth all string + * structures, not only the prompt ones, so it must + * check such things itself. + * a closer This function closes the session, maybe by closing + * the channel to the tty, or closing the window. + * + * All these functions are expected to return: + * + * 0 on error. + * 1 on success. + * -1 on out-of-band events, for example if some prompting has + * been canceled (by pressing Ctrl-C, for example). This is + * only checked when returned by the flusher or the reader. + * + * The way this is used, the opener is first called, then the writer for all + * strings, then the flusher, then the reader for all strings and finally the + * closer. Note that if you want to prompt from a terminal or other command + * line interface, the best is to have the reader also write the prompts + * instead of having the writer do it. If you want to prompt from a dialog + * box, the writer can be used to build up the contents of the box, and the + * flusher to actually display the box and run the event loop until all data + * has been given, after which the reader only grabs the given data and puts + * them back into the UI strings. + * + * All method functions take a UI as argument. Additionally, the writer and + * the reader take a UI_STRING. + */ + +/* + * The UI_STRING type is the data structure that contains all the needed info + * about a string or a prompt, including test data for a verification prompt. + */ typedef struct ui_string_st UI_STRING; DECLARE_STACK_OF(UI_STRING) -/* The different types of strings that are currently supported. - This is only needed by method authors. */ +/* + * The different types of strings that are currently supported. + * This is only needed by method authors. + */ enum UI_string_types { UIT_NONE = 0, UIT_PROMPT, /* Prompt for a string */ @@ -307,28 +325,34 @@ enum UI_string_types { UI_METHOD *UI_create_method(const char *name); void UI_destroy_method(UI_METHOD *ui_method); int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)); -int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis)); +int UI_method_set_writer(UI_METHOD *method, + int (*writer)(UI *ui, UI_STRING *uis)); int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)); -int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis)); +int UI_method_set_reader(UI_METHOD *method, + int (*reader)(UI *ui, UI_STRING *uis)); int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)); -int UI_method_set_prompt_constructor(UI_METHOD *method, char *(*prompt_constructor)(UI* ui, const char* object_desc, const char* object_name)); -int (*UI_method_get_opener(const UI_METHOD *method))(UI*); -int (*UI_method_get_writer(const UI_METHOD *method))(UI*, UI_STRING*); -int (*UI_method_get_flusher(const UI_METHOD *method))(UI*); -int (*UI_method_get_reader(const UI_METHOD *method))(UI*, UI_STRING*); -int (*UI_method_get_closer(const UI_METHOD *method))(UI*); -char * (*UI_method_get_prompt_constructor(const UI_METHOD *method))(UI*, const char*, const char*); - -/* The following functions are helpers for method writers to access relevant - data from a UI_STRING. */ - +int UI_method_set_prompt_constructor(UI_METHOD *method, + char *(*prompt_constructor)(UI *ui, const char *object_desc, + const char *object_name)); +int (*UI_method_get_opener(const UI_METHOD *method))(UI *); +int (*UI_method_get_writer(const UI_METHOD *method))(UI *, UI_STRING *); +int (*UI_method_get_flusher(const UI_METHOD *method))(UI *); +int (*UI_method_get_reader(const UI_METHOD *method))(UI *, UI_STRING *); +int (*UI_method_get_closer(const UI_METHOD *method))(UI *); +char *(*UI_method_get_prompt_constructor(const UI_METHOD *method))(UI *, + const char *, const char *); + +/* + * The following functions are helpers for method writers to access relevant + * data from a UI_STRING. + */ /* Return type of the UI_STRING */ enum UI_string_types UI_get_string_type(UI_STRING *uis); /* Return input flags of the UI_STRING */ int UI_get_input_flags(UI_STRING *uis); /* Return the actual string to output (the prompt, info or error) */ const char *UI_get0_output_string(UI_STRING *uis); -/* Return the optional action string to output (the boolean promtp instruction) */ +/* Return the optional action string to output (boolean prompt instruction) */ const char *UI_get0_action_string(UI_STRING *uis); /* Return the result of a prompt */ const char *UI_get0_result_string(UI_STRING *uis); @@ -341,14 +365,15 @@ int UI_get_result_maxsize(UI_STRING *uis); /* Set the result of a UI_STRING. */ int UI_set_result(UI *ui, UI_STRING *uis, const char *result); - /* A couple of popular utility functions */ -int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify); -int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify); - +int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, + int verify); +int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, + int verify); /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes +/* + * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_UI_strings(void); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index e30cbc0f..27a0cf09 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.74 2018/08/24 20:26:03 tb Exp $ */ +/* $OpenBSD: x509.h,v 1.75 2021/03/31 16:51:06 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -692,6 +692,7 @@ int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa); #ifndef OPENSSL_NO_DSA DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); +DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); #endif #ifndef OPENSSL_NO_EC diff --git a/include/openssl/x509_verify.h b/include/openssl/x509_verify.h new file mode 100644 index 00000000..a097404f --- /dev/null +++ b/include/openssl/x509_verify.h @@ -0,0 +1,42 @@ +/* $OpenBSD: x509_verify.h,v 1.1 2020/09/13 15:06:17 beck Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#ifndef HEADER_X509_VERIFY_H +#define HEADER_X509_VERIFY_H + +#ifdef LIBRESSL_INTERNAL +struct x509_verify_ctx; +typedef struct x509_verify_ctx X509_VERIFY_CTX; + +X509_VERIFY_CTX *x509_verify_ctx_new(STACK_OF(X509) *roots); +void x509_verify_ctx_free(struct x509_verify_ctx *ctx); + +int x509_verify_ctx_set_max_depth(X509_VERIFY_CTX *ctx, size_t max); +int x509_verify_ctx_set_max_chains(X509_VERIFY_CTX *ctx, size_t max); +int x509_verify_ctx_set_max_signatures(X509_VERIFY_CTX *ctx, size_t max); +int x509_verify_ctx_set_purpose(X509_VERIFY_CTX *ctx, int purpose_id); +int x509_verify_ctx_set_intermediates(X509_VERIFY_CTX *ctx, + STACK_OF(X509) *intermediates); + +const char *x509_verify_ctx_error_string(X509_VERIFY_CTX *ctx); +size_t x509_verify_ctx_error_depth(X509_VERIFY_CTX *ctx); + +STACK_OF(X509) *x509_verify_ctx_chain(X509_VERIFY_CTX *ctx, size_t chain); + +size_t x509_verify(X509_VERIFY_CTX *ctx, X509 *leaf, char *name); +#endif + +#endif diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index c5eae9d3..57189b9d 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.30 2018/08/24 19:21:09 tb Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.32 2021/02/24 18:01:31 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -247,7 +247,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ /* The following is built up */ int valid; /* if 0, rebuild chain */ - int last_untrusted; /* index of last untrusted cert */ + int last_untrusted; /* XXX: number of untrusted certs in chain!!! */ STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ X509_POLICY_TREE *tree; /* Valid policy tree */ @@ -407,6 +407,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* Do not check certificate or CRL validity against current time. */ #define X509_V_FLAG_NO_CHECK_TIME 0x200000 +/* Force the use of the legacy certificate verifcation */ +#define X509_V_FLAG_LEGACY_VERIFY 0x400000 + #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 #define X509_VP_FLAG_RESET_FLAGS 0x4 diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index 5d6c5887..d2754fa6 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509v3.h,v 1.30 2018/05/19 10:50:08 tb Exp $ */ +/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -815,6 +815,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); #define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 /* Constraint verifier subdomain patterns to match a single labels. */ #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 +/* Disable checking the CN for a hostname, to support modern validation */ +#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 /* * Match reference identifiers starting with "." to any sub-domain. diff --git a/include/tls.h b/include/tls.h index e4829699..de6d257c 100644 --- a/include/tls.h +++ b/include/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.55 2018/11/29 14:24:23 tedu Exp $ */ +/* $OpenBSD: tls.h,v 1.58 2020/01/22 06:44:02 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -34,16 +34,19 @@ typedef SSIZE_T ssize_t; #include #include -#define TLS_API 20180210 +#define TLS_API 20200120 #define TLS_PROTOCOL_TLSv1_0 (1 << 1) #define TLS_PROTOCOL_TLSv1_1 (1 << 2) #define TLS_PROTOCOL_TLSv1_2 (1 << 3) +#define TLS_PROTOCOL_TLSv1_3 (1 << 4) + #define TLS_PROTOCOL_TLSv1 \ - (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|TLS_PROTOCOL_TLSv1_2) + (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|\ + TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3) #define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1 -#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1_2 +#define TLS_PROTOCOLS_DEFAULT (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3) #define TLS_WANT_POLLIN -2 #define TLS_WANT_POLLOUT -3 @@ -197,6 +200,7 @@ const uint8_t *tls_peer_cert_chain_pem(struct tls *_ctx, size_t *_len); const char *tls_conn_alpn_selected(struct tls *_ctx); const char *tls_conn_cipher(struct tls *_ctx); +int tls_conn_cipher_strength(struct tls *_ctx); const char *tls_conn_servername(struct tls *_ctx); int tls_conn_session_resumed(struct tls *_ctx); const char *tls_conn_version(struct tls *_ctx); diff --git a/install-sh b/install-sh index 8175c640..ec298b53 100644 --- a/install-sh +++ b/install-sh @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ posix_mkdir= # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= @@ -99,18 +104,28 @@ Options: --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to bug-automake@gnu.org. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ while test $# -ne 0; do -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 @@ -255,6 +275,10 @@ do dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command @@ -301,22 +325,6 @@ do if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *[2367][2367]) mkdir_umask=$umask;; - .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; - - *[0-7]) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then @@ -326,52 +334,49 @@ do fi posix_mkdir=false - case $umask in - *[123567][0-7][0-7]) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ do then : else - # The umask is ridiculous, or mkdir does not conform to POSIX, + # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. @@ -411,7 +416,7 @@ do prefixes= else if $posix_mkdir; then - (umask=$mkdir_umask && + (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 @@ -451,7 +456,18 @@ do trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. - (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + (umask $cp_umask && + { test -z "$stripcmd" || { + # Create $dsttmp read-write so that cp doesn't create it read-only, + # which would cause strip to fail. + if test -z "$doit"; then + : >"$dsttmp" # No need to fork-exec 'touch'. + else + $doit touch "$dsttmp" + fi + } + } && + $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # @@ -477,6 +493,13 @@ do then rm -f "$dsttmp" else + # If $backupsuffix is set, and the file being installed + # already exists, attempt a backup. Don't worry if it fails, + # e.g., if mv doesn't support -f. + if test -n "$backupsuffix" && test -f "$dst"; then + $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null + fi + # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || @@ -491,9 +514,9 @@ do # file should still install successfully. { test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || + $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 diff --git a/libtls.pc.in b/libtls.pc.in index 82a6a715..0d4e625f 100644 --- a/libtls.pc.in +++ b/libtls.pc.in @@ -9,8 +9,7 @@ Name: LibreSSL-libtls Description: Secure communications using the TLS socket protocol. Version: @VERSION@ Requires: -Requires.private: libcrypto libssl Conflicts: Libs: -L${libdir} -ltls -Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@ +Libs.private: @LIBS@ @PLATFORM_LDADD@ Cflags: -I${includedir} diff --git a/m4/ax_add_fortify_source.m4 b/m4/ax_add_fortify_source.m4 new file mode 100644 index 00000000..7e153127 --- /dev/null +++ b/m4/ax_add_fortify_source.m4 @@ -0,0 +1,80 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_add_fortify_source.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_ADD_FORTIFY_SOURCE +# +# DESCRIPTION +# +# Check whether -D_FORTIFY_SOURCE=2 can be added to CPPFLAGS without macro +# redefinition warnings, other cpp warnings or linker. Some distributions +# (such as Gentoo Linux) enable _FORTIFY_SOURCE globally in their +# compilers, leading to unnecessary warnings in the form of +# +# :0:0: error: "_FORTIFY_SOURCE" redefined [-Werror] +# : note: this is the location of the previous definition +# +# which is a problem if -Werror is enabled. This macro checks whether +# _FORTIFY_SOURCE is already defined, and if not, adds -D_FORTIFY_SOURCE=2 +# to CPPFLAGS. +# +# Newer mingw-w64 msys2 package comes with a bug in +# headers-git-7.0.0.5546.d200317d-1. It broke -D_FORTIFY_SOURCE support, +# and would need -lssp or -fstack-protector. See +# https://github.com/msys2/MINGW-packages/issues/5803. Try to actually +# link it. +# +# LICENSE +# +# Copyright (c) 2017 David Seifert +# Copyright (c) 2019 Reini Urban +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 4 + +AC_DEFUN([AX_ADD_FORTIFY_SOURCE],[ + ac_save_cflags=$CFLAGS + ac_cwerror_flag=yes + AX_CHECK_COMPILE_FLAG([-Werror],[CFLAGS="$CFLAGS -Werror"]) + AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=2 to CPPFLAGS]) + AC_LINK_IFELSE([ + AC_LANG_PROGRAM([], + [[ + #ifndef _FORTIFY_SOURCE + return 0; + #else + this_is_an_error; + #endif + ]] + )], + AC_LINK_IFELSE([ + AC_LANG_SOURCE([[ + #define _FORTIFY_SOURCE 2 + #include + int main() { + char *s = " "; + strcpy(s, "x"); + return strlen(s)-1; + } + ]] + )], + [ + AC_MSG_RESULT([yes]) + CFLAGS=$ac_save_cflags + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + ], [ + AC_MSG_RESULT([no]) + CFLAGS=$ac_save_cflags + ], + ), + [ + AC_MSG_RESULT([no]) + CFLAGS=$ac_save_cflags + ]) +]) diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4 new file mode 100644 index 00000000..bd753b34 --- /dev/null +++ b/m4/ax_check_compile_flag.m4 @@ -0,0 +1,53 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# INPUT gives an alternative input source to AC_COMPILE_IFELSE. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 6 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_VAR_IF(CACHEVAR,yes, + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS diff --git a/m4/check-hardening-options.m4 b/m4/check-hardening-options.m4 index 3ffdb1a9..869f00b5 100644 --- a/m4/check-hardening-options.m4 +++ b/m4/check-hardening-options.m4 @@ -73,7 +73,7 @@ AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [ CHECK_CFLAG([[-fno-strict-overflow]]) # _FORTIFY_SOURCE replaces builtin functions with safer versions. - CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]]) + AX_ADD_FORTIFY_SOURCE # Enable read only relocations CHECK_LDFLAG([[-Wl,-z,relro]]) diff --git a/m4/check-os-options.m4 b/m4/check-os-options.m4 index 6483c893..644bf714 100644 --- a/m4/check-os-options.m4 +++ b/m4/check-os-options.m4 @@ -80,6 +80,10 @@ char buf[1]; getentropy(buf, 1); HOST_ABI=elf CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE" ;; + *midipix*) + HOST_OS=midipix + CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE" + ;; *netbsd*) HOST_OS=netbsd HOST_ABI=elf @@ -108,7 +112,7 @@ char buf[1]; getentropy(buf, 1); CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS" CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600" CPPFLAGS="$CPPFLAGS" - AC_SUBST([PLATFORM_LDADD], ['-lws2_32']) + AC_SUBST([PLATFORM_LDADD], ['-lws2_32 -lbcrypt']) ;; *solaris*) HOST_OS=solaris @@ -119,10 +123,20 @@ char buf[1]; getentropy(buf, 1); *) ;; esac -AC_ARG_ENABLE([nc], - AS_HELP_STRING([--enable-nc], [Enable installing TLS-enabled nc(1)])) -AM_CONDITIONAL([ENABLE_NC], [test "x$enable_nc" = xyes]) -AM_CONDITIONAL([BUILD_NC], [test x$BUILD_NC = xyes -o "x$enable_nc" = xyes]) +# Check if time_t is sized correctly +AC_CHECK_SIZEOF([time_t], [time.h]) +AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"]) +if test "$ac_cv_sizeof_time_t" = "4"; then + AC_DEFINE([SMALL_TIME_T]) + echo " ** Warning, this system is unable to represent times past 2038" + echo " ** It will behave incorrectly when handling valid RFC5280 dates" + + if test "$host_os" = "mingw32" ; then + echo " **" + echo " ** You can solve this by adjusting the build flags in your" + echo " ** mingw-w64 toolchain. Refer to README.windows for details." + fi +fi AM_CONDITIONAL([HOST_AIX], [test x$HOST_OS = xaix]) AM_CONDITIONAL([HOST_CYGWIN], [test x$HOST_OS = xcygwin]) @@ -130,6 +144,7 @@ AM_CONDITIONAL([HOST_DARWIN], [test x$HOST_OS = xdarwin]) AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd]) AM_CONDITIONAL([HOST_HPUX], [test x$HOST_OS = xhpux]) AM_CONDITIONAL([HOST_LINUX], [test x$HOST_OS = xlinux]) +AM_CONDITIONAL([HOST_MIDIPIX], [test x$HOST_OS = xmidipix]) AM_CONDITIONAL([HOST_NETBSD], [test x$HOST_OS = xnetbsd]) AM_CONDITIONAL([HOST_OPENBSD], [test x$HOST_OS = xopenbsd]) AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris]) diff --git a/man/ASN1_item_d2i.3 b/man/ASN1_item_d2i.3 index 705deedd..429bbd8c 100644 --- a/man/ASN1_item_d2i.3 +++ b/man/ASN1_item_d2i.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASN1_item_d2i.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: ASN1_item_d2i.3,v 1.9 2021/03/12 05:18:00 jsg Exp $ .\" OpenSSL doc/man3/d2i_X509.pod b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 12 2021 $ .Dt ASN1_ITEM_D2I 3 .Os .Sh NAME @@ -154,7 +154,7 @@ is a serialized encoding, suitable for transfer over the network and for storage in a file. .Pp .Fn ASN1_item_d2i -interpretes +interprets .Pf * Fa der_in as a DER- or BER-encoded byte array and decodes one value of type .Fa it @@ -225,7 +225,7 @@ and increments it to point after the data just written. In this case, it is the responsibility of the user to make sure that the buffer pointed to by .Pf * Fa der_out -is long enough, such that no buffer owerflow can occur. +is long enough, such that no buffer overflow can occur. .Pp If .Pf * Fa der_out diff --git a/man/ASN1_time_parse.3 b/man/ASN1_time_parse.3 index b97c75fa..6ec45e5d 100644 --- a/man/ASN1_time_parse.3 +++ b/man/ASN1_time_parse.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASN1_time_parse.3,v 1.8 2019/06/06 01:06:58 schwarze Exp $ +.\" $OpenBSD: ASN1_time_parse.3,v 1.9 2020/11/02 17:45:35 tb Exp $ .\" .\" Copyright (c) 2016 Bob Beck .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: November 2 2020 $ .Dt ASN1_TIME_PARSE 3 .Os .Sh NAME @@ -84,7 +84,7 @@ a new .Vt ASN1_TIME structure is allocated and returned. .Sh RETURN VALUES -.Fn ASN1_parse_time +.Fn ASN1_time_parse returns .Bl -bullet -offset four .It diff --git a/man/BIO_ctrl.3 b/man/BIO_ctrl.3 index 98c78be1..24265c03 100644 --- a/man/BIO_ctrl.3 +++ b/man/BIO_ctrl.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_ctrl.3,v 1.14 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: BIO_ctrl.3,v 1.15 2020/12/03 22:47:21 jmc Exp $ .\" OpenSSL b055fceb Thu Oct 20 09:56:18 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: December 3 2020 $ .Dt BIO_CTRL 3 .Os .Sh NAME @@ -304,7 +304,7 @@ For example no current filter BIOs implement but this may still succeed if the chain ends in a FILE or file descriptor BIO. .Pp -Source/sink BIOs return an 0 if they do not recognize the +Source/sink BIOs return a 0 if they do not recognize the .Fn BIO_ctrl operation. .Sh SEE ALSO diff --git a/man/BIO_new.3 b/man/BIO_new.3 index 8cc586e9..a2bc40d3 100644 --- a/man/BIO_new.3 +++ b/man/BIO_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_new.3,v 1.18 2019/06/10 09:49:48 schwarze Exp $ +.\" $OpenBSD: BIO_new.3,v 1.20 2021/03/12 07:05:35 jmc Exp $ .\" full merge up to: .\" OpenSSL man3/BIO_new.pod fb46be03 Feb 26 11:51:31 2016 +0000 .\" OpenSSL man7/bio.pod 631c37be Dec 12 16:56:50 2017 +0100 @@ -52,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt BIO_NEW 3 .Os .Sh NAME @@ -156,7 +156,7 @@ and .Fn BIO_vfree decrement the reference count of .Fa a -by 1, and if the refenece count reaches 0, they destruct the single +by 1, and if the reference count reaches 0, they destruct the single .Vt BIO .Fa a , which may also have some effect on the @@ -238,6 +238,7 @@ Create a memory BIO: .Xr BIO_find_type 3 , .Xr BIO_get_ex_new_index 3 , .Xr BIO_meth_new 3 , +.Xr BIO_new_CMS 3 , .Xr BIO_printf 3 , .Xr BIO_push 3 , .Xr BIO_read 3 , diff --git a/man/BIO_new_CMS.3 b/man/BIO_new_CMS.3 index 1298f9bb..a7c2c1b2 100644 --- a/man/BIO_new_CMS.3 +++ b/man/BIO_new_CMS.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_new_CMS.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: BIO_new_CMS.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt BIO_NEW_CMS 3 .Os .Sh NAME @@ -135,7 +135,7 @@ The error can be obtained from .Fn BIO_new_CMS first appeared in OpenSSL 1.0.0 and has been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS There is currently no corresponding inverse BIO which can decode a CMS structure on the fly. diff --git a/man/BN_generate_prime.3 b/man/BN_generate_prime.3 index 7db27fd6..764ea6f8 100644 --- a/man/BN_generate_prime.3 +++ b/man/BN_generate_prime.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_generate_prime.3,v 1.18 2019/08/25 19:24:00 schwarze Exp $ +.\" $OpenBSD: BN_generate_prime.3,v 1.19 2020/06/24 18:15:00 jmc Exp $ .\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200 .\" .\" This file was written by Ulf Moeller @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 25 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt BN_GENERATE_PRIME 3 .Os .Sh NAME @@ -262,7 +262,7 @@ When the source of the prime is not random or not trusted, the number of checks needs to be much higher to reach the same level of assurance: It should equal half of the targeted security level in bits (rounded up to the next integer if necessary). -For instance, to reach the 128 bit security level, +For instance, to reach the 128-bit security level, .Fa nchecks should be set to 64. .Pp diff --git a/man/BN_set_flags.3 b/man/BN_set_flags.3 index 9b1647cd..8b2c4044 100644 --- a/man/BN_set_flags.3 +++ b/man/BN_set_flags.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_set_flags.3,v 1.3 2018/04/29 15:58:21 schwarze Exp $ +.\" $OpenBSD: BN_set_flags.3,v 1.4 2021/03/12 05:18:00 jsg Exp $ .\" .\" Copyright (c) 2017 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: April 29 2018 $ +.Dd $Mdocdate: March 12 2021 $ .Dt BN_SET_FLAGS 3 .Os .Sh NAME @@ -103,7 +103,7 @@ and by the functions documented in .El .Pp .Fn BN_get_flags -interpretes +interprets .Fa flags as a bitmask and returns those of the given flags that are set in .Fa b , diff --git a/man/CMAC_Init.3 b/man/CMAC_Init.3 new file mode 100644 index 00000000..a938c0db --- /dev/null +++ b/man/CMAC_Init.3 @@ -0,0 +1,293 @@ +.\" $OpenBSD: CMAC_Init.3,v 1.4 2020/08/06 22:17:49 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: August 6 2020 $ +.Dt CMAC_INIT 3 +.Os +.Sh NAME +.Nm CMAC_CTX_new , +.Nm CMAC_Init , +.Nm CMAC_Update , +.Nm CMAC_Final , +.Nm CMAC_resume , +.Nm CMAC_CTX_copy , +.Nm CMAC_CTX_get0_cipher_ctx , +.Nm CMAC_CTX_cleanup , +.Nm CMAC_CTX_free +.Nd Cipher-based message authentication code +.Sh SYNOPSIS +.In openssl/cmac.h +.Ft CMAC_CTX * +.Fn CMAC_CTX_new void +.Ft int +.Fo CMAC_Init +.Fa "CMAC_CTX *ctx" +.Fa "const void *key" +.Fa "size_t key_len" +.Fa "const EVP_CIPHER *cipher" +.Fa "ENGINE *impl" +.Fc +.Ft int +.Fo CMAC_Update +.Fa "CMAC_CTX *ctx" +.Fa "const void *in_data" +.Fa "size_t in_len" +.Fc +.Ft int +.Fo CMAC_Final +.Fa "CMAC_CTX *ctx" +.Fa "unsigned char *out_mac" +.Fa "size_t *out_len" +.Fc +.Ft int +.Fn CMAC_resume "CMAC_CTX *ctx" +.Ft int +.Fo CMAC_CTX_copy +.Fa "CMAC_CTX *out_ctx" +.Fa "CMAC_CTX *in_ctx" +.Fc +.Ft EVP_CIPHER_CTX * +.Fn CMAC_CTX_get0_cipher_ctx "CMAC_CTX *ctx" +.Ft void +.Fn CMAC_CTX_cleanup "CMAC_CTX *ctx" +.Ft void +.Fn CMAC_CTX_free "CMAC_CTX *ctx" +.Sh DESCRIPTION +CMAC is a message authentication code algorithm that can employ an +arbitrary block cipher using a symmetric key. +.Pp +The present manual page describes low-level functions implementing CMAC. +Instead of using these functions directly, +application programs normally call +.Xr EVP_PKEY_CTX_new_id 3 +with an argument of +.Dv EVP_PKEY_CMAC +and then pass the resulting +.Vt EVP_MD_CTX +object to +.Xr EVP_DigestInit_ex 3 . +.Pp +The CMAC API is object-oriented. +Calculating a message authentication code requires a +.Vt CMAC_CTX +object. +Usually, the functions +.Fn CMAC_CTX_new , +.Fn CMAC_Init , +.Fn CMAC_Update , +.Fn CMAC_Final , +and +.Fn CMAC_CTX_free +need to be called in this order. +.Pp +.Fn CMAC_CTX_new +allocates a new +.Vt CMAC_CTX +object, initializes the embedded +.Vt EVP_CIPHER_CTX +object, and marks the object itself as uninitialized. +.Pp +.Fn CMAC_Init +selects the given block +.Fa cipher +for use by +.Fa ctx . +Functions to obtain suitable +.Vt EVP_CIPHER +objects are listed in the CIPHER LISTING section of the +.Xr EVP_Cipher 3 +manual page. +Unless +.Fa key +is +.Dv NULL , +.Fn CMAC_Init +also initializes +.Fa ctx +for use with the given symmetric +.Fa key +that is +.Fa key_len +bytes long. +In particular, it calculates and internally stores the two subkeys +and initializes +.Fa ctx +for subsequently feeding in data with +.Fn CMAC_Update . +To use the default cipher implementations provided by the library, pass +.Dv NULL +as the +.Fa impl +argument. +.Pp +If +.Fa ctx +is already initialized, +.Fn CMAC_Init +can be called again with +.Fa key , +.Fa cipher , +and +.Fa impl +all set to +.Dv NULL +and +.Fa key_len +set to 0. +In that case, any data already processed is discarded and +.Fa ctx +is re-initialized to start reading data anew. +.Pp +.Fn CMAC_Update +processes +.Fa in_len +bytes of input data pointed to by +.Fa in_data . +Depending on the number of input bytes already cached in +.Fa ctx , +on +.Fa in_len , +and on the block size, this may encrypt zero or more blocks. +Unless +.Fa in_len +is zero, this function leaves at least one byte and at most one +block of input cached but unprocessed inside the +.Fa ctx +object. +.Fn CMAC_Update +can be called multiple times +to concatenate several chunks of input data of varying sizes. +.Pp +.Fn CMAC_Final +stores the length of the message authentication code in bytes, +which equals the cipher block size, into +.Pf * Fa out_len . +Unless +.Fa out_mac +is +.Dv NULL , +it encrypts the last block, padding it if required, and copies the +resulting message authentication code to +.Fa out_mac . +The caller is responsible for providing a buffer of sufficient size. +.Pp +Calling +.Fn CMAC_resume +after +.Fn CMAC_Final +allows the user to subsequently append additional data with +.Fn CMAC_Update . +Otherwise, unless +.Fn CMAC_Init +is called to start from scratch, +.Fn CMAC_Update +can no longer be used after +.Fn CMAC_Final . +.Pp +.Fn CMAC_CTX_copy +performs a deep copy of the already initialized +.Fa in_ctx +into +.Fa out_ctx . +.Pp +.Fn CMAC_CTX_cleanup +zeros out both subkeys and all temporary data in +.Fa ctx +and in the embedded +.Vt EVP_CIPHER_CTX +object, frees all allocated memory associated with it, +except for +.Fa ctx +itself, and marks it as uninitialized, +such that it can be reused for subsequent +.Fn CMAC_Init . +.Pp +.Fn CMAC_CTX_free +calls +.Fn CMAC_CTX_cleanup , +then frees +.Fa ctx +itself. +If +.Fa ctx +is +.Dv NULL , +no action occurs. +.Sh RETURN VALUES +.Fn CMAC_CTX_new +returns the new context object or +.Dv NULL +in case of failure. +It succeeds unless memory is exhausted. +.Pp +.Fn CMAC_Init , +.Fn CMAC_Update , +.Fn CMAC_Final , +.Fn CMAC_resume , +and +.Fn CMAC_CTX_copy +return 1 on success or 0 on failure. +.Fn CMAC_Init +fails if initializing the embedded +.Vt EVP_CIPHER_CTX +object fails. +The others fail if +.Fa in_ctx +is uninitialized. +.Fn CMAC_Update +and +.Fn CMAC_Final +also fail if encrypting a block fails, and +.Fn CMAC_CTX_copy +if copying the embedded +.Vt EVP_CIPHER_CTX +object fails, which can for example happen when memory is exhausted. +.Pp +.Fn CMAC_CTX_get0_cipher_ctx +returns an internal pointer to the +.Vt EVP_CIPHER_CTX +object that is embedded in +.Fa ctx . +.Sh ERRORS +The CMAC code itself does not use the +.In openssl/err.h +framework, so in general, the reasons for failure cannot be found out with +.Xr ERR_get_error 3 . +However, since the +.Xr EVP_Cipher 3 +functions are used internally, entries may still get pushed onto +the error stack in some cases of failure. +.Sh SEE ALSO +.Xr EVP_aes_128_cbc 3 , +.Xr EVP_Cipher 3 , +.Xr EVP_DigestInit 3 , +.Xr EVP_PKEY_CTX_new_id 3 , +.Xr HMAC 3 +.Sh STANDARDS +.Rs +.%A Morris Dworkin +.%T "Recommendation for Block Cipher Modes of Operation:\ + The CMAC Mode for Authentication" +.%I National Institute of Standards and Technology +.%R NIST Special Publication 800-38B +.%U https://doi.org/10.6028/NIST.SP.800-38B +.%C Gaithersburg, Maryland +.%D May 2005, updated October 6, 2016 +.Re +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.1 +and have been available since +.Ox 5.3 . diff --git a/man/CMS_ContentInfo_new.3 b/man/CMS_ContentInfo_new.3 index 38a29da1..ff641794 100644 --- a/man/CMS_ContentInfo_new.3 +++ b/man/CMS_ContentInfo_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.2 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.3 2019/11/02 15:39:46 schwarze Exp $ .\" Copyright (c) 2019 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_CONTENTINFO_NEW 3 .Os .Sh NAME @@ -131,4 +131,4 @@ first appeared in OpenSSL 0.9.8h and .Fn CMS_ContentInfo_print_ctx in OpenSSL 1.0.0. This functions have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_add0_cert.3 b/man/CMS_add0_cert.3 index 1cc93628..c5a7367d 100644 --- a/man/CMS_add0_cert.3 +++ b/man/CMS_add0_cert.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_add0_cert.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_add0_cert.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_ADD0_CERT 3 .Os .Sh NAME @@ -211,4 +211,4 @@ first appeared in OpenSSL 0.9.8h and .Fn CMS_add1_crl in OpenSSL 1.0.0. These functions have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_add1_recipient_cert.3 b/man/CMS_add1_recipient_cert.3 index 0bfb6ac8..46511939 100644 --- a/man/CMS_add1_recipient_cert.3 +++ b/man/CMS_add1_recipient_cert.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_ADD1_RECIPIENT_CERT 3 .Os .Sh NAME @@ -197,4 +197,4 @@ and .Fn CMS_add0_recipient_key first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_add1_signer.3 b/man/CMS_add1_signer.3 index e7152cfe..9ee97dfa 100644 --- a/man/CMS_add1_signer.3 +++ b/man/CMS_add1_signer.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_add1_signer.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_add1_signer.3,v 1.8 2020/06/24 18:15:00 jmc Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt CMS_ADD1_SIGNER 3 .Os .Sh NAME @@ -196,9 +196,9 @@ By default, issuer name and serial number are used instead. If present, the .Vt SMIMECapabilities attribute indicates support for the -following algorithms in preference order: 256 bit AES, Gost R3411-94, -Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit -RC2, DES and 40 bit RC2. +following algorithms in preference order: 256-bit AES, Gost R3411-94, +Gost 28147-89, 192-bit AES, 128-bit AES, triple DES, 128-bit RC2, 64-bit +RC2, DES and 40-bit RC2. If any of these algorithms is not available then it will not be included. .Pp @@ -243,4 +243,4 @@ and .Fn CMS_SignerInfo_sign first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_compress.3 b/man/CMS_compress.3 index f29a1342..242e4e96 100644 --- a/man/CMS_compress.3 +++ b/man/CMS_compress.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_compress.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_compress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_COMPRESS 3 .Os .Sh NAME @@ -163,7 +163,7 @@ RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS) .Fn CMS_compress first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . .Pp The .Dv CMS_STREAM diff --git a/man/CMS_decrypt.3 b/man/CMS_decrypt.3 index 495bdaaf..243ab2f3 100644 --- a/man/CMS_decrypt.3 +++ b/man/CMS_decrypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_decrypt.3,v 1.7 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_decrypt.3,v 1.8 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_DECRYPT 3 .Os .Sh NAME @@ -217,7 +217,7 @@ and .Fn CMS_decrypt_set1_key first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS The lack of single pass processing and the need to hold all data in memory as mentioned in diff --git a/man/CMS_encrypt.3 b/man/CMS_encrypt.3 index bb0d0445..03d8b4ed 100644 --- a/man/CMS_encrypt.3 +++ b/man/CMS_encrypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_encrypt.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_encrypt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_ENCRYPT 3 .Os .Sh NAME @@ -184,7 +184,7 @@ section 6.2.1: KeyTransRecipientInfo Type .Fn CMS_encrypt first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . .Pp The .Dv CMS_STREAM diff --git a/man/CMS_final.3 b/man/CMS_final.3 index ded92307..4ca89459 100644 --- a/man/CMS_final.3 +++ b/man/CMS_final.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_final.3,v 1.5 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_final.3,v 1.6 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_FINAL 3 .Os .Sh NAME @@ -98,4 +98,4 @@ returns 1 for success or 0 for failure. .Fn CMS_final first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_get0_RecipientInfos.3 b/man/CMS_get0_RecipientInfos.3 index 783e8e17..e431b2cb 100644 --- a/man/CMS_get0_RecipientInfos.3 +++ b/man/CMS_get0_RecipientInfos.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_GET0_RECIPIENTINFOS 3 .Os .Sh NAME @@ -325,4 +325,4 @@ except that .Fn CMS_RecipientInfo_encrypt first appeared in OpenSSL 1.0.2. They have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_get0_SignerInfos.3 b/man/CMS_get0_SignerInfos.3 index 50e80ae4..faf20c49 100644 --- a/man/CMS_get0_SignerInfos.3 +++ b/man/CMS_get0_SignerInfos.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_GET0_SIGNERINFOS 3 .Os .Sh NAME @@ -189,4 +189,4 @@ first appeared in OpenSSL 0.9.8h and .Fn CMS_SignerInfo_get0_signature in OpenSSL 1.0.2. These functions have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_get0_type.3 b/man/CMS_get0_type.3 index ddafddf7..45ed3167 100644 --- a/man/CMS_get0_type.3 +++ b/man/CMS_get0_type.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_get0_type.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_get0_type.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_GET0_TYPE 3 .Os .Sh NAME @@ -195,4 +195,4 @@ RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS) .Sh HISTORY These functions first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_get1_ReceiptRequest.3 b/man/CMS_get1_ReceiptRequest.3 index 1b737ea5..9feedd13 100644 --- a/man/CMS_get1_ReceiptRequest.3 +++ b/man/CMS_get1_ReceiptRequest.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_GET1_RECEIPTREQUEST 3 .Os .Sh NAME @@ -195,4 +195,4 @@ and .Fn CMS_ReceiptRequest_get0_values first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_sign.3 b/man/CMS_sign.3 index 33797b98..64461959 100644 --- a/man/CMS_sign.3 +++ b/man/CMS_sign.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_sign.3,v 1.7 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_sign.3,v 1.9 2020/06/24 18:15:00 jmc Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt CMS_SIGN 3 .Os .Sh NAME @@ -127,9 +127,9 @@ attribute. Omit just the .Vt SMIMECapabilities . If present, the SMIMECapabilities attribute indicates support for the -following algorithms in preference order: 256 bit AES, Gost R3411-94, -Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit -RC2, DES and 40 bit RC2. +following algorithms in preference order: 256-bit AES, Gost R3411-94, +Gost 28147-89, 192-bit AES, 128-bit AES, triple DES, 128-bit RC2, 64-bit +RC2, DES and 40-bit RC2. If any of these algorithms is not available, then it will not be included. .It Dv CMS_USE_KEYID @@ -238,6 +238,6 @@ section 2.5.2: SMIMECapabilities Attribute .Fn CMS_sign first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS Some attributes such as counter signatures are not supported. diff --git a/man/CMS_sign_receipt.3 b/man/CMS_sign_receipt.3 index 6419ae4b..63949578 100644 --- a/man/CMS_sign_receipt.3 +++ b/man/CMS_sign_receipt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_sign_receipt.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_sign_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_SIGN_RECEIPT 3 .Os .Sh NAME @@ -116,4 +116,4 @@ RFC 2634: Enhanced Security Services for S/MIME, section 2.8: Receipt Syntax .Fn CMS_sign_receipt first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/CMS_uncompress.3 b/man/CMS_uncompress.3 index d93c49c2..ed217252 100644 --- a/man/CMS_uncompress.3 +++ b/man/CMS_uncompress.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_uncompress.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_uncompress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_UNCOMPRESS 3 .Os .Sh NAME @@ -106,7 +106,7 @@ RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS) .Fn CMS_uncompress first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS The lack of single pass processing and the need to hold all data in memory as mentioned in diff --git a/man/CMS_verify.3 b/man/CMS_verify.3 index a7b95bca..6bee927f 100644 --- a/man/CMS_verify.3 +++ b/man/CMS_verify.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_verify.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_verify.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_VERIFY 3 .Os .Sh NAME @@ -212,7 +212,7 @@ section 5.1: SignedData Type .Sh HISTORY These functions first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS The trusted certificate store is not searched for the signing certificate. This is primarily due to the inadequacies of the current diff --git a/man/CMS_verify_receipt.3 b/man/CMS_verify_receipt.3 index 7fd9e00d..ac50087a 100644 --- a/man/CMS_verify_receipt.3 +++ b/man/CMS_verify_receipt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CMS_verify_receipt.3,v 1.6 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: CMS_verify_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt CMS_VERIFY_RECEIPT 3 .Os .Sh NAME @@ -107,4 +107,4 @@ RFC 2634: Enhanced Security Services for S/MIME, section 2.8: Receipt Syntax .Fn CMS_verify_receipt first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/ChaCha.3 b/man/ChaCha.3 new file mode 100644 index 00000000..6b037f80 --- /dev/null +++ b/man/ChaCha.3 @@ -0,0 +1,253 @@ +.\" $OpenBSD: ChaCha.3,v 1.2 2020/06/24 18:15:00 jmc Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 24 2020 $ +.Dt CHACHA 3 +.Os +.Sh NAME +.Nm ChaCha_set_key , +.Nm ChaCha_set_iv , +.Nm ChaCha , +.Nm CRYPTO_chacha_20 , +.Nm CRYPTO_hchacha_20 , +.Nm CRYPTO_xchacha_20 +.Nd ChaCha20 stream cipher +.Sh SYNOPSIS +.In openssl/chacha.h +.Ft void +.Fo ChaCha_set_key +.Fa "ChaCha_ctx *ctx" +.Fa "const unsigned char *key" +.Fa "unsigned int keybits" +.Fc +.Ft void +.Fo ChaCha_set_iv +.Fa "ChaCha_ctx *ctx" +.Fa "const unsigned char *iv" +.Fa "const unsigned char *counter" +.Fc +.Ft void +.Fo ChaCha +.Fa "ChaCha_ctx *ctx" +.Fa "unsigned char *out" +.Fa "const unsigned char *in" +.Fa "size_t len" +.Fc +.Ft void +.Fo CRYPTO_chacha_20 +.Fa "unsigned char *out" +.Fa "const unsigned char *in" +.Fa "size_t len" +.Fa "const unsigned char key[32]" +.Fa "const unsigned char iv[8]" +.Fa "uint64_t counter" +.Fc +.Ft void +.Fo CRYPTO_hchacha_20 +.Fa "unsigned char out[32]" +.Fa "const unsigned char key[32]" +.Fa "const unsigned char iv[16]" +.Fc +.Ft void +.Fo CRYPTO_xchacha_20 +.Fa "unsigned char *out" +.Fa "const unsigned char *in" +.Fa "size_t len" +.Fa "const unsigned char key[32]" +.Fa "const unsigned char iv[24]" +.Fc +.Sh DESCRIPTION +These functions provide a low-level implementation +of the ChaCha stream cipher with 256 and 128-bit keys. +The number of rounds is hardcoded to 20; +variants with 8 or 12 rounds are not supported. +.Pp +Instead of using these functions directly, +application programs normally use the more portable +.Xr EVP_chacha20 3 +high-level interface. +.Pp +The ChaCha state is contained in the +.Vt ChaCha_ctx +structure and consists of sixteen 32-bit unsigned integers. +.Pp +For the recommended value of 256 +.Fa keybits , +.Fn ChaCha_set_key +copies 32 bytes (256 bits) from +.Fa key +to the middle eight integers of the ChaCha state, +using little endian order for each integer. +For the alternative value of 128 +.Fa keybits , +only 16 bytes (128 bits) are copied from +.Fa key +to the ChaCha state, but they are copied twice, +once to the second quarter and once to the third quarter. +The first quarter of the ChaCha state is set to four constant integers; +these constants differ depending on whether +.Fa keybits +is 128 or 256. +The last quarter of the ChaCha state remains unchanged. +.Pp +.Fn ChaCha_set_iv +copies eight bytes (64 bits) from +.Fa counter +and eight bytes (64 bits) from +.Fa iv +to the last quarter of the ChaCha state, the counter to the first +two integers and the initialization vector to the last two integers, +again in little endian order. +If +.Fa counter +is +.Dv NULL , +the two respective integers are set to 0 instead. +The first three quarters of the ChaCha state remain unchanged. +.Pp +.Fn ChaCha +encrypts +.Fa len +bytes of data from +.Fa in +to +.Fa out +using the +.Fa ctx +that was previously set up with +.Fn ChaCha_set_key +and +.Fn ChaCha_set_iv . +Providing an +.Fa out +buffer of at least +.Fa len +bytes is the responsibility of the caller. +This function can be called multiple times in a row with varying +.Fa len +arguments. +The +.Fa len +does not need to be a multiple of 64. +.Pp +.Fn CRYPTO_chacha_20 +encrypts +.Fa len +bytes of data from +.Fa in +to +.Fa out +in a one-shot operation, using the given +.Fa key +and +.Fa iv +as described for +.Fn ChaCha_set_key +and +.Fn ChaCha_set_iv +and copying the less significant half of +.Fa counter +to the first counter integer in the initial ChaCha state +and the more significant half to the second integer. +Providing an +.Fa out +buffer of at least +.Fa len +bytes is again the responsibility of the caller. +The maximum supported value for +.Fa len +is 2^32 \- 1. +.Pp +XChaCha is a variant of ChaCha designed to support longer nonces, +just like XSalsa20 is a variant of Salsa20 supporting longer nonces. +.Pp +.Fn CRYPTO_xchacha_20 +encrypts +.Fa len +bytes of data from +.Fa in +to +.Fa out +in a one-shot operation with the XChaCha algorithm, using the given +.Fa key +and +.Fa iv . +It is equivalent to +.Fn CRYPTO_chacha_20 +with the last third of +.Fa iv , +a +.Fa counter +of 0, and a key generated with +.Fn CRYPTO_hchacha_20 +from the first two thirds of +.Fa iv . +.Sh SEE ALSO +.Xr crypto 3 , +.Xr EVP_chacha20 3 +.Rs +.%A Daniel J. Bernstein +.%T ChaCha, a variant of Salsa20 +.%U http://cr.yp.to/chacha/chacha-20080128.pdf +.%C Chicago +.%D January 28, 2008 +.Re +.Rs +.%A Daniel J. Bernstein +.%T Extending the Salsa20 nonce +.%U https://cr.yp.to/snuffle/xsalsa-20110204.pdf +.%C Chicago +.%D August 22, 2017 +.Re +.Sh STANDARDS +RFC 8439: ChaCha20 and Poly1305 for IETF Protocols +.Pp +Note that the standard specifies +a 32-bit counter and a 96-bit initialization vector whereas +this implementation follows Bernstein's original specification +and uses a 64-bit counter and a 64-bit initialization vector. +.Pp +These functions are specific to LibreSSL and not provided by OpenSSL. +BoringSSL does provide +.Fn CRYPTO_chacha_20 , +but with an incompatible interface, taking a 96-bit +.Fa iv +and a 32-bit +.Fa counter . +.Sh HISTORY +.Fn ChaCha_set_key , +.Fn ChaCha_set_iv , +.Fn ChaCha , +and +.Fn CRYPTO_chacha_20 +first appeared in +.Ox 5.6 . +.\" Committed on May 1, 2014. +.\" BoringSSL added CRYPTO_chacha_20 on June 20, 2014. +.Pp +.Fn CRYPTO_hchacha_20 +and +.Fn CRYPTO_xchacha_20 +first appeared in +.Ox 6.5 . +.Sh AUTHORS +.An -nosplit +This implementation was written by +.An Daniel J. Bernstein Aq Mt djb@cr.yp.to . +The API layer was added by +.An Joel Sing Aq Mt jsing@openbsd.org +for ChaCha, and for XChaCha by +.An David Gwynne Aq Mt dlg@openbsd.org . diff --git a/man/ECDH_compute_key.3 b/man/ECDH_compute_key.3 index 973ce428..ba67098c 100644 --- a/man/ECDH_compute_key.3 +++ b/man/ECDH_compute_key.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ECDH_compute_key.3,v 1.1 2019/08/19 13:08:26 schwarze Exp $ +.\" $OpenBSD: ECDH_compute_key.3,v 1.2 2021/03/12 05:18:00 jsg Exp $ .\" Copyright (c) 2019 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 19 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt ECDH_COMPUTE_KEY 3 .Os .Sh NAME @@ -63,7 +63,7 @@ must be at least returns the number of bytes needed to store an affine coordinate of a point on the elliptic curve used by .Fa ecdh , -which is one eigth of the degree of the finite field underlying +which is one eighth of the degree of the finite field underlying that elliptic curve, rounded up to the next integer number. .Sh RETURN VALUES .Fn ECDH_compute_key diff --git a/man/EC_KEY_new.3 b/man/EC_KEY_new.3 index ba0774cc..ef3028c4 100644 --- a/man/EC_KEY_new.3 +++ b/man/EC_KEY_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_KEY_new.3,v 1.15 2019/08/19 13:08:26 schwarze Exp $ +.\" $OpenBSD: EC_KEY_new.3,v 1.16 2020/09/08 03:25:15 tb Exp $ .\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500 .\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 19 2019 $ +.Dd $Mdocdate: September 8 2020 $ .Dt EC_KEY_NEW 3 .Os .Sh NAME @@ -509,7 +509,9 @@ associated with the .Vt EC_KEY . .Pp .Fn EC_KEY_get0_private_key -returns the private key associated with the +and +.Fn EC_KEY_get0_public_key +return the private or public keys, respectively, associated with the .Vt EC_KEY . .Pp .Fn EC_KEY_get_enc_flags diff --git a/man/ENGINE_new.3 b/man/ENGINE_new.3 index ce740903..eaab08d1 100644 --- a/man/ENGINE_new.3 +++ b/man/ENGINE_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ENGINE_new.3,v 1.4 2019/06/10 09:49:48 schwarze Exp $ +.\" $OpenBSD: ENGINE_new.3,v 1.5 2021/03/12 05:18:00 jsg Exp $ .\" content checked up to: .\" OpenSSL ENGINE_add 1f13ad31 Dec 25 17:50:39 2017 +0800 .\" @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt ENGINE_NEW 3 .Os .Sh NAME @@ -89,7 +89,7 @@ and the and .Xr ENGINE_set_default 3 families of functions -do so when they store a structural refence internally. +do so when they store a structural reference internally. .Pp .Fn ENGINE_up_ref explicitly increment the structural reference count by 1. diff --git a/man/ERR_load_crypto_strings.3 b/man/ERR_load_crypto_strings.3 index e3d60527..4ad12659 100644 --- a/man/ERR_load_crypto_strings.3 +++ b/man/ERR_load_crypto_strings.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.8 2019/06/14 13:41:31 schwarze Exp $ -.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 +.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.9 2020/06/04 20:06:04 schwarze Exp $ +.\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500 +.\" selective merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: @@ -65,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: June 4 2020 $ .Dt ERR_LOAD_CRYPTO_STRINGS 3 .Os .Sh NAME @@ -73,6 +74,10 @@ .Nm ERR_free_strings , .Nm SSL_load_error_strings .Nd load and free OpenSSL error strings +.\" The function ERR_load_ERR_strings() is intentionally undocumented +.\" because it is merely a subroutine of ERR_load_crypto_strings(3) +.\" and should not have been made a part of the API. +.\" The same applies to the other ERR_load_*_strings() functions. .Sh SYNOPSIS .In openssl/err.h .Ft void @@ -102,7 +107,8 @@ If the error strings were already loaded before, no action occurs. frees all previously loaded error strings. .Sh SEE ALSO .Xr ERR 3 , -.Xr ERR_error_string 3 +.Xr ERR_error_string 3 , +.Xr OPENSSL_config 3 .Sh HISTORY .Fn ERR_load_crypto_strings and diff --git a/man/ERR_print_errors.3 b/man/ERR_print_errors.3 index a6fdbc0c..a5c7c032 100644 --- a/man/ERR_print_errors.3 +++ b/man/ERR_print_errors.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ERR_print_errors.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: ERR_print_errors.3,v 1.8 2020/03/28 22:40:58 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller , @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 28 2020 $ .Dt ERR_PRINT_ERRORS 3 .Os .Sh NAME @@ -103,11 +103,6 @@ respective error code. .Pp If there is no text string registered for the given error code, the error string will contain the numeric code. -.Sh RETURN VALUES -.Fn ERR_print_errors -and -.Fn ERR_print_errors_fp -return no values. .Sh SEE ALSO .Xr ERR 3 , .Xr ERR_error_string 3 , diff --git a/man/ERR_remove_state.3 b/man/ERR_remove_state.3 index 0a879782..bc28f15d 100644 --- a/man/ERR_remove_state.3 +++ b/man/ERR_remove_state.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ERR_remove_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: ERR_remove_state.3,v 1.7 2020/03/28 22:40:58 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Ulf Moeller and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 28 2020 $ .Dt ERR_REMOVE_STATE 3 .Os .Sh NAME @@ -92,11 +92,6 @@ Calling .Fn ERR_remove_state is equivalent to .Fn ERR_remove_thread_state NULL . -.Sh RETURN VALUES -.Fn ERR_remove_thread_state -and -.Fn ERR_remove_state -return no value. .Sh SEE ALSO .Xr ERR 3 .Sh HISTORY diff --git a/man/EVP_DigestInit.3 b/man/EVP_DigestInit.3 index cefd546a..ca36ece5 100644 --- a/man/EVP_DigestInit.3 +++ b/man/EVP_DigestInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_DigestInit.3,v 1.18 2019/08/25 17:08:20 schwarze Exp $ +.\" $OpenBSD: EVP_DigestInit.3,v 1.20 2021/01/05 06:51:31 jmc Exp $ .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000 .\" selective merge up to: OpenSSL a95d7574 Jul 2 12:16:38 2017 -0400 .\" @@ -68,7 +68,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 25 2019 $ +.Dd $Mdocdate: January 5 2021 $ .Dt EVP_DIGESTINIT 3 .Os .Sh NAME @@ -286,7 +286,7 @@ is a deprecated function to clear a digest context on the stack before use. Do not use it on a digest context returned from .Fn EVP_MD_CTX_new -or one one that was already used. +or one that was already used. .Pp .Fn EVP_MD_CTX_create , .Fn EVP_MD_CTX_cleanup , @@ -671,6 +671,7 @@ main(int argc, char *argv[]) .Ed .Sh SEE ALSO .Xr BIO_f_md 3 , +.Xr CMAC_Init 3 , .Xr evp 3 , .Xr EVP_BytesToKey 3 , .Xr EVP_DigestSignInit 3 , diff --git a/man/EVP_EncryptInit.3 b/man/EVP_EncryptInit.3 index 873a09aa..bcfe2360 100644 --- a/man/EVP_EncryptInit.3 +++ b/man/EVP_EncryptInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_EncryptInit.3,v 1.36 2019/08/15 09:36:29 schwarze Exp $ +.\" $OpenBSD: EVP_EncryptInit.3,v 1.41 2021/01/05 06:51:31 jmc Exp $ .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800 .\" EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod .\" 7c6d372a Nov 20 13:20:01 2018 +0000 @@ -71,7 +71,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 15 2019 $ +.Dd $Mdocdate: January 5 2021 $ .Dt EVP_ENCRYPTINIT 3 .Os .Sh NAME @@ -454,7 +454,7 @@ is a deprecated function to clear a cipher context on the stack before use. Do not use it on a cipher context returned from .Fn EVP_CIPHER_CTX_new -or one one that was already used. +or one that was already used. .Pp .Fn EVP_CIPHER_CTX_free clears all information from @@ -1029,7 +1029,9 @@ is an alias for implemented as a macro. .It Fn EVP_chacha20 The ChaCha20 stream cipher. -The key length is 256 bits, the IV is 96 bits long. +The key length is 256 bits. +The first 32 bits of the 128-bit IV are used as a counter, +and the remaining 96 bits as a nonce. .El .Pp See also @@ -1195,7 +1197,7 @@ openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F \e .Ed .Pp General encryption, decryption function example using FILE I/O and AES128 -with an 128-bit key: +with a 128-bit key: .Bd -literal int do_crypt(FILE *in, FILE *out, int do_encrypt) diff --git a/man/EVP_PKEY_CTX_ctrl.3 b/man/EVP_PKEY_CTX_ctrl.3 index 52892459..7714cb05 100644 --- a/man/EVP_PKEY_CTX_ctrl.3 +++ b/man/EVP_PKEY_CTX_ctrl.3 @@ -1,8 +1,10 @@ -.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.14 2019/09/10 19:44:32 schwarze Exp $ -.\" full merge up to: OpenSSL e03af178 Dec 11 17:05:57 2014 -0500 +.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.22 2019/11/01 13:53:25 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 +.\" Parts were split out into RSA_pkey_ctx_ctrl(3). .\" -.\" This file was written by Dr. Stephen Henson . +.\" This file was written by Dr. Stephen Henson +.\" and Antoine Salon . .\" Copyright (c) 2006, 2009, 2013, 2014, 2015, 2018 The OpenSSL Project. .\" All rights reserved. .\" @@ -50,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 10 2019 $ +.Dd $Mdocdate: November 1 2019 $ .Dt EVP_PKEY_CTX_CTRL 3 .Os .Sh NAME @@ -58,18 +60,24 @@ .Nm EVP_PKEY_CTX_ctrl_str , .Nm EVP_PKEY_CTX_set_signature_md , .Nm EVP_PKEY_CTX_get_signature_md , -.Nm EVP_PKEY_CTX_set_rsa_padding , -.Nm EVP_PKEY_CTX_get_rsa_padding , -.Nm EVP_PKEY_CTX_set_rsa_pss_saltlen , -.Nm EVP_PKEY_CTX_get_rsa_pss_saltlen , -.Nm EVP_PKEY_CTX_set_rsa_keygen_bits , -.Nm EVP_PKEY_CTX_set_rsa_keygen_pubexp , -.Nm EVP_PKEY_CTX_set_rsa_mgf1_md , -.Nm EVP_PKEY_CTX_get_rsa_mgf1_md , .Nm EVP_PKEY_CTX_set_dsa_paramgen_bits , .Nm EVP_PKEY_CTX_set_dh_paramgen_prime_len , .Nm EVP_PKEY_CTX_set_dh_paramgen_generator , -.Nm EVP_PKEY_CTX_set_ec_paramgen_curve_nid +.Nm EVP_PKEY_CTX_set_ec_paramgen_curve_nid , +.Nm EVP_PKEY_CTX_set_ec_param_enc , +.Nm EVP_PKEY_CTX_set_ecdh_cofactor_mode , +.Nm EVP_PKEY_CTX_get_ecdh_cofactor_mode , +.Nm EVP_PKEY_CTX_set_ecdh_kdf_type , +.Nm EVP_PKEY_CTX_get_ecdh_kdf_type , +.Nm EVP_PKEY_CTX_set_ecdh_kdf_md , +.Nm EVP_PKEY_CTX_get_ecdh_kdf_md , +.Nm EVP_PKEY_CTX_set_ecdh_kdf_outlen , +.Nm EVP_PKEY_CTX_get_ecdh_kdf_outlen , +.Nm EVP_PKEY_CTX_set0_ecdh_kdf_ukm , +.Nm EVP_PKEY_CTX_get0_ecdh_kdf_ukm , +.Nm EVP_PKEY_CTX_set1_id , +.Nm EVP_PKEY_CTX_get1_id , +.Nm EVP_PKEY_CTX_get1_id_len .Nd algorithm specific control operations .Sh SYNOPSIS .In openssl/evp.h @@ -98,69 +106,98 @@ .Fa "EVP_PKEY_CTX *ctx" .Fa "const EVP_MD **pmd" .Fc -.In openssl/rsa.h +.In openssl/dsa.h .Ft int -.Fo EVP_PKEY_CTX_set_rsa_padding +.Fo EVP_PKEY_CTX_set_dsa_paramgen_bits .Fa "EVP_PKEY_CTX *ctx" -.Fa "int pad" +.Fa "int nbits" .Fc +.In openssl/dh.h .Ft int -.Fo EVP_PKEY_CTX_get_rsa_padding +.Fo EVP_PKEY_CTX_set_dh_paramgen_prime_len .Fa "EVP_PKEY_CTX *ctx" -.Fa "int *ppad" +.Fa "int len" .Fc .Ft int -.Fo EVP_PKEY_CTX_set_rsa_pss_saltlen +.Fo EVP_PKEY_CTX_set_dh_paramgen_generator .Fa "EVP_PKEY_CTX *ctx" -.Fa "int len" +.Fa "int gen" .Fc +.In openssl/ec.h .Ft int -.Fo EVP_PKEY_CTX_get_rsa_pss_saltlen +.Fo EVP_PKEY_CTX_set_ec_paramgen_curve_nid +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int nid" +.Fc +.Fa int +.Fo EVP_PKEY_CTX_set_ec_param_enc +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int param_enc" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_ecdh_cofactor_mode +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int cofactor_mode" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get_ecdh_cofactor_mode .Fa "EVP_PKEY_CTX *ctx" -.Fa "int *plen" .Fc .Ft int -.Fo EVP_PKEY_CTX_set_rsa_keygen_bits +.Fo EVP_PKEY_CTX_set_ecdh_kdf_type .Fa "EVP_PKEY_CTX *ctx" -.Fa "int mbits" +.Fa "int kdf" .Fc .Ft int -.Fo EVP_PKEY_CTX_set_rsa_keygen_pubexp +.Fo EVP_PKEY_CTX_get_ecdh_kdf_type .Fa "EVP_PKEY_CTX *ctx" -.Fa "BIGNUM *pubexp" .Fc .Ft int -.Fo EVP_PKEY_CTX_set_rsa_mgf1_md +.Fo EVP_PKEY_CTX_set_ecdh_kdf_md .Fa "EVP_PKEY_CTX *ctx" .Fa "const EVP_MD *md" .Fc .Ft int -.Fo EVP_PKEY_CTX_get_rsa_mgf1_md +.Fo EVP_PKEY_CTX_get_ecdh_kdf_md .Fa "EVP_PKEY_CTX *ctx" .Fa "const EVP_MD **pmd" .Fc -.In openssl/dsa.h .Ft int -.Fo EVP_PKEY_CTX_set_dsa_paramgen_bits +.Fo EVP_PKEY_CTX_set_ecdh_kdf_outlen .Fa "EVP_PKEY_CTX *ctx" -.Fa "int nbits" +.Fa "int len" .Fc -.In openssl/dh.h .Ft int -.Fo EVP_PKEY_CTX_set_dh_paramgen_prime_len +.Fo EVP_PKEY_CTX_get_ecdh_kdf_outlen .Fa "EVP_PKEY_CTX *ctx" +.Fa "int *plen" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set0_ecdh_kdf_ukm +.Fa "EVP_PKEY_CTX *ctx" +.Fa "unsigned char *ukm" .Fa "int len" .Fc .Ft int -.Fo EVP_PKEY_CTX_set_dh_paramgen_generator +.Fo EVP_PKEY_CTX_get0_ecdh_kdf_ukm .Fa "EVP_PKEY_CTX *ctx" -.Fa "int gen" +.Fa "unsigned char **pukm" .Fc -.In openssl/ec.h .Ft int -.Fo EVP_PKEY_CTX_set_ec_paramgen_curve_nid +.Fo EVP_PKEY_CTX_set1_id .Fa "EVP_PKEY_CTX *ctx" -.Fa "int nid" +.Fa "void *id" +.Fa "size_t id_len" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get1_id +.Fa "EVP_PKEY_CTX *ctx" +.Fa "void *id" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get1_id_len +.Fa "EVP_PKEY_CTX *ctx" +.Fa "size_t *pid_len" .Fc .Sh DESCRIPTION The function @@ -183,7 +220,8 @@ and Applications will not normally call .Fn EVP_PKEY_CTX_ctrl directly but will instead call one of the algorithm specific macros -below. +described below and in +.Xr RSA_pkey_ctx_ctrl 3 . .Pp The function .Fn EVP_PKEY_CTX_ctrl_str @@ -212,101 +250,10 @@ and .Fn EVP_PKEY_CTX_get_signature_md macros set and get the message digest type used in a signature. They can be used with the RSA, DSA, and ECDSA algorithms. -.Ss RSA parameters -The -.Fn EVP_PKEY_CTX_set_rsa_padding -macro sets the RSA padding mode for -.Fa ctx . -The -.Fa pad -parameter can take the value -.Dv RSA_PKCS1_PADDING -for PKCS#1 padding, -.Dv RSA_NO_PADDING -for no padding, -.Dv RSA_PKCS1_OAEP_PADDING -for OAEP padding (encrypt and decrypt only), -.Dv RSA_X931_PADDING -for X9.31 padding (signature operations only) and -.Dv RSA_PKCS1_PSS_PADDING -(sign and verify only). -.Pp -Two RSA padding modes behave differently if -.Fn EVP_PKEY_CTX_set_signature_md -is used. -If this macro is called for PKCS#1 padding, the plaintext buffer is an -actual digest value and is encapsulated in a -.Vt DigestInfo -structure according to PKCS#1 when signing and this structure is -expected (and stripped off) when verifying. -If this control is not used with RSA and PKCS#1 padding then the -supplied data is used directly and not encapsulated. -In the case of X9.31 padding for RSA the algorithm identifier byte is -added or checked and removed if this control is called. -If it is not called then the first byte of the plaintext buffer is -expected to be the algorithm identifier byte. -.Pp -The -.Fn EVP_PKEY_CTX_get_rsa_padding -macro retrieves the RSA padding mode for -.Fa ctx . -.Pp -The -.Fn EVP_PKEY_CTX_set_rsa_pss_saltlen -macro sets the RSA PSS salt length to -.Fa len . -As its name implies, it is only supported for PSS padding. -Two special values are supported: -1 sets the salt length to the digest -length. -When signing -2 sets the salt length to the maximum permissible value. -When verifying -2 causes the salt length to be automatically determined -based on the PSS block structure. -If this macro is not called a salt length value of -2 is used by -default. -.Pp -The -.Fn EVP_PKEY_CTX_get_rsa_pss_saltlen -macro retrieves the RSA PSS salt length for -.Fa ctx . -The padding mode must have been set to -.Dv RSA_PKCS1_PSS_PADDING . -.Pp -The -.Fn EVP_PKEY_CTX_set_rsa_keygen_bits -macro sets the RSA key length for RSA key generation to -.Fa mbits . -If not specified, 1024 bits is used. -.Pp -The -.Fn EVP_PKEY_CTX_set_rsa_keygen_pubexp -macro sets the public exponent value for RSA key generation to -.Fa pubexp . -Currently, it should be an odd integer. -The -.Fa pubexp -pointer is used internally by this function, so it should not be modified -or freed after the call. -If this macro is not called, then 65537 is used. -.Pp -The -.Fn EVP_PKEY_CTX_set_rsa_mgf1_md -macro sets the MGF1 digest for RSA padding schemes to -.Fa md . -Unless explicitly specified, the signing digest is used. -The padding mode must have been set to -.Dv RSA_PKCS1_OAEP_PADDING -or -.Dv RSA_PKCS1_PSS_PADDING . -.Pp -The -.Fn EVP_PKEY_CTX_get_rsa_mgf1_md -macro retrieves the MGF1 digest for -.Fa ctx . -Unless explicitly specified, the signing digest is used. -The padding mode must have been set to -.Dv RSA_PKCS1_OAEP_PADDING -or -.Dv RSA_PKCS1_PSS_PADDING . +If the key is of the type +.Dv EVP_PKEY_RSA_PSS +and has usage restrictions, an error occurs if an attempt is made +to set the digest to anything other than the restricted value. .Ss DSA parameters The macro .Fn EVP_PKEY_CTX_set_dsa_paramgen_bits @@ -331,10 +278,135 @@ If not specified, 2 is used. .Ss EC parameters The .Fn EVP_PKEY_CTX_set_ec_paramgen_curve_nid -sets the EC curve for EC parameter generation to +macro sets the EC curve for EC parameter generation to .Fa nid . For EC parameter generation, this macro must be called or an error occurs because there is no default curve. +.Pp +The +.Fn EVP_PKEY_CTX_set_ec_param_enc +macro sets the EC parameter encoding to +.Fa param_enc +when generating EC parameters or an EC key. +The encoding can be set to 0 for explicit parameters or to +.Dv OPENSSL_EC_NAMED_CURVE +to use named curve form. +.Ss ECDH parameters +The +.Fn EVP_PKEY_CTX_set_ecdh_cofactor_mode +macro sets the cofactor mode to +.Fa cofactor_mode +for ECDH key derivation. +Possible values are 1 to enable cofactor key derivation, 0 to disable +it, or -1 to clear the stored cofactor mode and fall back to the +private key cofactor mode. +.Pp +The +.Fn EVP_PKEY_CTX_get_ecdh_cofactor_mode +macro returns the cofactor mode for +.Fa ctx +used for ECDH key derivation. +Possible return values are 1 when cofactor key derivation is enabled +or 0 otherwise. +.Ss ECDH key derivation function parameters +The +.Fn EVP_PKEY_CTX_set_ecdh_kdf_type +macro sets the key derivation function type to +.Fa kdf +for ECDH key derivation. +Possible values are +.Dv EVP_PKEY_ECDH_KDF_NONE +or +.Dv EVP_PKEY_ECDH_KDF_X9_63 +which uses the key derivation specified in X9.63. +When using key derivation, the +.Fa kdf_md +and +.Fa kdf_outlen +parameters must also be specified. +.Pp +The +.Fn EVP_PKEY_CTX_get_ecdh_kdf_type +macro returns the key derivation function type for +.Fa ctx +used for ECDH key derivation. +Possible return values are +.Dv EVP_PKEY_ECDH_KDF_NONE +or +.Dv EVP_PKEY_ECDH_KDF_X9_63 . +.Pp +The +.Fn EVP_PKEY_CTX_set_ecdh_kdf_md +macro sets the key derivation function message digest to +.Fa md +for ECDH key derivation. +Note that X9.63 specifies that this digest should be SHA1, +but OpenSSL tolerates other digests. +.Pp +The +.Fn EVP_PKEY_CTX_get_ecdh_kdf_md +macro gets the key derivation function message digest for +.Fa ctx +used for ECDH key derivation. +.Pp +The +.Fn EVP_PKEY_CTX_set_ecdh_kdf_outlen +macro sets the key derivation function output length to +.Fa len +for ECDH key derivation. +.Pp +The +.Fn EVP_PKEY_CTX_get_ecdh_kdf_outlen +macro gets the key derivation function output length for +.Fa ctx +used for ECDH key derivation. +.Pp +The +.Fn EVP_PKEY_CTX_set0_ecdh_kdf_ukm +macro sets the user key material to +.Fa ukm +for ECDH key derivation. +This parameter is optional and corresponds to the shared info +in X9.63 terms. +The library takes ownership of the user key material, so the caller +should not free the original memory pointed to by +.Fa ukm . +.Pp +The +.Fn EVP_PKEY_CTX_get0_ecdh_kdf_ukm +macro gets the user key material for +.Fa ctx . +The return value is the user key material length. +The resulting pointer is owned by the library and should not be +freed by the caller. +.Ss Other parameters +The +.Fn EVP_PKEY_CTX_set1_id , +.Fn EVP_PKEY_CTX_get1_id , +and +.Fn EVP_PKEY_CTX_get1_id_len +macros manipulate a special identifier field used for some specific +signature algorithms such as SM2. +The +.Fn EVP_PKEY_set1_id +macro sets the ID to a copy of +.Fa id +with the length +.Fa id_len . +The caller can safely free the original memory pointed to by +.Fa id . +The +.Fn EVP_PKEY_CTX_get1_id_len +macro returns the length of the ID set via a previous call to +.Fn EVP_PKEY_set1_id . +That length is typically used to allocate memory for a subsequent call to +.Fn EVP_PKEY_CTX_get1_id , +which copies the previously set ID into +.Pf * Fa id . +The caller is responsible for allocating sufficient memory for +.Fa id +before calling +.Fn EVP_PKEY_CTX_get1_id . .Sh RETURN VALUES .Fn EVP_PKEY_CTX_ctrl and its macros return a positive value for success and 0 or a negative @@ -353,13 +425,42 @@ supported by the public key algorithm. .Xr EVP_PKEY_meth_set_ctrl 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , -.Xr EVP_PKEY_verify_recover 3 +.Xr EVP_PKEY_verify_recover 3 , +.Xr RSA_pkey_ctx_ctrl 3 .Sh HISTORY -These functions first appeared in OpenSSL 1.0.0 -and have been available since +The functions +.Fn EVP_PKEY_CTX_ctrl , +.Fn EVP_PKEY_CTX_ctrl_str , +.Fn EVP_PKEY_CTX_set_signature_md , +.Fn EVP_PKEY_CTX_set_dsa_paramgen_bits , +.Fn EVP_PKEY_CTX_set_dh_paramgen_prime_len , +.Fn EVP_PKEY_CTX_set_dh_paramgen_generator , +and +.Fn EVP_PKEY_CTX_set_ec_paramgen_curve_nid +first appeared in OpenSSL 1.0.0 and have been available since .Ox 4.9 . .Pp -As an exception, -.Fn EVP_PKEY_CTX_get_signature_md -first appeared in OpenSSL 1.0.2 and has been available since +The functions +.Fn EVP_PKEY_CTX_get_signature_md , +.Fn EVP_PKEY_CTX_set_ec_param_enc , +.Fn EVP_PKEY_CTX_set_ecdh_cofactor_mode , +.Fn EVP_PKEY_CTX_get_ecdh_cofactor_mode , +.Fn EVP_PKEY_CTX_set_ecdh_kdf_type , +.Fn EVP_PKEY_CTX_get_ecdh_kdf_type , +.Fn EVP_PKEY_CTX_set_ecdh_kdf_md , +.Fn EVP_PKEY_CTX_get_ecdh_kdf_md , +.Fn EVP_PKEY_CTX_set_ecdh_kdf_outlen , +.Fn EVP_PKEY_CTX_get_ecdh_kdf_outlen , +.Fn EVP_PKEY_CTX_set0_ecdh_kdf_ukm , +and +.Fn EVP_PKEY_CTX_get0_ecdh_kdf_ukm +first appeared in OpenSSL 1.0.2 and have been available since +.Ox 6.6 . +.Pp +The functions +.Fn EVP_PKEY_CTX_set1_id , +.Fn EVP_PKEY_CTX_get1_id , +and +.Fn EVP_PKEY_CTX_get1_id_len +first appeared in OpenSSL 1.1.1 and have been available since .Ox 6.6 . diff --git a/man/EVP_PKEY_CTX_new.3 b/man/EVP_PKEY_CTX_new.3 index e2f18ccb..8f6a0a65 100644 --- a/man/EVP_PKEY_CTX_new.3 +++ b/man/EVP_PKEY_CTX_new.3 @@ -1,7 +1,24 @@ -.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.8 2019/06/06 01:06:58 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.11 2020/06/24 19:55:55 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" -.\" This file was written by Dr. Stephen Henson . +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2019, 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Dr. Stephen Henson . .\" Copyright (c) 2006, 2009, 2015 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -48,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt EVP_PKEY_CTX_NEW 3 .Os .Sh NAME @@ -83,22 +100,36 @@ The function allocates a public key algorithm context using the algorithm specified in .Fa pkey -and the -.Vt ENGINE -.Fa e . +and using +.Fa e +unless it is +.Dv NULL . +If +.Fa pkey +is associated with an engine, that engine is used and +.Fa e +is ignored. .Pp The .Fn EVP_PKEY_CTX_new_id function allocates a public key algorithm context using the algorithm specified by .Fa id -and -.Vt ENGINE -.Fa e . +and using +.Fa e +unless it is +.Dv NULL . It is normally used when no .Vt EVP_PKEY structure is associated with the operations, for example during parameter generation of key generation for some algorithms. +The +.Fa id +argument can be any of the constants that +.Xr EVP_PKEY_base_id 3 +and +.Xr EVP_PKEY_id 3 +may return. .Pp .Fn EVP_PKEY_CTX_dup duplicates the context @@ -125,6 +156,7 @@ if an error occurred. .Sh SEE ALSO .Xr EVP_DigestSignInit 3 , .Xr EVP_DigestVerifyInit 3 , +.Xr EVP_PKEY_base_id 3 , .Xr EVP_PKEY_CTX_ctrl 3 , .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_derive 3 , @@ -135,6 +167,7 @@ if an error occurred. .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 , +.Xr RSA_pkey_ctx_ctrl 3 , .Xr X25519 3 .Sh HISTORY These functions first appeared in OpenSSL 1.0.0 diff --git a/man/EVP_PKEY_asn1_get_count.3 b/man/EVP_PKEY_asn1_get_count.3 index 11692ffd..c14420ba 100644 --- a/man/EVP_PKEY_asn1_get_count.3 +++ b/man/EVP_PKEY_asn1_get_count.3 @@ -1,7 +1,24 @@ -.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $ -.\" full merge up to: OpenSSL 751148e2 Oct 27 00:11:11 2017 +0200 +.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.5 2020/06/24 19:55:54 schwarze Exp $ +.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000 .\" -.\" This file was written by Richard Levitte . +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Richard Levitte . .\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -48,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt EVP_PKEY_ASN1_GET_COUNT 3 .Os .Sh NAME @@ -93,7 +110,7 @@ .Fc .Sh DESCRIPTION .Fn EVP_PKEY_asn1_get_count -returns a count of the number of public key ASN.1 methods available. +returns the number of public key ASN.1 methods available. It includes standard methods and any methods added by the application. .Pp .Fn EVP_PKEY_asn1_get0 @@ -107,7 +124,12 @@ must be in the range from zero to .Pp .Fn EVP_PKEY_asn1_find looks up the method with NID -.Fa type . +.Fa type , +which can be any of the values that +.Xr EVP_PKEY_base_id 3 +and +.Xr EVP_PKEY_id 3 +may return. If .Fa pe is not @@ -121,6 +143,9 @@ is set to that engine and the method from that engine is returned instead. .Fn EVP_PKEY_asn1_find_str looks up the method with PEM type string .Fa str . +The PEM type strings supported by default are listed in the +.Xr EVP_PKEY_base_id 3 +manual page. Just like .Fn EVP_PKEY_asn1_find , if @@ -130,10 +155,14 @@ is not methods from engines are preferred. .Pp .Fn EVP_PKEY_asn1_get0_info -retrieves the public key ID, the base public key ID (both NIDs), any flags, -the method description and the PEM type string associated with the public -key ASN.1 method -.Sy *ameth . +retrieves the public key ID as returned by +.Xr EVP_PKEY_id 3 , +the base public key ID as returned by +.Xr EVP_PKEY_base_id 3 +.Pq both NIDs , +any flags, the method description, +and the PEM type string associated with +.Fa ameth . .Pp .Fn EVP_PKEY_asn1_get_count , .Fn EVP_PKEY_asn1_get0 , diff --git a/man/EVP_PKEY_new.3 b/man/EVP_PKEY_new.3 index 00ffbce9..939d5f0d 100644 --- a/man/EVP_PKEY_new.3 +++ b/man/EVP_PKEY_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_new.3,v 1.11 2019/06/07 19:59:11 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_new.3,v 1.13 2021/03/31 16:48:43 tb Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" @@ -50,13 +50,14 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 7 2019 $ +.Dd $Mdocdate: March 31 2021 $ .Dt EVP_PKEY_NEW 3 .Os .Sh NAME .Nm EVP_PKEY_new , .Nm EVP_PKEY_up_ref , .Nm EVP_PKEY_free , +.Nm EVP_PKEY_new_CMAC_key , .Nm EVP_PKEY_new_mac_key .Nd private key allocation functions .Sh SYNOPSIS @@ -72,6 +73,13 @@ .Fa "EVP_PKEY *key" .Fc .Ft EVP_PKEY * +.Fo EVP_PKEY_new_CMAC_key +.Fa "ENGINE *e" +.Fa "const unsigned char *priv" +.Fa "size_t len" +.Fa "const EVP_CIPHER *cipher" +.Fc +.Ft EVP_PKEY * .Fo EVP_PKEY_new_mac_key .Fa "int type" .Fa "ENGINE *e" @@ -108,6 +116,32 @@ is a .Dv NULL pointer, no action occurs. .Pp +.Fn EVP_PKEY_new_CMAC_key +allocates a new +.Vt EVP_PKEY +for the +.Dv EVP_PKEY_CMAC +algorithm type. +If +.Fa e +is +.Pf non- Dv NULL , +then the new +.Vt EVP_PKEY +is associated with the engine +.Fa e . +.Fa priv +points to the raw private key data +of length +.Fa len +for this +.Vt EVP_PKEY . +.Fa cipher +specifies a cipher algorithm to be used during creation of the CMAC. +.Fa cipher +should be a standard encryption only cipher. +For example, AEAD and XTS ciphers should not be used. +.Pp .Fn EVP_PKEY_new_mac_key allocates a new .Vt EVP_PKEY . @@ -134,7 +168,8 @@ The length should be appropriate for the type of the key. The public key data will be automatically derived from the given private key data (if appropriate for the algorithm type). .Sh RETURN VALUES -.Fn EVP_PKEY_new +.Fn EVP_PKEY_new , +.Fn EVP_PKEY_new_CMAC_key , and .Fn EVP_PKEY_new_mac_key return either the newly allocated @@ -146,6 +181,7 @@ if an error occurred. .Fn EVP_PKEY_up_ref returns 1 for success or 0 for failure. .Sh SEE ALSO +.Xr CMAC_Init 3 , .Xr d2i_PrivateKey 3 , .Xr evp 3 , .Xr EVP_PKEY_asn1_new 3 , @@ -162,6 +198,10 @@ and first appeared in SSLeay 0.6.0 and have been available since .Ox 2.4 . .Pp +.Fn EVP_PKEY_new_CMAC_key +first appeared in OpenSSL 1.1.1 and has been available since +.Ox 6.9 . +.Pp .Fn EVP_PKEY_new_mac_key first appeared in OpenSSL 1.0.0 and has been available since .Ox 4.9 . diff --git a/man/EVP_PKEY_set1_RSA.3 b/man/EVP_PKEY_set1_RSA.3 index 9851538c..99faf8da 100644 --- a/man/EVP_PKEY_set1_RSA.3 +++ b/man/EVP_PKEY_set1_RSA.3 @@ -1,10 +1,10 @@ -.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.16 2019/09/01 09:10:09 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.17 2020/06/24 19:55:54 schwarze Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: .\" -.\" Copyright (c) 2019 Ingo Schwarze +.\" Copyright (c) 2019, 2020 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 1 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt EVP_PKEY_SET1_RSA 3 .Os .Sh NAME @@ -89,10 +89,10 @@ .Nm EVP_PKEY_assign_EC_KEY , .Nm EVP_PKEY_assign_GOST , .Nm EVP_PKEY_assign , -.Nm EVP_PKEY_set_type , .Nm EVP_PKEY_base_id , .Nm EVP_PKEY_id , -.Nm EVP_PKEY_type +.Nm EVP_PKEY_type , +.Nm EVP_PKEY_set_type .Nd EVP_PKEY assignment functions .Sh SYNOPSIS .In openssl/evp.h @@ -189,11 +189,6 @@ .Fa "void *key" .Fc .Ft int -.Fo EVP_PKEY_set_type -.Fa "EVP_PKEY *pkey" -.Fa "int type" -.Fc -.Ft int .Fo EVP_PKEY_base_id .Fa "EVP_PKEY *pkey" .Fc @@ -205,6 +200,11 @@ .Fo EVP_PKEY_type .Fa "int type" .Fc +.Ft int +.Fo EVP_PKEY_set_type +.Fa "EVP_PKEY *pkey" +.Fa "int type" +.Fc .Sh DESCRIPTION .Fn EVP_PKEY_set1_RSA , .Fn EVP_PKEY_set1_DSA , @@ -286,38 +286,51 @@ The following types are supported: and .Dv EVP_PKEY_GOSTR01 . .Pp -.Fn EVP_PKEY_set_type -frees the key referenced in -.Fa pkey , -if any, and sets the key type of -.Fa pkey -to -.Fa type -without referencing a new key from -.Fa pkey -yet. -.Pp .Fn EVP_PKEY_base_id returns the type of -.Fa pkey . -For example, an RSA key will return -.Dv EVP_PKEY_RSA . +.Fa pkey +according to the following table: +.Pp +.Bl -column -compact -offset 2n EVP_PKEY_GOSTR NID_X9_62_id_ecPublicKey +.It Sy return value Ta Ta Sy PEM type string +.It Dv EVP_PKEY_CMAC Ta = Dv NID_cmac Ta CMAC +.It Dv EVP_PKEY_DH Ta = Dv NID_dhKeyAgreement Ta DH +.It Dv EVP_PKEY_DSA Ta = Dv NID_dsa Ta DSA +.It Dv EVP_PKEY_EC Ta = Dv NID_X9_62_id_ecPublicKey Ta EC +.It Dv EVP_PKEY_GOSTIMIT Ta = Dv NID_id_Gost28147_89_MAC Ta GOST-MAC +.It Dv EVP_PKEY_GOSTR01 Ta = Dv NID_id_GostR3410_2001 Ta GOST2001 +.It Dv EVP_PKEY_HMAC Ta = Dv NID_hmac Ta HMAC +.It Dv EVP_PKEY_RSA Ta = Dv NID_rsaEncryption Ta RSA +.It Dv EVP_PKEY_RSA_PSS Ta = Dv NID_rsassaPss Ta RSA-PSS +.El +.Pp +Application programs can support additional key types by calling +.Xr EVP_PKEY_asn1_add0 3 . .Pp .Fn EVP_PKEY_id returns the actual OID associated with .Fa pkey . Historically keys using the same algorithm could use different OIDs. -For example, an RSA key could use the OIDs corresponding to the NIDs -.Dv NID_rsaEncryption -(equivalent to -.Dv EVP_PKEY_RSA ) -or -.Dv NID_rsa -(equivalent to -.Dv EVP_PKEY_RSA2 ) . -The use of alternative non-standard OIDs is now rare, so -.Dv EVP_PKEY_RSA2 -et al. are not often seen in practice. +The following deprecated aliases are still supported: +.Pp +.Bl -column -compact -offset 2n EVP_PKEY_GOSTR12_ NID_id_tc26_gost3410_2012_512 +.It Sy return value Ta Ta Sy alias for +.It Dv EVP_PKEY_DSA1 Ta = Dv NID_dsa_2 Ta DSA +.It Dv EVP_PKEY_DSA2 Ta = Dv NID_dsaWithSHA Ta DSA +.It Dv EVP_PKEY_DSA3 Ta = Dv NID_dsaWithSHA1 Ta DSA +.It Dv EVP_PKEY_DSA4 Ta = Dv NID_dsaWithSHA1_2 Ta DSA +.It Dv EVP_PKEY_GOSTR12_256 Ta = Dv NID_id_tc26_gost3410_2012_256 Ta GOST2001 +.It Dv EVP_PKEY_GOSTR12_512 Ta = Dv NID_id_tc26_gost3410_2012_512 Ta GOST2001 +.It Dv EVP_PKEY_RSA2 Ta = Dv NID_rsa Ta RSA +.El +.Pp +Application programs can support additional alternative OIDs by calling +.Xr EVP_PKEY_asn1_add_alias 3 . +.Pp +Most applications wishing to know a key type will simply call +.Fn EVP_PKEY_base_id +and will not care about the actual type, +which will be identical in almost all cases. .Pp .Fn EVP_PKEY_type returns the underlying type of the NID @@ -327,10 +340,23 @@ For example, will return .Dv EVP_PKEY_RSA . .Pp -Most applications wishing to know a key type will simply call +.Fn EVP_PKEY_set_type +frees the key referenced in +.Fa pkey , +if any, and sets the key type of +.Fa pkey +to +.Fa type +without referencing a new key from +.Fa pkey +yet. +For +.Fa type , +any of the possible return values of .Fn EVP_PKEY_base_id -and will not care about the actual type, -which will be identical in almost all cases. +and +.Fn EVP_PKEY_id +can be passed. .Pp In accordance with the OpenSSL naming convention, the key obtained from or assigned to diff --git a/man/EVP_aes_128_cbc.3 b/man/EVP_aes_128_cbc.3 index f25df8c7..ac63f7f1 100644 --- a/man/EVP_aes_128_cbc.3 +++ b/man/EVP_aes_128_cbc.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.3 2019/08/28 10:37:42 schwarze Exp $ +.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.4 2020/06/24 18:15:00 jmc Exp $ .\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000 .\" .\" This file was written by Ronald Tse @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 28 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt EVP_AES_128_CBC 3 .Os .Sh NAME @@ -193,7 +193,7 @@ framework. .Fn EVP_aes_192_ofb , and .Fn EVP_aes_256_ofb -provide AES for 128, 192, and 256 bit keys in the following modes: +provide AES for 128, 192, and 256-bit keys in the following modes: CBC, CFB with 1-bit shift, CFB with 8-bit shift, CFB with 128-bit shift, CTR, ECB, and OFB. .Pp @@ -211,7 +211,7 @@ and and .Fn EVP_aes_256_cbc_hmac_sha1 provide authenticated encryption with AES in CBC mode using SHA-1 as HMAC, -with keys of 128 and 256 bits length respectively. +with keys of 128 and 256-bit length respectively. The authentication tag is 160 bits long. This is not intended for usage outside of TLS and requires calling of some undocumented control functions. @@ -224,7 +224,7 @@ These ciphers do not conform to the EVP AEAD interface. .Fn EVP_aes_192_gcm , and .Fn EVP_aes_256_gcm -provide AES for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM) +provide AES for 128, 192 and 256-bit keys in CBC-MAC Mode (CCM) and Galois Counter Mode (GCM), respectively. These ciphers require additional control operations to function correctly; see @@ -235,7 +235,7 @@ for details. .Fn EVP_aes_192_wrap , and .Fn EVP_aes_256_wrap -provide AES key wrap with 128, 192 and 256 bit keys +provide AES key wrap with 128, 192 and 256-bit keys according to RFC 3394 section 2.2.1 ("wrap"). When the returned .Vt EVP_CIPHER diff --git a/man/EVP_camellia_128_cbc.3 b/man/EVP_camellia_128_cbc.3 index dd7f15d8..190247a6 100644 --- a/man/EVP_camellia_128_cbc.3 +++ b/man/EVP_camellia_128_cbc.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.1 2019/03/21 14:15:13 schwarze Exp $ +.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.2 2020/06/24 18:15:00 jmc Exp $ .\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000 .\" .\" This file was written by Ronald Tse @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 21 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt EVP_CAMELLIA_128_CBC 3 .Os .Sh NAME @@ -122,7 +122,7 @@ These functions provide the Camellia encryption algorithm in the .Xr evp 3 framework. -They use 128, 192, and 256 bit keys in the following modes, respectively: +They use 128, 192, and 256-bit keys in the following modes, respectively: CBC, CFB with 1-bit shift, CFB with 8-bit shift, CFB with 128-bit shift, ECB, and OFB. .Pp diff --git a/man/HMAC.3 b/man/HMAC.3 index 2f9f45c6..b76d8b28 100644 --- a/man/HMAC.3 +++ b/man/HMAC.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: HMAC.3,v 1.15 2019/06/07 19:40:35 schwarze Exp $ +.\" $OpenBSD: HMAC.3,v 1.17 2020/06/24 16:06:27 schwarze Exp $ .\" full merge up to: OpenSSL crypto/hmac a528d4f0 Oct 27 13:40:11 2015 -0400 .\" selective merge up to: OpenSSL man3/HMAC b3696a55 Sep 2 09:35:50 2017 -0400 .\" @@ -52,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 7 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt HMAC 3 .Os .Sh NAME @@ -80,7 +80,7 @@ .Fa "const void *key" .Fa "int key_len" .Fa "const unsigned char *d" -.Fa "int n" +.Fa "size_t n" .Fa "unsigned char *md" .Fa "unsigned int *md_len" .Fc @@ -125,7 +125,7 @@ .Fo HMAC_Update .Fa "HMAC_CTX *ctx" .Fa "const unsigned char *data" -.Fa "int len" +.Fa "size_t len" .Fc .Ft int .Fo HMAC_Final @@ -365,6 +365,7 @@ if none was set. returns the length in bytes of the underlying hash function output or 0 on error. .Sh SEE ALSO +.Xr CMAC_Init 3 , .Xr EVP_DigestInit 3 .Sh STANDARDS RFC 2104 diff --git a/man/Makefile.am b/man/Makefile.am index 5dd6a184..90ececdc 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -1,4 +1,5 @@ EXTRA_DIST = CMakeLists.txt +if !ENABLE_LIBTLS_ONLY dist_man3_MANS = dist_man5_MANS = dist_man3_MANS += BIO_f_ssl.3 @@ -83,6 +84,7 @@ dist_man3_MANS += SSL_get_error.3 dist_man3_MANS += SSL_get_ex_data_X509_STORE_CTX_idx.3 dist_man3_MANS += SSL_get_ex_new_index.3 dist_man3_MANS += SSL_get_fd.3 +dist_man3_MANS += SSL_get_finished.3 dist_man3_MANS += SSL_get_peer_cert_chain.3 dist_man3_MANS += SSL_get_peer_certificate.3 dist_man3_MANS += SSL_get_rbio.3 @@ -98,10 +100,13 @@ dist_man3_MANS += SSL_new.3 dist_man3_MANS += SSL_num_renegotiations.3 dist_man3_MANS += SSL_pending.3 dist_man3_MANS += SSL_read.3 +dist_man3_MANS += SSL_read_early_data.3 dist_man3_MANS += SSL_renegotiate.3 dist_man3_MANS += SSL_rstate_string.3 dist_man3_MANS += SSL_session_reused.3 +dist_man3_MANS += SSL_set1_host.3 dist_man3_MANS += SSL_set1_param.3 +dist_man3_MANS += SSL_set_SSL_CTX.3 dist_man3_MANS += SSL_set_bio.3 dist_man3_MANS += SSL_set_connect_state.3 dist_man3_MANS += SSL_set_fd.3 @@ -181,6 +186,7 @@ dist_man3_MANS += BN_set_negative.3 dist_man3_MANS += BN_swap.3 dist_man3_MANS += BN_zero.3 dist_man3_MANS += BUF_MEM_new.3 +dist_man3_MANS += CMAC_Init.3 dist_man3_MANS += CMS_ContentInfo_new.3 dist_man3_MANS += CMS_add0_cert.3 dist_man3_MANS += CMS_add1_recipient_cert.3 @@ -204,6 +210,7 @@ dist_man3_MANS += CRYPTO_get_mem_functions.3 dist_man3_MANS += CRYPTO_lock.3 dist_man3_MANS += CRYPTO_memcmp.3 dist_man3_MANS += CRYPTO_set_ex_data.3 +dist_man3_MANS += ChaCha.3 dist_man3_MANS += DES_set_key.3 dist_man3_MANS += DH_generate_key.3 dist_man3_MANS += DH_generate_parameters.3 @@ -316,6 +323,8 @@ dist_man3_MANS += OPENSSL_load_builtin_modules.3 dist_man3_MANS += OPENSSL_malloc.3 dist_man3_MANS += OPENSSL_sk_new.3 dist_man3_MANS += OpenSSL_add_all_algorithms.3 +dist_man3_MANS += PEM_ASN1_read.3 +dist_man3_MANS += PEM_X509_INFO_read.3 dist_man3_MANS += PEM_bytes_read_bio.3 dist_man3_MANS += PEM_read.3 dist_man3_MANS += PEM_read_bio_PrivateKey.3 @@ -327,9 +336,16 @@ dist_man3_MANS += PKCS12_new.3 dist_man3_MANS += PKCS12_newpass.3 dist_man3_MANS += PKCS12_parse.3 dist_man3_MANS += PKCS5_PBKDF2_HMAC.3 +dist_man3_MANS += PKCS7_add_attribute.3 +dist_man3_MANS += PKCS7_dataFinal.3 +dist_man3_MANS += PKCS7_dataInit.3 dist_man3_MANS += PKCS7_decrypt.3 dist_man3_MANS += PKCS7_encrypt.3 +dist_man3_MANS += PKCS7_final.3 +dist_man3_MANS += PKCS7_get_signer_info.3 dist_man3_MANS += PKCS7_new.3 +dist_man3_MANS += PKCS7_set_content.3 +dist_man3_MANS += PKCS7_set_type.3 dist_man3_MANS += PKCS7_sign.3 dist_man3_MANS += PKCS7_sign_add_signer.3 dist_man3_MANS += PKCS7_verify.3 @@ -352,6 +368,7 @@ dist_man3_MANS += RSA_get_ex_new_index.3 dist_man3_MANS += RSA_meth_new.3 dist_man3_MANS += RSA_new.3 dist_man3_MANS += RSA_padding_add_PKCS1_type_1.3 +dist_man3_MANS += RSA_pkey_ctx_ctrl.3 dist_man3_MANS += RSA_print.3 dist_man3_MANS += RSA_private_encrypt.3 dist_man3_MANS += RSA_public_encrypt.3 @@ -461,6 +478,7 @@ dist_man3_MANS += i2d_CMS_bio_stream.3 dist_man3_MANS += i2d_PKCS7_bio_stream.3 dist_man3_MANS += lh_new.3 dist_man3_MANS += lh_stats.3 +dist_man3_MANS += x509_verify.3 dist_man3_MANS += tls_accept_socket.3 dist_man3_MANS += tls_client.3 dist_man3_MANS += tls_config_ocsp_require_stapling.3 @@ -851,6 +869,14 @@ install-data-hook: ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow_clean.3" ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_reverse.3" ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_strdup.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_cleanup.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_copy.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_free.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_get0_cipher_ctx.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_new.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_Final.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_Update.3" + ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_resume.3" ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_free.3" ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_print_ctx.3" ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_free.3" @@ -909,6 +935,11 @@ install-data-hook: ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_data.3" ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_new_index.3" ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_new_ex_data.3" + ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_chacha_20.3" + ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_hchacha_20.3" + ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_xchacha_20.3" + ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/ChaCha_set_iv.3" + ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/ChaCha_set_key.3" ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cbc_cksum.3" ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cfb64_encrypt.3" ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cfb_encrypt.3" @@ -1393,19 +1424,25 @@ install-data-hook: ln -sf "EVP_OpenInit.3" "$(DESTDIR)$(mandir)/man3/EVP_OpenFinal.3" ln -sf "EVP_OpenInit.3" "$(DESTDIR)$(mandir)/man3/EVP_OpenUpdate.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_ctrl_str.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_ecdh_kdf_ukm.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id_len.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_cofactor_mode.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_md.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_outlen.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_type.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_signature_md.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_ecdh_kdf_ukm.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set1_id.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_generator.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_prime_len.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dsa_paramgen_bits.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_param_enc.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_cofactor_mode.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_md.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_outlen.3" + ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_type.3" ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_signature_md.3" ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_dup.3" ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_free.3" @@ -1459,6 +1496,7 @@ install-data-hook: ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3" ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3" ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3" + ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_CMAC_key.3" ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3" ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3" ln -sf "EVP_PKEY_print_private.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3" @@ -1694,6 +1732,7 @@ install-data-hook: ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/SSLeay.3" ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/SSLeay_version.3" ln -sf "OPENSSL_config.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_no_config.3" + ln -sf "OPENSSL_init_crypto.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_init.3" ln -sf "OPENSSL_load_builtin_modules.3" "$(DESTDIR)$(mandir)/man3/ASN1_add_oid_module.3" ln -sf "OPENSSL_load_builtin_modules.3" "$(DESTDIR)$(mandir)/man3/ENGINE_add_conf_module.3" ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_free.3" @@ -1727,14 +1766,20 @@ install-data-hook: ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/EVP_cleanup.3" ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_ciphers.3" ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_digests.3" + ln -sf "PEM_ASN1_read.3" "$(DESTDIR)$(mandir)/man3/PEM_ASN1_read_bio.3" + ln -sf "PEM_ASN1_read.3" "$(DESTDIR)$(mandir)/man3/d2i_of_void.3" + ln -sf "PEM_X509_INFO_read.3" "$(DESTDIR)$(mandir)/man3/PEM_X509_INFO_read_bio.3" + ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_def_callback.3" ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_do_header.3" ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_get_EVP_CIPHER_INFO.3" ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio.3" ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_write.3" ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio.3" + ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_SSL_SESSION.3" ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_write_SSL_SESSION.3" ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_SSL_SESSION.3" + ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_CMS.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DHparams.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSAPrivateKey.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSA_PUBKEY.3" @@ -1755,6 +1800,7 @@ install-data-hook: ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_AUX.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_CRL.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_REQ.3" + ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_CMS.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DHparams.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAPrivateKey.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSA_PUBKEY.3" @@ -1774,6 +1820,7 @@ install-data-hook: ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_AUX.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_CRL.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_REQ.3" + ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_CMS.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DHparams.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSAPrivateKey.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSA_PUBKEY.3" @@ -1797,6 +1844,7 @@ install-data-hook: ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_CRL.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ_NEW.3" + ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_CMS.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DHparams.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAPrivateKey.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSA_PUBKEY.3" @@ -1820,7 +1868,6 @@ install-data-hook: ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_CRL.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ.3" ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ_NEW.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_free.3" ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_new.3" ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_SAFEBAG_free.3" @@ -1828,6 +1875,15 @@ install-data-hook: ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_new.3" ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_free.3" ln -sf "PKCS5_PBKDF2_HMAC.3" "$(DESTDIR)$(mandir)/man3/PKCS5_PBKDF2_HMAC_SHA1.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add0_attrib_signing_time.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add1_attrib_digest.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_content_type.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_smimecap.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add_signed_attribute.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get_attribute.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get_signed_attribute.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_set_attributes.3" + ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_set_signed_attributes.3" ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_free.3" ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_new.3" ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_free.3" @@ -1847,6 +1903,8 @@ install-data-hook: ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_free.3" ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_new.3" ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_free.3" + ln -sf "PKCS7_set_content.3" "$(DESTDIR)$(mandir)/man3/PKCS7_content_new.3" + ln -sf "PKCS7_set_type.3" "$(DESTDIR)$(mandir)/man3/PKCS7_set0_type_other.3" ln -sf "PKCS7_verify.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get0_signers.3" ln -sf "PKCS8_PRIV_KEY_INFO_new.3" "$(DESTDIR)$(mandir)/man3/PKCS8_PRIV_KEY_INFO_free.3" ln -sf "PKEY_USAGE_PERIOD_new.3" "$(DESTDIR)$(mandir)/man3/PKEY_USAGE_PERIOD_free.3" @@ -1936,6 +1994,21 @@ install-data-hook: ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_1.3" ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_2.3" ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_none.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_rsa_oaep_label.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_oaep_md.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_rsa_oaep_label.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_oaep_md.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen.3" + ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DHparams_print.3" ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DHparams_print_fp.3" ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSA_print.3" @@ -1996,6 +2069,7 @@ install-data-hook: ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_chain.3" ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_extra_chain_certs.3" ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs.3" + ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs_only.3" ln -sf "SSL_CTX_add_session.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_remove_session.3" ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_callback_ctrl.3" ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_callback_ctrl.3" @@ -2011,6 +2085,9 @@ install-data-hook: ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_client_method.3" ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_method.3" ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_server_method.3" + ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_2_client_method.3" + ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_2_method.3" + ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_2_server_method.3" ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_client_method.3" ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_method.3" ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_server_method.3" @@ -2159,6 +2236,7 @@ install-data-hook: ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3" ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3" ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3" + ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_chain_file.3" ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3" ln -sf "SSL_SESSION_free.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3" ln -sf "SSL_SESSION_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3" @@ -2193,6 +2271,7 @@ install-data-hook: ln -sf "SSL_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3" ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3" ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3" + ln -sf "SSL_get_finished.3" "$(DESTDIR)$(mandir)/man3/SSL_get_peer_finished.3" ln -sf "SSL_get_rbio.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3" ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3" ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3" @@ -2202,6 +2281,7 @@ install-data-hook: ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_init.3" ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_is_init_finished.3" ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_state.3" + ln -sf "SSL_get_version.3" "$(DESTDIR)$(mandir)/man3/SSL_is_dtls.3" ln -sf "SSL_get_version.3" "$(DESTDIR)$(mandir)/man3/SSL_version.3" ln -sf "SSL_library_init.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_ssl_algorithms.3" ln -sf "SSL_library_init.3" "$(DESTDIR)$(mandir)/man3/SSLeay_add_ssl_algorithms.3" @@ -2211,9 +2291,19 @@ install-data-hook: ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3" ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3" ln -sf "SSL_read.3" "$(DESTDIR)$(mandir)/man3/SSL_peek.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_early_data.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_early_data.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_max_early_data.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_max_early_data.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_get_early_data_status.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_early_data.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_early_data.3" + ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_write_early_data.3" ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3" ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3" ln -sf "SSL_rstate_string.3" "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3" + ln -sf "SSL_set1_host.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_peername.3" + ln -sf "SSL_set1_host.3" "$(DESTDIR)$(mandir)/man3/SSL_set_hostflags.3" ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3" ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3" ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3" @@ -2416,6 +2506,7 @@ install-data-hook: ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_cert.3" ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_chain.3" ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_default.3" + ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_flags.3" ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_trusted_stack.3" ln -sf "X509_STORE_load_locations.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_default_paths.3" ln -sf "X509_STORE_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_free.3" @@ -2477,26 +2568,37 @@ install-data-hook: ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_pubkey_digest.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_lastUpdate.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_nextUpdate.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_lastUpdate.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_nextUpdate.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_lastUpdate.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_nextUpdate.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_lastUpdate.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_nextUpdate.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get0_notAfter.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get_notAfter.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get_notBefore.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_getm_notAfter.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_getm_notBefore.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set1_notAfter.3" ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set1_notBefore.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set_notAfter.3" + ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set_notBefore.3" ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_signature.3" ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_signature_nid.3" ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get0_signature.3" ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_signature_nid.3" ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get0_tbs_sigalg.3" ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get_signature_nid.3" + ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get_signature_type.3" ln -sf "X509_get1_email.3" "$(DESTDIR)$(mandir)/man3/X509_email_free.3" ln -sf "X509_get1_email.3" "$(DESTDIR)$(mandir)/man3/X509_get1_ocsp.3" ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_pubkey.3" ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_pubkey.3" ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey.3" + ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey_bitstr.3" ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get_X509_PUBKEY.3" ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_set_pubkey.3" + ln -sf "X509_get_serialNumber.3" "$(DESTDIR)$(mandir)/man3/X509_get0_serialNumber.3" ln -sf "X509_get_serialNumber.3" "$(DESTDIR)$(mandir)/man3/X509_set_serialNumber.3" ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_issuer.3" ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_issuer_name.3" @@ -2891,6 +2993,7 @@ install-data-hook: ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_fp.3" ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_SIG.3" ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string.3" + ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string_min.3" ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/des_read_pw_string.3" ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_1024.3" ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_768.3" @@ -2953,6 +3056,7 @@ install-data-hook: ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifytime.3" ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_alpn_selected.3" ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_cipher.3" + ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_cipher_strength.3" ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_servername.3" ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_session_resumed.3" ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_chain_pem.3" @@ -3008,6 +3112,16 @@ install-data-hook: ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_handshake.3" ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_reset.3" ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_write.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_chain.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_depth.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_string.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_free.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_new.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_intermediates.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_chains.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_depth.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_signatures.3" + ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_purpose.3" uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3" @@ -3385,6 +3499,14 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow_clean.3" -rm -f "$(DESTDIR)$(mandir)/man3/BUF_reverse.3" -rm -f "$(DESTDIR)$(mandir)/man3/BUF_strdup.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_cleanup.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_copy.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_free.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_get0_cipher_ctx.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_new.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_Final.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_Update.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_resume.3" -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_print_ctx.3" -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_free.3" @@ -3443,6 +3565,11 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_data.3" -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_new_index.3" -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_new_ex_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_chacha_20.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_hchacha_20.3" + -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_xchacha_20.3" + -rm -f "$(DESTDIR)$(mandir)/man3/ChaCha_set_iv.3" + -rm -f "$(DESTDIR)$(mandir)/man3/ChaCha_set_key.3" -rm -f "$(DESTDIR)$(mandir)/man3/DES_cbc_cksum.3" -rm -f "$(DESTDIR)$(mandir)/man3/DES_cfb64_encrypt.3" -rm -f "$(DESTDIR)$(mandir)/man3/DES_cfb_encrypt.3" @@ -3927,19 +4054,25 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/EVP_OpenFinal.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_OpenUpdate.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_ctrl_str.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_ecdh_kdf_ukm.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id_len.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_cofactor_mode.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_outlen.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_type.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_signature_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_ecdh_kdf_ukm.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set1_id.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_generator.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_prime_len.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dsa_paramgen_bits.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_param_enc.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_cofactor_mode.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_outlen.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_type.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_signature_md.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_dup.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_free.3" @@ -3993,6 +4126,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_CMAC_key.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3" @@ -4228,6 +4362,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay_version.3" -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_no_config.3" + -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_init.3" -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_add_oid_module.3" -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_add_conf_module.3" -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_free.3" @@ -4261,14 +4396,20 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cleanup.3" -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_ciphers.3" -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_digests.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_ASN1_read_bio.3" + -rm -f "$(DESTDIR)$(mandir)/man3/d2i_of_void.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_X509_INFO_read_bio.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_def_callback.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_do_header.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_get_EVP_CIPHER_INFO.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio.3" + -rm -f "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_SSL_SESSION.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_SSL_SESSION.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_SSL_SESSION.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_CMS.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DHparams.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSAPrivateKey.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSA_PUBKEY.3" @@ -4289,6 +4430,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_AUX.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_CRL.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_REQ.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_CMS.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DHparams.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAPrivateKey.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSA_PUBKEY.3" @@ -4308,6 +4450,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_AUX.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_CRL.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_REQ.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_CMS.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DHparams.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSAPrivateKey.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSA_PUBKEY.3" @@ -4331,6 +4474,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_CRL.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ_NEW.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_CMS.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DHparams.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAPrivateKey.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSA_PUBKEY.3" @@ -4354,7 +4498,6 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_CRL.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ.3" -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ_NEW.3" - -rm -f "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_new.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_SAFEBAG_free.3" @@ -4362,6 +4505,15 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_new.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS5_PBKDF2_HMAC_SHA1.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add0_attrib_signing_time.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add1_attrib_digest.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_content_type.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_smimecap.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add_signed_attribute.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get_attribute.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get_signed_attribute.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_set_attributes.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_set_signed_attributes.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_new.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_free.3" @@ -4381,6 +4533,8 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_new.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_free.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_content_new.3" + -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_set0_type_other.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get0_signers.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKCS8_PRIV_KEY_INFO_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/PKEY_USAGE_PERIOD_free.3" @@ -4470,6 +4624,21 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_1.3" -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_2.3" -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_none.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_rsa_oaep_label.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_oaep_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_rsa_oaep_label.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_oaep_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" -rm -f "$(DESTDIR)$(mandir)/man3/DHparams_print.3" -rm -f "$(DESTDIR)$(mandir)/man3/DHparams_print_fp.3" -rm -f "$(DESTDIR)$(mandir)/man3/DSA_print.3" @@ -4530,6 +4699,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_chain.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_extra_chain_certs.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs_only.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_remove_session.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_callback_ctrl.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_callback_ctrl.3" @@ -4545,6 +4715,9 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_client_method.3" -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_method.3" -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_server_method.3" + -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_2_client_method.3" + -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_2_method.3" + -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_2_server_method.3" -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_client_method.3" -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_method.3" -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_server_method.3" @@ -4693,6 +4866,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_chain_file.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3" @@ -4727,6 +4901,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_peer_finished.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3" @@ -4736,6 +4911,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_init.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_init_finished.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_state.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_dtls.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_version.3" -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_ssl_algorithms.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay_add_ssl_algorithms.3" @@ -4745,9 +4921,19 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_peek.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_early_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_early_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_max_early_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_max_early_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_early_data_status.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_early_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_early_data.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_write_early_data.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_peername.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_hostflags.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3" @@ -4950,6 +5136,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_cert.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_chain.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_default.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_flags.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_trusted_stack.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_default_paths.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_free.3" @@ -5011,26 +5198,37 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/X509_pubkey_digest.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_lastUpdate.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_nextUpdate.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_lastUpdate.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_nextUpdate.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_lastUpdate.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_nextUpdate.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_lastUpdate.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_nextUpdate.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_notAfter.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_notAfter.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_notBefore.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_getm_notAfter.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_getm_notBefore.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_set1_notAfter.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_set1_notBefore.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_notAfter.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_notBefore.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_signature.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_signature_nid.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get0_signature.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_signature_nid.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_tbs_sigalg.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_signature_nid.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_signature_type.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_email_free.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_get1_ocsp.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_pubkey.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_pubkey.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey_bitstr.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_X509_PUBKEY.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_pubkey.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_serialNumber.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_serialNumber.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_issuer.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_issuer_name.3" @@ -5425,6 +5623,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_fp.3" -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_SIG.3" -rm -f "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string.3" + -rm -f "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string_min.3" -rm -f "$(DESTDIR)$(mandir)/man3/des_read_pw_string.3" -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_1024.3" -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_768.3" @@ -5487,6 +5686,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifytime.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_alpn_selected.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_cipher.3" + -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_cipher_strength.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_servername.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_session_resumed.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_chain_pem.3" @@ -5542,3 +5742,14 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/tls_handshake.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_reset.3" -rm -f "$(DESTDIR)$(mandir)/man3/tls_write.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_chain.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_depth.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_string.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_free.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_new.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_intermediates.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_chains.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_depth.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_signatures.3" + -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_purpose.3" +endif diff --git a/man/Makefile.in b/man/Makefile.in index 9f26a620..4ccbf2da 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -89,7 +89,9 @@ build_triplet = @build@ host_triplet = @host@ subdir = man ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -272,6 +274,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -281,177 +284,352 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ EXTRA_DIST = CMakeLists.txt -dist_man3_MANS = BIO_f_ssl.3 DTLSv1_listen.3 OPENSSL_init_ssl.3 \ - PEM_read_SSL_SESSION.3 SSL_CIPHER_get_name.3 \ - SSL_COMP_add_compression_method.3 SSL_CTX_add1_chain_cert.3 \ - SSL_CTX_add_extra_chain_cert.3 SSL_CTX_add_session.3 \ - SSL_CTX_ctrl.3 SSL_CTX_flush_sessions.3 SSL_CTX_free.3 \ - SSL_CTX_get0_certificate.3 SSL_CTX_get_ex_new_index.3 \ - SSL_CTX_get_verify_mode.3 SSL_CTX_load_verify_locations.3 \ - SSL_CTX_new.3 SSL_CTX_sess_number.3 \ - SSL_CTX_sess_set_cache_size.3 SSL_CTX_sess_set_get_cb.3 \ - SSL_CTX_sessions.3 SSL_CTX_set1_groups.3 \ - SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_cert_store.3 \ - SSL_CTX_set_cert_verify_callback.3 SSL_CTX_set_cipher_list.3 \ - SSL_CTX_set_client_CA_list.3 SSL_CTX_set_client_cert_cb.3 \ - SSL_CTX_set_default_passwd_cb.3 \ - SSL_CTX_set_generate_session_id.3 SSL_CTX_set_info_callback.3 \ - SSL_CTX_set_max_cert_list.3 SSL_CTX_set_min_proto_version.3 \ - SSL_CTX_set_mode.3 SSL_CTX_set_msg_callback.3 \ - SSL_CTX_set_options.3 SSL_CTX_set_quiet_shutdown.3 \ - SSL_CTX_set_read_ahead.3 SSL_CTX_set_session_cache_mode.3 \ - SSL_CTX_set_session_id_context.3 SSL_CTX_set_ssl_version.3 \ - SSL_CTX_set_timeout.3 SSL_CTX_set_tlsext_servername_callback.3 \ - SSL_CTX_set_tlsext_status_cb.3 \ - SSL_CTX_set_tlsext_ticket_key_cb.3 \ - SSL_CTX_set_tlsext_use_srtp.3 SSL_CTX_set_tmp_dh_callback.3 \ - SSL_CTX_set_tmp_rsa_callback.3 SSL_CTX_set_verify.3 \ - SSL_CTX_use_certificate.3 SSL_SESSION_free.3 \ - SSL_SESSION_get0_peer.3 SSL_SESSION_get_compress_id.3 \ - SSL_SESSION_get_ex_new_index.3 SSL_SESSION_get_id.3 \ - SSL_SESSION_get_protocol_version.3 SSL_SESSION_get_time.3 \ - SSL_SESSION_has_ticket.3 SSL_SESSION_new.3 SSL_SESSION_print.3 \ - SSL_SESSION_set1_id_context.3 SSL_accept.3 \ - SSL_alert_type_string.3 SSL_clear.3 SSL_connect.3 \ - SSL_copy_session_id.3 SSL_do_handshake.3 SSL_dup.3 \ - SSL_dup_CA_list.3 SSL_export_keying_material.3 SSL_free.3 \ - SSL_get_SSL_CTX.3 SSL_get_certificate.3 SSL_get_ciphers.3 \ - SSL_get_client_CA_list.3 SSL_get_client_random.3 \ - SSL_get_current_cipher.3 SSL_get_default_timeout.3 \ - SSL_get_error.3 SSL_get_ex_data_X509_STORE_CTX_idx.3 \ - SSL_get_ex_new_index.3 SSL_get_fd.3 SSL_get_peer_cert_chain.3 \ - SSL_get_peer_certificate.3 SSL_get_rbio.3 \ - SSL_get_server_tmp_key.3 SSL_get_session.3 \ - SSL_get_shared_ciphers.3 SSL_get_state.3 \ - SSL_get_verify_result.3 SSL_get_version.3 SSL_library_init.3 \ - SSL_load_client_CA_file.3 SSL_new.3 SSL_num_renegotiations.3 \ - SSL_pending.3 SSL_read.3 SSL_renegotiate.3 SSL_rstate_string.3 \ - SSL_session_reused.3 SSL_set1_param.3 SSL_set_bio.3 \ - SSL_set_connect_state.3 SSL_set_fd.3 \ - SSL_set_max_send_fragment.3 SSL_set_session.3 \ - SSL_set_shutdown.3 SSL_set_tmp_ecdh.3 SSL_set_verify_result.3 \ - SSL_shutdown.3 SSL_state_string.3 SSL_want.3 SSL_write.3 \ - d2i_SSL_SESSION.3 ssl.3 ACCESS_DESCRIPTION_new.3 AES_encrypt.3 \ - ASN1_INTEGER_get.3 ASN1_OBJECT_new.3 ASN1_STRING_TABLE_add.3 \ - ASN1_STRING_length.3 ASN1_STRING_new.3 ASN1_STRING_print_ex.3 \ - ASN1_TIME_set.3 ASN1_TYPE_get.3 ASN1_generate_nconf.3 \ - ASN1_item_d2i.3 ASN1_item_new.3 ASN1_put_object.3 \ - ASN1_time_parse.3 AUTHORITY_KEYID_new.3 \ - BASIC_CONSTRAINTS_new.3 BF_set_key.3 BIO_ctrl.3 BIO_f_base64.3 \ - BIO_f_buffer.3 BIO_f_cipher.3 BIO_f_md.3 BIO_f_null.3 \ - BIO_find_type.3 BIO_get_data.3 BIO_get_ex_new_index.3 \ - BIO_meth_new.3 BIO_new.3 BIO_new_CMS.3 BIO_printf.3 BIO_push.3 \ - BIO_read.3 BIO_s_accept.3 BIO_s_bio.3 BIO_s_connect.3 \ - BIO_s_fd.3 BIO_s_file.3 BIO_s_mem.3 BIO_s_null.3 \ - BIO_s_socket.3 BIO_set_callback.3 BIO_should_retry.3 \ - BN_BLINDING_new.3 BN_CTX_new.3 BN_CTX_start.3 BN_add.3 \ - BN_add_word.3 BN_bn2bin.3 BN_cmp.3 BN_copy.3 \ - BN_generate_prime.3 BN_get0_nist_prime_521.3 BN_mod_inverse.3 \ - BN_mod_mul_montgomery.3 BN_mod_mul_reciprocal.3 BN_new.3 \ - BN_num_bytes.3 BN_rand.3 BN_set_bit.3 BN_set_flags.3 \ - BN_set_negative.3 BN_swap.3 BN_zero.3 BUF_MEM_new.3 \ - CMS_ContentInfo_new.3 CMS_add0_cert.3 \ - CMS_add1_recipient_cert.3 CMS_add1_signer.3 CMS_compress.3 \ - CMS_decrypt.3 CMS_encrypt.3 CMS_final.3 \ - CMS_get0_RecipientInfos.3 CMS_get0_SignerInfos.3 \ - CMS_get0_type.3 CMS_get1_ReceiptRequest.3 CMS_sign.3 \ - CMS_sign_receipt.3 CMS_uncompress.3 CMS_verify.3 \ - CMS_verify_receipt.3 CONF_modules_free.3 \ - CONF_modules_load_file.3 CRYPTO_get_mem_functions.3 \ - CRYPTO_lock.3 CRYPTO_memcmp.3 CRYPTO_set_ex_data.3 \ - DES_set_key.3 DH_generate_key.3 DH_generate_parameters.3 \ - DH_get0_pqg.3 DH_get_ex_new_index.3 DH_new.3 DH_set_method.3 \ - DH_size.3 DIST_POINT_new.3 DSA_SIG_new.3 DSA_do_sign.3 \ - DSA_dup_DH.3 DSA_generate_key.3 DSA_generate_parameters.3 \ - DSA_get0_pqg.3 DSA_get_ex_new_index.3 DSA_meth_new.3 DSA_new.3 \ - DSA_set_method.3 DSA_sign.3 DSA_size.3 ECDH_compute_key.3 \ - ECDSA_SIG_new.3 EC_GFp_simple_method.3 EC_GROUP_copy.3 \ - EC_GROUP_new.3 EC_KEY_METHOD_new.3 EC_KEY_new.3 EC_POINT_add.3 \ - EC_POINT_new.3 ENGINE_add.3 ENGINE_ctrl.3 \ - ENGINE_get_default_RSA.3 ENGINE_init.3 ENGINE_new.3 \ - ENGINE_register_RSA.3 ENGINE_register_all_RSA.3 \ - ENGINE_set_RSA.3 ENGINE_set_default.3 ENGINE_set_flags.3 \ - ENGINE_unregister_RSA.3 ERR.3 ERR_GET_LIB.3 \ - ERR_asprintf_error_data.3 ERR_clear_error.3 ERR_error_string.3 \ - ERR_get_error.3 ERR_load_crypto_strings.3 ERR_load_strings.3 \ - ERR_print_errors.3 ERR_put_error.3 ERR_remove_state.3 \ - ERR_set_mark.3 ESS_SIGNING_CERT_new.3 EVP_AEAD_CTX_init.3 \ - EVP_BytesToKey.3 EVP_DigestInit.3 EVP_DigestSignInit.3 \ - EVP_DigestVerifyInit.3 EVP_EncodeInit.3 EVP_EncryptInit.3 \ - EVP_OpenInit.3 EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_new.3 \ - EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_new.3 EVP_PKEY_cmp.3 \ - EVP_PKEY_decrypt.3 EVP_PKEY_derive.3 EVP_PKEY_encrypt.3 \ - EVP_PKEY_get_default_digest_nid.3 EVP_PKEY_keygen.3 \ - EVP_PKEY_meth_get0_info.3 EVP_PKEY_meth_new.3 EVP_PKEY_new.3 \ - EVP_PKEY_print_private.3 EVP_PKEY_set1_RSA.3 EVP_PKEY_sign.3 \ - EVP_PKEY_verify.3 EVP_PKEY_verify_recover.3 EVP_SealInit.3 \ - EVP_SignInit.3 EVP_VerifyInit.3 EVP_aes_128_cbc.3 \ - EVP_camellia_128_cbc.3 EVP_des_cbc.3 EVP_rc4.3 EVP_sm3.3 \ - EVP_sm4_cbc.3 EVP_whirlpool.3 EXTENDED_KEY_USAGE_new.3 \ - GENERAL_NAME_new.3 HMAC.3 MD5.3 NAME_CONSTRAINTS_new.3 \ - OBJ_nid2obj.3 OCSP_CRLID_new.3 OCSP_REQUEST_new.3 \ - OCSP_SERVICELOC_new.3 OCSP_cert_to_id.3 \ - OCSP_request_add1_nonce.3 OCSP_resp_find_status.3 \ - OCSP_response_status.3 OCSP_sendreq_new.3 \ - OPENSSL_VERSION_NUMBER.3 OPENSSL_cleanse.3 OPENSSL_config.3 \ - OPENSSL_init_crypto.3 OPENSSL_load_builtin_modules.3 \ - OPENSSL_malloc.3 OPENSSL_sk_new.3 OpenSSL_add_all_algorithms.3 \ - PEM_bytes_read_bio.3 PEM_read.3 PEM_read_bio_PrivateKey.3 \ - PEM_write_bio_CMS_stream.3 PEM_write_bio_PKCS7_stream.3 \ - PKCS12_SAFEBAG_new.3 PKCS12_create.3 PKCS12_new.3 \ - PKCS12_newpass.3 PKCS12_parse.3 PKCS5_PBKDF2_HMAC.3 \ - PKCS7_decrypt.3 PKCS7_encrypt.3 PKCS7_new.3 PKCS7_sign.3 \ - PKCS7_sign_add_signer.3 PKCS7_verify.3 \ - PKCS8_PRIV_KEY_INFO_new.3 PKEY_USAGE_PERIOD_new.3 \ - POLICYINFO_new.3 PROXY_POLICY_new.3 RAND_add.3 RAND_bytes.3 \ - RAND_load_file.3 RAND_set_rand_method.3 RC4.3 RIPEMD160.3 \ - RSA_PSS_PARAMS_new.3 RSA_blinding_on.3 RSA_check_key.3 \ - RSA_generate_key.3 RSA_get0_key.3 RSA_get_ex_new_index.3 \ - RSA_meth_new.3 RSA_new.3 RSA_padding_add_PKCS1_type_1.3 \ - RSA_print.3 RSA_private_encrypt.3 RSA_public_encrypt.3 \ - RSA_set_method.3 RSA_sign.3 RSA_sign_ASN1_OCTET_STRING.3 \ - RSA_size.3 SHA1.3 SMIME_read_CMS.3 SMIME_read_PKCS7.3 \ - SMIME_write_CMS.3 SMIME_write_PKCS7.3 STACK_OF.3 SXNET_new.3 \ - TS_REQ_new.3 UI_UTIL_read_pw.3 UI_create_method.3 \ - UI_get_string_type.3 UI_new.3 X25519.3 X509V3_get_d2i.3 \ - X509_ALGOR_dup.3 X509_ATTRIBUTE_new.3 X509_CINF_new.3 \ - X509_CRL_get0_by_serial.3 X509_CRL_new.3 \ - X509_EXTENSION_set_object.3 X509_INFO_new.3 \ - X509_LOOKUP_hash_dir.3 X509_NAME_ENTRY_get_object.3 \ - X509_NAME_add_entry_by_txt.3 X509_NAME_get_index_by_NID.3 \ - X509_NAME_new.3 X509_NAME_print_ex.3 X509_OBJECT_get0_X509.3 \ - X509_PUBKEY_new.3 X509_REQ_new.3 X509_REVOKED_new.3 \ - X509_SIG_new.3 X509_STORE_CTX_get_error.3 \ - X509_STORE_CTX_get_ex_new_index.3 X509_STORE_CTX_new.3 \ - X509_STORE_CTX_set_verify_cb.3 X509_STORE_load_locations.3 \ - X509_STORE_new.3 X509_STORE_set1_param.3 \ - X509_STORE_set_verify_cb_func.3 X509_VERIFY_PARAM_set_flags.3 \ - X509_check_ca.3 X509_check_host.3 X509_check_issued.3 \ - X509_check_private_key.3 X509_check_purpose.3 X509_cmp.3 \ - X509_cmp_time.3 X509_digest.3 X509_get0_notBefore.3 \ - X509_get0_signature.3 X509_get1_email.3 X509_get_pubkey.3 \ - X509_get_serialNumber.3 X509_get_subject_name.3 \ - X509_get_version.3 X509_new.3 X509_sign.3 X509_verify_cert.3 \ - X509v3_get_ext_by_NID.3 bn_dump.3 crypto.3 d2i_ASN1_NULL.3 \ - d2i_ASN1_OBJECT.3 d2i_ASN1_OCTET_STRING.3 \ - d2i_ASN1_SEQUENCE_ANY.3 d2i_AUTHORITY_KEYID.3 \ - d2i_BASIC_CONSTRAINTS.3 d2i_CMS_ContentInfo.3 d2i_DHparams.3 \ - d2i_DIST_POINT.3 d2i_DSAPublicKey.3 d2i_ECPKParameters.3 \ - d2i_ESS_SIGNING_CERT.3 d2i_GENERAL_NAME.3 d2i_OCSP_REQUEST.3 \ - d2i_OCSP_RESPONSE.3 d2i_PKCS12.3 d2i_PKCS7.3 \ - d2i_PKCS8PrivateKey_bio.3 d2i_PKCS8_PRIV_KEY_INFO.3 \ - d2i_PKEY_USAGE_PERIOD.3 d2i_POLICYINFO.3 d2i_PROXY_POLICY.3 \ - d2i_PrivateKey.3 d2i_RSAPublicKey.3 d2i_TS_REQ.3 d2i_X509.3 \ - d2i_X509_ALGOR.3 d2i_X509_ATTRIBUTE.3 d2i_X509_CRL.3 \ - d2i_X509_EXTENSION.3 d2i_X509_NAME.3 d2i_X509_REQ.3 \ - d2i_X509_SIG.3 des_read_pw.3 evp.3 get_rfc3526_prime_8192.3 \ - i2d_CMS_bio_stream.3 i2d_PKCS7_bio_stream.3 lh_new.3 \ - lh_stats.3 tls_accept_socket.3 tls_client.3 \ - tls_config_ocsp_require_stapling.3 tls_config_set_protocols.3 \ - tls_config_set_session_id.3 tls_config_verify.3 \ - tls_conn_version.3 tls_connect.3 tls_init.3 tls_load_file.3 \ - tls_ocsp_process_response.3 tls_read.3 -dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5 +@ENABLE_LIBTLS_ONLY_FALSE@dist_man3_MANS = BIO_f_ssl.3 DTLSv1_listen.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OPENSSL_init_ssl.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PEM_read_SSL_SESSION.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CIPHER_get_name.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_COMP_add_compression_method.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_add1_chain_cert.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_add_extra_chain_cert.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_add_session.3 SSL_CTX_ctrl.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_flush_sessions.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_free.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_get0_certificate.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_get_verify_mode.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_load_verify_locations.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_new.3 SSL_CTX_sess_number.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_sess_set_cache_size.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_sess_set_get_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_sessions.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set1_groups.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_alpn_select_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_cert_store.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_cert_verify_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_cipher_list.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_client_CA_list.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_client_cert_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_default_passwd_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_generate_session_id.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_info_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_max_cert_list.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_min_proto_version.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_mode.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_msg_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_options.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_quiet_shutdown.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_read_ahead.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_session_cache_mode.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_session_id_context.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_ssl_version.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_timeout.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_tlsext_servername_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_tlsext_status_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_tlsext_ticket_key_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_tlsext_use_srtp.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_tmp_dh_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_tmp_rsa_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_set_verify.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_CTX_use_certificate.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_free.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_get0_peer.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_get_compress_id.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_get_id.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_get_protocol_version.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_get_time.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_has_ticket.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_print.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_SESSION_set1_id_context.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_accept.3 SSL_alert_type_string.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_clear.3 SSL_connect.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_copy_session_id.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_do_handshake.3 SSL_dup.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_dup_CA_list.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_export_keying_material.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_free.3 SSL_get_SSL_CTX.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_certificate.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_ciphers.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_client_CA_list.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_client_random.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_current_cipher.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_default_timeout.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_error.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_ex_data_X509_STORE_CTX_idx.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_ex_new_index.3 SSL_get_fd.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_finished.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_peer_cert_chain.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_peer_certificate.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_rbio.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_server_tmp_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_session.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_shared_ciphers.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_state.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_verify_result.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_get_version.3 SSL_library_init.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_load_client_CA_file.3 SSL_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_num_renegotiations.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_pending.3 SSL_read.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_read_early_data.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_renegotiate.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_rstate_string.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_session_reused.3 SSL_set1_host.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set1_param.3 SSL_set_SSL_CTX.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set_bio.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set_connect_state.3 SSL_set_fd.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set_max_send_fragment.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set_session.3 SSL_set_shutdown.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set_tmp_ecdh.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_set_verify_result.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_shutdown.3 SSL_state_string.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SSL_want.3 SSL_write.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_SSL_SESSION.3 ssl.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ACCESS_DESCRIPTION_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ AES_encrypt.3 ASN1_INTEGER_get.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_OBJECT_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_STRING_TABLE_add.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_STRING_length.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_STRING_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_STRING_print_ex.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_TIME_set.3 ASN1_TYPE_get.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_generate_nconf.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_item_d2i.3 ASN1_item_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ASN1_put_object.3 ASN1_time_parse.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ AUTHORITY_KEYID_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BASIC_CONSTRAINTS_new.3 BF_set_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_ctrl.3 BIO_f_base64.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_f_buffer.3 BIO_f_cipher.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_f_md.3 BIO_f_null.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_find_type.3 BIO_get_data.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_meth_new.3 BIO_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_new_CMS.3 BIO_printf.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_push.3 BIO_read.3 BIO_s_accept.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_s_bio.3 BIO_s_connect.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_s_fd.3 BIO_s_file.3 BIO_s_mem.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_s_null.3 BIO_s_socket.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_set_callback.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BIO_should_retry.3 BN_BLINDING_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_CTX_new.3 BN_CTX_start.3 BN_add.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_add_word.3 BN_bn2bin.3 BN_cmp.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_copy.3 BN_generate_prime.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_get0_nist_prime_521.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_mod_inverse.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_mod_mul_montgomery.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_mod_mul_reciprocal.3 BN_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_num_bytes.3 BN_rand.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_set_bit.3 BN_set_flags.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_set_negative.3 BN_swap.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ BN_zero.3 BUF_MEM_new.3 CMAC_Init.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_ContentInfo_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_add0_cert.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_add1_recipient_cert.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_add1_signer.3 CMS_compress.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_decrypt.3 CMS_encrypt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_final.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_get0_RecipientInfos.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_get0_SignerInfos.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_get0_type.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_get1_ReceiptRequest.3 CMS_sign.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_sign_receipt.3 CMS_uncompress.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CMS_verify.3 CMS_verify_receipt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CONF_modules_free.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CONF_modules_load_file.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CRYPTO_get_mem_functions.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CRYPTO_lock.3 CRYPTO_memcmp.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ CRYPTO_set_ex_data.3 ChaCha.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DES_set_key.3 DH_generate_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DH_generate_parameters.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DH_get0_pqg.3 DH_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DH_new.3 DH_set_method.3 DH_size.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DIST_POINT_new.3 DSA_SIG_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_do_sign.3 DSA_dup_DH.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_generate_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_generate_parameters.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_get0_pqg.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_meth_new.3 DSA_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_set_method.3 DSA_sign.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ DSA_size.3 ECDH_compute_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ECDSA_SIG_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EC_GFp_simple_method.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EC_GROUP_copy.3 EC_GROUP_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EC_KEY_METHOD_new.3 EC_KEY_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EC_POINT_add.3 EC_POINT_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_add.3 ENGINE_ctrl.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_get_default_RSA.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_init.3 ENGINE_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_register_RSA.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_register_all_RSA.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_set_RSA.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_set_default.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_set_flags.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ENGINE_unregister_RSA.3 ERR.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_GET_LIB.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_asprintf_error_data.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_clear_error.3 ERR_error_string.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_get_error.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_load_crypto_strings.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_load_strings.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_print_errors.3 ERR_put_error.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ERR_remove_state.3 ERR_set_mark.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ ESS_SIGNING_CERT_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_AEAD_CTX_init.3 EVP_BytesToKey.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_DigestInit.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_DigestSignInit.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_DigestVerifyInit.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_EncodeInit.3 EVP_EncryptInit.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_OpenInit.3 EVP_PKEY_CTX_ctrl.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_CTX_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_asn1_get_count.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_asn1_new.3 EVP_PKEY_cmp.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_decrypt.3 EVP_PKEY_derive.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_encrypt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_get_default_digest_nid.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_keygen.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_meth_get0_info.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_meth_new.3 EVP_PKEY_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_print_private.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_set1_RSA.3 EVP_PKEY_sign.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_verify.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_PKEY_verify_recover.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_SealInit.3 EVP_SignInit.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_VerifyInit.3 EVP_aes_128_cbc.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_camellia_128_cbc.3 EVP_des_cbc.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_rc4.3 EVP_sm3.3 EVP_sm4_cbc.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EVP_whirlpool.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ EXTENDED_KEY_USAGE_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ GENERAL_NAME_new.3 HMAC.3 MD5.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ NAME_CONSTRAINTS_new.3 OBJ_nid2obj.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_CRLID_new.3 OCSP_REQUEST_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_SERVICELOC_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_cert_to_id.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_request_add1_nonce.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_resp_find_status.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_response_status.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OCSP_sendreq_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OPENSSL_VERSION_NUMBER.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OPENSSL_cleanse.3 OPENSSL_config.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OPENSSL_init_crypto.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OPENSSL_load_builtin_modules.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OPENSSL_malloc.3 OPENSSL_sk_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ OpenSSL_add_all_algorithms.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PEM_ASN1_read.3 PEM_X509_INFO_read.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PEM_bytes_read_bio.3 PEM_read.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PEM_read_bio_PrivateKey.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PEM_write_bio_CMS_stream.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PEM_write_bio_PKCS7_stream.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS12_SAFEBAG_new.3 PKCS12_create.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS12_new.3 PKCS12_newpass.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS12_parse.3 PKCS5_PBKDF2_HMAC.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_add_attribute.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_dataFinal.3 PKCS7_dataInit.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_decrypt.3 PKCS7_encrypt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_final.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_get_signer_info.3 PKCS7_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_set_content.3 PKCS7_set_type.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_sign.3 PKCS7_sign_add_signer.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS7_verify.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKCS8_PRIV_KEY_INFO_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ PKEY_USAGE_PERIOD_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ POLICYINFO_new.3 PROXY_POLICY_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RAND_add.3 RAND_bytes.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RAND_load_file.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RAND_set_rand_method.3 RC4.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RIPEMD160.3 RSA_PSS_PARAMS_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_blinding_on.3 RSA_check_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_generate_key.3 RSA_get0_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_meth_new.3 RSA_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_padding_add_PKCS1_type_1.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_pkey_ctx_ctrl.3 RSA_print.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_private_encrypt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_public_encrypt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_set_method.3 RSA_sign.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_sign_ASN1_OCTET_STRING.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ RSA_size.3 SHA1.3 SMIME_read_CMS.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SMIME_read_PKCS7.3 SMIME_write_CMS.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SMIME_write_PKCS7.3 STACK_OF.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ SXNET_new.3 TS_REQ_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ UI_UTIL_read_pw.3 UI_create_method.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ UI_get_string_type.3 UI_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X25519.3 X509V3_get_d2i.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_ALGOR_dup.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_ATTRIBUTE_new.3 X509_CINF_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_CRL_get0_by_serial.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_CRL_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_EXTENSION_set_object.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_INFO_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_LOOKUP_hash_dir.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_NAME_ENTRY_get_object.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_NAME_add_entry_by_txt.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_NAME_get_index_by_NID.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_NAME_new.3 X509_NAME_print_ex.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_OBJECT_get0_X509.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_PUBKEY_new.3 X509_REQ_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_REVOKED_new.3 X509_SIG_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_CTX_get_error.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_CTX_get_ex_new_index.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_CTX_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_CTX_set_verify_cb.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_load_locations.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_set1_param.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_STORE_set_verify_cb_func.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_VERIFY_PARAM_set_flags.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_check_ca.3 X509_check_host.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_check_issued.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_check_private_key.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_check_purpose.3 X509_cmp.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_cmp_time.3 X509_digest.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_get0_notBefore.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_get0_signature.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_get1_email.3 X509_get_pubkey.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_get_serialNumber.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_get_subject_name.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_get_version.3 X509_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509_sign.3 X509_verify_cert.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ X509v3_get_ext_by_NID.3 bn_dump.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ crypto.3 d2i_ASN1_NULL.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_ASN1_OBJECT.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_ASN1_OCTET_STRING.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_ASN1_SEQUENCE_ANY.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_AUTHORITY_KEYID.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_BASIC_CONSTRAINTS.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_CMS_ContentInfo.3 d2i_DHparams.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_DIST_POINT.3 d2i_DSAPublicKey.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_ECPKParameters.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_ESS_SIGNING_CERT.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_GENERAL_NAME.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_OCSP_REQUEST.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_OCSP_RESPONSE.3 d2i_PKCS12.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_PKCS7.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_PKCS8PrivateKey_bio.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_PKCS8_PRIV_KEY_INFO.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_PKEY_USAGE_PERIOD.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_POLICYINFO.3 d2i_PROXY_POLICY.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_PrivateKey.3 d2i_RSAPublicKey.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_TS_REQ.3 d2i_X509.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_X509_ALGOR.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_X509_ATTRIBUTE.3 d2i_X509_CRL.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_X509_EXTENSION.3 d2i_X509_NAME.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ d2i_X509_REQ.3 d2i_X509_SIG.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ des_read_pw.3 evp.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ get_rfc3526_prime_8192.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ i2d_CMS_bio_stream.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ i2d_PKCS7_bio_stream.3 lh_new.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ lh_stats.3 x509_verify.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_accept_socket.3 tls_client.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_config_ocsp_require_stapling.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_config_set_protocols.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_config_set_session_id.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_config_verify.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_conn_version.3 tls_connect.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_init.3 tls_load_file.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_ocsp_process_response.3 \ +@ENABLE_LIBTLS_ONLY_FALSE@ tls_read.3 +@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5 all: all-am .SUFFIXES: @@ -649,6 +827,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." +@ENABLE_LIBTLS_ONLY_TRUE@uninstall-local: +@ENABLE_LIBTLS_ONLY_TRUE@install-data-hook: clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am @@ -736,5073 +916,5265 @@ uninstall-man: uninstall-man3 uninstall-man5 .PRECIOUS: Makefile -install-data-hook: - ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3" - ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_free.3" - ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_new.3" - ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_cbc_encrypt.3" - ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_decrypt.3" - ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_set_decrypt_key.3" - ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_set_encrypt_key.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_get.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_set.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_to_BN.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_set.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_to_BN.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_ENUMERATED.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_INTEGER.3" - ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/i2a_ASN1_INTEGER.3" - ln -sf "ASN1_OBJECT_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_OBJECT_free.3" - ln -sf "ASN1_STRING_TABLE_add.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_cleanup.3" - ln -sf "ASN1_STRING_TABLE_add.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_get.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_cmp.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_dup.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_set.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_cmp.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_data.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_dup.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_get0_data.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_length_set.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_set.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_to_UTF8.3" - ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_new.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_free.3" - ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_new.3" - ln -sf "ASN1_STRING_print_ex.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print.3" - ln -sf "ASN1_STRING_print_ex.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print_ex_fp.3" - ln -sf "ASN1_STRING_print_ex.3" "$(DESTDIR)$(mandir)/man3/ASN1_tag2str.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_adj.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_check.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_print.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set_string.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_adj.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_check.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_print.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_string.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_to_generalizedtime.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_adj.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_check.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_cmp_time_t.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_print.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set.3" - ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set_string.3" - ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_cmp.3" - ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_free.3" - ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_new.3" - ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set.3" - ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set1.3" - ln -sf "ASN1_generate_nconf.3" "$(DESTDIR)$(mandir)/man3/ASN1_generate_v3.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_bio.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_fp.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_dup.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_bio.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_fp.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_print.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TYPE.3" - ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TYPE.3" - ln -sf "ASN1_item_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_free.3" - ln -sf "ASN1_put_object.3" "$(DESTDIR)$(mandir)/man3/ASN1_put_eoc.3" - ln -sf "ASN1_time_parse.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_tm.3" - ln -sf "ASN1_time_parse.3" "$(DESTDIR)$(mandir)/man3/ASN1_time_tm_cmp.3" - ln -sf "AUTHORITY_KEYID_new.3" "$(DESTDIR)$(mandir)/man3/AUTHORITY_KEYID_free.3" - ln -sf "BASIC_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/BASIC_CONSTRAINTS_free.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_cbc_encrypt.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_cfb64_encrypt.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_decrypt.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_ecb_encrypt.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_encrypt.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_ofb64_encrypt.3" - ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_options.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_callback_ctrl.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_pending.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_wpending.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_eof.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_flush.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_close.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_info_callback.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_int_ctrl.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_pending.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_ptr_ctrl.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_reset.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_seek.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_close.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_info_callback.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_tell.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_wpending.3" - ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/bio_info_cb.3" - ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_get_buffer_num_lines.3" - ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_read_data.3" - ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_size.3" - ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_read_buffer_size.3" - ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_write_buffer_size.3" - ln -sf "BIO_f_cipher.3" "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_ctx.3" - ln -sf "BIO_f_cipher.3" "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_status.3" - ln -sf "BIO_f_cipher.3" "$(DESTDIR)$(mandir)/man3/BIO_set_cipher.3" - ln -sf "BIO_f_md.3" "$(DESTDIR)$(mandir)/man3/BIO_get_md.3" - ln -sf "BIO_f_md.3" "$(DESTDIR)$(mandir)/man3/BIO_get_md_ctx.3" - ln -sf "BIO_f_md.3" "$(DESTDIR)$(mandir)/man3/BIO_set_md.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_do_handshake.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_num_renegotiates.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_ssl.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_new_buffer_ssl_connect.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_new_ssl.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_new_ssl_connect.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_mode.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_bytes.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_timeout.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_ssl_copy_session_id.3" - ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_ssl_shutdown.3" - ln -sf "BIO_find_type.3" "$(DESTDIR)$(mandir)/man3/BIO_method_type.3" - ln -sf "BIO_find_type.3" "$(DESTDIR)$(mandir)/man3/BIO_next.3" - ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_get_shutdown.3" - ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_set_data.3" - ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_set_init.3" - ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_set_shutdown.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/BIO_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDH_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDSA_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/TYPE_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/UI_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/UI_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/UI_set_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_get_ex_data.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_get_ex_new_index.3" - ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_set_ex_data.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_get_new_index.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_free.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_callback_ctrl.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_create.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_ctrl.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_destroy.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_gets.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_puts.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_read.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_write.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_callback_ctrl.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_create.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_ctrl.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_destroy.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_gets.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_puts.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_read.3" - ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_write.3" - ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_free.3" - ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_free_all.3" - ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_set.3" - ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_up_ref.3" - ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_vfree.3" - ln -sf "BIO_printf.3" "$(DESTDIR)$(mandir)/man3/BIO_snprintf.3" - ln -sf "BIO_printf.3" "$(DESTDIR)$(mandir)/man3/BIO_vprintf.3" - ln -sf "BIO_printf.3" "$(DESTDIR)$(mandir)/man3/BIO_vsnprintf.3" - ln -sf "BIO_push.3" "$(DESTDIR)$(mandir)/man3/BIO_pop.3" - ln -sf "BIO_read.3" "$(DESTDIR)$(mandir)/man3/BIO_gets.3" - ln -sf "BIO_read.3" "$(DESTDIR)$(mandir)/man3/BIO_puts.3" - ln -sf "BIO_read.3" "$(DESTDIR)$(mandir)/man3/BIO_write.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_do_accept.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_get_accept_port.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_get_bind_mode.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_new_accept.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_accept_bios.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_accept_port.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_bind_mode.3" - ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_nbio_accept.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_read_request.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_write_guarantee.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_reset_read_request.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_destroy_bio_pair.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_get_read_request.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_get_write_buf_size.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_get_write_guarantee.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_make_bio_pair.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_new_bio_pair.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_set_write_buf_size.3" - ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_shutdown_wr.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_do_connect.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_hostname.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_int_port.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_ip.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_port.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_new_connect.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_hostname.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_int_port.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_ip.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_port.3" - ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_nbio.3" - ln -sf "BIO_s_fd.3" "$(DESTDIR)$(mandir)/man3/BIO_get_fd.3" - ln -sf "BIO_s_fd.3" "$(DESTDIR)$(mandir)/man3/BIO_new_fd.3" - ln -sf "BIO_s_fd.3" "$(DESTDIR)$(mandir)/man3/BIO_set_fd.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_append_filename.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_get_fp.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_new_file.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_new_fp.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_read_filename.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_rw_filename.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_set_fp.3" - ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_write_filename.3" - ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_get_mem_data.3" - ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_get_mem_ptr.3" - ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_new_mem_buf.3" - ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_set_mem_buf.3" - ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_set_mem_eof_return.3" - ln -sf "BIO_s_socket.3" "$(DESTDIR)$(mandir)/man3/BIO_new_socket.3" - ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_callback_fn.3" - ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_debug_callback.3" - ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_get_callback.3" - ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_get_callback_arg.3" - ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_set_callback_arg.3" - ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_get_retry_BIO.3" - ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_get_retry_reason.3" - ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_retry_type.3" - ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_should_io_special.3" - ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_should_read.3" - ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_should_write.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert_ex.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_create_param.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_free.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_flags.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_thread_id.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert_ex.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_flags.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_thread_id.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_thread_id.3" - ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_update.3" - ln -sf "BN_CTX_new.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_free.3" - ln -sf "BN_CTX_new.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_init.3" - ln -sf "BN_CTX_start.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_end.3" - ln -sf "BN_CTX_start.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_get.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_div.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_exp.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_gcd.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_add.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_exp.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_mul.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_sqr.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_sub.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mul.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_nnmod.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_sqr.3" - ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_sub.3" - ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_div_word.3" - ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_mod_word.3" - ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_mul_word.3" - ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_sub_word.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_asc2bn.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bin2bn.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bn2dec.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bn2hex.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bn2mpi.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_dec2bn.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_hex2bn.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_mpi2bn.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_print.3" - ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_print_fp.3" - ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_odd.3" - ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_one.3" - ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_word.3" - ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_zero.3" - ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_ucmp.3" - ln -sf "BN_copy.3" "$(DESTDIR)$(mandir)/man3/BN_dup.3" - ln -sf "BN_copy.3" "$(DESTDIR)$(mandir)/man3/BN_with_flags.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_call.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_free.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_get_arg.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_new.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_set.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_set_old.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_generate_prime_ex.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime_ex.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest.3" - ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest_ex.3" - ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_192.3" - ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_224.3" - ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_256.3" - ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_384.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_copy.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_free.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_init.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_new.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_set.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_from_montgomery.3" - ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_to_montgomery.3" - ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_free.3" - ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_init.3" - ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_new.3" - ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_set.3" - ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_div_recp.3" - ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_clear.3" - ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_clear_free.3" - ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_free.3" - ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_init.3" - ln -sf "BN_num_bytes.3" "$(DESTDIR)$(mandir)/man3/BN_num_bits.3" - ln -sf "BN_num_bytes.3" "$(DESTDIR)$(mandir)/man3/BN_num_bits_word.3" - ln -sf "BN_rand.3" "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand.3" - ln -sf "BN_rand.3" "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand_range.3" - ln -sf "BN_rand.3" "$(DESTDIR)$(mandir)/man3/BN_rand_range.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_clear_bit.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_is_bit_set.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_lshift.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_lshift1.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_mask_bits.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_rshift.3" - ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_rshift1.3" - ln -sf "BN_set_flags.3" "$(DESTDIR)$(mandir)/man3/BN_get_flags.3" - ln -sf "BN_set_negative.3" "$(DESTDIR)$(mandir)/man3/BN_is_negative.3" - ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_get_word.3" - ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_one.3" - ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_set_word.3" - ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_value_one.3" - ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_free.3" - ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow.3" - ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow_clean.3" - ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_reverse.3" - ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_strdup.3" - ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_free.3" - ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_print_ctx.3" - ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_free.3" - ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_new.3" - ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add0_crl.3" - ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add1_cert.3" - ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add1_crl.3" - ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_get1_certs.3" - ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_get1_crls.3" - ln -sf "CMS_add1_recipient_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add0_recipient_key.3" - ln -sf "CMS_add1_signer.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_sign.3" - ln -sf "CMS_decrypt.3" "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_key.3" - ln -sf "CMS_decrypt.3" "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_pkey.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_decrypt.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_encrypt.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_get0_id.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_id_cmp.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_cert_cmp.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_get0_signer_id.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_key.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_pkey.3" - ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_type.3" - ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_cert_cmp.3" - ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signature.3" - ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signer_id.3" - ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_set1_signer_cert.3" - ln -sf "CMS_get0_type.3" "$(DESTDIR)$(mandir)/man3/CMS_get0_content.3" - ln -sf "CMS_get0_type.3" "$(DESTDIR)$(mandir)/man3/CMS_get0_eContentType.3" - ln -sf "CMS_get0_type.3" "$(DESTDIR)$(mandir)/man3/CMS_set1_eContentType.3" - ln -sf "CMS_get1_ReceiptRequest.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_create0.3" - ln -sf "CMS_get1_ReceiptRequest.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_get0_values.3" - ln -sf "CMS_get1_ReceiptRequest.3" "$(DESTDIR)$(mandir)/man3/CMS_add1_ReceiptRequest.3" - ln -sf "CMS_verify.3" "$(DESTDIR)$(mandir)/man3/CMS_get0_signers.3" - ln -sf "CONF_modules_free.3" "$(DESTDIR)$(mandir)/man3/CONF_modules_finish.3" - ln -sf "CONF_modules_free.3" "$(DESTDIR)$(mandir)/man3/CONF_modules_unload.3" - ln -sf "CONF_modules_load_file.3" "$(DESTDIR)$(mandir)/man3/CONF_modules_load.3" - ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_MEM_LEAK_CB.3" - ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_ctrl.3" - ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks.3" - ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_cb.3" - ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_fp.3" - ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_set_mem_functions.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cmp.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cpy.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_current.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_hash.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_add.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_r_lock.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_r_unlock.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_w_lock.3" - ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_w_unlock.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_free_ex_data.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_data.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_new_index.3" - ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_new_ex_data.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cbc_cksum.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cfb64_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cfb_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_crypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ecb2_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ecb3_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ecb_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede2_cbc_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede2_cfb64_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede2_ofb64_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_cbc_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_cbcm_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_cfb64_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_ofb64_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_enc_read.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_enc_write.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_fcrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_is_weak_key.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_key_sched.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ncbc_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ofb64_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ofb_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_pcbc_encrypt.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_quad_cksum.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_random_key.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_set_key_checked.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_set_key_unchecked.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_set_odd_parity.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_string_to_2keys.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_string_to_key.3" - ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_xcbc_encrypt.3" - ln -sf "DH_generate_key.3" "$(DESTDIR)$(mandir)/man3/DH_compute_key.3" - ln -sf "DH_generate_parameters.3" "$(DESTDIR)$(mandir)/man3/DH_check.3" - ln -sf "DH_generate_parameters.3" "$(DESTDIR)$(mandir)/man3/DH_generate_parameters_ex.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_clear_flags.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_get0_engine.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_get0_key.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set0_key.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set0_pqg.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set_flags.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set_length.3" - ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_test_flags.3" - ln -sf "DH_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DH_get_ex_data.3" - ln -sf "DH_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DH_set_ex_data.3" - ln -sf "DH_new.3" "$(DESTDIR)$(mandir)/man3/DH_free.3" - ln -sf "DH_new.3" "$(DESTDIR)$(mandir)/man3/DH_up_ref.3" - ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_OpenSSL.3" - ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_get_default_method.3" - ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_new_method.3" - ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_set_default_method.3" - ln -sf "DH_size.3" "$(DESTDIR)$(mandir)/man3/DH_bits.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_free.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_new.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_free.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_new.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/DIST_POINT_free.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_free.3" - ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_new.3" - ln -sf "DSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/DSA_SIG_free.3" - ln -sf "DSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/DSA_SIG_get0.3" - ln -sf "DSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/DSA_SIG_set0.3" - ln -sf "DSA_do_sign.3" "$(DESTDIR)$(mandir)/man3/DSA_do_verify.3" - ln -sf "DSA_generate_parameters.3" "$(DESTDIR)$(mandir)/man3/DSA_generate_parameters_ex.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_clear_flags.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_get0_engine.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_get0_key.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_set0_key.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_set0_pqg.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_set_flags.3" - ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_test_flags.3" - ln -sf "DSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DSA_get_ex_data.3" - ln -sf "DSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DSA_set_ex_data.3" - ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_dup.3" - ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_free.3" - ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_set_finish.3" - ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_set_sign.3" - ln -sf "DSA_new.3" "$(DESTDIR)$(mandir)/man3/DSA_free.3" - ln -sf "DSA_new.3" "$(DESTDIR)$(mandir)/man3/DSA_up_ref.3" - ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_OpenSSL.3" - ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_get_default_method.3" - ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_new_method.3" - ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_set_default_method.3" - ln -sf "DSA_sign.3" "$(DESTDIR)$(mandir)/man3/DSA_sign_setup.3" - ln -sf "DSA_sign.3" "$(DESTDIR)$(mandir)/man3/DSA_verify.3" - ln -sf "ECDH_compute_key.3" "$(DESTDIR)$(mandir)/man3/ECDH_size.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_OpenSSL.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_free.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_get0.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_set0.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign_ex.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_do_verify.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_get_default_method.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_set_default_method.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_set_method.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_sign.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_sign_ex.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_sign_setup.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_size.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_verify.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/d2i_ECDSA_SIG.3" - ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/i2d_ECDSA_SIG.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GF2m_simple_method.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_mont_method.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nist_method.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp224_method.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp256_method.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp521_method.3" - ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_METHOD_get_field_type.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_check.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_check_discriminant.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_cmp.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_dup.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_generator.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_seed.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_asn1_flag.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_basis_type.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_cofactor.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_name.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_degree.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_order.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_pentanomial_basis.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_point_conversion_form.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_seed_len.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_trinomial_basis.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_method_of.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_asn1_flag.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_name.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_generator.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_point_conversion_form.3" - ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_seed.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_clear_free.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_free.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GF2m.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GFp.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_by_curve_name.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GF2m.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GFp.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GF2m.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GFp.3" - ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_get_builtin_curves.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_free.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_compute_key.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_init.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_keygen.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_sign.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_verify.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_compute_key.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_init.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_keygen.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_sign.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_verify.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_OpenSSL.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_default_method.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_method.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_new_method.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_default_method.3" - ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_method.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_check_key.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_clear_flags.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_copy.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_dup.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_free.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_generate_key.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_group.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_private_key.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_public_key.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_conv_form.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_enc_flags.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_flags.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_key_method_data.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_insert_key_method_data.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_new_by_curve_name.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_precompute_mult.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_print.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_print_fp.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_asn1_flag.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_conv_form.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_enc_flags.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_flags.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_group.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_private_key.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key_affine_coordinates.3" - ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_up_ref.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_have_precompute_mult.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_precompute_mult.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_cmp.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_dbl.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_invert.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_is_at_infinity.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_is_on_curve.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_make_affine.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_mul.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINTs_make_affine.3" - ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINTs_mul.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_bn2point.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_clear_free.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_copy.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_dup.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_free.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_get_Jprojective_coordinates_GFp.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GF2m.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GFp.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_hex2point.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_method_of.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_oct2point.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_point2bn.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_point2hex.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_point2oct.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_Jprojective_coordinates_GFp.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GF2m.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GFp.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GF2m.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GFp.3" - ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_to_infinity.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_by_id.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_cleanup.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_first.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_id.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_last.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_name.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_next.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_prev.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_remove.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_id.3" - ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_name.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_CTRL_FUNC_PTR.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_cmd_is_executable.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd_string.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_cmd_defns.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ctrl_function.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_cmd_defns.3" - ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ctrl_function.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher_engine.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DH.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DSA.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDH.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDSA.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_RAND.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest_engine.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_table_flags.3" - ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_table_flags.3" - ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" - ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_finish.3" - ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_finish_function.3" - ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_init_function.3" - ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_finish_function.3" - ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_init_function.3" - ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" - ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_free.3" - ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_destroy_function.3" - ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_destroy_function.3" - ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_up_ref.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_DH.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_DSA.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDH.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDSA.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_RAND.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_STORE.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_ciphers.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_complete.3" - ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_digests.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_load_builtin_engines.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_load_dynamic.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DH.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DSA.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDH.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDSA.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_RAND.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_STORE.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ciphers.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_complete.3" - ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_digests.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_CIPHERS_PTR.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_DIGESTS_PTR.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_DH.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_DSA.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDH.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDSA.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_RAND.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_RSA.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_STORE.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ciphers.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_digests.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_DH.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_DSA.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDH.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDSA.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_RAND.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_STORE.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ciphers.3" - ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_digests.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DH.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DSA.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDH.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDSA.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RAND.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RSA.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ciphers.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_digests.3" - ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_string.3" - ln -sf "ENGINE_set_flags.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_flags.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DH.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DSA.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDH.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDSA.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_RAND.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_STORE.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ciphers.3" - ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_digests.3" - ln -sf "ERR_GET_LIB.3" "$(DESTDIR)$(mandir)/man3/ERR_FATAL_ERROR.3" - ln -sf "ERR_GET_LIB.3" "$(DESTDIR)$(mandir)/man3/ERR_GET_FUNC.3" - ln -sf "ERR_GET_LIB.3" "$(DESTDIR)$(mandir)/man3/ERR_GET_REASON.3" - ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_error_string_n.3" - ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_func_error_string.3" - ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_lib_error_string.3" - ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_reason_error_string.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_get_error_line.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_get_error_line_data.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_error.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line_data.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line.3" - ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line_data.3" - ln -sf "ERR_load_crypto_strings.3" "$(DESTDIR)$(mandir)/man3/ERR_free_strings.3" - ln -sf "ERR_load_crypto_strings.3" "$(DESTDIR)$(mandir)/man3/SSL_load_error_strings.3" - ln -sf "ERR_load_strings.3" "$(DESTDIR)$(mandir)/man3/ERR_PACK.3" - ln -sf "ERR_load_strings.3" "$(DESTDIR)$(mandir)/man3/ERR_get_next_error_library.3" - ln -sf "ERR_print_errors.3" "$(DESTDIR)$(mandir)/man3/ERR_print_errors_cb.3" - ln -sf "ERR_print_errors.3" "$(DESTDIR)$(mandir)/man3/ERR_print_errors_fp.3" - ln -sf "ERR_put_error.3" "$(DESTDIR)$(mandir)/man3/ERR_add_error_data.3" - ln -sf "ERR_put_error.3" "$(DESTDIR)$(mandir)/man3/ERR_add_error_vdata.3" - ln -sf "ERR_remove_state.3" "$(DESTDIR)$(mandir)/man3/ERR_remove_thread_state.3" - ln -sf "ERR_set_mark.3" "$(DESTDIR)$(mandir)/man3/ERR_pop_to_mark.3" - ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_free.3" - ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_new.3" - ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_free.3" - ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_new.3" - ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_SIGNING_CERT_free.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_cleanup.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_open.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_seal.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_key_length.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_overhead.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_tag_len.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_nonce_length.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_128_gcm.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_256_gcm.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_chacha20_poly1305.3" - ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_xchacha20_poly1305.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_Digest.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal_ex.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestInit_ex.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestUpdate.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MAX_MD_SIZE.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_block_size.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_cleanup.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy_ex.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_create.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_ctrl.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_destroy.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_free.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_init.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_md.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_new.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_reset.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_size.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_type.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_block_size.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_pkey_type.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_size.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_type.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_dss.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_dss1.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyname.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_digestbynid.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyobj.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_md5.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_md5_sha1.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_md_null.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_ripemd160.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha1.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha224.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha256.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha384.3" - ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha512.3" - ln -sf "EVP_DigestSignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestSignFinal.3" - ln -sf "EVP_DigestSignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestSignUpdate.3" - ln -sf "EVP_DigestVerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyFinal.3" - ln -sf "EVP_DigestVerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyUpdate.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeBlock.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeFinal.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeInit.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeUpdate.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_free.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_new.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncodeBlock.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncodeFinal.3" - ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncodeUpdate.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_block_size.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cipher.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cleanup.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_clear_flags.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_ctrl.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_flags.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_free.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_app_data.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_iv.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_init.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_iv_length.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_key_length.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_mode.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_new.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_nid.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_rand_key.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_reset.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_app_data.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_flags.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_iv.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_key_length.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_padding.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_test_flags.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_type.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_asn1_to_param.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_block_size.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_flags.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_iv_length.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_key_length.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_mode.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_nid.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_param_to_asn1.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_type.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_Cipher.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal_ex.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherInit.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherInit_ex.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherUpdate.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal_ex.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit_ex.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptUpdate.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal_ex.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptInit_ex.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptUpdate.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_cbc.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb64.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_ecb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_ofb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_cbc.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb64.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_ecb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_ofb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_chacha20.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_enc_null.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyname.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbynid.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyobj.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_cbc.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb64.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_ecb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_ofb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_40_cbc.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_64_cbc.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_cbc.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb64.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_ecb.3" - ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_ofb.3" - ln -sf "EVP_OpenInit.3" "$(DESTDIR)$(mandir)/man3/EVP_OpenFinal.3" - ln -sf "EVP_OpenInit.3" "$(DESTDIR)$(mandir)/man3/EVP_OpenUpdate.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_ctrl_str.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_signature_md.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_generator.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_prime_len.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dsa_paramgen_bits.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" - ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_signature_md.3" - ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_dup.3" - ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_free.3" - ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_new_id.3" - ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find.3" - ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find_str.3" - ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0.3" - ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0_info.3" - ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_asn1.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add0.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add_alias.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_copy.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_free.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_ctrl.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_free.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_param.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_private.3" - ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_public.3" - ln -sf "EVP_PKEY_cmp.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_cmp_parameters.3" - ln -sf "EVP_PKEY_cmp.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_copy_parameters.3" - ln -sf "EVP_PKEY_cmp.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_missing_parameters.3" - ln -sf "EVP_PKEY_decrypt.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_decrypt_init.3" - ln -sf "EVP_PKEY_derive.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_init.3" - ln -sf "EVP_PKEY_derive.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_set_peer.3" - ln -sf "EVP_PKEY_encrypt.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_encrypt_init.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_app_data.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_cb.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_keygen_info.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_app_data.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_cb.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_gen_cb.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_keygen_init.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen.3" - ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen_init.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_add0.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_copy.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_find.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_free.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_cleanup.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_copy.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_ctrl.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_decrypt.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_derive.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_encrypt.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_init.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_keygen.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_paramgen.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_sign.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_signctx.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3" - ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3" - ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3" - ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3" - ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3" - ln -sf "EVP_PKEY_print_private.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3" - ln -sf "EVP_PKEY_print_private.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_public.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DH.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_EC_KEY.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_GOST.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_RSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_base_id.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DH.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_EC_KEY.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_RSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_hmac.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DH.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_EC_KEY.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_RSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_id.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DH.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DSA.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_EC_KEY.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set_type.3" - ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_type.3" - ln -sf "EVP_PKEY_sign.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_sign_init.3" - ln -sf "EVP_PKEY_verify.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_init.3" - ln -sf "EVP_PKEY_verify_recover.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_recover_init.3" - ln -sf "EVP_SealInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SealFinal.3" - ln -sf "EVP_SealInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SealUpdate.3" - ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_bits.3" - ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_size.3" - ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SignFinal.3" - ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SignInit_ex.3" - ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SignUpdate.3" - ln -sf "EVP_VerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_VerifyFinal.3" - ln -sf "EVP_VerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_VerifyInit_ex.3" - ln -sf "EVP_VerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_VerifyUpdate.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cbc_hmac_sha1.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ccm.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb1.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb128.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb8.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ctr.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ecb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_gcm.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ofb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_wrap.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_xts.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cbc.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ccm.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb1.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb128.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb8.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ctr.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ecb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_gcm.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ofb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_wrap.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc_hmac_sha1.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ccm.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb1.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb128.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb8.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ctr.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ecb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_gcm.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ofb.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_wrap.3" - ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_xts.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb1.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb128.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb8.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ecb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ofb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cbc.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb1.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb128.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb8.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ecb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ofb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cbc.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb1.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb128.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb8.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ecb.3" - ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ofb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb1.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb64.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb8.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ecb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cbc.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb1.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb64.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb8.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ecb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ofb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cbc.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb64.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ecb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ofb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ofb.3" - ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_desx_cbc.3" - ln -sf "EVP_rc4.3" "$(DESTDIR)$(mandir)/man3/EVP_rc4_40.3" - ln -sf "EVP_rc4.3" "$(DESTDIR)$(mandir)/man3/EVP_rc4_hmac_md5.3" - ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb.3" - ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb128.3" - ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_ctr.3" - ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_ecb.3" - ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_ofb.3" - ln -sf "EXTENDED_KEY_USAGE_new.3" "$(DESTDIR)$(mandir)/man3/EXTENDED_KEY_USAGE_free.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_free.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_new.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_free.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_new.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_NAME_free.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/OTHERNAME_free.3" - ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/OTHERNAME_new.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_cleanup.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_copy.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_free.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_get_md.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_init.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_new.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_reset.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_set_flags.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Final.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Init.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Init_ex.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Update.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_cleanup.3" - ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_size.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4_Final.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4_Init.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4_Update.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD5_Final.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD5_Init.3" - ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD5_Update.3" - ln -sf "NAME_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_free.3" - ln -sf "NAME_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_new.3" - ln -sf "NAME_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/NAME_CONSTRAINTS_free.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_cleanup.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_cmp.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_create.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_dup.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_ln2nid.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_nid2ln.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_nid2sn.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_obj2nid.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_obj2txt.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_sn2nid.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_txt2nid.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_txt2obj.3" - ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/i2t_ASN1_OBJECT.3" - ln -sf "OCSP_CRLID_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_CRLID_free.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_free.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_new.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_free.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_new.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQUEST_free.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_free.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_new.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_add0_id.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_add1_cert.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_count.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_get0.3" - ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_sign.3" - ln -sf "OCSP_SERVICELOC_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_SERVICELOC_free.3" - ln -sf "OCSP_SERVICELOC_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_url_svcloc_new.3" - ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_free.3" - ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_new.3" - ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_cert_id_new.3" - ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_id_cmp.3" - ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_id_get0_info.3" - ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_id_issuer_cmp.3" - ln -sf "OCSP_request_add1_nonce.3" "$(DESTDIR)$(mandir)/man3/OCSP_basic_add1_nonce.3" - ln -sf "OCSP_request_add1_nonce.3" "$(DESTDIR)$(mandir)/man3/OCSP_check_nonce.3" - ln -sf "OCSP_request_add1_nonce.3" "$(DESTDIR)$(mandir)/man3/OCSP_copy_nonce.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_free.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_new.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_free.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_new.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_free.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_get0_id.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_new.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_basic_verify.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_cert_status_str.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_check_validity.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_resp_count.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_resp_find.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_resp_get0.3" - ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_single_get0_status.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_free.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_new.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_free.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_new.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_free.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_new.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_free.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_new.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_free.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_new.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_basic_sign.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_response_create.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_response_get1_basic.3" - ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_response_status_str.3" - ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_add1_header.3" - ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_free.3" - ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_set1_req.3" - ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_parse_url.3" - ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_bio.3" - ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_nbio.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_NUMBER.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_TEXT.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_VERSION_TEXT.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_version.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_version_num.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/SSLeay.3" - ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/SSLeay_version.3" - ln -sf "OPENSSL_config.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_no_config.3" - ln -sf "OPENSSL_load_builtin_modules.3" "$(DESTDIR)$(mandir)/man3/ASN1_add_oid_module.3" - ln -sf "OPENSSL_load_builtin_modules.3" "$(DESTDIR)$(mandir)/man3/ENGINE_add_conf_module.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_free.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_malloc.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_realloc.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_strdup.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_free.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_realloc.3" - ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_strdup.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_delete.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_delete_ptr.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_dup.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_find.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_find_ex.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_free.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_insert.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_is_sorted.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_new.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_new_null.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_num.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_pop.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_pop_free.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_push.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_set.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_set_cmp_func.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_shift.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_sort.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_unshift.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_value.3" - ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_zero.3" - ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/EVP_cleanup.3" - ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_ciphers.3" - ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_digests.3" - ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_do_header.3" - ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_get_EVP_CIPHER_INFO.3" - ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio.3" - ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_write.3" - ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio.3" - ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_SSL_SESSION.3" - ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_write_SSL_SESSION.3" - ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_SSL_SESSION.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DHparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSAparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_ECPKParameters.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_ECPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_EC_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_NETSCAPE_CERT_SEQUENCE.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS7.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8_PRIV_KEY_INFO.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPublicKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_RSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_AUX.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_CRL.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_REQ.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DHparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPKParameters.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_EC_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS7.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8_PRIV_KEY_INFO.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPublicKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_AUX.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_CRL.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_REQ.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DHparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSAparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_ECPKParameters.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_ECPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_EC_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_NETSCAPE_CERT_SEQUENCE.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS7.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey_nid.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8_PRIV_KEY_INFO.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPublicKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_RSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_AUX.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_CRL.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ_NEW.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DHparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAparams.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPKParameters.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_EC_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS7.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey_nid.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8_PRIV_KEY_INFO.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPrivateKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPublicKey.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSA_PUBKEY.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_AUX.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_CRL.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ_NEW.3" - ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" - ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_free.3" - ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_new.3" - ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_SAFEBAG_free.3" - ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_free.3" - ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_new.3" - ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_free.3" - ln -sf "PKCS5_PBKDF2_HMAC.3" "$(DESTDIR)$(mandir)/man3/PKCS5_PBKDF2_HMAC_SHA1.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_free.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_new.3" - ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_free.3" - ln -sf "PKCS7_verify.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get0_signers.3" - ln -sf "PKCS8_PRIV_KEY_INFO_new.3" "$(DESTDIR)$(mandir)/man3/PKCS8_PRIV_KEY_INFO_free.3" - ln -sf "PKEY_USAGE_PERIOD_new.3" "$(DESTDIR)$(mandir)/man3/PKEY_USAGE_PERIOD_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_new.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/NOTICEREF_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/NOTICEREF_new.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICYINFO_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_new.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_new.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_new.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/USERNOTICE_free.3" - ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/USERNOTICE_new.3" - ln -sf "PROXY_POLICY_new.3" "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_free.3" - ln -sf "PROXY_POLICY_new.3" "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_new.3" - ln -sf "PROXY_POLICY_new.3" "$(DESTDIR)$(mandir)/man3/PROXY_POLICY_free.3" - ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_cleanup.3" - ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_poll.3" - ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_seed.3" - ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_status.3" - ln -sf "RAND_bytes.3" "$(DESTDIR)$(mandir)/man3/RAND_pseudo_bytes.3" - ln -sf "RAND_load_file.3" "$(DESTDIR)$(mandir)/man3/RAND_file_name.3" - ln -sf "RAND_load_file.3" "$(DESTDIR)$(mandir)/man3/RAND_write_file.3" - ln -sf "RAND_set_rand_method.3" "$(DESTDIR)$(mandir)/man3/RAND_SSLeay.3" - ln -sf "RAND_set_rand_method.3" "$(DESTDIR)$(mandir)/man3/RAND_get_rand_method.3" - ln -sf "RC4.3" "$(DESTDIR)$(mandir)/man3/RC4_set_key.3" - ln -sf "RIPEMD160.3" "$(DESTDIR)$(mandir)/man3/RIPEMD160_Final.3" - ln -sf "RIPEMD160.3" "$(DESTDIR)$(mandir)/man3/RIPEMD160_Init.3" - ln -sf "RIPEMD160.3" "$(DESTDIR)$(mandir)/man3/RIPEMD160_Update.3" - ln -sf "RSA_PSS_PARAMS_new.3" "$(DESTDIR)$(mandir)/man3/RSA_PSS_PARAMS_free.3" - ln -sf "RSA_blinding_on.3" "$(DESTDIR)$(mandir)/man3/RSA_blinding_off.3" - ln -sf "RSA_generate_key.3" "$(DESTDIR)$(mandir)/man3/RSA_generate_key_ex.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_clear_flags.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_get0_crt_params.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_get0_factors.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set0_crt_params.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set0_factors.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set0_key.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set_flags.3" - ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_test_flags.3" - ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" - ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" - ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" - ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/RSA_get_ex_data.3" - ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/RSA_set_ex_data.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_dup.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_free.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_app_data.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_name.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_bn_mod_exp.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_finish.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_flags.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_init.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_keygen.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_mod_exp.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_dec.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_enc.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_dec.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_enc.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_sign.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_verify.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set0_app_data.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set1_name.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_bn_mod_exp.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_finish.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_flags.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_init.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_keygen.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_mod_exp.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_dec.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_enc.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_dec.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_enc.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_sign.3" - ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_verify.3" - ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSAPrivateKey_dup.3" - ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSAPublicKey_dup.3" - ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSA_free.3" - ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSA_up_ref.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_OAEP.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_type_2.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_add_none.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_OAEP.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_1.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_2.3" - ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_none.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DHparams_print.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DHparams_print_fp.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSA_print.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSA_print_fp.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSAparams_print.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSAparams_print_fp.3" - ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/RSA_print_fp.3" - ln -sf "RSA_private_encrypt.3" "$(DESTDIR)$(mandir)/man3/RSA_public_decrypt.3" - ln -sf "RSA_public_encrypt.3" "$(DESTDIR)$(mandir)/man3/RSA_private_decrypt.3" - ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_PKCS1_SSLeay.3" - ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_flags.3" - ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_get_default_method.3" - ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_get_method.3" - ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_new_method.3" - ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_set_default_method.3" - ln -sf "RSA_sign.3" "$(DESTDIR)$(mandir)/man3/RSA_verify.3" - ln -sf "RSA_sign_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/RSA_verify_ASN1_OCTET_STRING.3" - ln -sf "RSA_size.3" "$(DESTDIR)$(mandir)/man3/RSA_bits.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA1_Final.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA1_Init.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA1_Update.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224_Final.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224_Init.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224_Update.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256_Final.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256_Init.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256_Update.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384_Final.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384_Init.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384_Update.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512_Final.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512_Init.3" - ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512_Update.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_description.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_auth_nid.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_bits.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_cipher_nid.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_digest_nid.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_id.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_kx_nid.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_version.3" - ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_is_aead.3" - ln -sf "SSL_COMP_add_compression_method.3" "$(DESTDIR)$(mandir)/man3/SSL_COMP_get_compression_methods.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_add0_chain_cert.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_chain_certs.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_chain_certs.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set0_chain.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_chain.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_add0_chain_cert.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_add1_chain_cert.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_chain_certs.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_chain_certs.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_set0_chain.3" - ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_chain.3" - ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_extra_chain_certs.3" - ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs.3" - ln -sf "SSL_CTX_add_session.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_remove_session.3" - ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_callback_ctrl.3" - ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_callback_ctrl.3" - ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_ctrl.3" - ln -sf "SSL_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ex_data.3" - ln -sf "SSL_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ex_data.3" - ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_callback.3" - ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_depth.3" - ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_verify_callback.3" - ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_verify_depth.3" - ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_verify_mode.3" - ln -sf "SSL_CTX_load_verify_locations.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_verify_paths.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_server_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_server_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_up_ref.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSLv23_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSLv23_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSLv23_server_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLS_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLS_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLS_server_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_1_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_1_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_1_server_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_2_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_2_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_2_server_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_client_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_method.3" - ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_server_method.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_good.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_renegotiate.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cache_full.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cb_hits.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_good.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_renegotiate.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_hits.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_misses.3" - ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_timeouts.3" - ln -sf "SSL_CTX_sess_set_cache_size.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_cache_size.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_get_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_new_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_remove_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_new_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_remove_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/get_session_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/new_session_cb.3" - ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/remove_session_cb.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves_list.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_groups_list.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_curves.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_curves_list.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_groups.3" - ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_groups_list.3" - ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_alpn_protos.3" - ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_alpn_selected.3" - ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_select_next_proto.3" - ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_set_alpn_protos.3" - ln -sf "SSL_CTX_set_cert_store.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_cert_store.3" - ln -sf "SSL_CTX_set_cipher_list.3" "$(DESTDIR)$(mandir)/man3/SSL_set_cipher_list.3" - ln -sf "SSL_CTX_set_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_add_client_CA.3" - ln -sf "SSL_CTX_set_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_add_client_CA.3" - ln -sf "SSL_CTX_set_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_set_client_CA_list.3" - ln -sf "SSL_CTX_set_client_cert_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_cert_cb.3" - ln -sf "SSL_CTX_set_client_cert_cb.3" "$(DESTDIR)$(mandir)/man3/client_cert_cb.3" - ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb.3" - ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb_userdata.3" - ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_passwd_cb_userdata.3" - ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" - ln -sf "SSL_CTX_set_generate_session_id.3" "$(DESTDIR)$(mandir)/man3/GEN_SESSION_CB.3" - ln -sf "SSL_CTX_set_generate_session_id.3" "$(DESTDIR)$(mandir)/man3/SSL_has_matching_session_id.3" - ln -sf "SSL_CTX_set_generate_session_id.3" "$(DESTDIR)$(mandir)/man3/SSL_set_generate_session_id.3" - ln -sf "SSL_CTX_set_info_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_info_callback.3" - ln -sf "SSL_CTX_set_info_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_get_info_callback.3" - ln -sf "SSL_CTX_set_info_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_info_callback.3" - ln -sf "SSL_CTX_set_max_cert_list.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_cert_list.3" - ln -sf "SSL_CTX_set_max_cert_list.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_cert_list.3" - ln -sf "SSL_CTX_set_max_cert_list.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_cert_list.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_proto_version.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_min_proto_version.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_proto_version.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_proto_version.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_get_min_proto_version.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_proto_version.3" - ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_set_min_proto_version.3" - ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_mode.3" - ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_mode.3" - ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_mode.3" - ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_mode.3" - ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_set_mode.3" - ln -sf "SSL_CTX_set_msg_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_msg_callback_arg.3" - ln -sf "SSL_CTX_set_msg_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback.3" - ln -sf "SSL_CTX_set_msg_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback_arg.3" - ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_options.3" - ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_options.3" - ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_options.3" - ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_get_options.3" - ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_get_secure_renegotiation_support.3" - ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_set_options.3" - ln -sf "SSL_CTX_set_quiet_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_quiet_shutdown.3" - ln -sf "SSL_CTX_set_quiet_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_get_quiet_shutdown.3" - ln -sf "SSL_CTX_set_quiet_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_set_quiet_shutdown.3" - ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_read_ahead.3" - ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_read_ahead.3" - ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_get_read_ahead.3" - ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_set_read_ahead.3" - ln -sf "SSL_CTX_set_session_cache_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_session_cache_mode.3" - ln -sf "SSL_CTX_set_session_id_context.3" "$(DESTDIR)$(mandir)/man3/SSL_set_session_id_context.3" - ln -sf "SSL_CTX_set_ssl_version.3" "$(DESTDIR)$(mandir)/man3/SSL_get_ssl_method.3" - ln -sf "SSL_CTX_set_ssl_version.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ssl_method.3" - ln -sf "SSL_CTX_set_timeout.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_timeout.3" - ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_servername_arg.3" - ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_get_servername.3" - ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_get_servername_type.3" - ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_host_name.3" - ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_arg.3" - ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_cb.3" - ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_status_arg.3" - ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_get_tlsext_status_ocsp_resp.3" - ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_ocsp_resp.3" - ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_type.3" - ln -sf "SSL_CTX_set_tlsext_use_srtp.3" "$(DESTDIR)$(mandir)/man3/SSL_get_selected_srtp_profile.3" - ln -sf "SSL_CTX_set_tlsext_use_srtp.3" "$(DESTDIR)$(mandir)/man3/SSL_get_srtp_profiles.3" - ln -sf "SSL_CTX_set_tlsext_use_srtp.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_use_srtp.3" - ln -sf "SSL_CTX_set_tmp_dh_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_dh.3" - ln -sf "SSL_CTX_set_tmp_dh_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh.3" - ln -sf "SSL_CTX_set_tmp_dh_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh_callback.3" - ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_need_tmp_RSA.3" - ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_rsa.3" - ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_need_tmp_RSA.3" - ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa.3" - ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa_callback.3" - ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_verify_depth.3" - ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/SSL_set_verify.3" - ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/SSL_set_verify_depth.3" - ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/verify_callback.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_check_private_key.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_ASN1.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_file.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_ASN1.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_file.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_ASN1.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_file.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_mem.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_file.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_check_private_key.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_ASN1.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_file.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_ASN1.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3" - ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3" - ln -sf "SSL_SESSION_free.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3" - ln -sf "SSL_SESSION_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3" - ln -sf "SSL_SESSION_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_ex_data.3" - ln -sf "SSL_SESSION_get_id.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set1_id.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_timeout.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_time.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_timeout.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_get_time.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_get_timeout.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_set_time.3" - ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_set_timeout.3" - ln -sf "SSL_SESSION_has_ticket.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ticket_lifetime_hint.3" - ln -sf "SSL_SESSION_print.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_print_fp.3" - ln -sf "SSL_SESSION_set1_id_context.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get0_id_context.3" - ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string.3" - ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string_long.3" - ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_type_string_long.3" - ln -sf "SSL_get_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_get_privatekey.3" - ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ciphers.3" - ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_get1_supported_ciphers.3" - ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_list.3" - ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_get_client_ciphers.3" - ln -sf "SSL_get_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_CA_list.3" - ln -sf "SSL_get_client_random.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_master_key.3" - ln -sf "SSL_get_client_random.3" "$(DESTDIR)$(mandir)/man3/SSL_get_server_random.3" - ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher.3" - ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_bits.3" - ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_name.3" - ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_version.3" - ln -sf "SSL_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_get_ex_data.3" - ln -sf "SSL_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3" - ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3" - ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3" - ln -sf "SSL_get_rbio.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3" - ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3" - ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3" - ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_accept_init.3" - ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_before.3" - ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_connect_init.3" - ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_init.3" - ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_is_init_finished.3" - ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_state.3" - ln -sf "SSL_get_version.3" "$(DESTDIR)$(mandir)/man3/SSL_version.3" - ln -sf "SSL_library_init.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_ssl_algorithms.3" - ln -sf "SSL_library_init.3" "$(DESTDIR)$(mandir)/man3/SSLeay_add_ssl_algorithms.3" - ln -sf "SSL_load_client_CA_file.3" "$(DESTDIR)$(mandir)/man3/SSL_add_dir_cert_subjects_to_stack.3" - ln -sf "SSL_load_client_CA_file.3" "$(DESTDIR)$(mandir)/man3/SSL_add_file_cert_subjects_to_stack.3" - ln -sf "SSL_new.3" "$(DESTDIR)$(mandir)/man3/SSL_up_ref.3" - ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3" - ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3" - ln -sf "SSL_read.3" "$(DESTDIR)$(mandir)/man3/SSL_peek.3" - ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3" - ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3" - ln -sf "SSL_rstate_string.3" "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3" - ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3" - ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3" - ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3" - ln -sf "SSL_set_connect_state.3" "$(DESTDIR)$(mandir)/man3/SSL_is_server.3" - ln -sf "SSL_set_connect_state.3" "$(DESTDIR)$(mandir)/man3/SSL_set_accept_state.3" - ln -sf "SSL_set_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_set_rfd.3" - ln -sf "SSL_set_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_set_wfd.3" - ln -sf "SSL_set_max_send_fragment.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_send_fragment.3" - ln -sf "SSL_set_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_get_shutdown.3" - ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ecdh_auto.3" - ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh.3" - ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh_callback.3" - ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ecdh_auto.3" - ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_ecdh_callback.3" - ln -sf "SSL_state_string.3" "$(DESTDIR)$(mandir)/man3/SSL_state_string_long.3" - ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_nothing.3" - ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_read.3" - ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_write.3" - ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_x509_lookup.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/SXNETID_free.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/SXNETID_new.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/SXNET_free.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/d2i_SXNET.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/d2i_SXNETID.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/i2d_SXNET.3" - ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/i2d_SXNETID.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_free.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_new.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_free.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_new.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_REQ_free.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_RESP_free.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_RESP_new.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_free.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_new.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_free.3" - ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_new.3" - ln -sf "UI_UTIL_read_pw.3" "$(DESTDIR)$(mandir)/man3/UI_UTIL_read_pw_string.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_destroy_method.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_closer.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_flusher.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_opener.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_prompt_constructor.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_reader.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_writer.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_closer.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_flusher.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_opener.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_prompt_constructor.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_reader.3" - ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_writer.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_action_string.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_output_string.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_result_string.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_test_string.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get_input_flags.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get_result_maxsize.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get_result_minsize.3" - ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_set_result.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_OpenSSL.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_error_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_info_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_input_boolean.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_input_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_user_data.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_verify_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_construct_prompt.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_ctrl.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_error_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_info_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_input_boolean.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_input_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_verify_string.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_free.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get0_result.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get0_user_data.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get_default_method.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get_method.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_new_method.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_process.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_set_default_method.3" - ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_set_method.3" - ln -sf "X25519.3" "$(DESTDIR)$(mandir)/man3/X25519_keypair.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509V3_EXT_d2i.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509V3_EXT_i2d.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509V3_add1_i2d.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_add1_ext_i2d.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_extensions.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_d2i.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add1_ext_i2d.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_extensions.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_d2i.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_add1_ext_i2d.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_get0_extensions.3" - ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_d2i.3" - ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_cmp.3" - ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_free.3" - ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_get0.3" - ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_new.3" - ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set0.3" - ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set_md.3" - ln -sf "X509_ATTRIBUTE_new.3" "$(DESTDIR)$(mandir)/man3/X509_ATTRIBUTE_free.3" - ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_free.3" - ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_new.3" - ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_CINF_free.3" - ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_VAL_free.3" - ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_VAL_new.3" - ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_add0_revoked.3" - ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_by_cert.3" - ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_REVOKED.3" - ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_sort.3" - ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_free.3" - ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_new.3" - ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_dup.3" - ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_free.3" - ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_up_ref.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_NID.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_OBJ.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_free.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_critical.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_data.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_object.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_new.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_critical.3" - ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_data.3" - ln -sf "X509_INFO_new.3" "$(DESTDIR)$(mandir)/man3/X509_INFO_free.3" - ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_LOOKUP_file.3" - ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_load_cert_crl_file.3" - ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_load_cert_file.3" - ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_load_crl_file.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_NID.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_OBJ.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_txt.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_free.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_get_data.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_new.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_data.3" - ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_object.3" - ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry.3" - ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_NID.3" - ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_OBJ.3" - ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_delete_entry.3" - ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_entry_count.3" - ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_entry.3" - ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_index_by_OBJ.3" - ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_NID.3" - ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_OBJ.3" - ln -sf "X509_NAME_new.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_free.3" - ln -sf "X509_NAME_print_ex.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_oneline.3" - ln -sf "X509_NAME_print_ex.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_print.3" - ln -sf "X509_NAME_print_ex.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_print_ex_fp.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_free_contents.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get0_X509_CRL.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get_type.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_idx_by_subject.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_by_subject.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_match.3" - ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_up_ref_count.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_free.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0_param.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set0_param.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_bio.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_fp.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_bio.3" - ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_fp.3" - ln -sf "X509_REQ_new.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_free.3" - ln -sf "X509_REQ_new.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_new.3" - ln -sf "X509_REQ_new.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_free.3" - ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_dup.3" - ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_free.3" - ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_revocationDate.3" - ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_serialNumber.3" - ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_revocationDate.3" - ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_serialNumber.3" - ln -sf "X509_SIG_new.3" "$(DESTDIR)$(mandir)/man3/X509_SIG_free.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_cert.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_chain.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get1_chain.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_current_cert.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_error_depth.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_error.3" - ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_verify_cert_error_string.3" - ln -sf "X509_STORE_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_ex_data.3" - ln -sf "X509_STORE_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_ex_data.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_cleanup.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_free.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_param.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_store.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_untrusted.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_init.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_crls.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_param.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_trusted_stack.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_untrusted.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_cert.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_chain.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_default.3" - ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_trusted_stack.3" - ln -sf "X509_STORE_load_locations.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_default_paths.3" - ln -sf "X509_STORE_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_free.3" - ln -sf "X509_STORE_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_up_ref.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_add_cert.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_add_crl.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_objects.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_param.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_data.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_new_index.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_depth.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_ex_data.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_flags.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_purpose.3" - ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_trust.3" - ln -sf "X509_STORE_set_verify_cb_func.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_verify_cb.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_policy.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_table.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add1_host.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_clear_flags.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_free.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_name.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_peername.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_count.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_depth.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_flags.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_lookup.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_new.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_email.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_host.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip_asc.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_name.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_policies.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_depth.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_hostflags.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_purpose.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_time.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_trust.3" - ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_table_cleanup.3" - ln -sf "X509_check_host.3" "$(DESTDIR)$(mandir)/man3/X509_check_email.3" - ln -sf "X509_check_host.3" "$(DESTDIR)$(mandir)/man3/X509_check_ip.3" - ln -sf "X509_check_host.3" "$(DESTDIR)$(mandir)/man3/X509_check_ip_asc.3" - ln -sf "X509_check_private_key.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_check_private_key.3" - ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_cmp.3" - ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_match.3" - ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_cmp.3" - ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_issuer_and_serial_cmp.3" - ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_issuer_name_cmp.3" - ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_subject_name_cmp.3" - ln -sf "X509_cmp_time.3" "$(DESTDIR)$(mandir)/man3/X509_cmp_current_time.3" - ln -sf "X509_cmp_time.3" "$(DESTDIR)$(mandir)/man3/X509_time_adj.3" - ln -sf "X509_cmp_time.3" "$(DESTDIR)$(mandir)/man3/X509_time_adj_ex.3" - ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_digest.3" - ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_digest.3" - ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_digest.3" - ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_digest.3" - ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_pubkey_digest.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_lastUpdate.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_nextUpdate.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_lastUpdate.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_nextUpdate.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get0_notAfter.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_getm_notAfter.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_getm_notBefore.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set1_notAfter.3" - ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set1_notBefore.3" - ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_signature.3" - ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_signature_nid.3" - ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get0_signature.3" - ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_signature_nid.3" - ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get0_tbs_sigalg.3" - ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get_signature_nid.3" - ln -sf "X509_get1_email.3" "$(DESTDIR)$(mandir)/man3/X509_email_free.3" - ln -sf "X509_get1_email.3" "$(DESTDIR)$(mandir)/man3/X509_get1_ocsp.3" - ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_pubkey.3" - ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_pubkey.3" - ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey.3" - ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get_X509_PUBKEY.3" - ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_set_pubkey.3" - ln -sf "X509_get_serialNumber.3" "$(DESTDIR)$(mandir)/man3/X509_set_serialNumber.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_issuer.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_issuer_name.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_subject_name.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_subject_name.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_get_issuer_name.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_set_issuer_name.3" - ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_set_subject_name.3" - ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_version.3" - ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_version.3" - ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_version.3" - ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_version.3" - ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_set_version.3" - ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_chain_up_ref.3" - ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_dup.3" - ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_free.3" - ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_up_ref.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_sign.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_sign_ctx.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_verify.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_sign.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_sign_ctx.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_verify.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_sign_ctx.3" - ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_verify.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_add_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_delete_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_NID.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_OBJ.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_critical.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_count.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_delete_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_NID.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_OBJ.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_critical.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_count.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_add_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_delete_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_NID.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_OBJ.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_critical.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_count.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_add_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_delete_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_OBJ.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_critical.3" - ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_count.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_add_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_check_top.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_cmp_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_div_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_expand.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_expand2.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_fix_top.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_add_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_comba4.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_comba8.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_high.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_low_normal.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_low_recursive.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_normal.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_part_recursive.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_recursive.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_set_high.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_set_low.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_set_max.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_comba4.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_comba8.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_normal.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_recursive.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sub_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_wexpand.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/mul.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/mul_add.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/sqr.3" - ln -sf "d2i_ASN1_NULL.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_NULL.3" - ln -sf "d2i_ASN1_OBJECT.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OBJECT.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BIT_STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BMPSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_ENUMERATED.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALIZEDTIME.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_IA5STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_INTEGER.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLE.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLESTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_T61STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TIME.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UINTEGER.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UNIVERSALSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTCTIME.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTF8STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_VISIBLESTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_DIRECTORYSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_DISPLAYTEXT.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BIT_STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BMPSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_ENUMERATED.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALIZEDTIME.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_IA5STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_INTEGER.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OCTET_STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLE.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLESTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_T61STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TIME.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UNIVERSALSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTCTIME.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTF8STRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_VISIBLESTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_DIRECTORYSTRING.3" - ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_DISPLAYTEXT.3" - ln -sf "d2i_ASN1_SEQUENCE_ANY.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_SET_ANY.3" - ln -sf "d2i_ASN1_SEQUENCE_ANY.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SEQUENCE_ANY.3" - ln -sf "d2i_ASN1_SEQUENCE_ANY.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SET_ANY.3" - ln -sf "d2i_AUTHORITY_KEYID.3" "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_KEYID.3" - ln -sf "d2i_BASIC_CONSTRAINTS.3" "$(DESTDIR)$(mandir)/man3/d2i_EXTENDED_KEY_USAGE.3" - ln -sf "d2i_BASIC_CONSTRAINTS.3" "$(DESTDIR)$(mandir)/man3/i2d_BASIC_CONSTRAINTS.3" - ln -sf "d2i_BASIC_CONSTRAINTS.3" "$(DESTDIR)$(mandir)/man3/i2d_EXTENDED_KEY_USAGE.3" - ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/d2i_CMS_ReceiptRequest.3" - ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/d2i_CMS_bio.3" - ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/i2d_CMS_ContentInfo.3" - ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/i2d_CMS_ReceiptRequest.3" - ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/i2d_CMS_bio.3" - ln -sf "d2i_DHparams.3" "$(DESTDIR)$(mandir)/man3/i2d_DHparams.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_ACCESS_DESCRIPTION.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_AUTHORITY_INFO_ACCESS.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_CRL_DIST_POINTS.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_DIST_POINT_NAME.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_ISSUING_DIST_POINT.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_ACCESS_DESCRIPTION.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_INFO_ACCESS.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_CRL_DIST_POINTS.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT_NAME.3" - ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_ISSUING_DIST_POINT.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/DSAparams_dup.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_bio.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_fp.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_bio.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_fp.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_SIG.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAparams.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_bio.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_fp.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_bio.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_fp.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPublicKey.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_bio.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_fp.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_SIG.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAparams.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_bio.3" - ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECPKParameters_print.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECPKParameters_print_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECParameters_dup.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECParameters_print.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECParameters_print_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_bio.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECParameters.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_bio.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_bio.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_bio.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECParameters.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_bio.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_bio.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_fp.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2o_ECPublicKey.3" - ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/o2i_ECPublicKey.3" - ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/d2i_ESS_CERT_ID.3" - ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/d2i_ESS_ISSUER_SERIAL.3" - ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/i2d_ESS_CERT_ID.3" - ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/i2d_ESS_ISSUER_SERIAL.3" - ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/i2d_ESS_SIGNING_CERT.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_EDIPARTYNAME.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_GENERAL_NAMES.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_OTHERNAME.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_EDIPARTYNAME.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAME.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAMES.3" - ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_OTHERNAME.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTID.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_ONEREQ.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REQINFO.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SERVICELOC.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SIGNATURE.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTID.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_ONEREQ.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQINFO.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQUEST.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SERVICELOC.3" - ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SIGNATURE.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_BASICRESP.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTSTATUS.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CRLID.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPBYTES.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPDATA.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPID.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REVOKEDINFO.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SINGLERESP.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_BASICRESP.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTSTATUS.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CRLID.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPBYTES.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPDATA.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPID.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPONSE.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REVOKEDINFO.3" - ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SINGLERESP.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_BAGS.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_MAC_DATA.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_SAFEBAG.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_bio.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_fp.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_BAGS.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_MAC_DATA.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_SAFEBAG.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_bio.3" - ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_fp.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_DIGEST.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENCRYPT.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENC_CONTENT.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENVELOPE.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ISSUER_AND_SERIAL.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_RECIP_INFO.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNED.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNER_INFO.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGN_ENVELOPE.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_bio.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_fp.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_DIGEST.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENCRYPT.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENC_CONTENT.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENVELOPE.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ISSUER_AND_SERIAL.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_NDEF.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_RECIP_INFO.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNED.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNER_INFO.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGN_ENVELOPE.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_bio.3" - ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_fp.3" - ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8PrivateKey_fp.3" - ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_bio.3" - ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_fp.3" - ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_bio.3" - ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_fp.3" - ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_bio.3" - ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_fp.3" - ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO.3" - ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_bio.3" - ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_fp.3" - ln -sf "d2i_PKEY_USAGE_PERIOD.3" "$(DESTDIR)$(mandir)/man3/i2d_PKEY_USAGE_PERIOD.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_CERTIFICATEPOLICIES.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_NOTICEREF.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_POLICYQUALINFO.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_USERNOTICE.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_CERTIFICATEPOLICIES.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_NOTICEREF.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_POLICYINFO.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_POLICYQUALINFO.3" - ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_USERNOTICE.3" - ln -sf "d2i_PROXY_POLICY.3" "$(DESTDIR)$(mandir)/man3/d2i_PROXY_CERT_INFO_EXTENSION.3" - ln -sf "d2i_PROXY_POLICY.3" "$(DESTDIR)$(mandir)/man3/i2d_PROXY_CERT_INFO_EXTENSION.3" - ln -sf "d2i_PROXY_POLICY.3" "$(DESTDIR)$(mandir)/man3/i2d_PROXY_POLICY.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_AutoPrivateKey.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_bio.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_fp.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_PublicKey.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_bio.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_fp.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PrivateKey.3" - ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PublicKey.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_Netscape_RSA.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_bio.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_fp.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_bio.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_fp.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PSS_PARAMS.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_bio.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_fp.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_Netscape_RSA.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_bio.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_fp.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_bio.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_fp.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PSS_PARAMS.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_bio.3" - ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_fp.3" - ln -sf "d2i_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/i2d_SSL_SESSION.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_ACCURACY.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_STATUS_INFO.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_ACCURACY.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_fp.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_STATUS_INFO.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_bio.3" - ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_fp.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_AUX.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CERT_AUX.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CINF.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_VAL.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_bio.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_fp.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_AUX.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CERT_AUX.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CINF.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_VAL.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_bio.3" - ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_fp.3" - ln -sf "d2i_X509_ALGOR.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_ALGOR.3" - ln -sf "d2i_X509_ATTRIBUTE.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_ATTRIBUTE.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_INFO.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_bio.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_fp.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REVOKED.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_INFO.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_bio.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_fp.3" - ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REVOKED.3" - ln -sf "d2i_X509_EXTENSION.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_EXTENSIONS.3" - ln -sf "d2i_X509_EXTENSION.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSION.3" - ln -sf "d2i_X509_EXTENSION.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSIONS.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_dup.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_dup.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get0_der.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_hash.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_NAME_ENTRY.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME.3" - ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME_ENTRY.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_INFO.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_bio.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_fp.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_INFO.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_bio.3" - ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_fp.3" - ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_bio.3" - ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_fp.3" - ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_bio.3" - ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_fp.3" - ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_SIG.3" - ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string.3" - ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/des_read_pw_string.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_1024.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_768.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_1536.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_2048.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_3072.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_4096.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_6144.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_8192.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_1024.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_768.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_1536.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_2048.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_3072.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_4096.3" - ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_6144.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/DECLARE_LHASH_OF.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_COMP_FN_TYPE.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_ARG_FN_TYPE.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_FN_TYPE.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_HASH_FN_TYPE.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__delete.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__doall.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__doall_arg.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__error.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__free.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__insert.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__new.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__retrieve.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_delete.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_doall.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_doall_arg.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_error.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_free.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_insert.3" - ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_retrieve.3" - ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_stats.3" - ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_stats_bio.3" - ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats.3" - ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats_bio.3" - ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_stats_bio.3" - ln -sf "tls_accept_socket.3" "$(DESTDIR)$(mandir)/man3/tls_accept_cbs.3" - ln -sf "tls_accept_socket.3" "$(DESTDIR)$(mandir)/man3/tls_accept_fds.3" - ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_configure.3" - ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_free.3" - ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_reset.3" - ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_server.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_parse_protocols.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_client.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_server.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_alpn.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ciphers.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_dheparams.3" - ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ecdhecurves.3" - ln -sf "tls_config_set_session_id.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_ticket_key.3" - ln -sf "tls_config_set_session_id.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_session_fd.3" - ln -sf "tls_config_set_session_id.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_session_lifetime.3" - ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifycert.3" - ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifyname.3" - ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifytime.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_alpn_selected.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_cipher.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_servername.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_session_resumed.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_chain_pem.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_contains_name.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_hash.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_issuer.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notafter.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notbefore.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_provided.3" - ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_subject.3" - ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_cbs.3" - ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_fds.3" - ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_servername.3" - ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_socket.3" - ln -sf "tls_init.3" "$(DESTDIR)$(mandir)/man3/tls_config_error.3" - ln -sf "tls_init.3" "$(DESTDIR)$(mandir)/man3/tls_config_free.3" - ln -sf "tls_init.3" "$(DESTDIR)$(mandir)/man3/tls_config_new.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_clear_keys.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_path.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_key_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_key_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_mem.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_verify_depth.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_verify_client.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_verify_client_optional.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_default_ca_cert_file.3" - ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_unload_file.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_cert_status.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_crl_reason.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_next_update.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_response_status.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_result.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_revocation_time.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_this_update.3" - ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_url.3" - ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_close.3" - ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_error.3" - ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_handshake.3" - ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_reset.3" - ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@install-data-hook: +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_set_decrypt_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "AES_encrypt.3" "$(DESTDIR)$(mandir)/man3/AES_set_encrypt_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_to_BN.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_to_BN.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_ENUMERATED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_INTEGER_get.3" "$(DESTDIR)$(mandir)/man3/i2a_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_OBJECT_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_OBJECT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_TABLE_add.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_TABLE_add.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_get0_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_length_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_to_UTF8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_length.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_new.3" "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_print_ex.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_print_ex.3" "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print_ex_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_STRING_print_ex.3" "$(DESTDIR)$(mandir)/man3/ASN1_tag2str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_to_generalizedtime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_cmp_time_t.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TIME_set.3" "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_TYPE_get.3" "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_generate_nconf.3" "$(DESTDIR)$(mandir)/man3/ASN1_generate_v3.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_d2i.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_item_new.3" "$(DESTDIR)$(mandir)/man3/ASN1_item_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_put_object.3" "$(DESTDIR)$(mandir)/man3/ASN1_put_eoc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_time_parse.3" "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_tm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ASN1_time_parse.3" "$(DESTDIR)$(mandir)/man3/ASN1_time_tm_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "AUTHORITY_KEYID_new.3" "$(DESTDIR)$(mandir)/man3/AUTHORITY_KEYID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BASIC_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/BASIC_CONSTRAINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_ecb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BF_set_key.3" "$(DESTDIR)$(mandir)/man3/BF_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_pending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_wpending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_eof.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_flush.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_close.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_int_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_pending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_ptr_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_seek.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_close.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_tell.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/BIO_wpending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_ctrl.3" "$(DESTDIR)$(mandir)/man3/bio_info_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_get_buffer_num_lines.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_read_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_read_buffer_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_buffer.3" "$(DESTDIR)$(mandir)/man3/BIO_set_write_buffer_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_cipher.3" "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_cipher.3" "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_cipher.3" "$(DESTDIR)$(mandir)/man3/BIO_set_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_md.3" "$(DESTDIR)$(mandir)/man3/BIO_get_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_md.3" "$(DESTDIR)$(mandir)/man3/BIO_get_md_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_md.3" "$(DESTDIR)$(mandir)/man3/BIO_set_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_do_handshake.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_num_renegotiates.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_get_ssl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_new_buffer_ssl_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_new_ssl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_new_ssl_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_bytes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_ssl_copy_session_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_f_ssl.3" "$(DESTDIR)$(mandir)/man3/BIO_ssl_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_find_type.3" "$(DESTDIR)$(mandir)/man3/BIO_method_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_find_type.3" "$(DESTDIR)$(mandir)/man3/BIO_next.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_get_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_set_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_data.3" "$(DESTDIR)$(mandir)/man3/BIO_set_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/BIO_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/BIO_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDH_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ECDSA_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/TYPE_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/UI_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/UI_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/UI_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_get_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_destroy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_gets.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_puts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_get_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_destroy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_gets.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_puts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_meth_new.3" "$(DESTDIR)$(mandir)/man3/BIO_meth_set_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_free_all.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_new.3" "$(DESTDIR)$(mandir)/man3/BIO_vfree.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_printf.3" "$(DESTDIR)$(mandir)/man3/BIO_snprintf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_printf.3" "$(DESTDIR)$(mandir)/man3/BIO_vprintf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_printf.3" "$(DESTDIR)$(mandir)/man3/BIO_vsnprintf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_push.3" "$(DESTDIR)$(mandir)/man3/BIO_pop.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_read.3" "$(DESTDIR)$(mandir)/man3/BIO_gets.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_read.3" "$(DESTDIR)$(mandir)/man3/BIO_puts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_read.3" "$(DESTDIR)$(mandir)/man3/BIO_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_do_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_get_accept_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_get_bind_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_new_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_accept_bios.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_accept_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_bind_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_accept.3" "$(DESTDIR)$(mandir)/man3/BIO_set_nbio_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_read_request.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_write_guarantee.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_ctrl_reset_read_request.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_destroy_bio_pair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_get_read_request.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_get_write_buf_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_get_write_guarantee.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_make_bio_pair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_new_bio_pair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_set_write_buf_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_bio.3" "$(DESTDIR)$(mandir)/man3/BIO_shutdown_wr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_do_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_hostname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_int_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_get_conn_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_new_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_hostname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_int_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_conn_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_connect.3" "$(DESTDIR)$(mandir)/man3/BIO_set_nbio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_fd.3" "$(DESTDIR)$(mandir)/man3/BIO_get_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_fd.3" "$(DESTDIR)$(mandir)/man3/BIO_new_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_fd.3" "$(DESTDIR)$(mandir)/man3/BIO_set_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_append_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_get_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_new_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_new_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_read_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_rw_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_set_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_file.3" "$(DESTDIR)$(mandir)/man3/BIO_write_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_get_mem_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_get_mem_ptr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_new_mem_buf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_set_mem_buf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_mem.3" "$(DESTDIR)$(mandir)/man3/BIO_set_mem_eof_return.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_s_socket.3" "$(DESTDIR)$(mandir)/man3/BIO_new_socket.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_callback_fn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_debug_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_get_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_get_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_set_callback.3" "$(DESTDIR)$(mandir)/man3/BIO_set_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_get_retry_BIO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_get_retry_reason.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_retry_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_should_io_special.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_should_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BIO_should_retry.3" "$(DESTDIR)$(mandir)/man3/BIO_should_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_create_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_thread_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_thread_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_thread_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_BLINDING_new.3" "$(DESTDIR)$(mandir)/man3/BN_BLINDING_update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_CTX_new.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_CTX_new.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_CTX_start.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_end.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_CTX_start.3" "$(DESTDIR)$(mandir)/man3/BN_CTX_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_div.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_gcd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_add.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_sqr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mod_sub.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_nnmod.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_sqr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add.3" "$(DESTDIR)$(mandir)/man3/BN_sub.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_div_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_mod_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_mul_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_add_word.3" "$(DESTDIR)$(mandir)/man3/BN_sub_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_asc2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bin2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bn2dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bn2hex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_bn2mpi.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_dec2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_hex2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_mpi2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_bn2bin.3" "$(DESTDIR)$(mandir)/man3/BN_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_odd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_one.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_is_zero.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_cmp.3" "$(DESTDIR)$(mandir)/man3/BN_ucmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_copy.3" "$(DESTDIR)$(mandir)/man3/BN_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_copy.3" "$(DESTDIR)$(mandir)/man3/BN_with_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_call.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_get_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_GENCB_set_old.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_generate_prime_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_generate_prime.3" "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_192.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_224.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_256.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_get0_nist_prime_521.3" "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_384.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_from_montgomery.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_montgomery.3" "$(DESTDIR)$(mandir)/man3/BN_to_montgomery.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_mod_mul_reciprocal.3" "$(DESTDIR)$(mandir)/man3/BN_div_recp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_clear.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_clear_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_new.3" "$(DESTDIR)$(mandir)/man3/BN_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_num_bytes.3" "$(DESTDIR)$(mandir)/man3/BN_num_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_num_bytes.3" "$(DESTDIR)$(mandir)/man3/BN_num_bits_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_rand.3" "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_rand.3" "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand_range.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_rand.3" "$(DESTDIR)$(mandir)/man3/BN_rand_range.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_clear_bit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_is_bit_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_lshift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_lshift1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_mask_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_rshift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_bit.3" "$(DESTDIR)$(mandir)/man3/BN_rshift1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_flags.3" "$(DESTDIR)$(mandir)/man3/BN_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_set_negative.3" "$(DESTDIR)$(mandir)/man3/BN_is_negative.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_get_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_one.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_set_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BN_zero.3" "$(DESTDIR)$(mandir)/man3/BN_value_one.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow_clean.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_reverse.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "BUF_MEM_new.3" "$(DESTDIR)$(mandir)/man3/BUF_strdup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_get0_cipher_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMAC_Init.3" "$(DESTDIR)$(mandir)/man3/CMAC_resume.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_print_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_ContentInfo_new.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add0_crl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add1_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add1_crl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_get1_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add0_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_get1_crls.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add1_recipient_cert.3" "$(DESTDIR)$(mandir)/man3/CMS_add0_recipient_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_add1_signer.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_decrypt.3" "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_decrypt.3" "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_pkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_get0_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_id_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_cert_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_get0_signer_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_pkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_RecipientInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_cert_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signature.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signer_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_SignerInfos.3" "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_set1_signer_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_type.3" "$(DESTDIR)$(mandir)/man3/CMS_get0_content.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_type.3" "$(DESTDIR)$(mandir)/man3/CMS_get0_eContentType.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get0_type.3" "$(DESTDIR)$(mandir)/man3/CMS_set1_eContentType.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get1_ReceiptRequest.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_create0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get1_ReceiptRequest.3" "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_get0_values.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_get1_ReceiptRequest.3" "$(DESTDIR)$(mandir)/man3/CMS_add1_ReceiptRequest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CMS_verify.3" "$(DESTDIR)$(mandir)/man3/CMS_get0_signers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CONF_modules_free.3" "$(DESTDIR)$(mandir)/man3/CONF_modules_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CONF_modules_free.3" "$(DESTDIR)$(mandir)/man3/CONF_modules_unload.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CONF_modules_load_file.3" "$(DESTDIR)$(mandir)/man3/CONF_modules_load.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_MEM_LEAK_CB.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_get_mem_functions.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_set_mem_functions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cpy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_current.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_hash.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_add.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_r_lock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_r_unlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_w_lock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_lock.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_w_unlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_free_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "CRYPTO_set_ex_data.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_new_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_chacha_20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_hchacha_20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_xchacha_20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/ChaCha_set_iv.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ChaCha.3" "$(DESTDIR)$(mandir)/man3/ChaCha_set_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cbc_cksum.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_cfb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_crypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ecb2_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ecb3_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ecb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede2_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede2_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede2_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_cbcm_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ede3_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_enc_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_enc_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_fcrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_is_weak_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_key_sched.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ncbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_ofb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_pcbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_quad_cksum.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_random_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_set_key_checked.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_set_key_unchecked.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_set_odd_parity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_string_to_2keys.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_string_to_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DES_set_key.3" "$(DESTDIR)$(mandir)/man3/DES_xcbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_generate_key.3" "$(DESTDIR)$(mandir)/man3/DH_compute_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_generate_parameters.3" "$(DESTDIR)$(mandir)/man3/DH_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_generate_parameters.3" "$(DESTDIR)$(mandir)/man3/DH_generate_parameters_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_get0_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_get0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set0_pqg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_set_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DH_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DH_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DH_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_new.3" "$(DESTDIR)$(mandir)/man3/DH_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_new.3" "$(DESTDIR)$(mandir)/man3/DH_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_set_method.3" "$(DESTDIR)$(mandir)/man3/DH_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DH_size.3" "$(DESTDIR)$(mandir)/man3/DH_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/DIST_POINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DIST_POINT_new.3" "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/DSA_SIG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/DSA_SIG_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/DSA_SIG_set0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_do_sign.3" "$(DESTDIR)$(mandir)/man3/DSA_do_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_generate_parameters.3" "$(DESTDIR)$(mandir)/man3/DSA_generate_parameters_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_get0_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_get0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_set0_pqg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get0_pqg.3" "$(DESTDIR)$(mandir)/man3/DSA_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DSA_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/DSA_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_set_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/DSA_meth_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_new.3" "$(DESTDIR)$(mandir)/man3/DSA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_new.3" "$(DESTDIR)$(mandir)/man3/DSA_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_set_method.3" "$(DESTDIR)$(mandir)/man3/DSA_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_sign.3" "$(DESTDIR)$(mandir)/man3/DSA_sign_setup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "DSA_sign.3" "$(DESTDIR)$(mandir)/man3/DSA_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDH_compute_key.3" "$(DESTDIR)$(mandir)/man3/ECDH_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_set0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_do_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_set_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_sign_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_sign_setup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/ECDSA_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/d2i_ECDSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ECDSA_SIG_new.3" "$(DESTDIR)$(mandir)/man3/i2d_ECDSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GF2m_simple_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_mont_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nist_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp224_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp256_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp521_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GFp_simple_method.3" "$(DESTDIR)$(mandir)/man3/EC_METHOD_get_field_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_check_discriminant.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_generator.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_seed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_asn1_flag.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_basis_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_cofactor.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_degree.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_order.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_pentanomial_basis.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_point_conversion_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_seed_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_trinomial_basis.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_method_of.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_asn1_flag.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_generator.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_point_conversion_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_copy.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_seed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_clear_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_by_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_GROUP_new.3" "$(DESTDIR)$(mandir)/man3/EC_get_builtin_curves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_compute_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_compute_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_METHOD_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_check_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_generate_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_group.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_public_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_conv_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_enc_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_get_key_method_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_insert_key_method_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_new_by_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_precompute_mult.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_asn1_flag.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_conv_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_enc_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_group.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key_affine_coordinates.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_KEY_new.3" "$(DESTDIR)$(mandir)/man3/EC_KEY_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_have_precompute_mult.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_GROUP_precompute_mult.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_dbl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_invert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_is_at_infinity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_is_on_curve.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_make_affine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINTs_make_affine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_add.3" "$(DESTDIR)$(mandir)/man3/EC_POINTs_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_bn2point.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_clear_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_get_Jprojective_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_hex2point.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_method_of.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_oct2point.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_point2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_point2hex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_point2oct.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_Jprojective_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EC_POINT_new.3" "$(DESTDIR)$(mandir)/man3/EC_POINT_set_to_infinity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_by_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_first.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_last.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_next.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_prev.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_remove.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_add.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_CTRL_FUNC_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_cmd_is_executable.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_cmd_defns.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ctrl_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_cmd_defns.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_ctrl.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ctrl_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_table_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_get_default_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_table_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_finish_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_init_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_finish_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_init.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_init_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_destroy_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_destroy_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_new.3" "$(DESTDIR)$(mandir)/man3/ENGINE_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_complete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_load_builtin_engines.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_load_dynamic.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_complete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_register_all_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_CIPHERS_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_DIGESTS_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_default.3" "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_set_flags.3" "$(DESTDIR)$(mandir)/man3/ENGINE_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ENGINE_unregister_RSA.3" "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_GET_LIB.3" "$(DESTDIR)$(mandir)/man3/ERR_FATAL_ERROR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_GET_LIB.3" "$(DESTDIR)$(mandir)/man3/ERR_GET_FUNC.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_GET_LIB.3" "$(DESTDIR)$(mandir)/man3/ERR_GET_REASON.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_error_string_n.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_func_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_lib_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_error_string.3" "$(DESTDIR)$(mandir)/man3/ERR_reason_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_get_error_line.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_get_error_line_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_get_error.3" "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_load_crypto_strings.3" "$(DESTDIR)$(mandir)/man3/ERR_free_strings.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_load_crypto_strings.3" "$(DESTDIR)$(mandir)/man3/SSL_load_error_strings.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_load_strings.3" "$(DESTDIR)$(mandir)/man3/ERR_PACK.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_load_strings.3" "$(DESTDIR)$(mandir)/man3/ERR_get_next_error_library.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_print_errors.3" "$(DESTDIR)$(mandir)/man3/ERR_print_errors_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_print_errors.3" "$(DESTDIR)$(mandir)/man3/ERR_print_errors_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_put_error.3" "$(DESTDIR)$(mandir)/man3/ERR_add_error_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_put_error.3" "$(DESTDIR)$(mandir)/man3/ERR_add_error_vdata.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_remove_state.3" "$(DESTDIR)$(mandir)/man3/ERR_remove_thread_state.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ERR_set_mark.3" "$(DESTDIR)$(mandir)/man3/ERR_pop_to_mark.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "ESS_SIGNING_CERT_new.3" "$(DESTDIR)$(mandir)/man3/ESS_SIGNING_CERT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_open.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_seal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_overhead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_tag_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_AEAD_nonce_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_128_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_256_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_chacha20_poly1305.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_AEAD_CTX_init.3" "$(DESTDIR)$(mandir)/man3/EVP_aead_xchacha20_poly1305.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_Digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MAX_MD_SIZE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_destroy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_pkey_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_MD_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_dss.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_dss1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_digestbynid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyobj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_md5.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_md5_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_md_null.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_ripemd160.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha224.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha256.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha384.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestInit.3" "$(DESTDIR)$(mandir)/man3/EVP_sha512.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestSignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestSignFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestSignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestSignUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestVerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_DigestVerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeBlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeInit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecodeUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncodeBlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncodeFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncodeInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncodeUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_iv.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_iv_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_rand_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_iv.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_padding.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_asn1_to_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_iv_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_param_to_asn1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_Cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherInit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_CipherUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_DecryptUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_EncryptUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_bf_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_cast5_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_chacha20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_enc_null.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbynid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyobj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_idea_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_40_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_64_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_EncryptInit.3" "$(DESTDIR)$(mandir)/man3/EVP_rc2_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_OpenInit.3" "$(DESTDIR)$(mandir)/man3/EVP_OpenFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_OpenInit.3" "$(DESTDIR)$(mandir)/man3/EVP_OpenUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_ctrl_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_ecdh_kdf_ukm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_cofactor_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_outlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_signature_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_ecdh_kdf_ukm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set1_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_generator.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_prime_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dsa_paramgen_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_param_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_cofactor_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_outlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_signature_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_CTX_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_new_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0_info.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_get_count.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_asn1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add_alias.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_private.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_asn1_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_public.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_cmp.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_cmp_parameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_cmp.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_copy_parameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_cmp.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_missing_parameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_decrypt.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_decrypt_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_derive.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_derive.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_set_peer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_encrypt.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_encrypt_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_keygen_info.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_gen_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_keygen_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_keygen.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_add0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_derive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_paramgen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_signctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_CMAC_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_print_private.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_print_private.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_public.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_GOST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_base_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_hmac.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_set1_RSA.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_sign.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_sign_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_verify.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_PKEY_verify_recover.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_recover_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SealInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SealFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SealInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SealUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SignFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SignInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_SignInit.3" "$(DESTDIR)$(mandir)/man3/EVP_SignUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_VerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_VerifyFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_VerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_VerifyInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_VerifyInit.3" "$(DESTDIR)$(mandir)/man3/EVP_VerifyUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cbc_hmac_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ccm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_wrap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_128_xts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ccm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_192_wrap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc_hmac_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ccm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_wrap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_aes_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_aes_256_xts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_camellia_128_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_des_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_des_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_desx_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_rc4.3" "$(DESTDIR)$(mandir)/man3/EVP_rc4_40.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_rc4.3" "$(DESTDIR)$(mandir)/man3/EVP_rc4_hmac_md5.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EVP_sm4_cbc.3" "$(DESTDIR)$(mandir)/man3/EVP_sm4_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "EXTENDED_KEY_USAGE_new.3" "$(DESTDIR)$(mandir)/man3/EXTENDED_KEY_USAGE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_NAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/OTHERNAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "GENERAL_NAME_new.3" "$(DESTDIR)$(mandir)/man3/OTHERNAME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_get_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_CTX_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Init_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "HMAC.3" "$(DESTDIR)$(mandir)/man3/HMAC_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD4_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD5_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD5_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "MD5.3" "$(DESTDIR)$(mandir)/man3/MD5_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "NAME_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "NAME_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "NAME_CONSTRAINTS_new.3" "$(DESTDIR)$(mandir)/man3/NAME_CONSTRAINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_ln2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_nid2ln.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_nid2sn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_obj2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_obj2txt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_sn2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_txt2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/OBJ_txt2obj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OBJ_nid2obj.3" "$(DESTDIR)$(mandir)/man3/i2t_ASN1_OBJECT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_CRLID_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_CRLID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQUEST_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_add0_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_add1_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_REQUEST_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_request_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_SERVICELOC_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_SERVICELOC_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_SERVICELOC_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_url_svcloc_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_cert_id_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_id_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_id_get0_info.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_cert_to_id.3" "$(DESTDIR)$(mandir)/man3/OCSP_id_issuer_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_request_add1_nonce.3" "$(DESTDIR)$(mandir)/man3/OCSP_basic_add1_nonce.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_request_add1_nonce.3" "$(DESTDIR)$(mandir)/man3/OCSP_check_nonce.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_request_add1_nonce.3" "$(DESTDIR)$(mandir)/man3/OCSP_copy_nonce.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_get0_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_basic_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_cert_status_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_check_validity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_resp_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_resp_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_resp_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_resp_find_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_single_get0_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_basic_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_response_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_response_get1_basic.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_response_status.3" "$(DESTDIR)$(mandir)/man3/OCSP_response_status_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_add1_header.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_set1_req.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_parse_url.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OCSP_sendreq_new.3" "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_nbio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_NUMBER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_TEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_VERSION_TEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_version_num.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/SSLeay.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_VERSION_NUMBER.3" "$(DESTDIR)$(mandir)/man3/SSLeay_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_config.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_no_config.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_init_crypto.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_load_builtin_modules.3" "$(DESTDIR)$(mandir)/man3/ASN1_add_oid_module.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_load_builtin_modules.3" "$(DESTDIR)$(mandir)/man3/ENGINE_add_conf_module.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_malloc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_realloc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_strdup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_realloc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_malloc.3" "$(DESTDIR)$(mandir)/man3/OPENSSL_strdup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_delete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_delete_ptr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_find_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_insert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_is_sorted.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_new_null.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_num.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_pop.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_pop_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_push.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_set_cmp_func.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_shift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_sort.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_unshift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_value.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OPENSSL_sk_new.3" "$(DESTDIR)$(mandir)/man3/sk_zero.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/EVP_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "OpenSSL_add_all_algorithms.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_ASN1_read.3" "$(DESTDIR)$(mandir)/man3/PEM_ASN1_read_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_ASN1_read.3" "$(DESTDIR)$(mandir)/man3/d2i_of_void.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_X509_INFO_read.3" "$(DESTDIR)$(mandir)/man3/PEM_X509_INFO_read_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_def_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_do_header.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_get_EVP_CIPHER_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read.3" "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_write_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ_NEW.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PEM_read_bio_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ_NEW.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS12_SAFEBAG_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_SAFEBAG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS12_new.3" "$(DESTDIR)$(mandir)/man3/PKCS12_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS5_PBKDF2_HMAC.3" "$(DESTDIR)$(mandir)/man3/PKCS5_PBKDF2_HMAC_SHA1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add0_attrib_signing_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add1_attrib_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_content_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_smimecap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_add_signed_attribute.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get_attribute.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get_signed_attribute.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_set_attributes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_add_attribute.3" "$(DESTDIR)$(mandir)/man3/PKCS7_set_signed_attributes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_new.3" "$(DESTDIR)$(mandir)/man3/PKCS7_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_set_content.3" "$(DESTDIR)$(mandir)/man3/PKCS7_content_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_set_type.3" "$(DESTDIR)$(mandir)/man3/PKCS7_set0_type_other.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS7_verify.3" "$(DESTDIR)$(mandir)/man3/PKCS7_get0_signers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKCS8_PRIV_KEY_INFO_new.3" "$(DESTDIR)$(mandir)/man3/PKCS8_PRIV_KEY_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PKEY_USAGE_PERIOD_new.3" "$(DESTDIR)$(mandir)/man3/PKEY_USAGE_PERIOD_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/NOTICEREF_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/NOTICEREF_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICYINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/USERNOTICE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "POLICYINFO_new.3" "$(DESTDIR)$(mandir)/man3/USERNOTICE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PROXY_POLICY_new.3" "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PROXY_POLICY_new.3" "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "PROXY_POLICY_new.3" "$(DESTDIR)$(mandir)/man3/PROXY_POLICY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_poll.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_seed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_add.3" "$(DESTDIR)$(mandir)/man3/RAND_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_bytes.3" "$(DESTDIR)$(mandir)/man3/RAND_pseudo_bytes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_load_file.3" "$(DESTDIR)$(mandir)/man3/RAND_file_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_load_file.3" "$(DESTDIR)$(mandir)/man3/RAND_write_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_set_rand_method.3" "$(DESTDIR)$(mandir)/man3/RAND_SSLeay.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RAND_set_rand_method.3" "$(DESTDIR)$(mandir)/man3/RAND_get_rand_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RC4.3" "$(DESTDIR)$(mandir)/man3/RC4_set_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RIPEMD160.3" "$(DESTDIR)$(mandir)/man3/RIPEMD160_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RIPEMD160.3" "$(DESTDIR)$(mandir)/man3/RIPEMD160_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RIPEMD160.3" "$(DESTDIR)$(mandir)/man3/RIPEMD160_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_PSS_PARAMS_new.3" "$(DESTDIR)$(mandir)/man3/RSA_PSS_PARAMS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_blinding_on.3" "$(DESTDIR)$(mandir)/man3/RSA_blinding_off.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_generate_key.3" "$(DESTDIR)$(mandir)/man3/RSA_generate_key_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_get0_crt_params.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_get0_factors.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set0_crt_params.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set0_factors.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get0_key.3" "$(DESTDIR)$(mandir)/man3/RSA_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/RSA_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/RSA_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_bn_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_get_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set0_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set1_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_bn_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_meth_new.3" "$(DESTDIR)$(mandir)/man3/RSA_meth_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSAPrivateKey_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSAPublicKey_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_new.3" "$(DESTDIR)$(mandir)/man3/RSA_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_OAEP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_type_2.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_add_none.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_OAEP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_2.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_padding_add_PKCS1_type_1.3" "$(DESTDIR)$(mandir)/man3/RSA_padding_check_none.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_rsa_oaep_label.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_oaep_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_rsa_oaep_label.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_oaep_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_pkey_ctx_ctrl.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DHparams_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DHparams_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSA_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSA_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSAparams_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/DSAparams_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_print.3" "$(DESTDIR)$(mandir)/man3/RSA_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_private_encrypt.3" "$(DESTDIR)$(mandir)/man3/RSA_public_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_public_encrypt.3" "$(DESTDIR)$(mandir)/man3/RSA_private_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_PKCS1_SSLeay.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_get_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_set_method.3" "$(DESTDIR)$(mandir)/man3/RSA_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_sign.3" "$(DESTDIR)$(mandir)/man3/RSA_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_sign_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/RSA_verify_ASN1_OCTET_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "RSA_size.3" "$(DESTDIR)$(mandir)/man3/RSA_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA1_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA1_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA1_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA224_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA256_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA384_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SHA1.3" "$(DESTDIR)$(mandir)/man3/SHA512_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_description.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_auth_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_cipher_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_digest_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_kx_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CIPHER_get_name.3" "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_is_aead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_COMP_add_compression_method.3" "$(DESTDIR)$(mandir)/man3/SSL_COMP_get_compression_methods.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_add0_chain_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set0_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_add0_chain_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_add1_chain_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_set0_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add1_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_extra_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add_extra_chain_cert.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs_only.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_add_session.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_remove_session.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_ctrl.3" "$(DESTDIR)$(mandir)/man3/SSL_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_verify_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_get_verify_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_verify_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_load_verify_locations.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_verify_paths.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLS_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_2_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_2_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_2_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/DTLSv1_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSLv23_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSLv23_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/SSLv23_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLS_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLS_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLS_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_1_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_1_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_1_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_2_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_2_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_2_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_new.3" "$(DESTDIR)$(mandir)/man3/TLSv1_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_good.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_renegotiate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cache_full.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cb_hits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_good.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_renegotiate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_hits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_misses.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_number.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_timeouts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_cache_size.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_cache_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_get_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_new_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_remove_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_new_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_remove_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/get_session_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/new_session_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_sess_set_get_cb.3" "$(DESTDIR)$(mandir)/man3/remove_session_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_groups_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_curves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_curves_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_groups.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set1_groups.3" "$(DESTDIR)$(mandir)/man3/SSL_set1_groups_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_alpn_protos.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_alpn_selected.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_select_next_proto.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_alpn_select_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_set_alpn_protos.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_cert_store.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_cert_store.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_cipher_list.3" "$(DESTDIR)$(mandir)/man3/SSL_set_cipher_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_add_client_CA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_add_client_CA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_set_client_CA_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_client_cert_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_cert_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_client_cert_cb.3" "$(DESTDIR)$(mandir)/man3/client_cert_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb_userdata.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_passwd_cb_userdata.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_default_passwd_cb.3" "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_generate_session_id.3" "$(DESTDIR)$(mandir)/man3/GEN_SESSION_CB.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_generate_session_id.3" "$(DESTDIR)$(mandir)/man3/SSL_has_matching_session_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_generate_session_id.3" "$(DESTDIR)$(mandir)/man3/SSL_set_generate_session_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_info_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_info_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_get_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_info_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_max_cert_list.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_cert_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_max_cert_list.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_cert_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_max_cert_list.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_cert_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_min_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_get_min_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_min_proto_version.3" "$(DESTDIR)$(mandir)/man3/SSL_set_min_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_get_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_set_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_msg_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_msg_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_msg_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_msg_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_get_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_get_secure_renegotiation_support.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_options.3" "$(DESTDIR)$(mandir)/man3/SSL_set_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_quiet_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_quiet_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_quiet_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_get_quiet_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_quiet_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_set_quiet_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_get_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_read_ahead.3" "$(DESTDIR)$(mandir)/man3/SSL_set_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_session_cache_mode.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_session_cache_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_session_id_context.3" "$(DESTDIR)$(mandir)/man3/SSL_set_session_id_context.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_ssl_version.3" "$(DESTDIR)$(mandir)/man3/SSL_get_ssl_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_ssl_version.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ssl_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_timeout.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_servername_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_get_servername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_get_servername_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_servername_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_host_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_status_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_get_tlsext_status_ocsp_resp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_ocsp_resp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_status_cb.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_use_srtp.3" "$(DESTDIR)$(mandir)/man3/SSL_get_selected_srtp_profile.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_use_srtp.3" "$(DESTDIR)$(mandir)/man3/SSL_get_srtp_profiles.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tlsext_use_srtp.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_use_srtp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_dh_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_dh.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_dh_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_dh_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_need_tmp_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_rsa.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_need_tmp_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_tmp_rsa_callback.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/SSL_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/SSL_set_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_set_verify.3" "$(DESTDIR)$(mandir)/man3/verify_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_check_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_check_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_chain_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_free.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_id.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set1_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_get_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_get_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_set_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_set_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_has_ticket.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ticket_lifetime_hint.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_print.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_SESSION_set1_id_context.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get0_id_context.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_type_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_get_privatekey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_get1_supported_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_ciphers.3" "$(DESTDIR)$(mandir)/man3/SSL_get_client_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_client_CA_list.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_CA_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_client_random.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_master_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_client_random.3" "$(DESTDIR)$(mandir)/man3/SSL_get_server_random.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_current_cipher.3" "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_finished.3" "$(DESTDIR)$(mandir)/man3/SSL_get_peer_finished.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_rbio.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_accept_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_before.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_connect_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_in_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_is_init_finished.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_state.3" "$(DESTDIR)$(mandir)/man3/SSL_state.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_version.3" "$(DESTDIR)$(mandir)/man3/SSL_is_dtls.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_get_version.3" "$(DESTDIR)$(mandir)/man3/SSL_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_library_init.3" "$(DESTDIR)$(mandir)/man3/OpenSSL_add_ssl_algorithms.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_library_init.3" "$(DESTDIR)$(mandir)/man3/SSLeay_add_ssl_algorithms.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_load_client_CA_file.3" "$(DESTDIR)$(mandir)/man3/SSL_add_dir_cert_subjects_to_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_load_client_CA_file.3" "$(DESTDIR)$(mandir)/man3/SSL_add_file_cert_subjects_to_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_new.3" "$(DESTDIR)$(mandir)/man3/SSL_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read.3" "$(DESTDIR)$(mandir)/man3/SSL_peek.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_get_early_data_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_write_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_rstate_string.3" "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set1_host.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_peername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set1_host.3" "$(DESTDIR)$(mandir)/man3/SSL_set_hostflags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_connect_state.3" "$(DESTDIR)$(mandir)/man3/SSL_is_server.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_connect_state.3" "$(DESTDIR)$(mandir)/man3/SSL_set_accept_state.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_set_rfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_set_wfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_max_send_fragment.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_send_fragment.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_shutdown.3" "$(DESTDIR)$(mandir)/man3/SSL_get_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ecdh_auto.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ecdh_auto.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_set_tmp_ecdh.3" "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_ecdh_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_state_string.3" "$(DESTDIR)$(mandir)/man3/SSL_state_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_nothing.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SSL_want.3" "$(DESTDIR)$(mandir)/man3/SSL_want_x509_lookup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/SXNETID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/SXNETID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/SXNET_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/d2i_SXNET.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/d2i_SXNETID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/i2d_SXNET.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "SXNET_new.3" "$(DESTDIR)$(mandir)/man3/i2d_SXNETID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_REQ_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_RESP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_RESP_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "TS_REQ_new.3" "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_UTIL_read_pw.3" "$(DESTDIR)$(mandir)/man3/UI_UTIL_read_pw_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_destroy_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_closer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_flusher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_opener.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_prompt_constructor.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_reader.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_get_writer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_closer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_flusher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_opener.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_prompt_constructor.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_reader.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_create_method.3" "$(DESTDIR)$(mandir)/man3/UI_method_set_writer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_action_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_output_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_result_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get0_test_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get_input_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get_result_maxsize.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_get_result_minsize.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_get_string_type.3" "$(DESTDIR)$(mandir)/man3/UI_set_result.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_info_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_input_boolean.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_input_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_user_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_add_verify_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_construct_prompt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_info_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_input_boolean.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_input_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_dup_verify_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get0_result.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get0_user_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_get_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_process.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "UI_new.3" "$(DESTDIR)$(mandir)/man3/UI_set_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X25519.3" "$(DESTDIR)$(mandir)/man3/X25519_keypair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509V3_EXT_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509V3_EXT_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509V3_add1_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_add1_ext_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_extensions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add1_ext_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_extensions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_add1_ext_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_get0_extensions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509V3_get_d2i.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ALGOR_dup.3" "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_ATTRIBUTE_new.3" "$(DESTDIR)$(mandir)/man3/X509_ATTRIBUTE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_CINF_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_VAL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CINF_new.3" "$(DESTDIR)$(mandir)/man3/X509_VAL_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_add0_revoked.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_by_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_REVOKED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_get0_by_serial.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_sort.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_CRL_new.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_object.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_EXTENSION_set_object.3" "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_INFO_new.3" "$(DESTDIR)$(mandir)/man3/X509_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_LOOKUP_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_load_cert_crl_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_load_cert_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_LOOKUP_hash_dir.3" "$(DESTDIR)$(mandir)/man3/X509_load_crl_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_txt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_get_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_ENTRY_get_object.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_object.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_add_entry_by_txt.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_delete_entry.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_entry_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_entry.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_index_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_get_index_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_new.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_print_ex.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_oneline.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_print_ex.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_NAME_print_ex.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_print_ex_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_free_contents.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get0_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_idx_by_subject.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_by_subject.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_match.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_OBJECT_get0_X509.3" "$(DESTDIR)$(mandir)/man3/X509_OBJECT_up_ref_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_PUBKEY_new.3" "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REQ_new.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REQ_new.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REQ_new.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_revocationDate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_revocationDate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_REVOKED_new.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_SIG_new.3" "$(DESTDIR)$(mandir)/man3/X509_SIG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get1_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_current_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_error_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_error.3" "$(DESTDIR)$(mandir)/man3/X509_verify_cert_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_store.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_untrusted.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_crls.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_trusted_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_untrusted.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_default.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_CTX_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_trusted_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_load_locations.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_default_paths.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_new.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_add_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_add_crl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_objects.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_purpose.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set1_param.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_trust.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_STORE_set_verify_cb_func.3" "$(DESTDIR)$(mandir)/man3/X509_STORE_set_verify_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_policy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_table.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add1_host.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_peername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_lookup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_email.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_host.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip_asc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_policies.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_hostflags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_purpose.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_trust.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_table_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_check_host.3" "$(DESTDIR)$(mandir)/man3/X509_check_email.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_check_host.3" "$(DESTDIR)$(mandir)/man3/X509_check_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_check_host.3" "$(DESTDIR)$(mandir)/man3/X509_check_ip_asc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_check_private_key.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_check_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_match.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_issuer_and_serial_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_issuer_name_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp.3" "$(DESTDIR)$(mandir)/man3/X509_subject_name_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp_time.3" "$(DESTDIR)$(mandir)/man3/X509_cmp_current_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp_time.3" "$(DESTDIR)$(mandir)/man3/X509_time_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_cmp_time.3" "$(DESTDIR)$(mandir)/man3/X509_time_adj_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_digest.3" "$(DESTDIR)$(mandir)/man3/X509_pubkey_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get0_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_get_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_getm_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_getm_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set1_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set1_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_notBefore.3" "$(DESTDIR)$(mandir)/man3/X509_set_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_signature.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_signature_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get0_signature.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_signature_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get0_tbs_sigalg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get_signature_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get0_signature.3" "$(DESTDIR)$(mandir)/man3/X509_get_signature_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get1_email.3" "$(DESTDIR)$(mandir)/man3/X509_email_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get1_email.3" "$(DESTDIR)$(mandir)/man3/X509_get1_ocsp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey_bitstr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_get_X509_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_pubkey.3" "$(DESTDIR)$(mandir)/man3/X509_set_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_serialNumber.3" "$(DESTDIR)$(mandir)/man3/X509_get0_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_serialNumber.3" "$(DESTDIR)$(mandir)/man3/X509_set_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_issuer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_issuer_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_subject_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_subject_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_get_issuer_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_set_issuer_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_subject_name.3" "$(DESTDIR)$(mandir)/man3/X509_set_subject_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_set_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_get_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_set_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_get_version.3" "$(DESTDIR)$(mandir)/man3/X509_set_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_chain_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_new.3" "$(DESTDIR)$(mandir)/man3/X509_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_sign_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_sign_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_REQ_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_sign_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509_sign.3" "$(DESTDIR)$(mandir)/man3/X509_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_add_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_check_top.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_cmp_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_div_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_expand.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_expand2.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_fix_top.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_add_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_comba4.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_comba8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_high.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_low_normal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_low_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_normal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_part_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_set_high.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_set_low.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_set_max.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_comba4.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_comba8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_normal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sub_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_wexpand.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/mul_add.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/sqr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_NULL.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_NULL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OBJECT.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OBJECT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BIT_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BMPSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_ENUMERATED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALIZEDTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_IA5STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_T61STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UINTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UNIVERSALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTCTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTF8STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_VISIBLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_DIRECTORYSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/d2i_DISPLAYTEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BIT_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BMPSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_ENUMERATED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALIZEDTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_IA5STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OCTET_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_T61STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UNIVERSALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTCTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTF8STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_VISIBLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_DIRECTORYSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_OCTET_STRING.3" "$(DESTDIR)$(mandir)/man3/i2d_DISPLAYTEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_SEQUENCE_ANY.3" "$(DESTDIR)$(mandir)/man3/d2i_ASN1_SET_ANY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_SEQUENCE_ANY.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SEQUENCE_ANY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ASN1_SEQUENCE_ANY.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SET_ANY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_AUTHORITY_KEYID.3" "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_KEYID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_BASIC_CONSTRAINTS.3" "$(DESTDIR)$(mandir)/man3/d2i_EXTENDED_KEY_USAGE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_BASIC_CONSTRAINTS.3" "$(DESTDIR)$(mandir)/man3/i2d_BASIC_CONSTRAINTS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_BASIC_CONSTRAINTS.3" "$(DESTDIR)$(mandir)/man3/i2d_EXTENDED_KEY_USAGE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/d2i_CMS_ReceiptRequest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/d2i_CMS_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/i2d_CMS_ContentInfo.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/i2d_CMS_ReceiptRequest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_CMS_ContentInfo.3" "$(DESTDIR)$(mandir)/man3/i2d_CMS_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DHparams.3" "$(DESTDIR)$(mandir)/man3/i2d_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_ACCESS_DESCRIPTION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_AUTHORITY_INFO_ACCESS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_CRL_DIST_POINTS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_DIST_POINT_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/d2i_ISSUING_DIST_POINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_ACCESS_DESCRIPTION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_INFO_ACCESS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_CRL_DIST_POINTS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DIST_POINT.3" "$(DESTDIR)$(mandir)/man3/i2d_ISSUING_DIST_POINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/DSAparams_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_DSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECPKParameters_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECPKParameters_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECParameters_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECParameters_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/ECParameters_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/i2o_ECPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ECPKParameters.3" "$(DESTDIR)$(mandir)/man3/o2i_ECPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/d2i_ESS_CERT_ID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/d2i_ESS_ISSUER_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/i2d_ESS_CERT_ID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/i2d_ESS_ISSUER_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_ESS_SIGNING_CERT.3" "$(DESTDIR)$(mandir)/man3/i2d_ESS_SIGNING_CERT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_EDIPARTYNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_GENERAL_NAMES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_OTHERNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_EDIPARTYNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAMES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_GENERAL_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_OTHERNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_ONEREQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REQINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SERVICELOC.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SIGNATURE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_ONEREQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQUEST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SERVICELOC.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_REQUEST.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SIGNATURE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_BASICRESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTSTATUS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CRLID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPBYTES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPDATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REVOKEDINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SINGLERESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_BASICRESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTSTATUS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CRLID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPBYTES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPDATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPONSE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REVOKEDINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_OCSP_RESPONSE.3" "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SINGLERESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_BAGS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_MAC_DATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_SAFEBAG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_BAGS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_MAC_DATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_SAFEBAG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS12.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_DIGEST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENCRYPT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENC_CONTENT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ISSUER_AND_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_RECIP_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNER_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGN_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_DIGEST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENCRYPT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENC_CONTENT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ISSUER_AND_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_NDEF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_RECIP_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNER_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGN_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS7.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8PrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8PrivateKey_bio.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKCS8_PRIV_KEY_INFO.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PKEY_USAGE_PERIOD.3" "$(DESTDIR)$(mandir)/man3/i2d_PKEY_USAGE_PERIOD.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_CERTIFICATEPOLICIES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_NOTICEREF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_POLICYQUALINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/d2i_USERNOTICE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_CERTIFICATEPOLICIES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_NOTICEREF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_POLICYINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_POLICYQUALINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_POLICYINFO.3" "$(DESTDIR)$(mandir)/man3/i2d_USERNOTICE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PROXY_POLICY.3" "$(DESTDIR)$(mandir)/man3/d2i_PROXY_CERT_INFO_EXTENSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PROXY_POLICY.3" "$(DESTDIR)$(mandir)/man3/i2d_PROXY_CERT_INFO_EXTENSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PROXY_POLICY.3" "$(DESTDIR)$(mandir)/man3/i2d_PROXY_POLICY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_AutoPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/d2i_PublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_PrivateKey.3" "$(DESTDIR)$(mandir)/man3/i2d_PublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_Netscape_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PSS_PARAMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_Netscape_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PSS_PARAMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_RSAPublicKey.3" "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_SSL_SESSION.3" "$(DESTDIR)$(mandir)/man3/i2d_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_ACCURACY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_STATUS_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_ACCURACY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_STATUS_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_TS_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CERT_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CINF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_VAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CERT_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CINF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_VAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_ALGOR.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_ALGOR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_ATTRIBUTE.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_ATTRIBUTE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REVOKED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_CRL.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REVOKED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_EXTENSION.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_EXTENSIONS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_EXTENSION.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_EXTENSION.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSIONS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_get0_der.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/X509_NAME_hash.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_NAME_ENTRY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_NAME.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME_ENTRY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_REQ.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "d2i_X509_SIG.3" "$(DESTDIR)$(mandir)/man3/i2d_X509_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string_min.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "des_read_pw.3" "$(DESTDIR)$(mandir)/man3/des_read_pw_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_1024.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_768.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_1536.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_2048.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_3072.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_4096.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_6144.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_8192.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_1024.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_768.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_1536.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_2048.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_3072.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_4096.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "get_rfc3526_prime_8192.3" "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_6144.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/DECLARE_LHASH_OF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_COMP_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_ARG_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/LHASH_HASH_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__delete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__doall.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__doall_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__insert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh__retrieve.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_delete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_doall.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_doall_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_insert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_new.3" "$(DESTDIR)$(mandir)/man3/lh_retrieve.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_stats.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_stats_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "lh_stats.3" "$(DESTDIR)$(mandir)/man3/lh_stats_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_accept_socket.3" "$(DESTDIR)$(mandir)/man3/tls_accept_cbs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_accept_socket.3" "$(DESTDIR)$(mandir)/man3/tls_accept_fds.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_configure.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_client.3" "$(DESTDIR)$(mandir)/man3/tls_server.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_parse_protocols.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_client.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_server.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_alpn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_dheparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_protocols.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ecdhecurves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_session_id.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_ticket_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_session_id.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_session_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_set_session_id.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_session_lifetime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifycert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifyname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_config_verify.3" "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifytime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_alpn_selected.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_cipher_strength.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_servername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_conn_session_resumed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_chain_pem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_contains_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_hash.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_issuer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notafter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notbefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_provided.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_conn_version.3" "$(DESTDIR)$(mandir)/man3/tls_peer_cert_subject.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_cbs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_fds.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_servername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_connect.3" "$(DESTDIR)$(mandir)/man3/tls_connect_socket.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_init.3" "$(DESTDIR)$(mandir)/man3/tls_config_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_init.3" "$(DESTDIR)$(mandir)/man3/tls_config_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_init.3" "$(DESTDIR)$(mandir)/man3/tls_config_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_clear_keys.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_path.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_key_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_key_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_set_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_verify_client.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_config_verify_client_optional.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_default_ca_cert_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_load_file.3" "$(DESTDIR)$(mandir)/man3/tls_unload_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_cert_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_crl_reason.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_next_update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_response_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_result.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_revocation_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_this_update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_ocsp_process_response.3" "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_url.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_close.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_handshake.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_intermediates.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_chains.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_signatures.3" +@ENABLE_LIBTLS_ONLY_FALSE@ ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_purpose.3" -uninstall-local: - -rm -f "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AES_cbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AES_decrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AES_set_decrypt_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AES_set_encrypt_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_get.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_to_BN.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_to_BN.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_ENUMERATED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_INTEGER.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2a_ASN1_INTEGER.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OBJECT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_get.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_get0_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_length_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_to_UTF8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print_ex_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_tag2str.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_adj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_check.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_adj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_check.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_to_generalizedtime.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_adj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_check.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_cmp_time_t.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_generate_v3.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TYPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TYPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_put_eoc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_tm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_time_tm_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/AUTHORITY_KEYID_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BASIC_CONSTRAINTS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_cbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_cfb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_decrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_ecb_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_ofb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BF_options.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_callback_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_pending.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_wpending.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_eof.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_flush.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_close.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_info_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_int_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_pending.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ptr_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_reset.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_seek.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_close.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_info_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_tell.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_wpending.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bio_info_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_buffer_num_lines.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_read_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_read_buffer_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_write_buffer_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_ctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_status.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_cipher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_md_ctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_do_handshake.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_num_renegotiates.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_ssl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_buffer_ssl_connect.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_ssl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_ssl_connect.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_bytes.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_timeout.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ssl_copy_session_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ssl_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_method_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_next.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TYPE_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_callback_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_create.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_destroy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_gets.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_puts.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_read.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_callback_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_create.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_destroy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_gets.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_puts.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_read.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_free_all.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_vfree.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_snprintf.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_vprintf.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_vsnprintf.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_pop.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_gets.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_puts.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_do_accept.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_accept_port.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_bind_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_accept.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_accept_bios.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_accept_port.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_bind_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_nbio_accept.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_read_request.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_write_guarantee.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_reset_read_request.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_destroy_bio_pair.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_read_request.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_write_buf_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_write_guarantee.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_make_bio_pair.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_bio_pair.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_write_buf_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_shutdown_wr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_do_connect.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_hostname.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_int_port.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_ip.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_port.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_connect.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_hostname.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_int_port.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_ip.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_port.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_nbio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_fd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_fd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_fd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_append_filename.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_read_filename.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_rw_filename.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_write_filename.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_mem_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_mem_ptr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_mem_buf.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_mem_buf.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_mem_eof_return.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_socket.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_callback_fn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_debug_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_callback_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_callback_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_retry_BIO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_retry_reason.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_retry_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_should_io_special.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_should_read.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BIO_should_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_create_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_thread_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_thread_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_thread_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_end.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_get.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_div.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_exp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_gcd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_add.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_exp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_mul.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_sqr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_sub.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mul.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_nnmod.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_sqr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_sub.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_div_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mul_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_sub_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_asc2bn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_bin2bn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_bn2dec.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_bn2hex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_bn2mpi.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_dec2bn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_hex2bn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mpi2bn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_odd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_one.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_zero.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_ucmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_with_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_call.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_get_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_set_old.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_generate_prime_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_192.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_224.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_256.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_384.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_from_montgomery.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_to_montgomery.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_div_recp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_clear.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_clear_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_num_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_num_bits_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand_range.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_rand_range.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_clear_bit.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_bit_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_lshift.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_lshift1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_mask_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_rshift.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_rshift1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_negative.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_one.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_set_word.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_value_one.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow_clean.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BUF_reverse.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BUF_strdup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_print_ctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add0_crl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add1_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add1_crl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get1_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get1_crls.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add0_recipient_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_pkey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_decrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_get0_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_id_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_cert_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_get0_signer_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_pkey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_cert_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signature.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signer_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_set1_signer_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get0_content.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get0_eContentType.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_set1_eContentType.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_create0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_get0_values.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add1_ReceiptRequest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get0_signers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CONF_modules_finish.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CONF_modules_unload.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CONF_modules_load.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_MEM_LEAK_CB.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_set_mem_functions.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cpy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_current.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_hash.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_add.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_r_lock.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_r_unlock.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_w_lock.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_w_unlock.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_free_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_new_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_cbc_cksum.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_cfb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_cfb_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_crypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ecb2_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ecb3_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ecb_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede2_cbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede2_cfb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede2_ofb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_cbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_cbcm_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_cfb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_ofb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_enc_read.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_enc_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_fcrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_is_weak_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_key_sched.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ncbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ofb64_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_ofb_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_pcbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_quad_cksum.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_random_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_set_key_checked.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_set_key_unchecked.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_set_odd_parity.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_string_to_2keys.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_string_to_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DES_xcbc_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_compute_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_check.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_generate_parameters_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_clear_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_get0_engine.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_get0_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_set0_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_set0_pqg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_test_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_OpenSSL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_get_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_new_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DH_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DIST_POINT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_SIG_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_SIG_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_SIG_set0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_do_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_generate_parameters_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_clear_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get0_engine.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get0_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set0_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set0_pqg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_test_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_set_finish.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_set_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_OpenSSL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_new_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_sign_setup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_OpenSSL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_set0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_do_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_get_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_set_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_set_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_sign_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_sign_setup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECDSA_SIG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECDSA_SIG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GF2m_simple_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_mont_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nist_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp224_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp256_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp521_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_METHOD_get_field_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_check.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_check_discriminant.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_generator.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_seed.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_asn1_flag.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_basis_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_cofactor.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_degree.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_order.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_pentanomial_basis.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_point_conversion_form.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_seed_len.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_trinomial_basis.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_method_of.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_asn1_flag.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_generator.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_point_conversion_form.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_seed.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_clear_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GF2m.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_by_curve_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GF2m.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GF2m.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_get_builtin_curves.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_compute_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_keygen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_compute_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_keygen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_OpenSSL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_new_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_check_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_clear_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_generate_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_group.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_private_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_public_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_conv_form.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_enc_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_key_method_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_insert_key_method_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_new_by_curve_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_precompute_mult.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_asn1_flag.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_conv_form.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_enc_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_group.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_private_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key_affine_coordinates.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_have_precompute_mult.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_precompute_mult.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_dbl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_invert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_is_at_infinity.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_is_on_curve.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_make_affine.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_mul.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINTs_make_affine.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINTs_mul.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_bn2point.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_clear_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_get_Jprojective_coordinates_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GF2m.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_hex2point.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_method_of.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_oct2point.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_point2bn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_point2hex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_point2oct.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_Jprojective_coordinates_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GF2m.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GF2m.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GFp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_to_infinity.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_by_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_first.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_last.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_next.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_prev.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_remove.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_CTRL_FUNC_PTR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_cmd_is_executable.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_cmd_defns.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ctrl_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_cmd_defns.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ctrl_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher_engine.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest_engine.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_table_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_table_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_finish.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_finish_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_init_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_finish_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_init_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_destroy_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_destroy_function.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_STORE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_complete.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_load_builtin_engines.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_load_dynamic.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_STORE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_complete.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_CIPHERS_PTR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_DIGESTS_PTR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_STORE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_STORE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_RAND.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_STORE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_FATAL_ERROR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_GET_FUNC.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_GET_REASON.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_error_string_n.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_func_error_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_lib_error_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_reason_error_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_get_error_line.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_get_error_line_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_free_strings.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_load_error_strings.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_PACK.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_get_next_error_library.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_print_errors_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_print_errors_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_add_error_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_add_error_vdata.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_remove_thread_state.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ERR_pop_to_mark.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ESS_SIGNING_CERT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_open.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_seal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_key_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_overhead.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_tag_len.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_nonce_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_128_gcm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_256_gcm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_chacha20_poly1305.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_xchacha20_poly1305.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_Digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestInit_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MAX_MD_SIZE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_block_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_create.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_destroy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_reset.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_block_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_pkey_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_dss.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_dss1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyname.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_digestbynid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyobj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_md5.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_md5_sha1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_md_null.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_ripemd160.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha224.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha256.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha384.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha512.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestSignFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestSignUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeBlock.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeInit.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncodeBlock.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncodeFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncodeUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_block_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cipher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_clear_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_app_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_iv.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_iv_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_key_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_rand_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_reset.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_app_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_iv.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_key_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_padding.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_test_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_asn1_to_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_block_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_iv_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_key_length.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_param_to_asn1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_Cipher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherInit.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherInit_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptInit_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_chacha20.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_enc_null.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyname.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbynid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyobj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_40_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_64_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_OpenFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_OpenUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_ctrl_str.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_signature_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_generator.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_prime_len.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dsa_paramgen_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_signature_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_new_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find_str.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0_info.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_asn1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add_alias.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_private.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_public.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_cmp_parameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_copy_parameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_missing_parameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_decrypt_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_set_peer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_encrypt_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_app_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_keygen_info.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_app_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_gen_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_keygen_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_add0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_find.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_decrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_derive.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_encrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_keygen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_paramgen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_signctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_public.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_EC_KEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_GOST.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_base_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_EC_KEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_hmac.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_EC_KEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DH.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_EC_KEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_sign_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_recover_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SealFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SealUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SignFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SignInit_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SignUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_VerifyFinal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_VerifyInit_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_VerifyUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cbc_hmac_sha1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ccm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ctr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_gcm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_wrap.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_xts.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ccm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ctr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_gcm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_wrap.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc_hmac_sha1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ccm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ctr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_gcm.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_wrap.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_xts.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb64.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_desx_cbc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc4_40.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc4_hmac_md5.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb128.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_ctr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_ecb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_ofb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EXTENDED_KEY_USAGE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_NAME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OTHERNAME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OTHERNAME_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_copy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_get_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_reset.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Init_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD4.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD4_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD4_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD4_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD5_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD5_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/MD5_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/NAME_CONSTRAINTS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_create.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_ln2nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_nid2ln.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_nid2sn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_obj2nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_obj2txt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_sn2nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_txt2nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_txt2obj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2t_ASN1_OBJECT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CRLID_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQUEST_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_add0_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_add1_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SERVICELOC_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_url_svcloc_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_cert_id_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_id_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_id_get0_info.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_id_issuer_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_basic_add1_nonce.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_check_nonce.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_copy_nonce.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_get0_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_basic_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_cert_status_str.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_check_validity.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_resp_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_resp_find.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_resp_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_single_get0_status.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_basic_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_response_create.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_response_get1_basic.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_response_status_str.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_add1_header.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_set1_req.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_parse_url.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_nbio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_NUMBER.3" - -rm -f "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_TEXT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_VERSION_TEXT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_version_num.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_no_config.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_add_oid_module.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_add_conf_module.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_malloc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_realloc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_strdup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_realloc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_strdup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_delete.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_delete_ptr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_find.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_find_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_insert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_is_sorted.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_new_null.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_num.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_pop.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_pop_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_push.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_set_cmp_func.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_shift.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_sort.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_unshift.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_value.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sk_zero.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_digests.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_do_header.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_get_EVP_CIPHER_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_SSL_SESSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_SSL_SESSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_SSL_SESSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DHparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSAparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_ECPKParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_ECPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_EC_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_NETSCAPE_CERT_SEQUENCE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS7.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8_PRIV_KEY_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_RSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_CRL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_REQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DHparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPKParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_EC_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS7.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8_PRIV_KEY_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_CRL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_REQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DHparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSAparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_ECPKParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_ECPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_EC_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_NETSCAPE_CERT_SEQUENCE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS7.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8_PRIV_KEY_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_RSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_CRL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ_NEW.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DHparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPKParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_EC_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS7.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8_PRIV_KEY_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_CRL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ_NEW.3" - -rm -f "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_SAFEBAG_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS5_PBKDF2_HMAC_SHA1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get0_signers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS8_PRIV_KEY_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKEY_USAGE_PERIOD_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/NOTICEREF_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/NOTICEREF_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICYINFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/USERNOTICE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/USERNOTICE_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PROXY_POLICY_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_poll.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_seed.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_status.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_pseudo_bytes.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_file_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_write_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_SSLeay.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RAND_get_rand_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RC4_set_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RIPEMD160_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RIPEMD160_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RIPEMD160_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_PSS_PARAMS_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_blinding_off.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_generate_key_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_clear_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get0_crt_params.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get0_factors.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set0_crt_params.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set0_factors.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set0_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_test_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_app_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_bn_mod_exp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_finish.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_keygen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_mod_exp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_dec.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_enc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_dec.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_enc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set0_app_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set1_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_bn_mod_exp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_finish.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_keygen.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_mod_exp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_dec.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_enc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_dec.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_enc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSAPrivateKey_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSAPublicKey_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_OAEP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_type_2.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_add_none.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_OAEP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_2.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_none.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DHparams_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DHparams_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSA_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSAparams_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSAparams_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_public_decrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_private_decrypt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_PKCS1_SSLeay.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_new_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_verify_ASN1_OCTET_STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/RSA_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA1_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA1_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA1_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA224.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA224_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA224_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA224_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA256.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA256_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA256_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA256_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA384.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA384_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA384_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA384_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA512.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA512_Final.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA512_Init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SHA512_Update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_description.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_auth_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_cipher_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_digest_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_kx_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_is_aead.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_COMP_get_compression_methods.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_add0_chain_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_chain_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_chain_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set0_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add0_chain_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add1_chain_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_chain_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_chain_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set0_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_extra_chain_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_remove_session.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_callback_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_callback_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_verify_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_verify_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_verify_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_verify_paths.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSLv23_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSLv23_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSLv23_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLS_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLS_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLS_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_1_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_1_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_1_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_2_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_2_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_2_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_client_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_server_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_good.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_renegotiate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cache_full.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cb_hits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_good.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_renegotiate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_hits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_misses.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_timeouts.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_cache_size.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_get_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_new_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_remove_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_new_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_remove_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_session_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/new_session_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/remove_session_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_groups_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_curves.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_curves_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_groups.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_groups_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_alpn_protos.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_alpn_selected.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_select_next_proto.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_alpn_protos.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_cert_store.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_cipher_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_add_client_CA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add_client_CA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_client_CA_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_cert_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/client_cert_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb_userdata.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_passwd_cb_userdata.3" - -rm -f "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/GEN_SESSION_CB.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_has_matching_session_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_generate_session_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_info_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_info_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_info_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_cert_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_cert_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_cert_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_min_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_min_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_min_proto_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_msg_callback_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_options.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_options.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_options.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_options.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_secure_renegotiation_support.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_options.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_quiet_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_quiet_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_quiet_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_read_ahead.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_read_ahead.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_read_ahead.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_read_ahead.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_session_cache_mode.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_session_id_context.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_ssl_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ssl_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_timeout.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_servername_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_servername.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_servername_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_host_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_status_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_tlsext_status_ocsp_resp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_ocsp_resp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_selected_srtp_profile.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_srtp_profiles.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_use_srtp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_dh.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_need_tmp_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_rsa.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_need_tmp_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_verify_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_verify_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/verify_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_check_private_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_ASN1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_ASN1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_ASN1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_check_private_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_ASN1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_ASN1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set1_id.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_timeout.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_time.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_timeout.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_time.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_timeout.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_time.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_timeout.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ticket_lifetime_hint.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get0_id_context.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string_long.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_type_string_long.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_privatekey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get1_supported_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_client_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_CA_list.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_master_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_server_random.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_bits.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_accept_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_before.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_connect_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_init_finished.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_state.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_ssl_algorithms.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay_add_ssl_algorithms.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add_dir_cert_subjects_to_stack.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add_file_cert_subjects_to_stack.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_peek.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_server.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_accept_state.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_rfd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_wfd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_send_fragment.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_shutdown.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ecdh_auto.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ecdh_auto.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_ecdh_callback.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_state_string_long.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_nothing.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_read.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_write.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_x509_lookup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SXNETID_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SXNETID_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/SXNET_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_SXNET.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_SXNETID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_SXNET.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_SXNETID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_REQ_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_RESP_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_RESP_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_UTIL_read_pw_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_destroy_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_closer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_flusher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_opener.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_prompt_constructor.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_reader.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_writer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_closer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_flusher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_opener.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_prompt_constructor.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_reader.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_writer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_action_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_output_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_result_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_test_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_input_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_result_maxsize.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_result_minsize.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_result.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_OpenSSL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_error_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_info_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_input_boolean.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_input_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_user_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_verify_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_construct_prompt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_ctrl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_error_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_info_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_input_boolean.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_input_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_verify_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_result.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_user_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_new_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_process.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_default_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_method.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X25519_keypair.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509V3_EXT_d2i.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509V3_EXT_i2d.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509V3_add1_i2d.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_add1_ext_i2d.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_extensions.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_d2i.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add1_ext_i2d.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_extensions.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_d2i.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_add1_ext_i2d.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_extensions.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_d2i.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set_md.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_ATTRIBUTE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CINF_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VAL_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VAL_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_add0_revoked.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_by_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_REVOKED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_sort.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_critical.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_object.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_critical.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_LOOKUP_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_load_cert_crl_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_load_cert_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_load_crl_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_txt.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_get_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_object.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_delete_entry.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_entry_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_entry.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_index_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_oneline.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_print_ex_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_free_contents.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get0_X509_CRL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get_type.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_idx_by_subject.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_by_subject.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_match.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_up_ref_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_revocationDate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_serialNumber.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_revocationDate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_serialNumber.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_SIG_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get1_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_current_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_error_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_verify_cert_error_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_store.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_untrusted.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_init.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_crls.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_trusted_stack.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_untrusted.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_chain.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_default.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_trusted_stack.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_default_paths.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_add_cert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_add_crl.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_objects.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_param.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_new_index.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_ex_data.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_purpose.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_trust.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_verify_cb.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_policy.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_table.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add1_host.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_clear_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_peername.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_flags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_lookup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_email.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_host.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip_asc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_policies.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_hostflags.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_purpose.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_time.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_trust.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_table_cleanup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_check_email.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_check_ip.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_check_ip_asc.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_check_private_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_match.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_issuer_and_serial_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_issuer_name_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_subject_name_cmp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_cmp_current_time.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_time_adj.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_time_adj_ex.3" - -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_pubkey_digest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_lastUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_nextUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_lastUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_nextUpdate.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_notAfter.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_getm_notAfter.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_getm_notBefore.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set1_notAfter.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set1_notBefore.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_signature.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_signature_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get0_signature.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_signature_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_tbs_sigalg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_signature_nid.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_email_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get1_ocsp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_pubkey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_pubkey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_X509_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_pubkey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_serialNumber.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_issuer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_issuer_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_subject_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_subject_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_issuer_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_issuer_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_subject_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_version.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_chain_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_up_ref.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_sign_ctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_sign.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_sign_ctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_sign_ctx.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_verify.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_add_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_delete_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_critical.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_delete_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_critical.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_add_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_delete_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_NID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_critical.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_add_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_delete_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_OBJ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_critical.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_count.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_add_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_check_top.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_cmp_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_div_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_expand.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_expand2.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_fix_top.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_add_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_comba4.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_comba8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_high.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_low_normal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_low_recursive.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_normal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_part_recursive.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_recursive.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_set_high.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_set_low.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_set_max.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_comba4.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_comba8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_normal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_recursive.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sub_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_wexpand.3" - -rm -f "$(DESTDIR)$(mandir)/man3/mul.3" - -rm -f "$(DESTDIR)$(mandir)/man3/mul_add.3" - -rm -f "$(DESTDIR)$(mandir)/man3/sqr.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_NULL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OBJECT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BIT_STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BMPSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_ENUMERATED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALIZEDTIME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_IA5STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_INTEGER.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLESTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_T61STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TIME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UINTEGER.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UNIVERSALSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTCTIME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTF8STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_VISIBLESTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DIRECTORYSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DISPLAYTEXT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BIT_STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BMPSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_ENUMERATED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALIZEDTIME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_IA5STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_INTEGER.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OCTET_STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLESTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_T61STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TIME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UNIVERSALSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTCTIME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTF8STRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_VISIBLESTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DIRECTORYSTRING.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DISPLAYTEXT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_SET_ANY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SEQUENCE_ANY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SET_ANY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_KEYID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EXTENDED_KEY_USAGE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_BASIC_CONSTRAINTS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EXTENDED_KEY_USAGE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CMS_ReceiptRequest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CMS_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CMS_ContentInfo.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CMS_ReceiptRequest.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CMS_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DHparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ACCESS_DESCRIPTION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_AUTHORITY_INFO_ACCESS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CRL_DIST_POINTS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DIST_POINT_NAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ISSUING_DIST_POINT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ACCESS_DESCRIPTION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_INFO_ACCESS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CRL_DIST_POINTS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT_NAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ISSUING_DIST_POINT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DSAparams_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_SIG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_SIG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECPKParameters_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECPKParameters_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECParameters_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECParameters_print.3" - -rm -f "$(DESTDIR)$(mandir)/man3/ECParameters_print_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECParameters.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2o_ECPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/o2i_ECPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ESS_CERT_ID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ESS_ISSUER_SERIAL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ESS_CERT_ID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ESS_ISSUER_SERIAL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ESS_SIGNING_CERT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EDIPARTYNAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_GENERAL_NAMES.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OTHERNAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EDIPARTYNAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAMES.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OTHERNAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_ONEREQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REQINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SERVICELOC.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SIGNATURE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_ONEREQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQUEST.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SERVICELOC.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SIGNATURE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_BASICRESP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTSTATUS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CRLID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPBYTES.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPDATA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REVOKEDINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SINGLERESP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_BASICRESP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTSTATUS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CRLID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPBYTES.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPDATA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPID.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPONSE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REVOKEDINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SINGLERESP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_BAGS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_MAC_DATA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_SAFEBAG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_BAGS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_MAC_DATA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_SAFEBAG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_DIGEST.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENCRYPT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENC_CONTENT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENVELOPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ISSUER_AND_SERIAL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_RECIP_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNER_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGN_ENVELOPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_DIGEST.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENCRYPT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENC_CONTENT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENVELOPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ISSUER_AND_SERIAL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_NDEF.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_RECIP_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNER_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGN_ENVELOPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8PrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKEY_USAGE_PERIOD.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CERTIFICATEPOLICIES.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_NOTICEREF.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_POLICYQUALINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_USERNOTICE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CERTIFICATEPOLICIES.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_NOTICEREF.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_POLICYINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_POLICYQUALINFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_USERNOTICE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PROXY_CERT_INFO_EXTENSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PROXY_CERT_INFO_EXTENSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PROXY_POLICY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_AutoPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_Netscape_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PSS_PARAMS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_Netscape_RSA.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PSS_PARAMS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_SSL_SESSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_ACCURACY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_STATUS_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_ACCURACY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_STATUS_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CERT_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CINF.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_VAL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CERT_AUX.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CINF.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_VAL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_ALGOR.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_ATTRIBUTE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REVOKED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REVOKED.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_EXTENSIONS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSION.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSIONS.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_dup.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get0_der.3" - -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_hash.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_NAME_ENTRY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME_ENTRY.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_INFO.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_fp.3" - -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_SIG.3" - -rm -f "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/des_read_pw_string.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_1024.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_768.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_1536.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_2048.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_3072.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_4096.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_6144.3" - -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_8192.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_1024.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_768.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_1536.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_2048.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_3072.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_4096.3" - -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_6144.3" - -rm -f "$(DESTDIR)$(mandir)/man3/DECLARE_LHASH_OF.3" - -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_COMP_FN_TYPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_ARG_FN_TYPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_FN_TYPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_HASH_FN_TYPE.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__delete.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__doall.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__doall_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__insert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh__retrieve.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_delete.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_doall.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_doall_arg.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_insert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_retrieve.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_stats.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_stats_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/lh_stats_bio.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_accept_cbs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_accept_fds.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_configure.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_reset.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_server.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_parse_protocols.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_client.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_server.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_alpn.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ciphers.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_dheparams.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ecdhecurves.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_ticket_key.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_session_fd.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_session_lifetime.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifycert.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifyname.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifytime.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_alpn_selected.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_cipher.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_servername.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_session_resumed.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_chain_pem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_contains_name.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_hash.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_issuer.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notafter.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notbefore.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_provided.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_subject.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_cbs.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_fds.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_servername.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_socket.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_free.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_new.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_clear_keys.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_path.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_key_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_key_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_mem.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_verify_depth.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_verify_client.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_verify_client_optional.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_default_ca_cert_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_unload_file.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_cert_status.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_crl_reason.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_next_update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_response_status.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_result.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_revocation_time.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_this_update.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_url.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_close.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_error.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_handshake.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_reset.3" - -rm -f "$(DESTDIR)$(mandir)/man3/tls_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@uninstall-local: +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AUTHORITY_INFO_ACCESS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AES_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AES_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AES_set_decrypt_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AES_set_encrypt_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_to_BN.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_to_BN.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_ENUMERATED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_to_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2a_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OBJECT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_TABLE_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_get0_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_length_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_to_UTF8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BIT_STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_BMPSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_ENUMERATED_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_IA5STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_INTEGER_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_OCTET_STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLESTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_PRINTABLE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_type_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_T61STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UNIVERSALSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTF8STRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_VISIBLESTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DIRECTORYSTRING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DISPLAYTEXT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_STRING_print_ex_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_tag2str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_GENERALIZEDTIME_set_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_to_generalizedtime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_cmp_time_t.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_UTCTIME_set_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TYPE_set1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_generate_v3.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_d2i_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_i2d_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_item_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_put_eoc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_TIME_set_tm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_time_tm_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/AUTHORITY_KEYID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BASIC_CONSTRAINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_ecb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BF_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_pending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_wpending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_eof.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_flush.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_close.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_int_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_pending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ptr_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_seek.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_close.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_tell.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_wpending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bio_info_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_buffer_num_lines.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_read_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_buffer_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_read_buffer_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_write_buffer_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_cipher_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_md_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_do_handshake.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_num_renegotiates.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_ssl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_buffer_ssl_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_ssl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_ssl_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_bytes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ssl_renegotiate_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ssl_copy_session_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ssl_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_method_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_next.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TYPE_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TYPE_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_destroy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_gets.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_puts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_get_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_destroy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_gets.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_puts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_meth_set_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_free_all.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_vfree.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_snprintf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_vprintf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_vsnprintf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_pop.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_gets.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_puts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_do_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_accept_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_bind_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_accept_bios.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_accept_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_bind_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_nbio_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_read_request.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_get_write_guarantee.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_ctrl_reset_read_request.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_destroy_bio_pair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_read_request.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_write_buf_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_write_guarantee.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_make_bio_pair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_bio_pair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_write_buf_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_shutdown_wr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_do_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_hostname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_int_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_conn_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_hostname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_int_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_conn_port.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_nbio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_append_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_read_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_rw_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_write_filename.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_mem_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_mem_ptr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_mem_buf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_mem_buf.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_mem_eof_return.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_new_socket.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_callback_fn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_debug_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_set_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_retry_BIO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_get_retry_reason.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_retry_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_should_io_special.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_should_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BIO_should_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_convert_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_create_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_get_thread_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_invert_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_set_thread_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_thread_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_BLINDING_update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_end.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_CTX_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_div.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_gcd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_add.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_sqr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_sub.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_nnmod.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_sqr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_sub.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_div_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mod_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mul_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_sub_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_asc2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_bin2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_bn2dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_bn2hex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_bn2mpi.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_dec2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_hex2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mpi2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_odd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_one.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_zero.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_ucmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_with_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_call.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_get_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_GENCB_set_old.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_generate_prime_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_prime_fasttest_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_192.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_224.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_256.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get0_nist_prime_384.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_MONT_CTX_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_from_montgomery.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_to_montgomery.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_RECP_CTX_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_div_recp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_clear.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_clear_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_num_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_num_bits_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_pseudo_rand_range.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_rand_range.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_clear_bit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_bit_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_lshift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_lshift1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_mask_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_rshift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_rshift1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_is_negative.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_one.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_set_word.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_value_one.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BUF_MEM_grow_clean.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BUF_reverse.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BUF_strdup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_get0_cipher_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMAC_resume.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ContentInfo_print_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add0_crl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add1_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add1_crl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get1_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get1_crls.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add0_recipient_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_decrypt_set1_pkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_get0_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_kekri_id_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_cert_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_ktri_get0_signer_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_set0_pkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_RecipientInfo_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_cert_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signature.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_get0_signer_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_SignerInfo_set1_signer_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get0_content.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get0_eContentType.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_set1_eContentType.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_create0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_ReceiptRequest_get0_values.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_add1_ReceiptRequest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CMS_get0_signers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CONF_modules_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CONF_modules_unload.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CONF_modules_load.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_MEM_LEAK_CB.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_mem_leaks_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_set_mem_functions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_cpy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_current.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_THREADID_hash.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_add.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_r_lock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_r_unlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_w_lock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_w_unlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_free_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_new_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_chacha_20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_hchacha_20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_xchacha_20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ChaCha_set_iv.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ChaCha_set_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_cbc_cksum.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_cfb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_crypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ecb2_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ecb3_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ecb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede2_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede2_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede2_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_cbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_cbcm_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_cfb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ede3_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_enc_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_enc_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_fcrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_is_weak_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_key_sched.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ncbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ofb64_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_ofb_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_pcbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_quad_cksum.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_random_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_set_key_checked.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_set_key_unchecked.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_set_odd_parity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_string_to_2keys.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_string_to_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DES_xcbc_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_compute_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_generate_parameters_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_get0_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_get0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_set0_pqg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DH_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRL_DIST_POINTS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DIST_POINT_NAME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DIST_POINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ISSUING_DIST_POINT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_SIG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_SIG_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_SIG_set0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_do_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_generate_parameters_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get0_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set0_pqg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_set_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_meth_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_sign_setup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDH_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_SIG_set0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_do_sign_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_do_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_set_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_sign_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_sign_setup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECDSA_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECDSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECDSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GF2m_simple_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_mont_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nist_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp224_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp256_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GFp_nistp521_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_METHOD_get_field_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_check.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_check_discriminant.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_generator.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get0_seed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_asn1_flag.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_basis_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_cofactor.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_degree.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_order.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_pentanomial_basis.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_point_conversion_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_seed_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_trinomial_basis.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_method_of.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_asn1_flag.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_generator.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_point_conversion_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_seed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_clear_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_get_curve_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_by_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_new_curve_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_set_curve_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_get_builtin_curves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_compute_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_get_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_compute_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_METHOD_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_check_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_generate_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_group.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get0_public_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_conv_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_enc_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_get_key_method_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_insert_key_method_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_new_by_curve_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_precompute_mult.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_asn1_flag.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_conv_form.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_enc_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_group.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_set_public_key_affine_coordinates.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_KEY_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_have_precompute_mult.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_GROUP_precompute_mult.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_dbl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_invert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_is_at_infinity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_is_on_curve.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_make_affine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINTs_make_affine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINTs_mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_bn2point.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_clear_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_get_Jprojective_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_get_affine_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_hex2point.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_method_of.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_oct2point.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_point2bn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_point2hex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_point2oct.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_Jprojective_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_affine_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GF2m.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_compressed_coordinates_GFp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EC_POINT_set_to_infinity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_by_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_first.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_last.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_next.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_prev.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_remove.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_CTRL_FUNC_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_cmd_is_executable.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_ctrl_cmd_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_cmd_defns.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ctrl_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_cmd_defns.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ctrl_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_default_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest_engine.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_table_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_table_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_finish_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_init_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_finish_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_init_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_GEN_INT_FUNC_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_destroy_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_destroy_function.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_complete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_load_builtin_engines.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_load_dynamic.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_complete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_register_all_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_CIPHERS_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_DIGESTS_PTR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_set_default_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ECDSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_RAND.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_STORE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_unregister_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_FATAL_ERROR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_GET_FUNC.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_GET_REASON.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_error_string_n.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_func_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_lib_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_reason_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_get_error_line.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_get_error_line_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_error_line_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_peek_last_error_line_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_free_strings.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_load_error_strings.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_PACK.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_get_next_error_library.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_print_errors_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_print_errors_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_add_error_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_add_error_vdata.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_remove_thread_state.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ERR_pop_to_mark.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ESS_CERT_ID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ESS_ISSUER_SERIAL_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ESS_SIGNING_CERT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_open.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_CTX_seal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_overhead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_max_tag_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_AEAD_nonce_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_128_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_aes_256_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_chacha20_poly1305.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aead_xchacha20_poly1305.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_Digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MAX_MD_SIZE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_copy_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_destroy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_CTX_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_pkey_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_MD_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_dss.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_dss1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_digestbynid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_digestbyobj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_md5.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_md5_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_md_null.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_ripemd160.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha224.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha256.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha384.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sha512.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestSignFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestSignUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DigestVerifyUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeBlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeInit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecodeUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_ENCODE_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncodeBlock.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncodeFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncodeUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_get_iv.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_iv_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_rand_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_iv.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_set_padding.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_CTX_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_asn1_to_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_block_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_iv_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_key_length.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_param_to_asn1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CIPHER_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_Cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherInit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_CipherUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_DecryptUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptFinal_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_EncryptUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_bf_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cast5_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_chacha20.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_enc_null.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbynid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_get_cipherbyobj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_idea_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_40_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_64_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc2_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_OpenFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_OpenUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_ctrl_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_ecdh_kdf_ukm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get1_id_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_cofactor_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_outlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_ecdh_kdf_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_signature_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_ecdh_kdf_ukm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set1_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_generator.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dh_paramgen_prime_len.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_dsa_paramgen_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_param_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_cofactor_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_outlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_ecdh_kdf_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_signature_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_new_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_find_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_get0_info.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_asn1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_add_alias.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_private.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_asn1_set_public.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_cmp_parameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_copy_parameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_missing_parameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_decrypt_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_derive_set_peer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_encrypt_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_keygen_info.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_gen_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_keygen_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_paramgen_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_add0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_derive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_encrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_paramgen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_signctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_CMAC_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_public.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_GOST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_assign_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_base_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get0_hmac.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_get1_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DH.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_DSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set1_EC_KEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_set_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_sign_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_verify_recover_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SealFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SealUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SignFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SignInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_SignUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_VerifyFinal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_VerifyInit_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_VerifyUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cbc_hmac_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ccm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_wrap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_128_xts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ccm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_192_wrap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cbc_hmac_sha1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ccm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_gcm.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_wrap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_aes_256_xts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_128_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_192_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_camellia_256_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_cfb8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede3_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_cfb64.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ede_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_des_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_desx_cbc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc4_40.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_rc4_hmac_md5.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_cfb128.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_ctr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_ecb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_sm4_ofb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EXTENDED_KEY_USAGE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EDIPARTYNAME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_NAMES_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_NAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OTHERNAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OTHERNAME_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_copy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_get_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_CTX_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Init_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/HMAC_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD4.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD4_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD4_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD4_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD5_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD5_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/MD5_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/GENERAL_SUBTREE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/NAME_CONSTRAINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_ln2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_nid2ln.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_nid2sn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_obj2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_obj2txt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_sn2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_txt2nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_txt2obj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2t_ASN1_OBJECT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CRLID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_ONEREQ_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQINFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQUEST_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SIGNATURE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_add0_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_add1_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_onereq_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_request_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SERVICELOC_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_url_svcloc_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_cert_id_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_id_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_id_get0_info.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_id_issuer_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_basic_add1_nonce.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_check_nonce.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_copy_nonce.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_CERTSTATUS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REVOKEDINFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_get0_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_SINGLERESP_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_basic_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_cert_status_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_check_validity.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_resp_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_resp_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_resp_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_single_get0_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_BASICRESP_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPBYTES_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPDATA_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_RESPONSE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_basic_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_response_create.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_response_get1_basic.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_response_status_str.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_add1_header.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_REQ_CTX_set1_req.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_parse_url.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OCSP_sendreq_nbio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_NUMBER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/LIBRESSL_VERSION_TEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_VERSION_TEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_version_num.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_no_config.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ASN1_add_oid_module.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ENGINE_add_conf_module.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_malloc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_realloc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_strdup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_realloc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OPENSSL_strdup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_delete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_delete_ptr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_find.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_find_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_insert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_is_sorted.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_new_null.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_num.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_pop.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_pop_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_push.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_set_cmp_func.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_shift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_sort.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_unshift.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_value.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sk_zero.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_all_digests.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_ASN1_read_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_of_void.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_X509_INFO_read_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_def_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_do_header.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_get_EVP_CIPHER_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_read_bio_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8PrivateKey_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_X509_REQ_NEW.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_CMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8PrivateKey_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PEM_write_bio_X509_REQ_NEW.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_BAGS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_SAFEBAG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_MAC_DATA_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS12_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS5_PBKDF2_HMAC_SHA1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add0_attrib_signing_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add1_attrib_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_content_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add_attrib_smimecap.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_add_signed_attribute.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get_attribute.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get_signed_attribute.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_set_attributes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_set_signed_attributes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_DIGEST_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENCRYPT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENC_CONTENT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ENVELOPE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_RECIP_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNED_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGNER_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_SIGN_ENVELOPE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_content_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_set0_type_other.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_get0_signers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS8_PRIV_KEY_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKEY_USAGE_PERIOD_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CERTIFICATEPOLICIES_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/NOTICEREF_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/NOTICEREF_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICYINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICYQUALINFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_CONSTRAINTS_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/POLICY_MAPPING_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/USERNOTICE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/USERNOTICE_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PROXY_CERT_INFO_EXTENSION_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PROXY_POLICY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_poll.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_seed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_pseudo_bytes.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_file_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_write_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_SSLeay.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RAND_get_rand_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RC4_set_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RIPEMD160_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RIPEMD160_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RIPEMD160_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_PSS_PARAMS_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_blinding_off.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_generate_key_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get0_crt_params.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get0_factors.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set0_crt_params.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set0_factors.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set0_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_test_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/CRYPTO_EX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get0_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_bn_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_priv_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_pub_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_get_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set0_app_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set1_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_bn_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_finish.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_keygen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_mod_exp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_priv_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_dec.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_pub_enc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_meth_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSAPrivateKey_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSAPublicKey_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_OAEP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_add_PKCS1_type_2.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_add_none.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_OAEP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_PKCS1_type_2.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_padding_check_none.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get0_rsa_oaep_label.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_mgf1_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_oaep_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_padding.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_get_rsa_pss_saltlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set0_rsa_oaep_label.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_keygen_pubexp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_mgf1_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_oaep_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_padding.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_CTX_set_rsa_pss_saltlen.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DHparams_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DHparams_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSA_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSAparams_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSAparams_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_public_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_private_decrypt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_PKCS1_SSLeay.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_get_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_verify_ASN1_OCTET_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/RSA_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA1_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA1_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA1_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA224.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA224_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA224_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA224_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA256.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA256_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA256_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA256_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA384.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA384_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA384_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA384_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA512.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA512_Final.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA512_Init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SHA512_Update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_description.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_auth_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_cipher_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_digest_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_kx_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_get_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CIPHER_is_aead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_COMP_get_compression_methods.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_add0_chain_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set0_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add0_chain_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add1_chain_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set0_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_extra_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_extra_chain_certs_only.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_remove_session.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_callback_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_verify_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_verify_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_verify_paths.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLS_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_2_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_2_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_2_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DTLSv1_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSLv23_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSLv23_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSLv23_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLS_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLS_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLS_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_1_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_1_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_1_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_2_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_2_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_2_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_client_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TLSv1_server_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_good.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_accept_renegotiate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cache_full.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_cb_hits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_good.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_connect_renegotiate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_hits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_misses.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_timeouts.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_cache_size.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_get_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_new_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_get_remove_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_new_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_sess_set_remove_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_session_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/new_session_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/remove_session_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_curves_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_groups_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_curves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_curves_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_groups.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set1_groups_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_alpn_protos.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_alpn_selected.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_select_next_proto.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_alpn_protos.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_cert_store.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_cipher_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_add_client_CA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add_client_CA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_client_CA_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_cert_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/client_cert_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_passwd_cb_userdata.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_default_passwd_cb_userdata.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/pem_password_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/GEN_SESSION_CB.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_has_matching_session_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_generate_session_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_info_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_cert_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_cert_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_cert_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_min_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_min_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_min_proto_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_msg_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_msg_callback_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_clear_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_secure_renegotiation_support.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_options.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_quiet_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_quiet_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_quiet_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_default_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_read_ahead.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_session_cache_mode.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_session_id_context.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_ssl_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ssl_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_servername_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_servername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_servername_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_host_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_tlsext_status_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tlsext_status_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_tlsext_status_ocsp_resp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_ocsp_resp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_status_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_selected_srtp_profile.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_srtp_profiles.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tlsext_use_srtp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_dh.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_dh_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_need_tmp_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_rsa.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_need_tmp_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_rsa_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/verify_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_check_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_PrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_RSAPrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_chain_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_use_certificate_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_check_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_PrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_chain_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set1_id.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_timeout.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ticket_lifetime_hint.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get0_id_context.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_type_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_privatekey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get1_supported_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_client_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_client_CA_list.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_master_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_server_random.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_bits.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_cipher_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_peer_finished.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_accept_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_before.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_connect_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_in_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_init_finished.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_state.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_dtls.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/OpenSSL_add_ssl_algorithms.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSLeay_add_ssl_algorithms.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add_dir_cert_subjects_to_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_add_file_cert_subjects_to_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_peek.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_early_data_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_write_early_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_peername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_hostflags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_is_server.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_accept_state.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_rfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_wfd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_send_fragment.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_shutdown.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_ecdh_auto.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_tmp_ecdh_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ecdh_auto.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_tmp_ecdh_callback.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_state_string_long.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_nothing.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_read.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SSL_want_x509_lookup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SXNETID_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SXNETID_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/SXNET_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_SXNET.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_SXNETID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_SXNET.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_SXNETID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_ACCURACY_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_MSG_IMPRINT_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_REQ_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_RESP_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_RESP_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_STATUS_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/TS_TST_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_UTIL_read_pw_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_destroy_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_closer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_flusher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_opener.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_prompt_constructor.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_reader.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_get_writer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_closer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_flusher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_opener.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_prompt_constructor.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_reader.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_method_set_writer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_action_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_output_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_result_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_test_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_input_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_result_maxsize.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_result_minsize.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_result.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_OpenSSL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_info_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_input_boolean.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_input_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_user_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_add_verify_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_construct_prompt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_ctrl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_info_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_input_boolean.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_input_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_dup_verify_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_result.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get0_user_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_get_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_new_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_process.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_default_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/UI_set_method.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X25519_keypair.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509V3_EXT_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509V3_EXT_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509V3_add1_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_add1_ext_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_extensions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add1_ext_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_extensions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_add1_ext_i2d.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_extensions.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_d2i.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ALGOR_set_md.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_ATTRIBUTE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CERT_AUX_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CINF_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VAL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VAL_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_add0_revoked.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_by_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_REVOKED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_sort.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_create_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_get_object.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_EXTENSION_set_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_LOOKUP_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_load_cert_crl_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_load_cert_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_load_crl_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_create_by_txt.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_get_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_set_object.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_add_entry_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_delete_entry.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_entry_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_entry.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_index_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get_text_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_oneline.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_print_ex_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_free_contents.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get0_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_get_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_idx_by_subject.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_by_subject.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_retrieve_match.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_OBJECT_up_ref_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_PUBKEY_set0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_INFO_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_revocationDate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get0_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_revocationDate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_set_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_SIG_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get1_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_current_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_error_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_verify_cert_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_store.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_get0_untrusted.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_init.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_crls.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_trusted_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set0_untrusted.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_default.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_CTX_trusted_stack.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_default_paths.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_add_cert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_add_crl.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_objects.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get0_param.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_get_ex_new_index.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_ex_data.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_purpose.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_trust.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_STORE_set_verify_cb.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_policy.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add0_table.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_add1_host.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_clear_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_peername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_flags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_lookup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_email.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_host.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_ip_asc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_policies.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_hostflags.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_purpose.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set_trust.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_table_cleanup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_check_email.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_check_ip.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_check_ip_asc.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_check_private_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_match.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_issuer_and_serial_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_issuer_name_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_subject_name_cmp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_cmp_current_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_time_adj.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_time_adj_ex.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/PKCS7_ISSUER_AND_SERIAL_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_pubkey_digest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set1_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_lastUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_nextUpdate.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_getm_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_getm_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set1_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set1_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_notAfter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_notBefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get0_signature.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_signature_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get0_signature.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_signature_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_tbs_sigalg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_signature_nid.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_signature_type.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_email_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get1_ocsp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_pubkey_bitstr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_X509_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_pubkey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get0_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_serialNumber.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_issuer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_issuer_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_subject_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_subject_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_issuer_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_issuer_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_subject_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_set_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_get_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_set_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_set_version.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_chain_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_up_ref.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_sign_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_sign.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_sign_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REQ_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_sign_ctx.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_verify.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_CRL_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_REVOKED_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_NID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_add_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_delete_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_OBJ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_by_critical.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_count.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_add_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_check_top.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_cmp_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_div_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_expand.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_expand2.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_fix_top.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_add_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_comba4.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_comba8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_high.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_low_normal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_low_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_normal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_part_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_set_high.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_set_low.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_set_max.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_comba4.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_comba8.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_normal.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_recursive.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_sub_words.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/bn_wexpand.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/mul.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/mul_add.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/sqr.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_NULL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OBJECT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BIT_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_BMPSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_ENUMERATED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALIZEDTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_GENERALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_IA5STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_PRINTABLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_T61STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_TIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UINTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UNIVERSALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTCTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_UTF8STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_VISIBLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DIRECTORYSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DISPLAYTEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BIT_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_BMPSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_ENUMERATED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALIZEDTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_GENERALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_IA5STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_INTEGER.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_OCTET_STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_PRINTABLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_T61STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_TIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UNIVERSALSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTCTIME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_UTF8STRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_VISIBLESTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DIRECTORYSTRING.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DISPLAYTEXT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ASN1_SET_ANY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SEQUENCE_ANY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_SET_ANY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_KEYID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EXTENDED_KEY_USAGE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_BASIC_CONSTRAINTS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EXTENDED_KEY_USAGE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CMS_ReceiptRequest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CMS_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CMS_ContentInfo.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CMS_ReceiptRequest.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CMS_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DHparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ACCESS_DESCRIPTION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_AUTHORITY_INFO_ACCESS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CRL_DIST_POINTS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DIST_POINT_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ISSUING_DIST_POINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ACCESS_DESCRIPTION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_AUTHORITY_INFO_ACCESS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CRL_DIST_POINTS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DIST_POINT_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ISSUING_DIST_POINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DSAparams_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_DSAparams_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSA_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_DSAparams_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECPKParameters_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECPKParameters_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECParameters_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECParameters_print.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/ECParameters_print_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPKParameters_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ECPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EC_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPKParameters_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECParameters.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ECPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EC_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2o_ECPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/o2i_ECPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ESS_CERT_ID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_ESS_ISSUER_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ESS_CERT_ID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ESS_ISSUER_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ESS_SIGNING_CERT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_EDIPARTYNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_GENERAL_NAMES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OTHERNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_EDIPARTYNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_GENERAL_NAMES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OTHERNAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_ONEREQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REQINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SERVICELOC.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SIGNATURE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_ONEREQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REQUEST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SERVICELOC.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SIGNATURE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_BASICRESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CERTSTATUS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_CRLID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPBYTES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPDATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_RESPID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_REVOKEDINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_OCSP_SINGLERESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_BASICRESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CERTSTATUS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_CRLID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPBYTES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPDATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPID.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_RESPONSE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_REVOKEDINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_OCSP_SINGLERESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_BAGS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_MAC_DATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_SAFEBAG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS12_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_BAGS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_MAC_DATA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_SAFEBAG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS12_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_DIGEST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENCRYPT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENC_CONTENT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_ISSUER_AND_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_RECIP_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGNER_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_SIGN_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS7_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_DIGEST.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENCRYPT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENC_CONTENT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_ISSUER_AND_SERIAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_NDEF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_RECIP_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGNER_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_SIGN_ENVELOPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS7_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8PrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKey_nid_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_PRIV_KEY_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_PRIV_KEY_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKEY_USAGE_PERIOD.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_CERTIFICATEPOLICIES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_NOTICEREF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_POLICYQUALINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_USERNOTICE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_CERTIFICATEPOLICIES.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_NOTICEREF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_POLICYINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_POLICYQUALINFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_USERNOTICE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PROXY_CERT_INFO_EXTENSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PROXY_CERT_INFO_EXTENSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PROXY_POLICY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_AutoPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8PrivateKeyInfo_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_Netscape_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSAPublicKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PSS_PARAMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_RSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_Netscape_RSA.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPrivateKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSAPublicKey_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PSS_PARAMS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_RSA_PUBKEY_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_SSL_SESSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_ACCURACY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_MSG_IMPRINT_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_RESP_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_STATUS_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_TS_TST_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_ACCURACY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_MSG_IMPRINT_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_RESP_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_STATUS_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_TS_TST_INFO_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CERT_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CINF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_VAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CERT_AUX.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CINF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_VAL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_ALGOR.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_ATTRIBUTE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_CRL_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REVOKED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_CRL_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REVOKED.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_EXTENSIONS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSION.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_EXTENSIONS.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_ENTRY_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_dup.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_get0_der.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/X509_NAME_hash.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_NAME_ENTRY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_NAME_ENTRY.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_X509_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_INFO.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_REQ_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/d2i_PKCS8_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_PKCS8_fp.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/i2d_X509_SIG.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/EVP_read_pw_string_min.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/des_read_pw_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_1024.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc2409_prime_768.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_1536.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_2048.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_3072.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_4096.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_6144.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/BN_get_rfc3526_prime_8192.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_1024.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc2409_prime_768.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_1536.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_2048.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_3072.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_4096.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/get_rfc3526_prime_6144.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/DECLARE_LHASH_OF.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_COMP_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_ARG_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_DOALL_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/LHASH_HASH_FN_TYPE.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__delete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__doall.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__doall_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__insert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh__retrieve.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_delete.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_doall.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_doall_arg.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_insert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_retrieve.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_stats.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_stats_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_node_usage_stats_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/lh_stats_bio.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_accept_cbs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_accept_fds.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_configure.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_server.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_parse_protocols.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_client.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_prefer_ciphers_server.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_alpn.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ciphers.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_dheparams.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ecdhecurves.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_ticket_key.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_session_fd.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_session_lifetime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifycert.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifyname.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_insecure_noverifytime.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_alpn_selected.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_cipher.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_cipher_strength.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_servername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_conn_session_resumed.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_chain_pem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_contains_name.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_hash.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_issuer.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notafter.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_notbefore.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_provided.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_cert_subject.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_cbs.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_fds.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_servername.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_connect_socket.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_add_keypair_ocsp_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_clear_keys.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ca_path.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_cert_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_crl_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_key_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_key_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_keypair_ocsp_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_ocsp_staple_mem.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_set_verify_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_verify_client.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_config_verify_client_optional.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_default_ca_cert_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_unload_file.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_cert_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_crl_reason.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_next_update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_response_status.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_result.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_revocation_time.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_this_update.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_peer_ocsp_url.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_close.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_error.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_handshake.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_reset.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/tls_write.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_chain.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_string.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_free.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_new.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_intermediates.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_chains.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_depth.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_signatures.3" +@ENABLE_LIBTLS_ONLY_FALSE@ -rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_purpose.3" # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/man/NAME_CONSTRAINTS_new.3 b/man/NAME_CONSTRAINTS_new.3 index db64e14c..fec3aba7 100644 --- a/man/NAME_CONSTRAINTS_new.3 +++ b/man/NAME_CONSTRAINTS_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.3 2018/03/23 00:09:11 schwarze Exp $ +.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.4 2020/09/17 08:50:05 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 23 2018 $ +.Dd $Mdocdate: September 17 2020 $ .Dt NAME_CONSTRAINTS_NEW 3 .Os .Sh NAME @@ -22,6 +22,9 @@ .Nm NAME_CONSTRAINTS_free , .Nm GENERAL_SUBTREE_new , .Nm GENERAL_SUBTREE_free +.\" .Nm NAME_CONSTRAINTS_check is intentionally undocumented. +.\" beck@ said in the x509/x509_ncons.c rev. 1.4 commit message: +.\" We probably need to deprecate it thoughtfully. .Nd X.509 CA name constraints extension .Sh SYNOPSIS .In openssl/x509v3.h diff --git a/man/OPENSSL_init_crypto.3 b/man/OPENSSL_init_crypto.3 index e6dac13f..6f38c7bd 100644 --- a/man/OPENSSL_init_crypto.3 +++ b/man/OPENSSL_init_crypto.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $ -.\" Copyright (c) 2018 Ingo Schwarze +.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.5 2020/05/24 12:21:31 schwarze Exp $ +.\" Copyright (c) 2018, 2020 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,11 +13,12 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: May 24 2020 $ .Dt OPENSSL_INIT_CRYPTO 3 .Os .Sh NAME -.Nm OPENSSL_init_crypto +.Nm OPENSSL_init_crypto , +.Nm OPENSSL_init .Nd initialise the crypto library .Sh SYNOPSIS .In openssl/crypto.h @@ -26,10 +27,16 @@ .Fa "uint64_t options" .Fa "const void *dummy" .Fc +.Ft void +.Fn OPENSSL_init void .Sh DESCRIPTION -This function is deprecated. -It is never useful for any application program to call it explicitly. -The library automatically calls it internally with an +These functions are deprecated. +It is never useful for an application program +to call either of them explicitly. +.Pp +The library automatically calls +.Fn OPENSSL_init_crypto +internally with an .Fa options argument of 0 whenever needed. It is safest to assume that any function may do so. @@ -76,6 +83,9 @@ argument has no effect. .Pp If this function is called more than once, none of the calls except the first one have any effect. +.Pp +.Fn OPENSSL_init +has no effect at all. .Sh RETURN VALUES .Fn OPENSSL_init_crypto is intended to return 1 on success or 0 on error. @@ -85,6 +95,12 @@ is intended to return 1 on success or 0 on error. .Xr OPENSSL_load_builtin_modules 3 , .Xr openssl.cnf 5 .Sh HISTORY +.Fn OPENSSL_init +first appeared in OpenSSL 1.0.0e and has been available since +.Ox 5.3 . +It stopped having any effect in OpenSSL 1.1.1 and in +.Ox 5.6 . +.Pp .Fn OPENSSL_init_crypto first appeared in OpenSSL 1.1.0 and has been available since .Ox 6.3 . diff --git a/man/OPENSSL_sk_new.3 b/man/OPENSSL_sk_new.3 index 112671f1..5df45534 100644 --- a/man/OPENSSL_sk_new.3 +++ b/man/OPENSSL_sk_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OPENSSL_sk_new.3,v 1.11 2019/06/06 01:06:58 schwarze Exp $ +.\" $OpenBSD: OPENSSL_sk_new.3,v 1.12 2021/03/12 05:18:00 jsg Exp $ .\" .\" Copyright (c) 2018 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt OPENSSL_SK_NEW 3 .Os .Sh NAME @@ -276,7 +276,7 @@ Calling .Fn sk_new_null or .Fn sk_new , -successfuly calling +successfully calling .Fn sk_push , .Fn sk_unshift , .Fn sk_insert , diff --git a/man/PEM_ASN1_read.3 b/man/PEM_ASN1_read.3 new file mode 100644 index 00000000..53ebe5ad --- /dev/null +++ b/man/PEM_ASN1_read.3 @@ -0,0 +1,172 @@ +.\" $OpenBSD: PEM_ASN1_read.3,v 1.2 2020/07/23 17:34:53 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 23 2020 $ +.Dt PEM_ASN1_READ 3 +.Os +.Sh NAME +.Nm d2i_of_void , +.Nm PEM_ASN1_read , +.Nm PEM_ASN1_read_bio +.Nd PEM and DER decode an arbitrary ASN.1 value +.Sh SYNOPSIS +.In openssl/pem.h +.Ft typedef void * +.Fo d2i_of_void +.Fa "void **val_out" +.Fa "const unsigned char **der_in" +.Fa "long length" +.Fc +.Ft void * +.Fo PEM_ASN1_read +.Fa "d2i_of_void *d2i" +.Fa "const char *name" +.Fa "FILE *in_fp" +.Fa "void **val_out" +.Fa "pem_password_cb *cb" +.Fa "void *u" +.Fc +.Ft void * +.Fo PEM_ASN1_read_bio +.Fa "d2i_of_void *d2i" +.Fa "const char *name" +.Fa "BIO *in_bp" +.Fa "void **val_out" +.Fa "pem_password_cb *cb" +.Fa "void *u" +.Fc +.Sh DESCRIPTION +These functions read one object from +.Fa in_fp +or +.Fa in_bp +and perform both PEM and DER decoding. +They are needed when more specific decoding functions +like those documented in +.Xr PEM_read_bio_PrivateKey 3 +and +.Xr PEM_read_SSL_SESSION 3 +are inadequate for the type +.Fa name . +.Pp +For PEM decoding, +.Xr PEM_bytes_read_bio 3 +is called internally. +Consequently, the first object of type +.Fa name +is returned and preceding objects of other types are discarded. +If necessary, data is decrypted, using +.Fa cb +and/or +.Fa u +if they are not +.Dv NULL , +as described in the +.Xr pem_password_cb 3 +manual page. +.Pp +For subsequent DER decoding, pass a +.Fa d2i +callback function that is adequate for the type +.Fa name , +typically returning a pointer of a type more specific than +.Ft void * . +For example, +.Xr d2i_ASN1_TYPE 3 +can always be used and its manual page describes the required +behaviour of the callback function to be passed. +Normally, passing a more specific function is more useful; +candidate functions can be found with +.Ql man -k Nm~^d2i_ . +.Pp +For the +.Fa name +argument, the +.Dv PEM_STRING_* +string constants defined in +.In openssl/pem.h +can be used. +.Pp +The +.Fa val_out +argument is useless and its many dangers are described in detail in the +.Xr d2i_ASN1_TYPE 3 +manual page. +To reduce the risk of bugs, always passing +.Dv NULL +is recommended. +.Sh RETURN VALUES +These functions return a pointer to the decoded object or +.Dv NULL +if an error occurs. +They fail if +.Xr PEM_bytes_read_bio 3 +fails, for example because of invalid syntax in the input, an unknown +encryption, or an invalid passphrase entered by the user. +They also fail if +.Fa d2i +returns +.Dv NULL , +for example due to DER decoding errors. +.Pp +.Fn PEM_ASN1_read +may also fail if memory is exhausted. +.Sh EXAMPLES +Typical usage of +.Fn PEM_ASN1_read +is demonstrated by the implementation of the more specific function +to PEM and DER decode an X.509 certificate: +.Bd -literal -offset 2n +X509 * +PEM_read_X509(FILE *fp, X509 **val_out, pem_password_cb *cb, void *u) +{ + return PEM_ASN1_read((d2i_of_void *)d2i_X509, PEM_STRING_X509, + fp, (void **)val_out, cb, u); +} +.Ed +.Sh ERRORS +Diagnostics that can be retrieved with +.Xr ERR_get_error 3 , +.Xr ERR_GET_REASON 3 , +and +.Xr ERR_reason_error_string 3 +include: +.Bl -tag -width Ds +.It Dv ERR_R_BUF_LIB Qq "BUF lib" +.Fn PEM_ASN1_read +failed to set up a temporary BIO, +for example because memory was exhausted. +.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib" +.Fa d2i +returned +.Dv NULL , +for example due to a DER syntax error. +.El +.Pp +Additional types of errors can result from +.Xr PEM_bytes_read_bio 3 . +.Sh SEE ALSO +.Xr BIO_new 3 , +.Xr d2i_ASN1_TYPE 3 , +.Xr PEM_bytes_read_bio 3 , +.Xr PEM_read 3 , +.Xr PEM_read_bio_PrivateKey 3 , +.Xr PEM_read_SSL_SESSION 3 , +.Xr PEM_X509_INFO_read 3 +.Sh HISTORY +These functions first appeared in SSLeay 0.5.1 +and have been available since +.Ox 2.4 . diff --git a/man/PEM_X509_INFO_read.3 b/man/PEM_X509_INFO_read.3 new file mode 100644 index 00000000..4a9dc971 --- /dev/null +++ b/man/PEM_X509_INFO_read.3 @@ -0,0 +1,187 @@ +.\" $OpenBSD: PEM_X509_INFO_read.3,v 1.2 2021/03/12 05:18:00 jsg Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: March 12 2021 $ +.Dt PEM_X509_INFO_READ 3 +.Os +.Sh NAME +.Nm PEM_X509_INFO_read , +.Nm PEM_X509_INFO_read_bio +.Nd PEM and DER decode X.509 certificates, private keys, and revocation lists +.Sh SYNOPSIS +.In openssl/pem.h +.Ft STACK_OF(X509_INFO) * +.Fo PEM_X509_INFO_read +.Fa "FILE *in_fp" +.Fa "STACK_OF(X509_INFO) *sk" +.Fa "pem_password_cb *cb" +.Fa "void *u" +.Fc +.Ft STACK_OF(X509_INFO) * +.Fo PEM_X509_INFO_read_bio +.Fa "BIO *in_bp" +.Fa "STACK_OF(X509_INFO) *sk" +.Fa "pem_password_cb *cb" +.Fa "void *u" +.Fc +.Sh DESCRIPTION +These functions read zero or more objects +related to X.509 certificates from +.Fa in_fp +or +.Fa in_bp , +perform both PEM and DER decoding, +and wrap the resulting objects in newly allocated +.Vt X509_INFO +containers. +.Pp +Setting +.Fa sk +to +.Dv NULL +is recommended, in which case +a new stack is allocated, populated, and returned. +If an existing +.Fa sk +is passed in, the created +.Vt X509_INFO +objects are pushed onto that stack. +.Pp +For PEM decoding, +.Xr PEM_read_bio 3 +is used internally, implying that any non-PEM data +before, between, and after the objects is silently discarded. +.Pp +For subsequent DER decoding, +the decoding function and the field of the +.Vt X509_INFO +structure to store the new object in +are selected according to the PEM type name: +.Bl -column "TRUSTED CERTIFICATE" "d2i_PrivateKey()" "revocation list" +.It PEM type name Ta decoder Ta Vt X509_INFO No field +.It CERTIFICATE Ta Xr d2i_X509 3 Ta certificate +.It X509 CERTIFICATE Ta Xr d2i_X509 3 Ta certificate +.It TRUSTED CERTIFICATE Ta Xr d2i_X509_AUX 3 Ta certificate +.It X509 CRL Ta Xr d2i_X509_CRL 3 Ta revocation list +.It RSA PRIVATE KEY Ta Xr d2i_PrivateKey 3 Ta private key +.It DSA PRIVATE KEY Ta Xr d2i_PrivateKey 3 Ta private key +.It EC PRIVATE KEY Ta Xr d2i_PrivateKey 3 Ta private key +.El +.Pp +Whenever the selected field is already occupied, another new +.Vt X509_INFO +container is allocated and pushed onto the stack. +Depending on the sequence of objects in the input, this can result +in several partially populated +.Vt X509_INFO +containers being pushed onto the stack. +.Pp +PEM objects of types not listed in the above table are silently skipped. +.Pp +Encrypted certificates and revocation lists are decrypted by calling +.Xr PEM_do_header 3 +internally, passing through the optional arguments +.Fa cb +and +.Fa u . +Encrypted private keys are not decrypted. +Instead, the encrypted form is stored as read. +All the same, +.Xr PEM_get_EVP_CIPHER_INFO 3 +is called internally to check that PEM headers, if there are any, +are valid and specify an encryption the library is prepared to handle. +.Pp +If any error occurs, objects that had already been read +during the same call are deleted again and +.Fa sk +is left unchanged. +.Sh RETURN VALUES +These functions return a pointer to the stack +the objects read were pushed onto or +.Dv NULL +if an error occurs. +They fail if +.Xr PEM_read_bio 3 , +.Xr PEM_get_EVP_CIPHER_INFO 3 , +.Xr PEM_do_header 3 , +or DER decoding fails or if memory is exhausted. +.Sh ERRORS +Diagnostics that can be retrieved with +.Xr ERR_get_error 3 , +.Xr ERR_GET_REASON 3 , +and +.Xr ERR_reason_error_string 3 +include: +.Bl -tag -width Ds +.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib" +DER decoding of a PEM object failed. +.It Dv ERR_R_BUF_LIB Qq BUF lib +.Fn PEM_X509_INFO_read +failed to set up a temporary BIO, for example because memory was exhausted. +.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure" +.Fn PEM_X509_INFO_read_bio +failed to allocate a new +.Vt X509_INFO , +.Vt STACK_OF(X509_INFO) , +or +.Vt X509_PKEY +object. +.El +.Pp +Additional types of errors can result from +.Xr PEM_read_bio 3 , +.Xr PEM_get_EVP_CIPHER_INFO 3 , +and +.Xr PEM_do_header 3 . +.Pp +After these functions failed due to memory exhaustion, +.Xr ERR_get_error 3 +may sometimes return 0 anyway. +.Sh SEE ALSO +.Xr BIO_new 3 , +.Xr d2i_PrivateKey 3 , +.Xr d2i_X509 3 , +.Xr d2i_X509_CRL 3 , +.Xr EVP_PKEY_new 3 , +.Xr PEM_read 3 , +.Xr PEM_read_bio_PrivateKey 3 , +.Xr STACK_OF 3 , +.Xr X509_CRL_new 3 , +.Xr X509_INFO_new 3 , +.Xr X509_new 3 +.Sh HISTORY +.Fn PEM_X509_INFO_read +first appeared in SSLeay 0.5.1 and +.Fn PEM_X509_INFO_read_bio +in SSLeay 0.6.0. +Both functions have been available since +.Ox 2.4 . +.Sh CAVEATS +It is not an error +if the input does not contain any objects of the desired types. +In that case, nothing is added to +.Fa sk , +or if +.Fa sk +is +.Dv NULL , +a newly allocated, empty stack is returned. +The only way to detect this situation is by comparing +the number of objects on the stack before and after the call. +.Sh BUGS +When reaching the end of the input, these functions call +.Xr ERR_clear_error 3 , +which may hide errors that occurred before calling these functions. diff --git a/man/PEM_bytes_read_bio.3 b/man/PEM_bytes_read_bio.3 index b3cb143c..20ad6b8a 100644 --- a/man/PEM_bytes_read_bio.3 +++ b/man/PEM_bytes_read_bio.3 @@ -1,7 +1,24 @@ -.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.2 2018/03/22 21:08:22 schwarze Exp $ -.\" OpenSSL PEM_bytes_read_bio.pod 7671342e Feb 29 15:47:12 2016 -0600 +.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.6 2020/07/23 17:34:53 schwarze Exp $ +.\" selective merge up to: +.\" OpenSSL PEM_bytes_read_bio.pod 7671342e Feb 29 15:47:12 2016 -0600 .\" -.\" This file was written by Benjamin Kaduk . +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Benjamin Kaduk . .\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -48,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 22 2018 $ +.Dd $Mdocdate: July 23 2020 $ .Dt PEM_BYTES_READ_BIO 3 .Os .Sh NAME @@ -62,30 +79,32 @@ .Fa "long *plen" .Fa "char **pnm" .Fa "const char *name" -.Fa "BIO *bp" +.Fa "BIO *in_bp" .Fa "pem_password_cb *cb" .Fa "void *u" .Fc .Sh DESCRIPTION .Fn PEM_bytes_read_bio -reads PEM-formatted (RFC 1421) data from the BIO -.Fa bp -for the data type given in +reads and PEM decodes the first object of type .Fa name -(RSA PRIVATE KEY, CERTIFICATE, etc.). +.Pq e.g. RSA PRIVATE KEY, CERTIFICATE, etc.\& +from +.Fa in_bp . If multiple PEM-encoded data structures are present in the same stream, -.Fn PEM_bytes_read_bio -will skip non-matching data types and continue reading. -Non-PEM data present in the stream may cause an error. +it skips non-matching data types and continues reading. +Before reading each PEM object, lines not starting with +.Qq "-----BEGIN " +are also skipped; see +.Xr PEM_read_bio 3 +for details of PEM parsing. .Pp The PEM header may indicate that the following data is encrypted; if so, -the data will be decrypted, waiting on user input to supply a passphrase -if needed. -The password callback +the data is decrypted, optionally using .Fa cb -and rock -.Fa u -are used to obtain the decryption passphrase, if applicable. +and +.Fa u , +as described in +.Xr pem_password_cb 3 . .Pp Some data types have compatibility aliases, such as a file containing X509 CERTIFICATE matching a request for the deprecated type CERTIFICATE. @@ -107,9 +126,58 @@ The caller must free the storage pointed to by .Sh RETURN VALUES .Fn PEM_bytes_read_bio returns 1 for success or 0 for failure. +.Sh ERRORS +Diagnostics that can be retrieved with +.Xr ERR_get_error 3 , +.Xr ERR_GET_REASON 3 , +and +.Xr ERR_reason_error_string 3 +include: +.Bl -tag -width Ds +.It Dv PEM_R_NO_START_LINE Qq no start line +No more PEM objects were found in the input. +This can happen when the input contains no PEM objects at all, +or only objects that do not match the type +.Fa name . +.It Dv PEM_R_NOT_PROC_TYPE Qq not proc type +The first PEM header does not start with +.Qq "Proc-Type: " . +.It Dv PEM_R_NOT_ENCRYPTED Qq not encrypted +The Proc-Type header differs from +.Qq 4,ENCRYPTED . +.It Dv PEM_R_SHORT_HEADER Qq short header +The Proc-Type header is the last header line. +.It Dv PEM_R_NOT_DEK_INFO Qq not dek info +The second PEM header does not start with +.Qq "DEK-Info: " . +.It Dv PEM_R_UNSUPPORTED_ENCRYPTION Qq unsupported encryption +The cipher name given in the DEK-Info header is unknown to +.Xr EVP_get_cipherbyname 3 . +.It Dv PEM_R_BAD_IV_CHARS Qq "bad iv chars" +The word following the cipher name in the DEK-Info header +contains bytes that are not hexadecimal digits. +This also happens when the initialization vector is missing or too short. +.It Dv PEM_R_BAD_PASSWORD_READ Qq bad password read +.Fa cb +reported failure. +This may for example happen when the user mistypes the password. +.It Dv PEM_R_BAD_DECRYPT Qq bad decrypt +.Xr EVP_DecryptInit_ex 3 , +.Xr EVP_DecryptUpdate 3 , +or +.Xr EVP_DecryptFinal_ex 3 +failed. +.El +.Pp +Additional types of errors can result from +.Xr PEM_read_bio 3 . .Sh SEE ALSO +.Xr PEM_ASN1_read 3 , .Xr PEM_read 3 , -.Xr PEM_read_bio_PrivateKey 3 +.Xr PEM_read_bio_PrivateKey 3 , +.Xr PEM_X509_INFO_read 3 +.Sh STANDARDS +RFC 1421: Privacy Enhancement for Internet Electronic Mail (PEM), Part I .Sh HISTORY .Fn PEM_bytes_read_bio first appeared in OpenSSL 0.9.7 and has been available since diff --git a/man/PEM_read.3 b/man/PEM_read.3 index 5648aa01..df1c84ee 100644 --- a/man/PEM_read.3 +++ b/man/PEM_read.3 @@ -1,7 +1,24 @@ -.\" $OpenBSD: PEM_read.3,v 1.9 2019/06/10 14:58:48 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: PEM_read.3,v 1.13 2021/03/12 05:18:00 jsg Exp $ +.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 .\" -.\" This file was written by Viktor Dukhovni +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Viktor Dukhovni .\" and by Rich Salz . .\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. .\" @@ -49,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt PEM_READ 3 .Os .Sh NAME @@ -57,8 +74,10 @@ .Nm PEM_write_bio , .Nm PEM_read , .Nm PEM_read_bio , +.Nm PEM_get_EVP_CIPHER_INFO , .Nm PEM_do_header , -.Nm PEM_get_EVP_CIPHER_INFO +.Nm PEM_def_callback , +.Nm pem_password_cb .Nd PEM encoding routines .Sh SYNOPSIS .In openssl/pem.h @@ -107,6 +126,20 @@ .Fa "pem_password_cb *cb" .Fa "void *u" .Fc +.Ft int +.Fo PEM_def_callback +.Fa "char *password" +.Fa "int size" +.Fa "int verify" +.Fa "void *u" +.Fc +.Ft typedef int +.Fo pem_password_cb +.Fa "char *password" +.Fa "int size" +.Fa "int verify" +.Fa "void *u" +.Fc .Sh DESCRIPTION These functions read and write PEM-encoded objects, using the PEM type .Fa name , @@ -224,34 +257,83 @@ unknown or some internal error happens, 0 is returned. can then be used to decrypt the data if the header indicates encryption. The .Fa cinfo -argument is a pointer to the structure initialized by the previous call +argument is a pointer to the structure initialized by a preceding call to .Fn PEM_get_EVP_CIPHER_INFO . +If that structure indicates the absence of encryption, +.Fn PEM_do_header +returns successfully without taking any action. The .Fa data and .Fa len -arguments are those returned by the previous call to +arguments are used both to pass in the encrypted data that was +returned in the same arguments from the preceding call to .Fn PEM_read or -.Fn PEM_read_bio . +.Fn PEM_read_bio +and to pass out the decrypted data. +.Pp +The callback function +.Fa cb +is used to obtain the encryption +.Fa password ; +if +.Fa cb +is +.Dv NULL , +.Fn PEM_def_callback +is used instead. The +.Fa password +buffer needs to be at least +.Fa size +bytes long. +.Fn PEM_def_callback +silently truncates the NUL-terminated byte string +.Fa u +to at most +.Fa num +bytes and copies it into +.Fa password +without a terminating NUL byte. +If +.Fa u +is +.Dv NULL , +.Fn PEM_def_callback +instead prompts the user for the password with echoing turned off +by calling +.Xr EVP_read_pw_string_min 3 +internally. +In this case, the +.Fa size +is silently reduced to at most +.Dv BUFSIZ +and at most +.Fa size No \- 1 +bytes are accepted from the user and copied into the byte string buffer +.Fa password . +A callback function .Fa cb -and +supplied by the application may use .Fa u -arguments make it possible to override the default password prompt -function as described in -.Xr PEM_read_PrivateKey 3 . -On successful completion, the -.Fa data -is decrypted in place, and -.Fa len -is updated to indicate the plaintext length. +for a different purpose than +.Fn PEM_def_callback +does, e.g., as auxiliary data to use while acquiring the password. +For example, a GUI application might pass a window handle. +If the +.Fa verify +flag is non-zero, the user is prompted twice for the password to +make typos less likely and it is checked that both inputs agree. +This flag is not set by +.Fn PEM_do_header +nor by other read functions. .Pp If the data is a priori known to not be encrypted, then neither -.Fn PEM_do_header -nor .Fn PEM_get_EVP_CIPHER_INFO +nor +.Fn PEM_do_header need to be called. .Sh RETURN VALUES .Fn PEM_read @@ -276,12 +358,38 @@ return 1 on success or 0 on failure. The .Fa data is likely meaningless if these functions fail. +.Pp +.Fn PEM_def_callback +returns the number of bytes stored into +.Fa buf +or a negative value on failure, and +.Fa cb +is expected to behave in the same way. +If +.Fa u +is +.Dv NULL , +.Fn PEM_def_callback +fails if +.Fa num +is less than 5 +or if an error occurs trying to prompt the user for the password. +Otherwise, it fails when +.Fa num +is negative. +The details of the circumstances that cause +.Fa cb +to fail may differ. .Sh SEE ALSO .Xr crypto 3 , .Xr d2i_PKCS8PrivateKey_bio 3 , +.Xr PEM_ASN1_read 3 , .Xr PEM_bytes_read_bio 3 , .Xr PEM_read_bio_PrivateKey 3 , -.Xr PEM_write_bio_PKCS7_stream 3 +.Xr PEM_read_SSL_SESSION 3 , +.Xr PEM_write_bio_CMS_stream 3 , +.Xr PEM_write_bio_PKCS7_stream 3 , +.Xr PEM_X509_INFO_read 3 .Sh HISTORY .Fn PEM_write , .Fn PEM_read , @@ -296,3 +404,7 @@ and first appeared in SSLeay 0.6.0. These functions have been available since .Ox 2.4 . +.Pp +.Fn PEM_def_callback +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . diff --git a/man/PEM_read_bio_PrivateKey.3 b/man/PEM_read_bio_PrivateKey.3 index ca61f31f..89677a7c 100644 --- a/man/PEM_read_bio_PrivateKey.3 +++ b/man/PEM_read_bio_PrivateKey.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.15 2019/08/12 11:36:12 schwarze Exp $ +.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.19 2020/07/23 17:34:53 schwarze Exp $ .\" full merge up to: .\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100 .\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100 @@ -51,11 +51,10 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 12 2019 $ +.Dd $Mdocdate: July 23 2020 $ .Dt PEM_READ_BIO_PRIVATEKEY 3 .Os .Sh NAME -.Nm pem_password_cb , .Nm PEM_read_bio_PrivateKey , .Nm PEM_read_PrivateKey , .Nm PEM_write_bio_PrivateKey , @@ -141,17 +140,14 @@ .Nm PEM_read_bio_NETSCAPE_CERT_SEQUENCE , .Nm PEM_read_NETSCAPE_CERT_SEQUENCE , .Nm PEM_write_bio_NETSCAPE_CERT_SEQUENCE , -.Nm PEM_write_NETSCAPE_CERT_SEQUENCE +.Nm PEM_write_NETSCAPE_CERT_SEQUENCE , +.Nm PEM_read_CMS , +.Nm PEM_read_bio_CMS , +.Nm PEM_write_CMS , +.Nm PEM_write_bio_CMS .Nd PEM routines .Sh SYNOPSIS .In openssl/pem.h -.Ft typedef int -.Fo pem_password_cb -.Fa "char *buf" -.Fa "int size" -.Fa "int rwflag" -.Fa "void *u" -.Fc .Ft EVP_PKEY * .Fo PEM_read_bio_PrivateKey .Fa "BIO *bp" @@ -722,10 +718,37 @@ .Fa "FILE *fp" .Fa "NETSCAPE_CERT_SEQUENCE *x" .Fc +.In openssl/cms.h +.Ft CMS_ContentInfo * +.Fo PEM_read_CMS +.Fa "FILE *fp" +.Fa "CMS_ContentInfo **x" +.Fa "pem_password_cb *cb" +.Fa "void *u" +.Fc +.Ft CMS_ContentInfo * +.Fo PEM_read_bio_CMS +.Fa "BIO *bp" +.Fa "CMS_ContentInfo **x" +.Fa "pem_password_cb *cb" +.Fa "void *u" +.Fc +.Ft int +.Fo PEM_write_CMS +.Fa "FILE *fp" +.Fa "const CMS_ContentInfo *x" +.Fc +.Ft int +.Fo PEM_write_bio_CMS +.Fa "BIO *bp" +.Fa "const CMS_ContentInfo *x" +.Fc .Sh DESCRIPTION The PEM functions read or write structures in PEM format. In this sense PEM format is simply base64-encoded data surrounded by -header lines. +header lines; see +.Xr PEM_read 3 +for more details. .Pp For more details about the meaning of arguments see the .Sx PEM function arguments @@ -741,6 +764,9 @@ will be used to collectively refer to the and .Fn PEM_write_TYPE functions. +If no set of specific functions exists for a given type, +.Xr PEM_ASN1_read 3 +can be used instead. .Pp The .Sy PrivateKey @@ -937,6 +963,12 @@ functions process a Netscape Certificate Sequence using a .Vt NETSCAPE_CERT_SEQUENCE structure. .Pp +The +.Sy CMS +functions process a +.Vt CMS_ContentInfo +structure. +.Pp The old .Sy PrivateKey write routines are retained for compatibility. @@ -1012,10 +1044,14 @@ If this parameter is set to .Dv NULL , then the private key is written in unencrypted form. .Pp -The +The optional arguments +.Fa u +and .Fa cb -argument is the callback to use when querying for the passphrase used -for encrypted PEM structures (normally only private keys). +are a passphrase used for encrypting a PEM structure +or a callback to obtain the passphrase; see +.Xr pem_password_cb 3 +for details. .Pp For the PEM write routines, if the .Fa kstr @@ -1028,62 +1064,6 @@ bytes at are used as the passphrase and .Fa cb is ignored. -.Pp -If the -.Fa cb -parameter is set to -.Dv NULL -and the -.Fa u -parameter is not -.Dv NULL , -then the -.Fa u -parameter is interpreted as a null terminated string to use as the -passphrase. -If both -.Fa cb -and -.Fa u -are -.Dv NULL , -then the default callback routine is used, which will typically -prompt for the passphrase on the current terminal with echoing -turned off. -.Pp -The default passphrase callback is sometimes inappropriate (for example -in a GUI application) so an alternative can be supplied. -The callback routine has the following form: -.Bd -filled -offset inset -.Ft int -.Fo cb -.Fa "char *buf" -.Fa "int size" -.Fa "int rwflag" -.Fa "void *u" -.Fc -.Ed -.Pp -.Fa buf -is the buffer to write the passphrase to. -.Fa size -is the maximum length of the passphrase, i.e. the size of -.Fa buf . -.Fa rwflag -is a flag which is set to 0 when reading and 1 when writing. -A typical routine will ask the user to verify the passphrase (for -example by prompting for it twice) if -.Fa rwflag -is 1. -The -.Fa u -parameter has the same value as the -.Fa u -parameter passed to the PEM routine. -It allows arbitrary data to be passed to the callback by the application -(for example a window handle in a GUI application). -The callback must return the number of characters in the passphrase -or -1 if an error occurred. .Ss PEM encryption format This old .Sy PrivateKey @@ -1231,9 +1211,13 @@ pass_cb(char *buf, int size, int rwflag, void *u) .Sh SEE ALSO .Xr BIO_new 3 , .Xr DSA_new 3 , +.Xr PEM_ASN1_read 3 , .Xr PEM_bytes_read_bio 3 , .Xr PEM_read 3 , +.Xr PEM_read_SSL_SESSION 3 , +.Xr PEM_write_bio_CMS_stream 3 , .Xr PEM_write_bio_PKCS7_stream 3 , +.Xr PEM_X509_INFO_read 3 , .Xr RSA_new 3 , .Xr X509_CRL_new 3 , .Xr X509_REQ_new 3 , @@ -1351,6 +1335,14 @@ and .Fn PEM_write_EC_PUBKEY first appeared in OpenSSL 0.9.8 and have been available since .Ox 4.5 . +.Pp +.Fn PEM_read_CMS , +.Fn PEM_read_bio_CMS , +.Fn PEM_write_CMS , +and +.Fn PEM_write_bio_CMS +first appeared in OpenSSL 0.9.8h and have been available since +.Ox 6.7 . .Sh CAVEATS A frequent cause of problems is attempting to use the PEM routines like this: diff --git a/man/PEM_write_bio_CMS_stream.3 b/man/PEM_write_bio_CMS_stream.3 index 59568b78..0a6b4d31 100644 --- a/man/PEM_write_bio_CMS_stream.3 +++ b/man/PEM_write_bio_CMS_stream.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.3 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.4 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt PEM_WRITE_BIO_CMS_STREAM 3 .Os .Sh NAME @@ -92,4 +92,4 @@ returns 1 for success or 0 for failure. .Fn PEM_write_bio_CMS_stream first appeared in OpenSSL 1.0.0 and has been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/PEM_write_bio_PKCS7_stream.3 b/man/PEM_write_bio_PKCS7_stream.3 index 91a1a5cd..dba2a42a 100644 --- a/man/PEM_write_bio_PKCS7_stream.3 +++ b/man/PEM_write_bio_PKCS7_stream.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.9 2019/06/14 13:59:32 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.10 2020/06/03 13:41:27 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2007, 2009, 2016 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: June 3 2020 $ .Dt PEM_WRITE_BIO_PKCS7_STREAM 3 .Os .Sh NAME @@ -81,6 +81,7 @@ otherwise 0 is returned and an error code can be retrieved with .Xr BIO_new 3 , .Xr i2d_PKCS7_bio_stream 3 , .Xr PEM_write_PKCS7 3 , +.Xr PKCS7_final 3 , .Xr PKCS7_new 3 , .Xr SMIME_write_PKCS7 3 .Sh HISTORY diff --git a/man/PKCS7_add_attribute.3 b/man/PKCS7_add_attribute.3 new file mode 100644 index 00000000..4a1c350f --- /dev/null +++ b/man/PKCS7_add_attribute.3 @@ -0,0 +1,365 @@ +.\" $OpenBSD: PKCS7_add_attribute.3,v 1.3 2020/06/10 11:39:12 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 10 2020 $ +.Dt PKCS7_ADD_ATTRIBUTE 3 +.Os +.Sh NAME +.Nm PKCS7_add_attribute , +.Nm PKCS7_set_attributes , +.Nm PKCS7_get_attribute , +.Nm PKCS7_add_signed_attribute , +.Nm PKCS7_set_signed_attributes , +.Nm PKCS7_get_signed_attribute , +.Nm PKCS7_add_attrib_content_type , +.Nm PKCS7_add1_attrib_digest , +.Nm PKCS7_add0_attrib_signing_time , +.Nm PKCS7_add_attrib_smimecap +.Nd attributes of SignerInfo objects +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft int +.Fo PKCS7_add_attribute +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "int nid" +.Fa "int attrtype" +.Fa "void *value" +.Fc +.Ft int +.Fo PKCS7_set_attributes +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "STACK_OF(X509_ATTRIBUTE) *sk" +.Fc +.Ft ASN1_TYPE * +.Fo PKCS7_get_attribute +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "int nid" +.Fc +.Ft int +.Fo PKCS7_add_signed_attribute +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "int nid" +.Fa "int attrtype" +.Fa "void *value" +.Fc +.Ft int +.Fo PKCS7_set_signed_attributes +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "STACK_OF(X509_ATTRIBUTE) *sk" +.Fc +.Ft ASN1_TYPE * +.Fo PKCS7_get_signed_attribute +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "int nid" +.Fc +.Ft int +.Fo PKCS7_add_attrib_content_type +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "ASN1_OBJECT *coid" +.Fc +.Ft int +.Fo PKCS7_add1_attrib_digest +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "const unsigned char *md" +.Fa "int mdlen" +.Fc +.Ft int +.Fo PKCS7_add0_attrib_signing_time +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "ASN1_TIME *t" +.Fc +.Ft int +.Fo PKCS7_add_attrib_smimecap +.Fa "PKCS7_SIGNER_INFO *si" +.Fa "STACK_OF(X509_ALGOR) *cap" +.Fc +.Sh DESCRIPTION +.Fn PKCS7_add_attribute +appends a new attribute of type +.Fa nid +to the +.Fa unauthenticatedAttributes +list of +.Fa si , +and it adds a new ASN.1 ANY object of type +.Fa attrtype +with the given +.Fa value +to the new attribute. +Ownership of the +.Fa value +is transferred into the new attribute object, so the calling code +must not +.Xr free 3 +the +.Fa value . +If the list already contains an unauthenticated attribute of type +.Fa nid +before the call, the new attribute replaces the old one +instead of being appended to the end of the list. +.Pp +.Fn PKCS7_set_attributes +frees the +.Fa unauthenticatedAttributes +list of +.Fa si +and all the attributes contained in it and replaces it with a deep copy of +.Fa sk . +.Pp +.Fn PKCS7_get_attribute +retrieves the first ASN.1 ANY member of the attribute of type +.Fa nid +from the +.Fa unauthenticatedAttributes +list of +.Fa si . +.Pp +The behaviour of +.Fn PKCS7_add_signed_attribute , +.Fn PKCS7_set_signed_attributes , +and +.Fn PKCS7_get_signed_attribute +is identical except that they operate on the list of +.Fa authenticatedAttributes . +.Pp +The normal way to use +.Fn PKCS7_add_signed_attribute +is to first create a +.Vt SignedInfo +object with +.Xr PKCS7_sign 3 +using the +.Dv PKCS7_PARTIAL +or +.Dv PKCS7_STREAM +flag, retrieve the +.Vt PKCS7_SIGNER_INFO +object with +.Xr PKCS7_get_signer_info 3 +or add an additional one with +.Xr PKCS7_sign_add_signer 3 , +call +.Fn PKCS7_add_signed_attribute +for each desired additional attribute, then do the signing with +.Xr PKCS7_final 3 +or with another finalizing function. +.Pp +The four remaining functions are wrappers around +.Fn PKCS7_add_signed_attribute . +.Pp +.Fn PKCS7_add_attrib_content_type +sets the +.Dv NID_pkcs9_contentType +attribute to +.Fa coid , +which specifies the content type of the +.Vt ContentInfo +value to be signed. +This attribute is mandatory and automatically added by +.Xr PKCS7_sign 3 +and +.Xr PKCS7_sign_add_signer 3 +unless the +.Dv PKCS7_NOATTR +flag is present. +Objects suitable as +.Fa coid +arguments can for example be obtained with +.Xr OBJ_nid2obj 3 . +If +.Fa coid +is +.Dv NULL , +the content type defaults to +.Dv NID_pkcs7_data . +.Pp +.Fn PKCS7_add1_attrib_digest +sets or replaces the +.Dv NID_pkcs9_messageDigest +attribute, which is the message digest of the contents octets +of the DER-encoding of the content field of the +.Vt ContentInfo +value being signed, to a copy of +.Fa md , +which is assumed to be +.Fa mdlen +bytes long. +If +.Fa mdlen +is -1, then +.Fn strlen md +is used instead of +.Fa mdlen . +This attribute is mandatory and automatically added by +.Xr PKCS7_dataFinal 3 +and +.Xr PKCS7_final 3 . +.Pp +.Fn PKCS7_add0_attrib_signing_time +sets or replaces the optional +.Dv NID_pkcs9_signingTime +attribute to +.Fa t , +specifying the time at which the signer performed the signing process. +Ownership of +.Fa t +is transferred into the new attribute object, so the calling code +must not +.Xr free 3 +.Fa t . +If +.Fa t +is +.Dv NULL , +a new +.Vt ASN1_TIME +structure is allocated. +This attribute is automatically added by +.Xr PKCS7_dataFinal 3 +and +.Xr PKCS7_final 3 . +.Pp +.Fn PKCS7_add_attrib_smimecap +sets or replaces the optional +.Dv NID_SMIMECapabilities +attribute, indicating algorithms the sender is prepared to handle. +The +.Fa cap +pointer is not stored in the new attribute object and can be passed to +.Fn sk_X509_ALGOR_pop_free +after the call. +This attribute is automatically added by +.Xr PKCS7_sign 3 +and +.Xr PKCS7_sign_add_signer 3 +unless the +.Dv PKCS7_NOATTR +or +.Dv PKCS7_NOSMIMECAP +flag is present. +.Sh RETURN VALUES +.Fn PKCS7_add_attribute , +.Fn PKCS7_set_attributes , +.Fn PKCS7_add_signed_attribute , +.Fn PKCS7_set_signed_attributes , +.Fn PKCS7_add_attrib_content_type , +.Fn PKCS7_add1_attrib_digest , +.Fn PKCS7_add0_attrib_signing_time , +and +.Fn PKCS7_add_attrib_smimecap +return 1 on success or 0 on failure. +The most common reason for failure is lack of memory. +.Fn PKCS7_add_attribute +and +.Fn PKCS7_add_signed_attribute +also fail if +.Fa nid +is invalid, and +.Fn PKCS7_add_attrib_content_type +if +.Fa si +already contains an authenticated attribute of type +.Dv NID_pkcs9_contentType . +.Pp +.Fn PKCS7_get_attribute +and +.Fn PKCS7_get_signed_attribute +return an internal pointer to an ASN.1 ANY object or +.Dv NULL +on failure. +They fail if +.Fa nid +is invalid, if the respective list in +.Fa si +contains no attribute of the requested type, or if an invalid element +is found in the list before finding the attribute of the requested type. +.Sh SEE ALSO +.Xr ASN1_TIME_new 3 , +.Xr ASN1_TYPE_new 3 , +.Xr OBJ_nid2obj 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_get_signer_info 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_sign 3 , +.Xr PKCS7_sign_add_signer 3 , +.Xr STACK_OF 3 , +.Xr X509_ALGOR_new 3 , +.Xr X509_ATTRIBUTE_new 3 +.Sh STANDARDS +RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5, +section 9.2: SignerInfo type +.Pp +RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0, +section 5.3: Attribute types for use in PKCS #7 data +and section 5.6: Attributes defined in S/MIME +.Pp +RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME) +Version 4.0 Message Specification, +section 2.5.2: SMIMECapabilities Attribute +.Sh HISTORY +.Fn PKCS7_add_attribute , +.Fn PKCS7_set_attributes , +.Fn PKCS7_get_attribute , +.Fn PKCS7_add_signed_attribute , +.Fn PKCS7_set_signed_attributes , +and +.Fn PKCS7_get_signed_attribute +first appeared in OpenSSL 0.9.1 and have been available since +.Ox 2.6 . +.Pp +.Fn PKCS7_add_attrib_smimecap +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . +.Pp +.Fn PKCS7_add_attrib_content_type , +.Fn PKCS7_add1_attrib_digest , +and +.Fn PKCS7_add0_attrib_signing_time +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . +.Sh CAVEATS +.Fn PKCS7_set_signed_attributes +does not validate that +.Fa sk +contains the PKCS #9 content type and message digest attributes +required by RFC 2315. +It succeeds even when +.Fa sk +is empty, leaving +.Fa si +in a state that violates the standard. +.Pp +.Fn PKCS7_add0_attrib_signing_time +does not validate +.Fa t +in any way. +In particular, it may set the signing time to the future +or to the remote past. +.Sh BUGS +A function to remove individual attributes from these lists +does not appear to exist. +A program desiring to do that might have to manually iterate the fields +.Fa auth_attr +and +.Fa unauth_attr +of +.Fa si , +which are both of type +.Vt STACK_OF(X509_ATTRIBUTE) , +using the facilities described in +.Xr STACK_OF 3 +and +.Xr OPENSSL_sk_new 3 . diff --git a/man/PKCS7_dataFinal.3 b/man/PKCS7_dataFinal.3 new file mode 100644 index 00000000..e2e088d9 --- /dev/null +++ b/man/PKCS7_dataFinal.3 @@ -0,0 +1,158 @@ +.\" $OpenBSD: PKCS7_dataFinal.3,v 1.2 2020/06/03 13:41:27 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 3 2020 $ +.Dt PKCS7_DATAFINAL 3 +.Os +.Sh NAME +.Nm PKCS7_dataFinal +.Nd move data from a BIO chain to a ContentInfo object +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft int +.Fo PKCS7_dataFinal +.Fa "PKCS7 *p7" +.Fa "BIO *chain" +.Fc +.Sh DESCRIPTION +.Fn PKCS7_dataFinal +transfers the data from the memory BIO at the end of the given +.Fa chain +into the appropriate content field of +.Fa p7 +itself or of its appropriate substructure. +It is typically used as the final step of populating +.Fa p7 , +after creating the +.Fa chain +with +.Xr PKCS7_dataInit 3 +and after writing the data into it. +.Pp +After calling +.Fn PKCS7_dataFinal , +the program can call +.Xr BIO_free_all 3 +on the +.Fa chain +because such chains are not designed for reuse. +.Pp +Depending on the +.Fa contentType +of +.Fa p7 , +.Fn PKCS7_dataFinal +sets the following fields: +.Bl -tag -width Ds +.It for Vt SignedData No or Vt DigestedData : +in substructures of the +.Fa content +field of +.Fa p7 : +the +.Fa content +field in the +.Vt ContentInfo +structure (unless +.Fa p7 +is configured to store a detached signature) and the +.Fa encryptedDigest +fields in all the +.Vt SignerInfo +structures +.It for Vt EnvelopedData No or Vt SignedAndEnvelopedData : +the +.Fa encryptedContent +field in the +.Vt EncryptedContentInfo +structure contained in the +.Fa content +field of +.Fa p7 +.It for arbitrary data : +the +.Fa content +field of +.Fa p7 +itself +.El +.Sh RETURN VALUES +.Fn PKCS7_dataFinal +returns 1 on success or 0 on failure. +.Pp +Possible reasons for failure include: +.Pp +.Bl -dash -compact -offset 2n -width 1n +.It +.Fa p7 +is +.Dv NULL . +.It +The +.Fa content +field of +.Fa p7 +is empty. +.It +The +.Fa contentType +of +.Fa p7 +is unsupported. +.It +The +.Fa chain +does not contain the expected memory BIO. +.It +Signing or digesting is requested and +.Fa p7 +is not configured to store a detached signature, +but does not contain the required field to store the content either. +.It +At least one signer lacks a useable digest algorithm. +.It +Signing or digesting fails. +.It +Memory allocation fails. +.El +.Pp +Signers lacking private keys do not cause failure +but are silently skipped. +.Sh SEE ALSO +.Xr BIO_new 3 , +.Xr PKCS7_dataInit 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_sign 3 +.Sh HISTORY +.Fn PKCS7_dataFinal +first appeared in SSLeay 0.9.1 and has been available since +.Ox 2.6 . +.Sh CAVEATS +This function does not support +.Vt EncryptedData . +.Pp +Even though this function is typically used after +.Xr PKCS7_dataInit 3 +and even though +.Xr PKCS7_dataInit 3 +also supports reading from +.Vt ContentInfo +structures that are already fully populated, do not use +.Fn PKCS7_dataFinal +on fully populated structures. +It is only intended for putting data into new structures +and it is neither needed nor suitable for reading. diff --git a/man/PKCS7_dataInit.3 b/man/PKCS7_dataInit.3 new file mode 100644 index 00000000..cb54d3f9 --- /dev/null +++ b/man/PKCS7_dataInit.3 @@ -0,0 +1,226 @@ +.\" $OpenBSD: PKCS7_dataInit.3,v 1.2 2020/06/03 13:41:27 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 3 2020 $ +.Dt PKCS7_DATAINIT 3 +.Os +.Sh NAME +.Nm PKCS7_dataInit +.Nd construct a BIO chain for adding or retrieving content +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft BIO * +.Fo PKCS7_dataInit +.Fa "PKCS7 *p7" +.Fa "BIO *indata" +.Fc +.Sh DESCRIPTION +.Fn PKCS7_dataInit +constructs a BIO chain in preparation for putting data into +or retrieving data out of +.Fa p7 . +Depending on the +.Fa contentType +of +.Fa p7 , +the created chain starts with: +.Bl -tag -width Ds +.It for Vt SignedData : +one or more +.Xr BIO_f_md 3 +message digest filters +.It for Vt EnvelopedData : +one +.Xr BIO_f_cipher 3 +encryption filter +.It for Vt SignedAndEnvelopedData : +one or more +.Xr BIO_f_md 3 +message digest filters followed by one +.Xr BIO_f_cipher 3 +encryption filter +.It for Vt DigestedData : +one +.Xr BIO_f_md 3 +message digest filter +.It for arbitrary data : +no filter BIO +.El +.Pp +One additional BIO is appended to the end of the chain, +depending on the first condition that holds in the following list: +.Bl -tag -width Ds +.It Fa indata +if the +.Fa indata +argument is not +.Dv NULL . +This only makes sense while verifying a detached signature, in which case +.Fa indata +is expected to supply the content associated with the detached signature. +.It Xr BIO_s_null 3 +if the +.Fa contentType +of +.Fa p7 +is +.Vt SignedData +and it is configured to contain a detached signature. +This only makes sense while creating the detached signature. +.It Xr BIO_new_mem_buf 3 +when reading from a +.Vt SignedData +or +.Vt DigestedData +object. +.Fn PKCS7_dataInit +attaches the end of the chain to the nested content of +.Fa p7 . +.It Xr BIO_s_mem 3 +otherwise. +This is the most common case while writing data to +.Fa p7 . +.Xr PKCS7_dataFinal 3 +can later be used to transfer the data from the memory BIO into +.Fa p7 . +.El +.Ss Adding content +Before calling +.Fn PKCS7_dataInit +in order to add content, +.Xr PKCS7_new 3 , +.Xr PKCS7_set_type 3 , +and +.Xr PKCS7_content_new 3 +are typically required to create +.Fa p7 , +to choose its desired type, and to allocate the nested +.Vt ContentInfo +structure. +Alternatively, for +.Vt SignedData , +.Xr PKCS7_sign 3 +can be used with the +.Dv PKCS7_PARTIAL +or +.Dv PKCS7_STREAM +.Fa flags +or for +.Vt EnvelopedData , +.Xr PKCS7_encrypt 3 +with the +.Dv PKCS7_STREAM +flag. +.Pp +After calling +.Fn PKCS7_dataInit , +the desired data can be written into the returned +.Vt BIO , +.Xr BIO_flush 3 +can be called on it, +.Xr PKCS7_dataFinal 3 +can be used to transfer the processed data +from the returned memory BIO to the +.Fa p7 +structure, and the chain can finally be destroyed with +.Xr BIO_free_all 3 . +.Pp +While +.Fn PKCS7_dataInit +does support the +.Vt EnvelopedData +and +.Vt SignedAndEnvelopedData +types, using it for these types is awkward and error prone +except when using +.Xr PKCS7_encrypt 3 +for the setup because +.Xr PKCS7_content_new 3 +does not support these two types. +So in addition to creating +.Fa p7 +itself and setting its type, the nested +.Fa ContentInfo +structure also needs to be constructed with +.Xr PKCS7_new 3 +and +.Xr PKCS7_set_type 3 +and manually inserted into the correct field +of the respective sub-structure of +.Fa p7 . +.Ss Retrieving content +.Fn PKCS7_dataInit +can also be called on a fully populated object of type +.Vt SignedData +or +.Vt DigestedData . +After that, +.Xr BIO_read 3 +can be used to retrieve data from it. +In this use case, do not call +.Xr PKCS7_dataFinal 3 ; +simply proceed directly to +.Xr BIO_free_all 3 +after reading the data. +.Sh RETURN VALUES +.Fn PKCS7_dataInit +returns a BIO chain on success or +.Dv NULL +on failure. +It fails if +.Fa p7 +is +.Dv NULL , +if the +.Fa content +field of +.Fa p7 +is empty, if the +.Fa contentType +of +.Fa p7 +is unsupported, if a cipher is required but none is configured, or +if any required operation fails, for example due to lack of memory +or for various other reasons. +.Sh SEE ALSO +.Xr BIO_new 3 , +.Xr BIO_read 3 , +.Xr PKCS7_content_new 3 , +.Xr PKCS7_dataFinal 3 , +.Xr PKCS7_encrypt 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_set_type 3 , +.Xr PKCS7_sign 3 +.Sh HISTORY +.Fn PKCS7_dataInit +first appeared in SSLeay 0.8.1 and has been available since +.Ox 2.4 . +.Sh CAVEATS +This function does not support +.Vt EncryptedData . +.Sh BUGS +If +.Fa p7 +is a fully populated structure containing +.Vt EnvelopedData , +.Vt SignedAndEnvelopedData , +or arbitrary data, +.Fn PKCS7_dataInit +returns a BIO chain that ultimately reads from an empty memory BIO, +so reading from it will instantly return an end-of-file indication +rather than reading the actual data contained in +.Fa p7 . diff --git a/man/PKCS7_encrypt.3 b/man/PKCS7_encrypt.3 index 4d1b435f..700498a1 100644 --- a/man/PKCS7_encrypt.3 +++ b/man/PKCS7_encrypt.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: PKCS7_encrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: PKCS7_encrypt.3,v 1.11 2020/06/03 13:41:27 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2002, 2006, 2007, 2008, 2009 The OpenSSL Project. @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: June 3 2020 $ .Dt PKCS7_ENCRYPT 3 .Os .Sh NAME @@ -133,11 +133,12 @@ properly finalize the .Vt PKCS7 structure will give unpredictable results. .Pp -Several functions, including +Several functions including +.Xr PKCS7_final 3 , .Xr SMIME_write_PKCS7 3 , -.Xr i2d_PKCS7_bio_stream 3 , -and .Xr PEM_write_bio_PKCS7_stream 3 , +and +.Xr i2d_PKCS7_bio_stream 3 finalize the structure. Alternatively finalization can be performed by obtaining the streaming ASN.1 @@ -155,6 +156,7 @@ The error can be obtained from .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr PKCS7_decrypt 3 , +.Xr PKCS7_final 3 , .Xr PKCS7_new 3 , .Xr PKCS7_sign 3 .Sh HISTORY diff --git a/man/PKCS7_final.3 b/man/PKCS7_final.3 new file mode 100644 index 00000000..7c9e5152 --- /dev/null +++ b/man/PKCS7_final.3 @@ -0,0 +1,202 @@ +.\" $OpenBSD: PKCS7_final.3,v 1.2 2020/06/04 10:24:27 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 4 2020 $ +.Dt PKCS7_FINAL 3 +.Os +.Sh NAME +.Nm PKCS7_final +.Nd read data from a BIO into a ContentInfo object +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft int +.Fo PKCS7_final +.Fa "PKCS7 *p7" +.Fa "BIO *data" +.Fa "int flags" +.Fc +.Sh DESCRIPTION +.Fn PKCS7_final +reads +.Fa data +and puts it into the appropriate content field of +.Fa p7 +itself or of its appropriate substructure, which can be of type +.Vt SignedData , +.Vt EnvelopedData , +.Vt SignedAndEnvelopedData , +.Vt DigestedData , +or arbitrary data. +The +.Xr PKCS7_dataFinal 3 +manual explains which field exactly the data is put into. +.Pp +The following +.Fa flags +are recognized: +.Bl -tag -width PKCS7_BINARY +.It Dv PKCS7_BINARY +Copy the data verbatim without changing any bytes. +By default, line endings are replaced with two-byte +.Qq \er\en +sequences (ASCII CR+LF). +If this flag is set, +.Dv PKCS7_TEXT +is ignored. +.It Dv PKCS7_TEXT +Prepend +.Qq Content-Type: text/plain +followed by a blank line to the data. +This flag is ignored if +.Dv PKCS7_BINARY +is also set. +.El +.Pp +If any other bits are set in +.Fa flags , +for example +.Dv PKCS7_STREAM +or +.Dv PKCS7_PARTIAL , +they are ignored, allowing to pass the same +.Fa flags +argument that was already passed to +.Xr PKCS7_sign 3 +or +.Xr PKCS7_encrypt 3 . +.Pp +.Fn PKCS7_final +is most commonly used to finalize a +.Fa p7 +object returned from a call to +.Xr PKCS7_sign 3 +that used +.Fa flags +including +.Dv PKCS7_PARTIAL +or +.Dv PKCS7_STREAM . +With these flags, +.Xr PKCS7_sign 3 +ignores its +.Fa data +argument. +The partial +.Fa p7 +object returned can then be customized, for example setting up +multiple signers or non-default digest algorithms with +.Xr PKCS7_sign_add_signer 3 , +before calling +.Fn PKCS7_final . +.Pp +Similarly, +.Fn PKCS7_final +can be used to finalize a +.Fa p7 +object returned from a call to +.Xr PKCS7_encrypt 3 +that used +.Fa flags +including +.Dv PKCS7_STREAM . +.Pp +Since +.Fn PKCS7_final +starts by calling +.Xr PKCS7_dataInit 3 +internally, using it to finalize a +.Fa p7 +object containing +.Vt SignedAndEnvelopedData , +.Vt DigestedData , +or arbitrary data requires the setup described in the +.Xr PKCS7_dataInit 3 +manual. +For +.Vt SignedData +and +.Vt EnvelopedData , +such manual setup is also feasible, but it is more easily performed with +.Xr PKCS7_sign 3 +or +.Xr PKCS7_encrypt 3 , +respectively. +.Pp +.Fn PKCS7_final +is only one among several functions that can be used to finalize +.Fa p7 ; +alternatives include +.Xr SMIME_write_PKCS7 3 , +.Xr PEM_write_bio_PKCS7_stream 3 , +and +.Xr i2d_PKCS7_bio_stream 3 . +.Sh RETURN VALUES +.Fn PKCS7_final +returns 1 on success or 0 on failure. +.Pp +Possible reasons for failure include: +.Pp +.Bl -dash -compact -offset 2n -width 1n +.It +.Fa p7 +is +.Dv NULL . +.It +The +.Fa content +field of +.Fa p7 +is empty. +.It +The +.Fa contentType +of +.Fa p7 +is unsupported. +.It +Signing or digesting is requested and +.Fa p7 +is not configured to store a detached signature, but does not contain +the required field to store the content either. +.It +At least one signer lacks a useable digest algorithm. +.It +A cipher is required but none is configured. +.It +Any required operation fails, for example signing or digesting. +.It +Memory allocation fails. +.El +.Pp +Signers lacking private keys do not cause failure but are silently skipped. +.Sh SEE ALSO +.Xr BIO_new 3 , +.Xr i2d_PKCS7_bio_stream 3 , +.Xr PEM_write_bio_PKCS7_stream 3 , +.Xr PKCS7_add_attribute 3 , +.Xr PKCS7_dataFinal 3 , +.Xr PKCS7_dataInit 3 , +.Xr PKCS7_encrypt 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_sign 3 , +.Xr SMIME_write_PKCS7 3 +.Sh HISTORY +.Fn PKCS7_final +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . +.Sh CAVEATS +This function does not support +.Vt EncryptedData . diff --git a/man/PKCS7_get_signer_info.3 b/man/PKCS7_get_signer_info.3 new file mode 100644 index 00000000..280f373e --- /dev/null +++ b/man/PKCS7_get_signer_info.3 @@ -0,0 +1,62 @@ +.\" $OpenBSD: PKCS7_get_signer_info.3,v 1.1 2020/06/10 11:43:08 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 10 2020 $ +.Dt PKCS7_GET_SIGNER_INFO 3 +.Os +.Sh NAME +.Nm PKCS7_get_signer_info +.Nd retrieve signerInfos from a SignedData object +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft STACK_OF(PKCS7_SIGNER_INFO) * +.Fn PKCS7_get_signer_info "PKCS7 *p7" +.Sh DESCRIPTION +This function retrieves the set of +.Vt SignerInfo +structures from the +.Fa signerInfos +field of +.Fa p7 . +.Pp +These can subsequently be manipulated with the functions documented in +.Xr PKCS7_add_attribute 3 . +.Sh RETURN VALUES +.Fn PKCS7_get_signer_info +returns an internal pointer to a +.Vt STACK_OF(PKCS7_SIGNER_INFO) +object or +.Dv NULL +on failure. +It fails if +.Fa p7 +is +.Dv NULL , +if it has no content, +or if it is of a type other than +.Vt SignedData +or +.Vt SignedAndEnvelopedData . +.Sh SEE ALSO +.Xr PKCS7_add_attribute 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_sign 3 , +.Xr PKCS7_sign_add_signer 3 +.Sh HISTORY +.Fn PKCS7_get_signer_info +first appeared in SSLeay 0.8.1 and has been available since +.Ox 2.4 . diff --git a/man/PKCS7_new.3 b/man/PKCS7_new.3 index d77ab73f..151261a3 100644 --- a/man/PKCS7_new.3 +++ b/man/PKCS7_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_new.3,v 1.6 2019/06/10 09:49:48 schwarze Exp $ +.\" $OpenBSD: PKCS7_new.3,v 1.12 2020/06/10 11:43:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: June 10 2020 $ .Dt PKCS7_NEW 3 .Os .Sh NAME @@ -246,9 +246,16 @@ frees .Xr i2d_PKCS7_bio_stream 3 , .Xr PEM_read_PKCS7 3 , .Xr PEM_write_bio_PKCS7_stream 3 , +.Xr PKCS7_add_attribute 3 , +.Xr PKCS7_dataFinal 3 , +.Xr PKCS7_dataInit 3 , .Xr PKCS7_decrypt 3 , .Xr PKCS7_encrypt 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_get_signer_info 3 , .Xr PKCS7_ISSUER_AND_SERIAL_digest 3 , +.Xr PKCS7_set_content 3 , +.Xr PKCS7_set_type 3 , .Xr PKCS7_sign 3 , .Xr PKCS7_sign_add_signer 3 , .Xr PKCS7_verify 3 , diff --git a/man/PKCS7_set_content.3 b/man/PKCS7_set_content.3 new file mode 100644 index 00000000..fa057341 --- /dev/null +++ b/man/PKCS7_set_content.3 @@ -0,0 +1,120 @@ +.\" $OpenBSD: PKCS7_set_content.3,v 1.2 2020/05/24 12:37:30 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: May 24 2020 $ +.Dt PKCS7_SET_CONTENT 3 +.Os +.Sh NAME +.Nm PKCS7_set_content , +.Nm PKCS7_content_new +.Nd set the nested contentInfo in a PKCS#7 structure +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft int +.Fo PKCS7_set_content +.Fa "PKCS7 *outer" +.Fa "PKCS7 *inner" +.Fc +.Ft int +.Fo PKCS7_content_new +.Fa "PKCS7 *outer" +.Fa "int inner_type" +.Fc +.Sh DESCRIPTION +If the +.Fa contentType +of the +.Fa outer +PKCS7 structure is +.Vt SignedData +or +.Vt DigestedData , +.Fn PKCS7_set_content +sets the +.Fa contentInfo +field of the +.Fa content +field of +.Fa outer +to +.Fa inner , +without copying +.Fa inner . +If there was previous +.Fa contentInfo , +it is freed rather than overwritten. +The rest of the internal state of +.Fa outer +and of its +.Fa content +remains unchanged. +.Pp +.Fn PKCS7_content_new +is similar except that it first allocates and initializes a new, empty +.Fa inner +object of the given +.Fa inner_type +using +.Xr PKCS7_new 3 +and +.Xr PKCS7_set_type 3 . +The +.Fa inner_type +can be any of the NIDs listed in the +.Xr PKCS7_set_type 3 +manual. +.Sh RETURN VALUES +These functions return 1 on success or 0 on failure. +They fail if the +.Fa contentType +of +.Fa outer +is unsupported. +.Fn PKCS7_content_new +can also fail when memory is exhausted. +In case of failure, +.Fa outer +remains unchanged. +.Sh SEE ALSO +.Xr PKCS7_dataInit 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_set_type 3 , +.Xr PKCS7_sign 3 +.Sh STANDARDS +RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 +.Bl -bullet -compact -offset 1n -width 1n +.It +Section 7. General syntax +.It +Section 9. Signed-data content type +.It +Section 12.\& Digested-data content type +.El +.Sh HISTORY +These functions first appeared in SSLeay 0.8.1 +and have been available since +.Ox 2.4 . +.Sh CAVEATS +Despite the function names, these functions do not set the +.Fa content +field of +.Fa outer , +but only the +.Fa contentInfo +field inside it. +The rest of the +.Fa content +remains unchanged. diff --git a/man/PKCS7_set_type.3 b/man/PKCS7_set_type.3 new file mode 100644 index 00000000..f414b128 --- /dev/null +++ b/man/PKCS7_set_type.3 @@ -0,0 +1,119 @@ +.\" $OpenBSD: PKCS7_set_type.3,v 1.2 2020/05/20 11:40:26 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: May 20 2020 $ +.Dt PKCS7_SET_TYPE 3 +.Os +.Sh NAME +.Nm PKCS7_set_type , +.Nm PKCS7_set0_type_other +.Nd initialize type of PKCS#7 ContentInfo +.Sh SYNOPSIS +.In openssl/pkcs7.h +.Ft int +.Fo PKCS7_set_type +.Fa "PKCS7 *p7" +.Fa "int type" +.Fc +.Ft int +.Fo PKCS7_set0_type_other +.Fa "PKCS7 *p7" +.Fa "int type" +.Fa "ASN1_TYPE *content" +.Fc +.Sh DESCRIPTION +These functions set the +.Fa type +of an unused +.Vt ContentInfo +structure +.Fa p7 . +.Pp +The function +.Fn PKCS7_set_type +also allocates and initializes an empty child object in +.Fa p7 . +The +.Fa type +argument can be any of these NIDs, +creating a child object of the indicated data type: +.Pp +.Bl -column NID_pkcs7_signedAndEnveloped PKCS7_SIGN_ENVELOPE n.a. -compact +.It Fa type No argument Ta data type of child Ta version +.It Dv NID_pkcs7_data Ta Vt ASN1_OCTET_STRING Ta n.a. +.It Dv NID_pkcs7_digest Ta Vt PKCS7_DIGEST Ta 0 +.It Dv NID_pkcs7_encrypted Ta Vt PKCS7_ENCRYPT Ta 0 +.It Dv NID_pkcs7_enveloped Ta Vt PKCS7_ENVELOPE Ta 0 +.It Dv NID_pkcs7_signed Ta Vt PKCS7_SIGNED Ta 1 +.It Dv NID_pkcs7_signedAndEnveloped Ta Vt PKCS7_SIGN_ENVELOPE Ta 1 +.El +.Pp +If the provided +.Fa type +is invalid, +.Fa p7 +remains unchanged and +.Fn PKCS7_set_type +fails. +.Pp +If memory allocation fails, +.Fn PKCS7_set_type +fails and +.Fa p7 +may remain in an inconsistent state. +.Pp +The function +.Fn PKCS7_set0_type_other +accepts an arbitrary NID as the +.Fa type +and also sets the +.Fa content , +neither checking it in any way nor copying it. +.Pp +For both functions, the rest of the internal state of +.Fa p7 +remains unchanged. +.Sh RETURN VALUES +The function +.Fn PKCS7_set_type +returns 1 on success or 0 on failure. +.Pp +The function +.Fn PKCS7_set0_type_other +does no error handling at all and always returns 1. +.Sh SEE ALSO +.Xr ASN1_OCTET_STRING_new 3 , +.Xr ASN1_TYPE_new 3 , +.Xr PKCS7_encrypt 3 , +.Xr PKCS7_new 3 , +.Xr PKCS7_set_content 3 , +.Xr PKCS7_sign 3 +.Sh HISTORY +The function +.Fn PKCS7_set_type +first appeared in SSLeay 0.8.1 and +.Fn PKCS7_set0_type_other +in OpenSSL 0.9.8. +Both have been available since +.Ox 2.4 . +.Sh CAVEATS +If +.Fa p7 +has already been in use before being passed to one of these functions, +it will report success even though it leaks memory. +Later on, if other functions try to use +.Fa p7 +in its former role, they are likely to misbehave. diff --git a/man/PKCS7_sign.3 b/man/PKCS7_sign.3 index a04e800c..37257e60 100644 --- a/man/PKCS7_sign.3 +++ b/man/PKCS7_sign.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: PKCS7_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: PKCS7_sign.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2002, 2003, 2006-2009, 2015 The OpenSSL Project. @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: June 10 2020 $ .Dt PKCS7_SIGN 3 .Os .Sh NAME @@ -166,11 +166,12 @@ properly finalize the .Vt PKCS7 structure will give unpredictable results. .Pp -Several functions, including +Several functions including +.Xr PKCS7_final 3 , .Xr SMIME_write_PKCS7 3 , -.Xr i2d_PKCS7_bio_stream 3 , -and .Xr PEM_write_bio_PKCS7_stream 3 , +and +.Xr i2d_PKCS7_bio_stream 3 finalize the structure. Alternatively finalization can be performed by obtaining the streaming ASN.1 @@ -195,8 +196,10 @@ if the .Dv PKCS7_PARTIAL flag is set. One or more signers can be added using the function -.Xr PKCS7_sign_add_signer 3 . -.Fn PKCS7_final +.Xr PKCS7_sign_add_signer 3 +and attributes can be added using the functions described in +.Xr PKCS7_add_attribute 3 . +.Xr PKCS7_final 3 must also be called to finalize the structure if streaming is not enabled. Alternative signing digests can also be specified using this method. @@ -227,7 +230,10 @@ if an error occurred. The error can be obtained from .Xr ERR_get_error 3 . .Sh SEE ALSO +.Xr PKCS7_add_attribute 3 , .Xr PKCS7_encrypt 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_get_signer_info 3 , .Xr PKCS7_new 3 , .Xr PKCS7_sign_add_signer 3 , .Xr PKCS7_verify 3 diff --git a/man/PKCS7_sign_add_signer.3 b/man/PKCS7_sign_add_signer.3 index 41d57c2c..195d6388 100644 --- a/man/PKCS7_sign_add_signer.3 +++ b/man/PKCS7_sign_add_signer.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.10 2019/06/14 13:59:32 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2007, 2008, 2009, 2015 The OpenSSL Project. @@ -49,12 +49,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: June 10 2020 $ .Dt PKCS7_SIGN_ADD_SIGNER 3 .Os .Sh NAME .Nm PKCS7_sign_add_signer -.Nd add a signer PKCS7 signed data structure +.Nd add a signer to a SignedData structure .Sh SYNOPSIS .In openssl/pkcs7.h .Ft PKCS7_SIGNER_INFO * @@ -100,7 +100,7 @@ flag is set, the returned .Dv PKCS7 structure is not complete and must be finalized either by streaming (if applicable) or by a call to -.Fn PKCS7_final . +.Xr PKCS7_final 3 . .Pp The main purpose of this function is to provide finer control over a PKCS#7 signed data structure where the simpler @@ -162,6 +162,8 @@ If any of these algorithms is disabled, then it will not be included. returns an internal pointer to the .Vt PKCS7_SIGNER_INFO structure just added, which can be used to set additional attributes +with the functions described in +.Xr PKCS7_add_attribute 3 before it is finalized. .Sh RETURN VALUES .Fn PKCS7_sign_add_signer @@ -174,6 +176,9 @@ In some cases of failure, the reason can be determined with .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr EVP_DigestInit 3 , +.Xr PKCS7_add_attribute 3 , +.Xr PKCS7_final 3 , +.Xr PKCS7_get_signer_info 3 , .Xr PKCS7_new 3 , .Xr PKCS7_sign 3 .Sh HISTORY diff --git a/man/RC4.3 b/man/RC4.3 index 285ef477..8b20a434 100644 --- a/man/RC4.3 +++ b/man/RC4.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RC4.3,v 1.7 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: RC4.3,v 1.8 2020/03/29 17:05:02 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: March 29 2020 $ .Dt RC4 3 .Os .Sh NAME @@ -112,11 +112,6 @@ yield a continuous key stream. Since RC4 is a stream cipher (the input is XOR'ed with a pseudo-random key stream to produce the output), decryption uses the same function calls as encryption. -.Sh RETURN VALUES -.Fn RC4_set_key -and -.Fn RC4 -do not return values. .Sh SEE ALSO .Xr blowfish 3 , .Xr EVP_EncryptInit 3 , diff --git a/man/RSA_check_key.3 b/man/RSA_check_key.3 index c1e9c315..96b14684 100644 --- a/man/RSA_check_key.3 +++ b/man/RSA_check_key.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_check_key.3,v 1.7 2019/06/10 14:58:48 schwarze Exp $ +.\" $OpenBSD: RSA_check_key.3,v 1.8 2021/03/12 05:18:00 jsg Exp $ .\" OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000 .\" .\" This file was written by Ulf Moeller and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt RSA_CHECK_KEY 3 .Os .Sh NAME @@ -69,7 +69,7 @@ and .Fa rsa->q are in fact prime, and that .Fa rsa->n -satifies n = p*q. +satisfies n = p*q. .Pp It also checks that .Fa rsa->d diff --git a/man/RSA_new.3 b/man/RSA_new.3 index b0009b85..9efcbd0b 100644 --- a/man/RSA_new.3 +++ b/man/RSA_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_new.3,v 1.15 2019/08/23 15:18:13 schwarze Exp $ +.\" $OpenBSD: RSA_new.3,v 1.16 2019/11/01 12:02:58 schwarze Exp $ .\" full merge up to: .\" OpenSSL doc/man3/RSA_new.pod e9b77246 Jan 20 19:58:49 2017 +0100 .\" OpenSSL doc/crypto/rsa.pod 35d2e327 Jun 3 16:19:49 2016 -0400 (final) @@ -67,7 +67,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 23 2019 $ +.Dd $Mdocdate: November 1 2019 $ .Dt RSA_NEW 3 .Os .Sh NAME @@ -225,6 +225,7 @@ returns 1 for success or 0 for failure. .Xr RSA_get_ex_new_index 3 , .Xr RSA_meth_new 3 , .Xr RSA_padding_add_PKCS1_type_1 3 , +.Xr RSA_pkey_ctx_ctrl 3 , .Xr RSA_print 3 , .Xr RSA_private_encrypt 3 , .Xr RSA_PSS_PARAMS_new 3 , diff --git a/man/RSA_pkey_ctx_ctrl.3 b/man/RSA_pkey_ctx_ctrl.3 new file mode 100644 index 00000000..c89ceec4 --- /dev/null +++ b/man/RSA_pkey_ctx_ctrl.3 @@ -0,0 +1,403 @@ +.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.4 2019/11/01 19:37:21 schwarze Exp $ +.\" full merge up to: +.\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" OpenSSL man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod +.\" 87103969 Oct 1 14:11:57 2018 -0700 +.\" selective merge up to: +.\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod df75c2b f Dec 9 01:02:36 2018 +0100 +.\" +.\" This file was written by Dr. Stephen Henson +.\" and Antoine Salon . +.\" Copyright (c) 2006, 2009, 2013, 2014, 2015, 2017, 2018 The OpenSSL Project. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 1 2019 $ +.Dt RSA_PKEY_CTX_CTRL 3 +.Os +.Sh NAME +.Nm RSA_pkey_ctx_ctrl , +.Nm EVP_PKEY_CTX_set_rsa_padding , +.Nm EVP_PKEY_CTX_get_rsa_padding , +.Nm EVP_PKEY_CTX_set_rsa_keygen_bits , +.Nm EVP_PKEY_CTX_set_rsa_keygen_pubexp , +.Nm EVP_PKEY_CTX_set_rsa_mgf1_md , +.Nm EVP_PKEY_CTX_get_rsa_mgf1_md , +.Nm EVP_PKEY_CTX_set_rsa_oaep_md , +.Nm EVP_PKEY_CTX_get_rsa_oaep_md , +.Nm EVP_PKEY_CTX_set0_rsa_oaep_label , +.Nm EVP_PKEY_CTX_get0_rsa_oaep_label , +.Nm EVP_PKEY_CTX_set_rsa_pss_saltlen , +.Nm EVP_PKEY_CTX_get_rsa_pss_saltlen , +.Nm EVP_PKEY_CTX_set_rsa_pss_keygen_md , +.Nm EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md , +.Nm EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen +.Nd RSA private key control operations +.Sh SYNOPSIS +.In openssl/rsa.h +.Ft int +.Fo RSA_pkey_ctx_ctrl +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int optype" +.Fa "int cmd" +.Fa "int p1" +.Fa "void *p2" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_padding +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int pad" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get_rsa_padding +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int *ppad" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_keygen_bits +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int mbits" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_keygen_pubexp +.Fa "EVP_PKEY_CTX *ctx" +.Fa "BIGNUM *pubexp" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_mgf1_md +.Fa "EVP_PKEY_CTX *ctx" +.Fa "const EVP_MD *md" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get_rsa_mgf1_md +.Fa "EVP_PKEY_CTX *ctx" +.Fa "const EVP_MD **pmd" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_oaep_md +.Fa "EVP_PKEY_CTX *ctx" +.Fa "const EVP_MD *md" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get_rsa_oaep_md +.Fa "EVP_PKEY_CTX *ctx" +.Fa "const EVP_MD **pmd" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set0_rsa_oaep_label +.Fa "EVP_PKEY_CTX *ctx" +.Fa "unsigned char *label" +.Fa "int len" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get0_rsa_oaep_label +.Fa "EVP_PKEY_CTX *ctx" +.Fa "unsigned char **plabel" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_pss_saltlen +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int len" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_get_rsa_pss_saltlen +.Fa "EVP_PKEY_CTX *ctx" +.Fa "int *plen" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_pss_keygen_md +.Fa "EVP_PKEY_CTX *pctx" +.Fa "const EVP_MD *md" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md +.Fa "EVP_PKEY_CTX *pctx" +.Fa "const EVP_MD *md" +.Fc +.Ft int +.Fo EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen +.Fa "EVP_PKEY_CTX *pctx" +.Fa "int saltlen" +.Fc +.Sh DESCRIPTION +The function +.Fn RSA_pkey_ctx_ctrl +is a shallow wrapper around +.Xr EVP_PKEY_CTX_ctrl 3 +which only succeeds if +.Fa ctx +matches either +.Dv EVP_PKEY_RSA +or +.Dv EVP_PKEY_RSA_PSS . +.Pp +All the remaining "functions" are implemented as macros. +.Pp +The +.Fn EVP_PKEY_CTX_set_rsa_padding +macro sets the RSA padding mode for +.Fa ctx . +The +.Fa pad +parameter can take the value +.Dv RSA_PKCS1_PADDING +for PKCS#1 padding, +.Dv RSA_NO_PADDING +for no padding, +.Dv RSA_PKCS1_OAEP_PADDING +for OAEP padding (encrypt and decrypt only), +.Dv RSA_X931_PADDING +for X9.31 padding (signature operations only) and +.Dv RSA_PKCS1_PSS_PADDING +(sign and verify only). +Only the last one can be used with keys of the type +.Dv EVP_PKEY_RSA_PSS . +.Pp +Two RSA padding modes behave differently if +.Xr EVP_PKEY_CTX_set_signature_md 3 +is used. +If this macro is called for PKCS#1 padding, the plaintext buffer is an +actual digest value and is encapsulated in a +.Vt DigestInfo +structure according to PKCS#1 when signing and this structure is +expected (and stripped off) when verifying. +If this control is not used with RSA and PKCS#1 padding then the +supplied data is used directly and not encapsulated. +In the case of X9.31 padding for RSA the algorithm identifier byte is +added or checked and removed if this control is called. +If it is not called then the first byte of the plaintext buffer is +expected to be the algorithm identifier byte. +.Pp +The +.Fn EVP_PKEY_CTX_get_rsa_padding +macro retrieves the RSA padding mode for +.Fa ctx . +.Pp +The +.Fn EVP_PKEY_CTX_set_rsa_keygen_bits +macro sets the RSA key length for RSA or RSA-PSS key generation to +.Fa mbits . +The smallest supported value is 512 bits. +If not specified, 1024 bits is used. +.Pp +The +.Fn EVP_PKEY_CTX_set_rsa_keygen_pubexp +macro sets the public exponent value for RSA or RSA-PSS key generation to +.Fa pubexp . +Currently, it should be an odd integer. +The +.Fa pubexp +pointer is used internally by this function, so it should not be modified +or freed after the call. +If this macro is not called, then 65537 is used. +.Pp +The +.Fn EVP_PKEY_CTX_set_rsa_mgf1_md +macro sets the MGF1 digest for RSA padding schemes to +.Fa md . +Unless explicitly specified, the signing digest is used. +The padding mode must have been set to +.Dv RSA_PKCS1_OAEP_PADDING +or +.Dv RSA_PKCS1_PSS_PADDING . +If the key is of the type +.Dv EVP_PKEY_RSA_PSS +and has usage restrictions, an error occurs if an attempt is made +to set the digest to anything other than the restricted value. +.Pp +The +.Fn EVP_PKEY_CTX_get_rsa_mgf1_md +macro retrieves the MGF1 digest for +.Fa ctx . +Unless explicitly specified, the signing digest is used. +The padding mode must have been set to +.Dv RSA_PKCS1_OAEP_PADDING +or +.Dv RSA_PKCS1_PSS_PADDING . +.Ss Optimal asymmetric encryption padding +The following macros require that the padding mode was set to +.Dv RSA_PKCS1_OAEP_PADDING . +.Pp +The +.Fn EVP_PKEY_CTX_set_rsa_oaep_md +macro sets the message digest type used in RSA OAEP to +.Fa md . +.Pp +The +.Fn EVP_PKEY_CTX_get_rsa_oaep_md +macro gets the message digest type used in RSA OAEP to +.Pf * Fa pmd . +.Pp +The +.Fn EVP_PKEY_CTX_set0_rsa_oaep_label +macro sets the RSA OAEP label to +.Fa label +and its length to +.Fa len . +If +.Fa label +is +.Dv NULL +or +.Fa len +is 0, the label is cleared. +The library takes ownership of the label so the caller should not +free the original memory pointed to by +.Fa label . +.Pp +The +.Fn EVP_PKEY_CTX_get0_rsa_oaep_label +macro gets the RSA OAEP label to +.Pf * Fa plabel . +The return value is the label length. +The resulting pointer is owned by the library and should not be +freed by the caller. +.Ss Probabilistic signature scheme +The following macros require that the padding mode was set to +.Dv RSA_PKCS1_PSS_PADDING . +.Pp +The +.Fn EVP_PKEY_CTX_set_rsa_pss_saltlen +macro sets the RSA PSS salt length to +.Fa len . +Three special values are supported: +.Dv RSA_PSS_SALTLEN_DIGEST +sets the salt length to the digest length. +.Dv RSA_PSS_SALTLEN_MAX +sets the salt length to the maximum permissible value. +When signing, +.Dv RSA_PSS_SALTLEN_AUTO +sets the salt length to the maximum permissible value. +When verifying, +.Dv RSA_PSS_SALTLEN_AUTO +causes the salt length to be automatically determined based on the +PSS block structure. +If this macro is not called, a salt length value of +.Dv RSA_PSS_SALTLEN_AUTO +is used by default. +.Pp +If the key has usage restrictions and an attempt is made to set the +salt length below the minimum value, an error occurs. +Also, if the key has usage restrictions, +.Dv RSA_PSS_SALTLEN_AUTO +is not supported for verification. +.Pp +The +.Fn EVP_PKEY_CTX_get_rsa_pss_saltlen +macro retrieves the RSA PSS salt length for +.Fa ctx . +.Pp +Optional parameter restrictions can be specified when generating a PSS +key. +If any restrictions are set using the macros described below, +then all parameters are restricted. +For example, setting a minimum salt length also restricts the digest and +MGF1 algorithms. +If any restrictions are in place, then they are reflected in the +corresponding parameters of the public key when (for example) a +certificate request is signed. +.Pp +.Fn EVP_PKEY_CTX_set_rsa_pss_keygen_md +restricts the digest algorithm the generated key can use to +.Fa md . +.Pp +.Fn EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md +restricts the MGF1 algorithm the generated key can use to +.Fa md . +.Pp +.Fn EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen +restricts the minimum salt length to +.Fa saltlen . +.Sh RETURN VALUES +These functions return a positive value for success or 0 or a negative +value for failure. +In particular, a return value of -2 indicates the operation is not +supported by the public key algorithm. +.Sh SEE ALSO +.Xr EVP_DigestInit 3 , +.Xr EVP_PKEY_CTX_ctrl 3 , +.Xr EVP_PKEY_CTX_new 3 , +.Xr EVP_PKEY_decrypt 3 , +.Xr EVP_PKEY_derive 3 , +.Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_get_default_digest_nid 3 , +.Xr EVP_PKEY_keygen 3 , +.Xr EVP_PKEY_meth_set_ctrl 3 , +.Xr EVP_PKEY_sign 3 , +.Xr EVP_PKEY_verify 3 , +.Xr EVP_PKEY_verify_recover 3 +.Sh HISTORY +The functions +.Fn EVP_PKEY_CTX_set_rsa_padding , +.Fn EVP_PKEY_CTX_set_rsa_keygen_bits , +.Fn EVP_PKEY_CTX_set_rsa_keygen_pubexp , +and +.Fn EVP_PKEY_CTX_set_rsa_pss_saltlen +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . +.Pp +The functions +.Fn EVP_PKEY_CTX_get_rsa_padding , +.Fn EVP_PKEY_CTX_set_rsa_mgf1_md , +.Fn EVP_PKEY_CTX_get_rsa_mgf1_md , +and +.Fn EVP_PKEY_CTX_get_rsa_pss_saltlen +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . +.Pp +The functions +.Fn EVP_PKEY_CTX_set_rsa_oaep_md , +.Fn EVP_PKEY_CTX_get_rsa_oaep_md , +.Fn EVP_PKEY_CTX_set0_rsa_oaep_label , +and +.Fn EVP_PKEY_CTX_get0_rsa_oaep_label +first appeared in OpenSSL 1.0.2 and have been available since +.Ox 6.7 . +.Pp +The function +.Fn RSA_pkey_ctx_ctrl +first appeared in OpenSSL 1.1.1 and has been available since +.Ox 6.7 . diff --git a/man/SMIME_read_CMS.3 b/man/SMIME_read_CMS.3 index 267c98ed..bbfb1e54 100644 --- a/man/SMIME_read_CMS.3 +++ b/man/SMIME_read_CMS.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SMIME_read_CMS.3,v 1.5 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: SMIME_read_CMS.3,v 1.6 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt SMIME_READ_CMS 3 .Os .Sh NAME @@ -113,7 +113,7 @@ The error can be obtained from .Fn SMIME_read_CMS first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS The MIME parser used by .Fn SMIME_read_CMS diff --git a/man/SMIME_write_CMS.3 b/man/SMIME_write_CMS.3 index bd580992..5a4e607a 100644 --- a/man/SMIME_write_CMS.3 +++ b/man/SMIME_write_CMS.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SMIME_write_CMS.3,v 1.4 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: SMIME_write_CMS.3,v 1.5 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt SMIME_WRITE_CMS 3 .Os .Sh NAME @@ -125,7 +125,7 @@ returns 1 for success or 0 for failure. .Fn SMIME_write_CMS first appeared in OpenSSL 0.9.8h and has been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS .Fn SMIME_write_CMS always base64 encodes CMS structures. diff --git a/man/SMIME_write_PKCS7.3 b/man/SMIME_write_PKCS7.3 index 8baf6689..39d8b5d8 100644 --- a/man/SMIME_write_PKCS7.3 +++ b/man/SMIME_write_PKCS7.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.6 2019/06/14 13:59:32 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.7 2020/06/03 13:41:27 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2002, 2003, 2006, 2007, 2015 The OpenSSL Project. @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: June 3 2020 $ .Dt SMIME_WRITE_PKCS7 3 .Os .Sh NAME @@ -132,7 +132,9 @@ otherwise 0 is returned and an error code can be retrieved with .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr i2d_PKCS7_bio_stream 3 , +.Xr PEM_write_bio_PKCS7_stream 3 , .Xr PEM_write_PKCS7 3 , +.Xr PKCS7_final 3 , .Xr PKCS7_new 3 , .Xr SMIME_read_PKCS7 3 .Sh HISTORY diff --git a/man/SSL_CIPHER_get_name.3 b/man/SSL_CIPHER_get_name.3 index 37707566..697b1bd3 100644 --- a/man/SSL_CIPHER_get_name.3 +++ b/man/SSL_CIPHER_get_name.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.10 2018/04/25 13:51:34 schwarze Exp $ +.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.11 2020/04/14 15:27:35 schwarze Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" @@ -52,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 25 2018 $ +.Dd $Mdocdate: April 14 2020 $ .Dt SSL_CIPHER_GET_NAME 3 .Os .Sh NAME @@ -212,9 +212,10 @@ consists of several fields separated by whitespace: Textual representation of the cipher name. .It Aq Ar protocol version Protocol version: -.Sy SSLv3 +.Sy SSLv3 , +.Sy TLSv1.2 , or -.Sy TLSv1.2 . +.Sy TLSv1.3 . The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1. .It Kx= Ns Aq Ar key exchange @@ -222,25 +223,23 @@ Key exchange method: .Sy DH , .Sy ECDH , .Sy GOST , +.Sy RSA , or -.Sy RSA . +.Sy TLSv1.3 . .It Au= Ns Aq Ar authentication Authentication method: -.Sy DSS , .Sy ECDSA , .Sy GOST01 , .Sy RSA , +.Sy TLSv1.3 , or .Sy None . .Sy None is the representation of anonymous ciphers. .It Enc= Ns Aq Ar symmetric encryption method Encryption method with number of secret bits: -.Sy DES(56) , .Sy 3DES(168) , -.Sy RC4(64) , .Sy RC4(128) , -.Sy IDEA(128) , .Sy AES(128) , .Sy AES(256) , .Sy AESCGM(128) , @@ -248,7 +247,6 @@ Encryption method with number of secret bits: .Sy Camellia(128) , .Sy Camellia(256) , .Sy ChaCha20-Poly1305 , -.Sy ChaCha20-Poly1305-Old , .Sy GOST-28178-89-CNT , or .Sy None . @@ -261,8 +259,8 @@ Message digest: .Sy AEAD , .Sy GOST94 , .Sy GOST89IMIT , -.Sy STREEBOG256 , -.Sy STREEBOG512 . +or +.Sy STREEBOG256 . .El .Sh RETURN VALUES .Fn SSL_CIPHER_get_name @@ -315,7 +313,7 @@ ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD .Pp A complete list can be retrieved by invoking the following command: .Pp -.Dl $ openssl ciphers -v ALL +.Dl $ openssl ciphers -v ALL:COMPLEMENTOFALL .Sh SEE ALSO .Xr openssl 1 , .Xr ssl 3 , diff --git a/man/SSL_CTX_add_extra_chain_cert.3 b/man/SSL_CTX_add_extra_chain_cert.3 index a6d869b3..4c731309 100644 --- a/man/SSL_CTX_add_extra_chain_cert.3 +++ b/man/SSL_CTX_add_extra_chain_cert.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.6 2019/04/05 18:29:43 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.7 2020/01/02 09:09:16 schwarze Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke and @@ -50,11 +50,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 5 2019 $ +.Dd $Mdocdate: January 2 2020 $ .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3 .Os .Sh NAME .Nm SSL_CTX_add_extra_chain_cert , +.Nm SSL_CTX_get_extra_chain_certs_only , .Nm SSL_CTX_get_extra_chain_certs , .Nm SSL_CTX_clear_extra_chain_certs .Nd add, retrieve, and clear extra chain certificates @@ -63,6 +64,8 @@ .Ft long .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509" .Ft long +.Fn SSL_CTX_get_extra_chain_certs_only "SSL_CTX *ctx" "STACK_OF(X509) **certs" +.Ft long .Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs" .Ft long .Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx" @@ -74,10 +77,20 @@ to the extra chain certificates associated with .Fa ctx . Several certificates can be added one after another. .Pp -.Fn SSL_CTX_get_extra_chain_certs +.Fn SSL_CTX_get_extra_chain_certs_only retrieves an internal pointer to the stack of extra chain certificates associated with -.Fa ctx . +.Fa ctx , +or set +.Pf * Fa certs +to +.Dv NULL +if there are none. +.Pp +.Fn SSL_CTX_get_extra_chain_certs +does the same except that it retrieves an internal pointer +to the chain associated with the certificate +if there are no extra chain certificates. .Pp .Fn SSL_CTX_clear_extra_chain_certs clears all extra chain certificates associated with @@ -123,6 +136,10 @@ and .Fn SSL_CTX_clear_extra_chain_certs first appeared in OpenSSL 1.0.1 and have been available since .Ox 5.3 . +.Pp +.Fn SSL_CTX_get_extra_chain_certs_only +first appeared in OpenSSL 1.0.2 and has been available since +.Ox 6.7 . .Sh CAVEATS Certificates added with .Fn SSL_CTX_add_extra_chain_cert diff --git a/man/SSL_CTX_new.3 b/man/SSL_CTX_new.3 index 35fe702f..c1c7635d 100644 --- a/man/SSL_CTX_new.3 +++ b/man/SSL_CTX_new.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: SSL_CTX_new.3,v 1.11 2019/03/18 06:23:38 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_new.3,v 1.16 2021/04/15 16:30:14 tb Exp $ .\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100 -.\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100 +.\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200 .\" .\" This file was written by Lutz Jaenicke . .\" Copyright (c) 2000, 2005, 2012, 2013, 2015, 2016 The OpenSSL Project. @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 18 2019 $ +.Dd $Mdocdate: April 15 2021 $ .Dt SSL_CTX_NEW 3 .Os .Sh NAME @@ -76,8 +76,11 @@ .Nm DTLS_client_method , .Nm DTLSv1_method , .Nm DTLSv1_server_method , -.Nm DTLSv1_client_method -.Nd create a new SSL_CTX object as framework for TLS/SSL enabled functions +.Nm DTLSv1_client_method , +.Nm DTLSv1_2_method , +.Nm DTLSv1_2_server_method , +.Nm DTLSv1_2_client_method +.Nd create a new SSL_CTX object as a framework for TLS enabled functions .Sh SYNOPSIS .In openssl/ssl.h .Ft SSL_CTX * @@ -126,11 +129,17 @@ .Fn DTLSv1_server_method void .Ft const SSL_METHOD * .Fn DTLSv1_client_method void +.Ft const SSL_METHOD * +.Fn DTLSv1_2_method void +.Ft const SSL_METHOD * +.Fn DTLSv1_2_server_method void +.Ft const SSL_METHOD * +.Fn DTLSv1_2_client_method void .Sh DESCRIPTION .Fn SSL_CTX_new creates a new .Vt SSL_CTX -object as framework to establish TLS/SSL or DTLS enabled connections. +object as a framework to establish TLS or DTLS enabled connections. It initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates, and the options to its default values. @@ -156,72 +165,79 @@ The .Vt SSL_CTX object uses .Fa method -as its connection method. -The methods exist in a generic type (for client and server use), -a server only type, and a client only type. +as its connection method, which can be: +.Bl -tag -width Ds +.It Fn TLS_method +The general-purpose version-flexible TLS method. +The protocol version used will be negotiated to the highest +version mutually supported by the client and the server. +The supported protocols are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. +.It Fn DTLS_method +The version-flexible DTLS method. +The currently supported protocols are DTLSv1 and DTLSv1.2. +.El +.Pp +The following .Fa method -can be of the following types: +arguments are deprecated: .Bl -tag -width Ds .It Xo -.Fn TLS_method , .Fn TLS_server_method , -.Fn TLS_client_method -.Xc -These are the general-purpose version-flexible SSL/TLS methods. -The actual protocol version used will be negotiated to the highest -version mutually supported by the client and the server. -The supported protocols are TLSv1, TLSv1.1 and TLSv1.2. -Applications should use these methods and avoid the version-specific -methods described below. -.It Xo +.Fn TLS_client_method , .Fn SSLv23_method , .Fn SSLv23_server_method , .Fn SSLv23_client_method .Xc -Use of these functions is deprecated. -They have been replaced with the above -.Fn TLS_method , -.Fn TLS_server_method , -and -.Fn TLS_client_method , -respectively. -New code should use those functions instead. +Deprecated aliases for +.Fn TLS_method . +.It Xo +.Fn DTLS_server_method , +.Fn DTLS_client_method +.Xc +Deprecated aliases for +.Fn DTLS_method . .It Xo .Fn TLSv1_method , .Fn TLSv1_server_method , .Fn TLSv1_client_method .Xc -A TLS/SSL connection established with these methods will only +A connection established with these methods will only understand the TLSv1 protocol. .It Xo .Fn TLSv1_1_method , .Fn TLSv1_1_server_method , .Fn TLSv1_1_client_method .Xc -A TLS/SSL connection established with these methods will only +A connection established with these methods will only understand the TLSv1.1 protocol. .It Xo .Fn TLSv1_2_method , .Fn TLSv1_2_server_method , .Fn TLSv1_2_client_method .Xc -A TLS/SSL connection established with these methods will only +A connection established with these methods will only understand the TLSv1.2 protocol. .It Xo -.Fn DTLS_method , -.Fn DTLS_server_method , -.Fn DTLS_client_method -.Xc -These are the version-flexible DTLS methods. -The currently supported protocol is DTLS 1.0. -.It Xo .Fn DTLSv1_method , .Fn DTLSv1_server_method , .Fn DTLSv1_client_method .Xc These are the version-specific methods for DTLSv1. +.It Xo +.Fn DTLSv1_2_method , +.Fn DTLSv1_2_server_method , +.Fn DTLSv1_2_client_method +These are the version-specific methods for DTLSv1.2. +.Xc .El .Pp +In LibreSSL, the methods containing the substrings +.Dq _server +or +.Dq _client +in their names return the same objects +as the methods without these substrings. +.Pp The list of protocols available can also be limited using the .Dv SSL_OP_NO_TLSv1 , .Dv SSL_OP_NO_TLSv1_1 , @@ -238,6 +254,16 @@ all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions. +.Pp +DTLSv1 and DTLSv1.2 can be disabled with +.Xr SSL_CTX_set_options 3 +or +.Xr SSL_set_options 3 +using the +.Dv SSL_OP_NO_DTLSv1 +and +.Dv SSL_OP_NO_DTLSv1_2 +options, respectively. .Sh RETURN VALUES .Fn SSL_CTX_new returns a pointer to the newly allocated object or @@ -247,6 +273,11 @@ Check the error stack to find out the reason for failure. .Pp .Fn SSL_CTX_up_ref returns 1 for success or 0 for failure. +.Pp +.Fn TLS_method +and the other +.Fn *_method +functions return pointers to constant static objects. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_accept 3 , @@ -304,3 +335,10 @@ first appeared in OpenSSL 1.1.0 and have been available since .Fn SSL_CTX_up_ref first appeared in OpenSSL 1.1.0 and has been available since .Ox 6.3 . +.Pp +.Fn DTLSv1_2_method , +.Fn DTLSv1_2_server_method , +and +.Fn DTLSv1_2_client_method +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.9 . diff --git a/man/SSL_CTX_set_cipher_list.3 b/man/SSL_CTX_set_cipher_list.3 index 64da0092..95f22b1d 100644 --- a/man/SSL_CTX_set_cipher_list.3 +++ b/man/SSL_CTX_set_cipher_list.3 @@ -1,10 +1,10 @@ -.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.8 2019/05/20 06:04:45 jmc Exp $ +.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.15 2020/04/25 14:03:38 schwarze Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: .\" -.\" Copyright (c) 2018 Ingo Schwarze +.\" Copyright (c) 2018, 2020 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 20 2019 $ +.Dd $Mdocdate: April 25 2020 $ .Dt SSL_CTX_SET_CIPHER_LIST 3 .Os .Sh NAME @@ -134,10 +134,16 @@ An alias for .Cm ALL No :! Cm aNULL No :! Cm eNULL . .Sm on It can only be used as the first word. +The +.Cm DEFAULT +cipher list can be displayed with the +.Xr openssl 1 +.Cm ciphers +command. .It Cm @STRENGTH Sort the list by decreasing encryption strength, preserving the order of cipher suites that have the same strength. -It is usally given as the last word. +It is usually given as the last word. .El .Pp The following words can be used to select groups of cipher suites, @@ -151,17 +157,14 @@ is selected. Cipher suites using ephemeral DH for key exchange without doing any server authentication. Equivalent to -.Cm kEDH Ns + Ns Cm aNULL . -.It Cm aDSS -Cipher suites using DSS server authentication. -LibreSSL does not provide any such cipher suites. +.Cm DH Ns + Ns Cm aNULL . .It Cm AEAD Cipher suites using Authenticated Encryption with Additional Data. .It Cm AECDH Cipher suites using ephemeral ECDH for key exchange without doing any server authentication. Equivalent to -.Cm kEECDH Ns + Ns Cm aNULL . +.Cm ECDH Ns + Ns Cm aNULL . .It Cm aECDSA Cipher suites using ECDSA server authentication. .It Cm AES @@ -210,44 +213,31 @@ Currently similar to except for the order of the cipher suites which are .Em not selected. -.It Cm DES -Cipher suites using single DES for symmetric encryption. .It Cm 3DES Cipher suites using triple DES for symmetric encryption. .It Cm DH -An alias for -.Cm kEDH . +Cipher suites using ephemeral DH for key exchange. .It Cm DHE Cipher suites using ephemeral DH for key exchange, but excluding those that don't do any server authentication. Similar to -.Cm kEDH Ns :! Ns Cm aNULL +.Cm DH Ns :! Ns Cm aNULL except for the order of the cipher suites which are .Em not selected. -.It Cm DSS -An alias for -.Cm aDSS . .It Cm ECDH -An alias for -.Cm kEECHD . +Cipher suites using ephemeral ECDH for key exchange. .It Cm ECDHE Cipher suites using ephemeral ECDH for key exchange, but excluding those that don't do any server authentication. Similar to -.Cm kEECDH Ns :! Ns Cm aNULL +.Cm ECDH Ns :! Ns Cm aNULL except for the order of the cipher suites which are .Em not selected. .It Cm ECDSA An alias for .Cm aECDSA . -.It Cm EDH -An alias for -.Cm DHE . -.It Cm EECHD -An alias for -.Cm ECDHE . .It Cm eNULL Cipher suites that do not use any encryption. Not enabled by @@ -262,36 +252,16 @@ Cipher suites using HMAC based on GOST R 34.11-94 for message authentication. .It Cm HIGH Cipher suites of high strength. -Currently, these are cipher suites using -.Cm CHACHA20 , -.Cm AES , -.Cm CAMELLIA , -or GOST-28178-89-CNT symmetric encryption. -.It Cm IDEA -Cipher suites using IDEA for symmetric encryption. -LibreSSL does not provide any such cipher suites. -.It Cm kEDH -Cipher suites using ephemeral DH for key exchange. -.It Cm kEECDH -Cipher suites using ephemeral ECDH for key exchange. .It Cm kGOST Cipher suites using VKO 34.10 key exchange, specified in RFC 4357. .It Cm kRSA Cipher suites using RSA key exchange. .It Cm LOW Cipher suites of low strength. -Currently, these are cipher suites using -.Cm DES -or -.Cm RC4 -symmetric encryption. .It Cm MD5 Cipher suites using MD5 for message authentication. .It Cm MEDIUM Cipher suites of medium strength. -Currently, these are cipher suites using -.Cm 3DES -symmetric encryption. .It Cm NULL An alias for .Cm eNULL . @@ -316,9 +286,18 @@ An alias for .It Cm STREEBOG256 Cipher suites using STREEBOG256 for message authentication. .It Cm TLSv1 -Cipher suites usable with any TLS protocol. +Cipher suites usable with the TLSv1.0, TLSv1.1, and TLSv1.2 protocols. .It Cm TLSv1.2 Cipher suites for the TLSv1.2 protocol. +.It Cm TLSv1.3 +Cipher suites for the TLSv1.3 protocol. +If the +.Fa control +string selects at least one cipher suite but neither contains the word +.Cm TLSv1.3 +nor specifically includes nor excludes any TLSv1.3 cipher suites, all the +.Cm TLSv1.3 +cipher suites are made available, too. .El .Pp The full words returned by the @@ -326,6 +305,28 @@ The full words returned by the .Cm ciphers command can be used to select individual cipher suites. .Pp +The following words do not match anything because +LibreSSL no longer provides any such cipher suites: +.Pp +.Bl -tag -width Ds -compact +.It Cm DES +Cipher suites using single DES for symmetric encryption. +.It Cm DSS +Cipher suites using DSS server authentication. +.It Cm IDEA +Cipher suites using IDEA for symmetric encryption. +.El +.Pp +The following are deprecated aliases: +.Pp +.Bl -column kEECDH ECDHE -compact -offset indent +.It avoid: Ta use: +.It Cm EDH Ta Cm DHE +.It Cm EECDH Ta Cm ECDHE +.It Cm kEDH Ta Cm DH +.It Cm kEECDH Ta Cm ECDH +.El +.Pp Unknown words are silently ignored, selecting no cipher suites. Failure is only flagged if the .Fa control @@ -371,3 +372,14 @@ and .Fn SSL_set_cipher_list first appeared in SSLeay 0.5.2 and have been available since .Ox 2.4 . +.Sh CAVEATS +In LibreSSL, +.Fn SSL_CTX_set_cipher_list +and +.Fn SSL_set_cipher_list +can be used to configure the list of available cipher suites for +all versions of the TLS protocol, whereas in OpenSSL, they only +control cipher suites for protocols up to TLSv1.2. +If compatibility with OpenSSL is required, the list of +available TLSv1.3 cipher suites can only be changed with +.Fn SSL_set_ciphersuites . diff --git a/man/SSL_CTX_set_client_CA_list.3 b/man/SSL_CTX_set_client_CA_list.3 index 274a673b..d19fb93e 100644 --- a/man/SSL_CTX_set_client_CA_list.3 +++ b/man/SSL_CTX_set_client_CA_list.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 30 2020 $ .Dt SSL_CTX_SET_CLIENT_CA_LIST 3 .Os .Sh NAME @@ -143,11 +143,6 @@ or .Pp These functions are only useful for TLS/SSL servers. .Sh RETURN VALUES -.Fn SSL_CTX_set_client_CA_list -and -.Fn SSL_set_client_CA_list -do not return diagnostic information. -.Pp .Fn SSL_CTX_add_client_CA and .Fn SSL_add_client_CA diff --git a/man/SSL_CTX_set_min_proto_version.3 b/man/SSL_CTX_set_min_proto_version.3 index b1b313ff..a2597cda 100644 --- a/man/SSL_CTX_set_min_proto_version.3 +++ b/man/SSL_CTX_set_min_proto_version.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.3 2018/03/24 00:55:37 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $ .\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200 .\" .\" This file was written by Kurt Roeckx and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 24 2018 $ +.Dd $Mdocdate: April 15 2021 $ .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3 .Os .Sh NAME @@ -116,12 +116,14 @@ versions down to the lowest or up to the highest version supported by the library, respectively. .Pp Currently supported versions are -.Sy TLS1_VERSION , -.Sy TLS1_1_VERSION , +.Dv TLS1_VERSION , +.Dv TLS1_1_VERSION , and -.Sy TLS1_2_VERSION +.Dv TLS1_2_VERSION for TLS and -.Sy DTLS1_VERSION +.Dv DTLS1_VERSION +and +.Dv DTLS1_2_VERSION for DTLS. .Pp In other implementations, these functions may be implemented as macros. @@ -144,7 +146,7 @@ with shorter names without the .Sy proto_ part. Two years later, OpenSSL included them in their 1.1.0 release, -gratuitiously changing the names; Google shrugged and adopted +gratuitously changing the names; Google shrugged and adopted the longer names one month later. They have been available since .Ox 6.2 . diff --git a/man/SSL_CTX_set_mode.3 b/man/SSL_CTX_set_mode.3 index 32bb340b..fca1a977 100644 --- a/man/SSL_CTX_set_mode.3 +++ b/man/SSL_CTX_set_mode.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $ .\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 12 2019 $ +.Dd $Mdocdate: October 8 2020 $ .Dt SSL_CTX_SET_MODE 3 .Os .Sh NAME @@ -145,7 +145,7 @@ behaves like non-blocking .Xr write 2 . .It Dv SSL_MODE_AUTO_RETRY Never bother the application with retries if the transport is blocking. -If a renegotiation take place during normal operation, a +If a renegotiation takes place during normal operation, a .Xr SSL_read 3 or .Xr SSL_write 3 diff --git a/man/SSL_CTX_set_msg_callback.3 b/man/SSL_CTX_set_msg_callback.3 index a8af1a34..a27333e6 100644 --- a/man/SSL_CTX_set_msg_callback.3 +++ b/man/SSL_CTX_set_msg_callback.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.4 2018/03/22 21:09:18 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $ .\" OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100 .\" OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 22 2018 $ +.Dd $Mdocdate: April 15 2021 $ .Dt SSL_CTX_SET_MSG_CALLBACK 3 .Os .Sh NAME @@ -122,8 +122,9 @@ interpreted by the library, such as .Dv TLS1_VERSION , .Dv TLS1_1_VERSION , .Dv TLS1_2_VERSION , +.Dv DTLS1_VERSION , or -.Dv DTLS1_VERSION . +.Dv DTLS1_2_VERSION . .It Fa content_type This is one of the .Em ContentType diff --git a/man/SSL_CTX_set_options.3 b/man/SSL_CTX_set_options.3 index 4535eee5..ed797da2 100644 --- a/man/SSL_CTX_set_options.3 +++ b/man/SSL_CTX_set_options.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.12 2018/04/11 18:05:49 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.13 2021/04/15 16:35:54 tb Exp $ .\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100 .\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000 .\" @@ -52,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 11 2018 $ +.Dd $Mdocdate: April 15 2021 $ .Dt SSL_CTX_SET_OPTIONS 3 .Os .Sh NAME @@ -184,6 +184,16 @@ this option is currently set by default. See the .Sx SECURE RENEGOTIATION section for more details. +.It Dv SSL_OP_NO_DTLSv1 +Do not use the DTLSv1 protocol. +Deprecated; use +.Xr SSL_CTX_set_min_proto_version 3 +instead. +.It Dv SSL_OP_NO_DTLSv1_2 +Do not use the DTLSv1.2 protocol. +Deprecated; use +.Xr SSL_CTX_set_min_proto_version 3 +instead. .It Dv SSL_OP_NO_QUERY_MTU Do not query the MTU. Only affects DTLS connections. @@ -204,6 +214,9 @@ Deprecated; use instead. .It Dv SSL_OP_NO_TLSv1_1 Do not use the TLSv1.1 protocol. +Deprecated; use +.Xr SSL_CTX_set_min_proto_version 3 +instead. .It Dv SSL_OP_NO_TLSv1_2 Do not use the TLSv1.2 protocol. Deprecated; use diff --git a/man/SSL_CTX_set_quiet_shutdown.3 b/man/SSL_CTX_set_quiet_shutdown.3 index 98a37d76..71463f1e 100644 --- a/man/SSL_CTX_set_quiet_shutdown.3 +++ b/man/SSL_CTX_set_quiet_shutdown.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 8 2019 $ +.Dd $Mdocdate: March 30 2020 $ .Dt SSL_CTX_SET_QUIET_SHUTDOWN 3 .Os .Sh NAME @@ -144,11 +144,6 @@ This behaviour violates the TLS standard. .Pp The default is normal shutdown behaviour as described by the TLS standard. .Sh RETURN VALUES -.Fn SSL_CTX_set_quiet_shutdown -and -.Fn SSL_set_quiet_shutdown -do not return diagnostic information. -.Pp .Fn SSL_CTX_get_quiet_shutdown and .Fn SSL_get_quiet_shutdown diff --git a/man/SSL_CTX_set_tmp_dh_callback.3 b/man/SSL_CTX_set_tmp_dh_callback.3 index b4f54eab..2628c65a 100644 --- a/man/SSL_CTX_set_tmp_dh_callback.3 +++ b/man/SSL_CTX_set_tmp_dh_callback.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.8 2020/03/30 10:28:59 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 30 2020 $ .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3 .Os .Sh NAME @@ -175,11 +175,6 @@ and .Fa is_export and simply supply at least 2048-bit parameters in the callback. .Sh RETURN VALUES -.Fn SSL_CTX_set_tmp_dh_callback -and -.Fn SSL_set_tmp_dh_callback -do not return diagnostic output. -.Pp .Fn SSL_CTX_set_tmp_dh and .Fn SSL_set_tmp_dh diff --git a/man/SSL_CTX_set_verify.3 b/man/SSL_CTX_set_verify.3 index 40a09de9..5b137358 100644 --- a/man/SSL_CTX_set_verify.3 +++ b/man/SSL_CTX_set_verify.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.8 2020/09/17 08:04:22 schwarze Exp $ .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 -.\" selective merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100 .\" .\" This file was written by Lutz Jaenicke . .\" Copyright (c) 2000, 2001, 2002, 2003, 2014 The OpenSSL Project. @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: September 17 2020 $ .Dt SSL_CTX_SET_VERIFY 3 .Os .Sh NAME @@ -443,7 +443,8 @@ if (peer = SSL_get_peer_certificate(ssl)) { .Xr SSL_get_ex_new_index 3 , .Xr SSL_get_peer_certificate 3 , .Xr SSL_get_verify_result 3 , -.Xr SSL_new 3 +.Xr SSL_new 3 , +.Xr SSL_set1_host 3 .Sh HISTORY .Fn SSL_set_verify appeared in SSLeay 0.4 or earlier. diff --git a/man/SSL_CTX_use_certificate.3 b/man/SSL_CTX_use_certificate.3 index cdf6067f..fac1245f 100644 --- a/man/SSL_CTX_use_certificate.3 +++ b/man/SSL_CTX_use_certificate.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.13 2019/06/08 15:25:43 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.16 2021/03/31 16:53:30 tb Exp $ .\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000 .\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 8 2019 $ +.Dd $Mdocdate: March 31 2021 $ .Dt SSL_CTX_USE_CERTIFICATE 3 .Os .Sh NAME @@ -59,6 +59,7 @@ .Nm SSL_CTX_use_certificate_file , .Nm SSL_use_certificate , .Nm SSL_use_certificate_ASN1 , +.Nm SSL_use_certificate_chain_file , .Nm SSL_use_certificate_file , .Nm SSL_CTX_use_certificate_chain_file , .Nm SSL_CTX_use_certificate_chain_mem , @@ -90,6 +91,8 @@ .Ft int .Fn SSL_use_certificate_ASN1 "SSL *ssl" "unsigned char *d" "int len" .Ft int +.Fn SSL_use_certificate_chain_file "SSL *ssl" "const char *file" +.Ft int .Fn SSL_use_certificate_file "SSL *ssl" "const char *file" "int type" .Ft int .Fn SSL_CTX_use_certificate_chain_file "SSL_CTX *ctx" "const char *file" @@ -206,7 +209,7 @@ loads the certificate from into .Fa ssl . See the -.Pp +.Sx NOTES section on why .Fn SSL_CTX_use_certificate_chain_file should be preferred. @@ -219,7 +222,9 @@ The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. -There is no corresponding function working on a single +With the exception of +.Fn SSL_use_certificate_chain_file , +there is no corresponding function working on a single .Vt SSL object. .Pp @@ -429,6 +434,10 @@ All these functions have been available since first appeared in OpenSSL 0.9.4 and has been available since .Ox 2.6 . .Pp +.Fn SSL_use_certificate_chain_file +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.9 . +.Pp Support for DER encoded private keys .Pq Dv SSL_FILETYPE_ASN1 in diff --git a/man/SSL_SESSION_new.3 b/man/SSL_SESSION_new.3 index 0b35c114..bfc68eb6 100644 --- a/man/SSL_SESSION_new.3 +++ b/man/SSL_SESSION_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_new.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_new.3,v 1.8 2020/12/03 22:47:22 jmc Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 12 2019 $ +.Dd $Mdocdate: December 3 2020 $ .Dt SSL_SESSION_NEW 3 .Os .Sh NAME @@ -26,7 +26,7 @@ .Fn SSL_SESSION_new void .Sh DESCRIPTION .Fn SSL_SESSION_new -allocates and initializes an new +allocates and initializes a new .Vt SSL_SESSION object. The reference count is set to 1, the time to the current time, and diff --git a/man/SSL_free.3 b/man/SSL_free.3 index 38694a06..d31f3e40 100644 --- a/man/SSL_free.3 +++ b/man/SSL_free.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_free.3,v 1.5 2020/03/30 10:28:59 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 30 2020 $ .Dt SSL_FREE 3 .Os .Sh NAME @@ -103,9 +103,6 @@ was not used to set the .Vt SSL_SENT_SHUTDOWN state, the session will also be removed from the session cache as required by RFC2246. -.Sh RETURN VALUES -.Fn SSL_free -does not provide diagnostic information. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_clear 3 , diff --git a/man/SSL_get_ciphers.3 b/man/SSL_get_ciphers.3 index 07361da4..8030f0bb 100644 --- a/man/SSL_get_ciphers.3 +++ b/man/SSL_get_ciphers.3 @@ -1,10 +1,28 @@ -.\" $OpenBSD: SSL_get_ciphers.3,v 1.7 2019/01/22 01:18:24 tb Exp $ -.\" full merge up to: OpenSSL c3e64028 Mar 30 11:50:14 2005 +0000 +.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 .\" -.\" This file was written by Lutz Jaenicke , -.\" Nick Mathewson , and Kazuki Yamaguchi . -.\" Copyright (c) 2000, 2005, 2015, 2016 The OpenSSL Project. +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Lutz Jaenicke , +.\" Nick Mathewson , Kurt Roeckx , +.\" Kazuki Yamaguchi , and Benjamin Kaduk . +.\" Copyright (c) 2000, 2005, 2015, 2016, 2017 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -51,7 +69,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 22 2019 $ +.Dd $Mdocdate: September 16 2020 $ .Dt SSL_GET_CIPHERS 3 .Os .Sh NAME @@ -60,7 +78,7 @@ .Nm SSL_get1_supported_ciphers , .Nm SSL_get_client_ciphers , .Nm SSL_get_cipher_list -.Nd get list of available SSL_CIPHERs +.Nd get lists of available SSL_CIPHERs .Sh SYNOPSIS .In openssl/ssl.h .Ft STACK_OF(SSL_CIPHER) * @@ -80,13 +98,6 @@ returns the stack of available for .Fa ssl , sorted by preference. -If -.Fa ssl -is -.Dv NULL -or no ciphers are available, -.Dv NULL -is returned. .Pp .Fn SSL_CTX_get_ciphers returns the stack of available @@ -95,7 +106,7 @@ for .Fa ctx . .Pp .Fn SSL_get1_supported_ciphers -returns the stack of enabled +returns a stack of enabled .Vt SSL_CIPHER Ns s for .Fa ssl @@ -110,40 +121,12 @@ For example, additional ciphers may be usable by a server if there is a gap in the list of supported protocols, and some ciphers may not be usable by a server if there is not a suitable certificate configured. -If -.Fa ssl -is -.Dv NULL -or no ciphers are available, -.Dv NULL -is returned. .Pp .Fn SSL_get_client_ciphers returns the stack of available .Vt SSL_CIPHER Ns s matching the list received from the client on .Fa ssl . -If -.Fa ssl -is -.Dv NULL , -no ciphers are available, or -.Fa ssl -is not operating in server mode, -.Dv NULL -is returned. -.Pp -.Fn SSL_get_ciphers , -.Fn SSL_CTX_get_ciphers , -and -.Fn SSL_get_client_ciphers -return pointers to internal cipher stacks, which will be freed -later on when the -.Vt SSL -or -.Vt SSL_CTX -object is freed. -Therefore, the calling code must not free the return value itself. .Pp The details of the ciphers obtained by .Fn SSL_get_ciphers , @@ -156,29 +139,93 @@ can be obtained using the family of functions. .Pp .Fn SSL_get_cipher_list -returns a pointer to the name of the -.Vt SSL_CIPHER -listed for +is deprecated \(em use +.Fn SSL_get_ciphers +instead \(em and badly misnamed; it does not return a list +but the name of one element of the return value of +.Fn SSL_get_ciphers , +with the index given by the +.Fa priority +argument. +Passing 0 selects the cipher with the highest priority. +To iterate over all available ciphers in decreasing priority, +repeatedly increment the argument by 1 until +.Dv NULL +is returned. +.Sh RETURN VALUES +.Fn SSL_get_ciphers +returns an internal pointer to a list of ciphers or +.Dv NULL +if +.Fa ssl +is +.Dv NULL +or if no ciphers are available. +The returned pointer may not only become invalid when .Fa ssl -with -.Fa priority . -If +is destroyed or when +.Xr SSL_set_cipher_list 3 +is called on it, but also when the +.Vt SSL_CTX +object in use by +.Fa ssl +at the time of the call is freed or when +.Xr SSL_CTX_set_cipher_list 3 +is called on that context object. +.Pp +.Fn SSL_CTX_get_ciphers +returns an internal pointer to a list of ciphers or +.Dv NULL +if +.Fa ctx +is +.Dv NULL +or if no ciphers are available. +The returned pointer becomes invalid when +.Fa ctx +is destroyed or when +.Xr SSL_CTX_set_cipher_list 3 +is called on it. +.Pp +.Fn SSL_get1_supported_ciphers +returns a newly allocated list of ciphers or +.Dv NULL +if .Fa ssl is .Dv NULL , -no ciphers are available, or there are fewer ciphers than -.Fa priority -available, +if no ciphers are available, or if an error occurs. +When the returned pointer is no longer needed, the caller is +responsible for freeing it using +.Fn sk_SSL_CIPHER_free . +.Pp +.Fn SSL_get_client_ciphers +returns an internal pointer to a list of ciphers or .Dv NULL -is returned. +if +.Fa ssl +is +.Dv NULL , +has no active session, +or is not operating in server mode. +The returned pointer becomes invalid when the +.Vt SSL_SESSION +object is destroyed, even if the +.Fa ssl +object remains valid. +It may also become invalid in other circumstances, +for example when processing a new ClientHello. .Pp -Call .Fn SSL_get_cipher_list -with -.Fa priority -starting from 0 to obtain the sorted list of available ciphers, until +returns an internal pointer to a string or .Dv NULL -is returned. +if +.Fa ssl +is +.Dv NULL , +if no ciphers are available, or if +.Fa priority +is greater than or equal to the number of available ciphers. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_CIPHER_get_name 3 , diff --git a/man/SSL_get_finished.3 b/man/SSL_get_finished.3 new file mode 100644 index 00000000..3cfb655e --- /dev/null +++ b/man/SSL_get_finished.3 @@ -0,0 +1,77 @@ +.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $ +.\" +.\" Copyright (c) 2020 Theo Buehler +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 30 2021 $ +.Dt SSL_GET_FINISHED 3 +.Os +.Sh NAME +.Nm SSL_get_finished , +.Nm SSL_get_peer_finished +.Nd get last sent or last expected finished message +.Sh SYNOPSIS +.In openssl/ssl.h +.Ft size_t +.Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count" +.Ft size_t +.Fn SSL_get_peer_finished "const SSL *ssl" "void *buf" "size_t count" +.Sh DESCRIPTION +.Fn SSL_get_finished +and +.Fn SSL_get_peer_finished +copy +.Fa count +bytes from the last finished message sent to the peer +or expected from the peer into the +caller-provided buffer +.Fa buf . +.Pp +The finished message is computed from a checksum of the handshake records +exchanged with the peer. +Its length depends on the ciphersuite in use and is at most +.Dv EVP_MAX_MD_SIZE , +i.e., 64 bytes. +.\" In TLSv1.3 the length is equal to the length of the hash algorithm +.\" used by the hash-based message authentication code (HMAC), +.\" which is currently either 32 bytes for SHA-256 or 48 bytes for SHA-384. +.\" In TLSv1.2 the length defaults to 12 bytes, but it can explicitly be +.\" specified by the ciphersuite to be longer. +.\" In TLS versions 1.1 and 1.0, the finished message has a fixed length +.\" of 12 bytes. +.Sh RETURN VALUES +.Fn SSL_get_finished +and +.Fn SSL_get_peer_finished +return the number of bytes copied into +.Fa buf . +The return value is zero if the handshake has not reached the +finished message. +.Sh SEE ALSO +.Xr ssl 3 , +.Xr SSL_get_session 3 , +.Xr SSL_set_session 3 +.Sh STANDARDS +RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3, +section 4.4.4: Finished. +.Pp +RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2, +section 7.4.9: Finished. +.Sh HISTORY +.Fn SSL_get_finished +and +.Fn SSL_get_peer_finished +first appeared in SSLeay 0.9.5 +and have been available since +.Ox 2.7 . diff --git a/man/SSL_get_peer_certificate.3 b/man/SSL_get_peer_certificate.3 index 5e7247f4..358026d3 100644 --- a/man/SSL_get_peer_certificate.3 +++ b/man/SSL_get_peer_certificate.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.5 2020/09/17 08:04:22 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . .\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: September 17 2020 $ .Dt SSL_GET_PEER_CERTIFICATE 3 .Os .Sh NAME @@ -97,7 +97,8 @@ The return value points to the certificate presented by the peer. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_CTX_set_verify 3 , -.Xr SSL_get_verify_result 3 +.Xr SSL_get_verify_result 3 , +.Xr SSL_get0_peername 3 .Sh HISTORY .Fn SSL_get_peer_certificate appeared in SSLeay 0.4 or earlier and has been available since diff --git a/man/SSL_get_shared_ciphers.3 b/man/SSL_get_shared_ciphers.3 index 6b75439f..207e8c42 100644 --- a/man/SSL_get_shared_ciphers.3 +++ b/man/SSL_get_shared_ciphers.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $ +.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 12 2019 $ +.Dd $Mdocdate: January 9 2021 $ .Dt SSL_GET_SHARED_CIPHERS 3 .Os .Sh NAME @@ -29,12 +29,14 @@ .Fa "int len" .Fc .Sh DESCRIPTION -.Fn SSL_get_shared_ciphers -puts the names of the ciphers that are supported by both the client -and the server of +If .Fa ssl -into the buffer -.Fa buf . +contains a session in server mode, +.Fn SSL_get_shared_ciphers +puts as many names of ciphers that are supported by both the client +and the server into the buffer +.Fa buf +as the buffer is long enough to contain. Names are separated by colons. At most .Fa len @@ -42,19 +44,47 @@ bytes are written to .Fa buf including the terminating NUL character. .Sh RETURN VALUES -If -.Fa ssl -contains no session, if the session contains no shared ciphers, -or if -.Fa len -is less than 2, .Fn SSL_get_shared_ciphers returns -.Dv NULL . -Otherwise, it returns -.Fa buf . +.Fa buf +on success or +.Dv NULL +on failure. +The following situations cause failure: +.Bl -bullet +.It +.Xr SSL_is_server 3 +is false, i.e., +.Ar ssl +is not set to server mode. +.It +.Xr SSL_get_ciphers 3 +is +.Dv NULL +or empty, i.e., no ciphers are available for use by the server. +.It +.Xr SSL_get_session 3 +is +.Dv NULL , +i.e., +.Ar ssl +contains no session. +.It +.Xr SSL_get_client_ciphers 3 +is +.Dv NULL +or empty, i.e., +.Ar ssl +contains no information about ciphers supported by the client, +or the client does not support any ciphers. +.It +The +.Fa len +argument is less than 2. +.El .Sh SEE ALSO -.Xr ssl 3 +.Xr ssl 3 , +.Xr SSL_get_ciphers 3 .Sh HISTORY .Fn SSL_get_shared_ciphers first appeared in SSLeay 0.4.5b and has been available since diff --git a/man/SSL_get_verify_result.3 b/man/SSL_get_verify_result.3 index ec4df2d3..03c42100 100644 --- a/man/SSL_get_verify_result.3 +++ b/man/SSL_get_verify_result.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: SSL_get_verify_result.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" $OpenBSD: SSL_get_verify_result.3,v 1.5 2020/09/17 08:04:22 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . .\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: September 17 2020 $ .Dt SSL_GET_VERIFY_RESULT 3 .Os .Sh NAME @@ -84,7 +84,9 @@ Documented in .Sh SEE ALSO .Xr openssl 1 , .Xr ssl 3 , +.Xr SSL_CTX_set_verify 3 , .Xr SSL_get_peer_certificate 3 , +.Xr SSL_get0_peername 3 , .Xr SSL_set_verify_result 3 .Sh HISTORY .Fn SSL_get_verify_result diff --git a/man/SSL_get_version.3 b/man/SSL_get_version.3 index cc4297c5..a6cefb05 100644 --- a/man/SSL_get_version.3 +++ b/man/SSL_get_version.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: SSL_get_version.3,v 1.7 2019/03/18 18:31:15 schwarze Exp $ -.\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 +.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $ +.\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -49,11 +49,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 18 2019 $ +.Dd $Mdocdate: April 15 2021 $ .Dt SSL_GET_VERSION 3 .Os .Sh NAME .Nm SSL_get_version , +.Nm SSL_is_dtls , .Nm SSL_version .\" The following are intentionally undocumented because .\" - the longer term plan is to remove them @@ -61,25 +62,33 @@ .\" - and they have the wrong namespace prefix .\" Nm TLS1_get_version .\" Nm TLS1_get_client_version -.Nd get the protocol version of a connection +.Nd get the protocol information of a connection .Sh SYNOPSIS .In openssl/ssl.h .Ft const char * .Fn SSL_get_version "const SSL *ssl" .Ft int +.Fn SSL_is_dtls "const SSL *ssl" +.Ft int .Fn SSL_version "const SSL *ssl" .Sh DESCRIPTION .Fn SSL_get_version returns the name of the protocol used for the connection .Fa ssl . .Pp +.Fn SSL_is_dtls +returns 1 if the connection is using DTLS, 0 if not. +.Pp .Fn SSL_version returns an integer constant representing that protocol. .Pp These functions only return reliable results after the initial handshake has been completed. .Sh RETURN VALUES -The following strings or integers can be returned: +The following strings or integers can be returned by +.Fn SSL_get_version +and +.Fn SSL_version : .Bl -tag -width Ds .It Qo TLSv1 Qc No or Dv TLS1_VERSION The connection uses the TLSv1.0 protocol. @@ -91,10 +100,15 @@ The connection uses the TLSv1.2 protocol. The connection uses the TLSv1.3 protocol. .It Qo DTLSv1 Qc No or Dv DTLS1_VERSION The connection uses the Datagram Transport Layer Security 1.0 protocol. +.It Qo DTLSv1.2 Qc No or Dv DTLS1_2_VERSION +The connection uses the Datagram Transport Layer Security 1.2 protocol. .It Qq unknown This indicates an unknown protocol version; it cannot currently happen with LibreSSL. .El +.Pp +.Fn SSL_is_dtls +returns 1 if the connection uses DTLS, 0 if not. .Sh SEE ALSO .Xr ssl 3 .Sh HISTORY @@ -103,3 +117,7 @@ and .Fn SSL_version first appeared in SSLeay 0.8.0 and have been available since .Ox 2.4 . +.Pp +.Fn SSL_is_dtls +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.9 . diff --git a/man/SSL_pending.3 b/man/SSL_pending.3 index b3efa426..bbc2e9bd 100644 --- a/man/SSL_pending.3 +++ b/man/SSL_pending.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_pending.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Lutz Jaenicke , @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: January 23 2020 $ .Dt SSL_PENDING 3 .Os .Sh NAME @@ -67,37 +67,18 @@ is buffered until it is read by the application via a call to .Xr SSL_read 3 . .Pp .Fn SSL_pending -returns the number of bytes which are available inside -.Fa ssl +returns the number of bytes of application data which are available for immediate read. .Pp .Fn SSL_pending takes into account only bytes from the TLS/SSL record that is currently being processed (if any). -If the -.Fa ssl->read_ahead -flag is set (see -.Xr SSL_CTX_set_read_ahead 3 ) , -additional protocol bytes beyond the current record may have been -read containing more TLS/SSL records. -This also applies to DTLS. -These additional bytes will be buffered but will remain unprocessed -until they are needed. -As these bytes are still in an unprocessed state, -.Fn SSL_pending -will ignore them. -Therefore it is possible for no more bytes to be readable from the -underlying BIO (because the library has already read them) and for -.Fn SSL_pending -to return 0, even though readable application data bytes are available -(because the data is in unprocessed buffered records). .Sh RETURN VALUES .Fn SSL_pending returns the number of buffered and processed application data bytes that are pending and are available for immediate read. .Sh SEE ALSO .Xr ssl 3 , -.Xr SSL_CTX_set_read_ahead 3 , .Xr SSL_read 3 .Sh HISTORY .Fn SSL_pending diff --git a/man/SSL_read.3 b/man/SSL_read.3 index d773065a..ea181ce1 100644 --- a/man/SSL_read.3 +++ b/man/SSL_read.3 @@ -1,9 +1,11 @@ -.\" $OpenBSD: SSL_read.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: SSL_read.3,v 1.7 2020/05/26 19:45:58 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" partial merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100 .\" .\" This file was written by Lutz Jaenicke and .\" Matt Caswell . -.\" Copyright (c) 2000, 2001, 2008, 2016 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2000, 2001, 2008, 2016 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -49,13 +51,13 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: May 26 2020 $ .Dt SSL_READ 3 .Os .Sh NAME .Nm SSL_read , .Nm SSL_peek -.Nd read bytes from a TLS/SSL connection +.Nd read bytes from a TLS connection .Sh SYNOPSIS .In openssl/ssl.h .Ft int @@ -86,7 +88,7 @@ and are called .Dq read functions . .Pp -If necessary, a read function will negotiate a TLS/SSL session, if +If necessary, a read function will negotiate a TLS session, if not already explicitly performed by .Xr SSL_connect 3 or @@ -105,12 +107,12 @@ or .Xr SSL_set_accept_state 3 before the first call to a read function. .Pp -The read functions works based on the SSL/TLS records. +The read functions works based on the TLS records. The data are received in records (with a maximum record size of 16kB). Only when a record has been completely received, it can be processed (decrypted and checked for integrity). Therefore data that was not retrieved at the last read call can -still be buffered inside the SSL layer and will be retrieved on the +still be buffered inside the TLS layer and will be retrieved on the next read call. If .Fa num @@ -121,7 +123,7 @@ the processing of the next record. Only when the record has been received and processed completely will the read functions return reporting success. At most the contents of the record will be returned. -As the size of an SSL/TLS record may exceed the maximum packet size +As the size of a TLS record may exceed the maximum packet size of the underlying transport (e.g., TCP), it may be necessary to read several packets from the transport layer before the record is complete and the read call can succeed. @@ -185,7 +187,7 @@ The following return values can occur: .It >0 The read operation was successful. The return value is the number of bytes actually read from the -TLS/SSL connection. +TLS connection. .It 0 The read operation was not successful. The reason may either be a clean shutdown due to a @@ -199,7 +201,7 @@ and It is also possible that the peer simply shut down the underlying transport and the shutdown is incomplete. Call -.Fn SSL_get_error +.Xr SSL_get_error 3 with the return value to find out whether an error occurred or the connection was shut down cleanly .Pq Dv SSL_ERROR_ZERO_RETURN . @@ -207,7 +209,7 @@ was shut down cleanly The read operation was not successful, because either an error occurred or action must be taken by the calling process. Call -.Fn SSL_get_error +.Xr SSL_get_error 3 with the return value to find out the reason. .El .Sh SEE ALSO diff --git a/man/SSL_read_early_data.3 b/man/SSL_read_early_data.3 new file mode 100644 index 00000000..e08b9545 --- /dev/null +++ b/man/SSL_read_early_data.3 @@ -0,0 +1,174 @@ +.\" $OpenBSD: SSL_read_early_data.3,v 1.2 2020/09/21 15:18:13 schwarze Exp $ +.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: September 21 2020 $ +.Dt SSL_READ_EARLY_DATA 3 +.Os +.Sh NAME +.Nm SSL_CTX_set_max_early_data , +.Nm SSL_set_max_early_data , +.Nm SSL_SESSION_set_max_early_data , +.Nm SSL_CTX_get_max_early_data , +.Nm SSL_get_max_early_data , +.Nm SSL_SESSION_get_max_early_data , +.Nm SSL_write_early_data , +.Nm SSL_read_early_data , +.Nm SSL_get_early_data_status +.Nd transmit application data during the handshake +.Sh SYNOPSIS +.In openssl/ssl.h +.Ft int +.Fo SSL_CTX_set_max_early_data +.Fa "SSL_CTX *ctx" +.Fa "uint32_t max_bytes" +.Fc +.Ft int +.Fo SSL_set_max_early_data +.Fa "SSL *ssl" +.Fa "uint32_t max_bytes" +.Fc +.Ft int +.Fo SSL_SESSION_set_max_early_data +.Fa "SSL_SESSION *session" +.Fa "uint32_t max_bytes" +.Fc +.Ft uint32_t +.Fo SSL_CTX_get_max_early_data +.Fa "const SSL_CTX *ctx" +.Fc +.Ft uint32_t +.Fo SSL_get_max_early_data +.Fa "const SSL *ssl" +.Fc +.Ft uint32_t +.Fo SSL_SESSION_get_max_early_data +.Fa "const SSL_SESSION *session" +.Fc +.Ft int +.Fo SSL_write_early_data +.Fa "SSL *ssl" +.Fa "const void *buf" +.Fa "size_t len" +.Fa "size_t *written" +.Fc +.Ft int +.Fo SSL_read_early_data +.Fa "SSL *ssl" +.Fa "void *buf" +.Fa "size_t maxlen" +.Fa "size_t *readbytes" +.Fc +.Ft int +.Fo SSL_get_early_data_status +.Fa "const SSL *ssl" +.Fc +.Sh DESCRIPTION +In LibreSSL, these functions have no effect. +They are only provided because some application programs +expect the API to be available when TLSv1.3 is supported. +Using these functions is strongly discouraged because they provide +marginal benefit in the first place even when implemented and +used as designed, because they have absurdly complicated semantics, +and because when they are used, inconspicuous oversights are likely +to cause serious security vulnerabilities. +.Pp +If these functions are used, other TLS implementations +may allow the transfer of application data during the inital handshake. +Even when used as designed, security of the connection is compromised; +in particular, application data is exchanged with unauthenticated peers, +and there is no forward secrecy. +Other downsides include an increased risk of replay attacks. +.Pp +.Fn SSL_CTX_set_max_early_data , +.Fn SSL_set_max_early_data , +and +.Fn SSL_SESSION_set_max_early_data +are intended to configure the maximum number of bytes per session +that can be transmitted during the handshake. +With LibreSSL, all arguments are ignored. +.Pp +An endpoint can attempt to send application data with +.Fn SSL_write_early_data +during the handshake. +With LibreSSL, such attempts always fail and set +.Pf * Fa written +to 0. +.Pp +A server can attempt to read application data from the client using +.Fn SSL_read_early_data +during the handshake. +With LibreSSL, no such data is ever accepted and +.Pf * Fa readbytes +is always set to 0. +.Sh RETURN VALUES +.Fn SSL_CTX_set_max_early_data , +.Fn SSL_set_max_early_data , +and +.Fn SSL_SESSION_set_max_early_data +return 1 for success or 0 for failure. +With LibreSSL, they always succeed. +.Pp +.Fn SSL_CTX_get_max_early_data , +.Fn SSL_get_max_early_data , +and +.Fn SSL_SESSION_get_max_early_data +return the maximum number of bytes of application data +that will be accepted from the peer during the handshake. +With LibreSSL, they always return 0. +.Pp +.Fn SSL_write_early_data +returns 1 for success or 0 for failure. +With LibreSSL, it always fails. +.Pp +With LibreSSL, +.Fn SSL_read_early_data +always returns +.Dv SSL_READ_EARLY_DATA_FINISH +on the server side and +.Dv SSL_READ_EARLY_DATA_ERROR +on the client side. +.Dv SSL_READ_EARLY_DATA_SUCCESS +can occur with other implementations, but not with LibreSSL. +.Pp +With LibreSSL, +.Fn SSL_get_early_data_status +always returns +.Dv SSL_EARLY_DATA_REJECTED . +With other implementations, it might also return +.Dv SSL_EARLY_DATA_NOT_SENT +or +.Dv SSL_EARLY_DATA_ACCEPTED . +.Sh SEE ALSO +.Xr ssl 3 , +.Xr SSL_read 3 , +.Xr SSL_write 3 +.Sh STANDARDS +RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3: +.Bl -tag -width "section 4.2.10" -compact +.It Section 2.3 +0-RTT data +.It Section 4.2.10 +Early Data Indication +.It Section 8 +0-RTT and Anti-Replay +.It Appendix E.5 +Replay Attacks on 0-RTT +.El +.Sh HISTORY +These functions first appeared in OpenSSL 1.1.1 +and have been available since +.Ox 6.9 . diff --git a/man/SSL_set1_host.3 b/man/SSL_set1_host.3 new file mode 100644 index 00000000..2a3935c3 --- /dev/null +++ b/man/SSL_set1_host.3 @@ -0,0 +1,172 @@ +.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $ +.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 +.\" +.\" This file was written by Viktor Dukhovni +.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: March 31 2021 $ +.Dt SSL_SET1_HOST 3 +.Os +.Sh NAME +.Nm SSL_set1_host , +.Nm SSL_set_hostflags , +.Nm SSL_get0_peername +.Nd SSL server verification parameters +.Sh SYNOPSIS +.In openssl/ssl.h +.Ft int +.Fo SSL_set1_host +.Fa "SSL *ssl" +.Fa "const char *hostname" +.Fc +.Ft void +.Fo SSL_set_hostflags +.Fa "SSL *ssl" +.Fa "unsigned int flags" +.Fc +.Ft const char * +.Fo SSL_get0_peername +.Fa "SSL *ssl" +.Fc +.Sh DESCRIPTION +.Fn SSL_set1_host +configures a server hostname check in the +.Fa ssl +client, setting the expected DNS hostname to +.Fa hostname +and clearing any previously specified hostname. +If +.Fa hostname +is +.Dv NULL +or the empty string, name checks are not performed on the peer certificate. +If a nonempty +.Fa hostname +is specified, certificate verification automatically checks the peer +hostname via +.Xr X509_check_host 3 +with +.Fa flags +set to 0. +.Pp +.Fn SSL_set_hostflags +sets the flags that will be passed to +.Xr X509_check_host 3 +when name checks are applicable, +by default the flags value is 0. +See +.Xr X509_check_host 3 +for the list of available flags and their meaning. +.Pp +.Fn SSL_get0_peername +returns the DNS hostname or subject CommonName from the peer certificate +that matched one of the reference identifiers. +Unless wildcard matching is disabled, the name matched in the peer +certificate may be a wildcard name. +A reference identifier starting with +.Sq \&. +indicates a parent domain prefix rather than a fixed name. +In this case, the matched peername may be a sub-domain +of the reference identifier. +The returned string is owned by the library and is no longer valid +once the associated +.Fa ssl +object is cleared or freed, or if a renegotiation takes place. +Applications must not free the return value. +.Pp +SSL clients are advised to use these functions in preference to +explicitly calling +.Xr X509_check_host 3 . +.Sh RETURN VALUES +.Fn SSL_set1_host +returns 1 for success or 0 for failure. +.Pp +.Fn SSL_get0_peername +returns the matched peername or +.Dv NULL +if peername verification is not applicable +or no trusted peername was matched. +Use +.Xr SSL_get_verify_result 3 +to determine whether verification succeeded. +.Sh EXAMPLES +The calls below check the hostname. +Wildcards are supported, but they must match the entire label. +The actual name matched in the certificate (which might be a wildcard) +is retrieved, and must be copied by the application if it is to be +retained beyond the lifetime of the SSL connection. +.Bd -literal +if (!SSL_set1_host(ssl, "smtp.example.com")) + /* error */ + +/* XXX: Perform SSL_connect() handshake and handle errors here */ + +if (SSL_get_verify_result(ssl) == X509_V_OK) { + const char *peername = SSL_get0_peername(ssl); + + if (peername != NULL) + /* Name checks were in scope and matched the peername */ +} +.Ed +.Sh SEE ALSO +.Xr ssl 3 , +.Xr SSL_CTX_set_verify 3 , +.Xr SSL_get_peer_certificate 3 , +.Xr SSL_get_verify_result 3 , +.Xr X509_check_host 3 , +.Xr X509_VERIFY_PARAM_set1_host 3 +.Sh HISTORY +All three functions first appeared in OpenSSL 1.1.0. +.Fn SSL_set1_host +has been available since +.Ox 6.5 , +and +.Fn SSL_set_hostflags +and +.Fn SSL_get0_peername +since +.Ox 6.9 . diff --git a/man/SSL_set_SSL_CTX.3 b/man/SSL_set_SSL_CTX.3 new file mode 100644 index 00000000..9b667347 --- /dev/null +++ b/man/SSL_set_SSL_CTX.3 @@ -0,0 +1,66 @@ +.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.3 2020/09/22 13:27:08 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: September 22 2020 $ +.Dt SSL_SET_SSL_CTX 3 +.Os +.Sh NAME +.Nm SSL_set_SSL_CTX +.Nd modify an SSL connection object to use another context +.Sh SYNOPSIS +.In openssl/ssl.h +.Ft SSL_CTX * +.Fo SSL_set_SSL_CTX +.Fa "SSL *ssl" +.Fa "SSL_CTX* ctx" +.Fc +.Sh DESCRIPTION +.Fn SSL_set_SSL_CTX +causes +.Fa ssl +to use the context +.Fa ctx . +.Pp +If +.Fa ctx +is +.Dv NULL , +.Fa ssl +reverts to using the context that it was initially created from with +.Xr SSL_new 3 . +.Pp +If +.Fa ssl +already uses +.Fa ctx , +no action occurs. +.Sh RETURN VALUES +.Fn SSL_set_SSL_CTX +returns an internal pointer to the context that +.Fa ssl +is using as a result of the call, or +.Dv NULL +if memory allocation fails. +.Sh SEE ALSO +.Xr ssl 3 , +.Xr SSL_clear 3 , +.Xr SSL_CTX_new 3 , +.Xr SSL_get_SSL_CTX 3 , +.Xr SSL_new 3 +.Sh HISTORY +.Fn SSL_set_SSL_CTX +first appeared in OpenSSL 0.9.8f and has been available since +.Ox 4.5 . diff --git a/man/SSL_set_bio.3 b/man/SSL_set_bio.3 index f3ea507d..e727f442 100644 --- a/man/SSL_set_bio.3 +++ b/man/SSL_set_bio.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_bio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $ .\" OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: October 8 2020 $ .Dt SSL_SET_BIO 3 .Os .Sh NAME @@ -86,9 +86,6 @@ connected to .Fa ssl , .Xr BIO_free 3 will be called (for both the reading and writing side, if different). -.Sh RETURN VALUES -.Fn SSL_set_bio -cannot fail. .Sh SEE ALSO .Xr BIO_new 3 , .Xr ssl 3 , diff --git a/man/SSL_set_shutdown.3 b/man/SSL_set_shutdown.3 index 1a4d9de4..6882d29c 100644 --- a/man/SSL_set_shutdown.3 +++ b/man/SSL_set_shutdown.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_shutdown.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_set_shutdown.3,v 1.5 2020/03/30 10:28:59 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 30 2020 $ .Dt SSL_SET_SHUTDOWN 3 .Os .Sh NAME @@ -122,9 +122,6 @@ or .Fn SSL_set_shutdown itself. .Sh RETURN VALUES -.Fn SSL_set_shutdown -does not return diagnostic information. -.Pp .Fn SSL_get_shutdown returns the current setting. .Sh SEE ALSO diff --git a/man/SSL_set_verify_result.3 b/man/SSL_set_verify_result.3 index 1ff8101f..4b7cc6ec 100644 --- a/man/SSL_set_verify_result.3 +++ b/man/SSL_set_verify_result.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_verify_result.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 29 2020 $ .Dt SSL_SET_VERIFY_RESULT 3 .Os .Sh NAME @@ -79,9 +79,6 @@ The valid codes for .Fa verify_result are documented in .Xr openssl 1 . -.Sh RETURN VALUES -.Fn SSL_set_verify_result -does not provide a return value. .Sh SEE ALSO .Xr openssl 1 , .Xr ssl 3 , diff --git a/man/SSL_write.3 b/man/SSL_write.3 index d5e985e4..16be55f2 100644 --- a/man/SSL_write.3 +++ b/man/SSL_write.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_write.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: SSL_write.3,v 1.6 2020/10/08 16:02:38 tb Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: October 8 2020 $ .Dt SSL_WRITE 3 .Os .Sh NAME @@ -102,7 +102,7 @@ is .Em blocking , .Fn SSL_write will only return once the write operation has been finished or an error -occurred, except when a renegotiation take place, in which case a +occurred, except when a renegotiation takes place, in which case a .Dv SSL_ERROR_WANT_READ may occur. This behaviour can be controlled with the diff --git a/man/UI_new.3 b/man/UI_new.3 index c5b204bd..ab7dfb36 100644 --- a/man/UI_new.3 +++ b/man/UI_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: UI_new.3,v 1.9 2019/06/10 09:49:48 schwarze Exp $ +.\" $OpenBSD: UI_new.3,v 1.10 2020/06/19 17:17:13 schwarze Exp $ .\" full merge up to: OpenSSL 78b19e90 Jan 11 00:12:01 2017 +0100 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: June 19 2020 $ .Dt UI_NEW 3 .Os .Sh NAME @@ -502,7 +502,6 @@ is called with an explicit argument. .Sh SEE ALSO .Xr crypto 3 , -.Xr des_read_pw 3 , .Xr UI_create_method 3 , .Xr UI_get_string_type 3 , .Xr UI_UTIL_read_pw 3 diff --git a/man/X509_ALGOR_dup.3 b/man/X509_ALGOR_dup.3 index 85d69051..99c65b00 100644 --- a/man/X509_ALGOR_dup.3 +++ b/man/X509_ALGOR_dup.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_ALGOR_dup.3,v 1.14 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: X509_ALGOR_dup.3,v 1.15 2021/03/12 05:18:00 jsg Exp $ .\" OpenSSL 4692340e Jun 7 15:49:08 2016 -0400 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt X509_ALGOR_DUP 3 .Os .Sh NAME @@ -222,7 +222,7 @@ appeared in SSLeay 0.4 or earlier and have been available since .Ox 2.4 . .Pp .Fn X509_ALGOR_dup -first appeared in SSLeay 0.9.1 and has been avialable since +first appeared in SSLeay 0.9.1 and has been available since .Ox 2.6 . .Pp .Fn X509_ALGOR_set0 diff --git a/man/X509_ATTRIBUTE_new.3 b/man/X509_ATTRIBUTE_new.3 index b5c78ee8..66779d63 100644 --- a/man/X509_ATTRIBUTE_new.3 +++ b/man/X509_ATTRIBUTE_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.7 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.8 2020/06/04 10:24:27 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: June 4 2020 $ .Dt X509_ATTRIBUTE_NEW 3 .Os .Sh NAME @@ -65,6 +65,7 @@ if an error occurs. .Sh SEE ALSO .Xr d2i_X509_ATTRIBUTE 3 , .Xr PKCS12_SAFEBAG_new 3 , +.Xr PKCS7_add_attribute 3 , .Xr PKCS8_PRIV_KEY_INFO_new 3 , .Xr X509_EXTENSION_new 3 , .Xr X509_new 3 , diff --git a/man/X509_CRL_get0_by_serial.3 b/man/X509_CRL_get0_by_serial.3 index 14eb8249..8db04605 100644 --- a/man/X509_CRL_get0_by_serial.3 +++ b/man/X509_CRL_get0_by_serial.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.10 2019/06/14 13:59:32 schwarze Exp $ +.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.11 2020/10/21 17:17:43 tb Exp $ .\" OpenSSL X509_CRL_get0_by_serial.pod cdd6c8c5 Mar 20 12:29:37 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: October 21 2020 $ .Dt X509_CRL_GET0_BY_SERIAL 3 .Os .Sh NAME @@ -108,7 +108,6 @@ of certificate .Fn X509_CRL_get_REVOKED returns an internal pointer to a stack of all revoked entries for .Fa crl . -It is implemented as a macro. .Pp .Fn X509_CRL_add0_revoked appends revoked entry diff --git a/man/X509_INFO_new.3 b/man/X509_INFO_new.3 index 545480e0..9c601ccb 100644 --- a/man/X509_INFO_new.3 +++ b/man/X509_INFO_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_INFO_new.3,v 1.1 2019/08/19 13:52:53 schwarze Exp $ +.\" $OpenBSD: X509_INFO_new.3,v 1.2 2020/07/23 17:34:53 schwarze Exp $ .\" Copyright (c) 2019 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 19 2019 $ +.Dd $Mdocdate: July 23 2020 $ .Dt X509_INFO_NEW 3 .Os .Sh NAME @@ -60,6 +60,7 @@ object or .Dv NULL if an error occurs. .Sh SEE ALSO +.Xr PEM_X509_INFO_read 3 , .Xr X509_CRL_new 3 , .Xr X509_new 3 .Sh HISTORY diff --git a/man/X509_PUBKEY_new.3 b/man/X509_PUBKEY_new.3 index 4fc17b42..69afcb5a 100644 --- a/man/X509_PUBKEY_new.3 +++ b/man/X509_PUBKEY_new.3 @@ -1,7 +1,24 @@ -.\" $OpenBSD: X509_PUBKEY_new.3,v 1.15 2019/06/10 14:58:48 schwarze Exp $ +.\" $OpenBSD: X509_PUBKEY_new.3,v 1.16 2020/06/19 14:04:25 schwarze Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" -.\" This file was written by Dr. Stephen Henson . +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Dr. Stephen Henson . .\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -48,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: June 19 2020 $ .Dt X509_PUBKEY_NEW 3 .Os .Sh NAME @@ -273,6 +290,38 @@ if an error occurs. and .Fn i2d_PUBKEY_bio return 1 for success and 0 if an error occurred. +.Sh ERRORS +After failure of +.Fn X509_PUBKEY_get0 +or +.Fn X509_PUBKEY_get , +one of the following diagnostics can be retrieved with +.Xr ERR_get_error 3 , +.Xr ERR_GET_REASON 3 , +and +.Xr ERR_reason_error_string 3 : +.Bl -tag -width Ds +.It Dv X509_R_UNSUPPORTED_ALGORITHM Qq "unsupported algorithm" +The public key uses an algorithm unsupported by +.Xr EVP_PKEY_set_type 3 . +.It X509_R_METHOD_NOT_SUPPORTED Qq "method not supported" +While the algorithm is known to +.Xr EVP_PKEY_set_type 3 , +using it for decoding is not supported. +.It X509_R_PUBLIC_KEY_DECODE_ERROR Qq "public key decode error" +Decoding the public key failed. +.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure" +Memory was exhausted when trying to allocate the new +.Vt EVP_PKEY +object. +.El +.Pp +If +.Fa key +is +.Dv NULL +or does not contain a public key, +these functions fail but no error is pushed onto the stack. .Sh SEE ALSO .Xr d2i_X509 3 , .Xr EVP_PKEY_asn1_set_public 3 , diff --git a/man/X509_STORE_CTX_new.3 b/man/X509_STORE_CTX_new.3 index 84f75244..bcacb990 100644 --- a/man/X509_STORE_CTX_new.3 +++ b/man/X509_STORE_CTX_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.19 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.20 2019/12/05 14:38:56 claudio Exp $ .\" full merge up to: OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700 .\" selective merge up to: OpenSSL 7643a172 Apr 21 13:35:51 2017 +0200 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: December 5 2019 $ .Dt X509_STORE_CTX_NEW 3 .Os .Sh NAME @@ -65,6 +65,7 @@ .\" X509_STORE_CTX_get0_chain moved to X509_STORE_CTX_get_error(3) .Nm X509_STORE_CTX_set_chain , .Nm X509_STORE_CTX_set0_crls , +.Nm X509_STORE_CTX_set_flags , .Nm X509_STORE_CTX_get0_param , .Nm X509_STORE_CTX_set0_param , .Nm X509_STORE_CTX_get0_untrusted , @@ -119,6 +120,11 @@ .Fa "X509_STORE_CTX *ctx" .Fa "STACK_OF(X509_CRL) *sk" .Fc +.Ft void +.Fo X509_STORE_CTX_set_flags +.Fa "X509_STORE_CTX *ctx" +.Fa "unsigned long flags" +.Fc .Ft X509_VERIFY_PARAM * .Fo X509_STORE_CTX_get0_param .Fa "X509_STORE_CTX *ctx" @@ -231,6 +237,13 @@ structure. This might be used where additional "useful" CRLs are supplied as part of a protocol, for example in a PKCS#7 structure. .Pp +.Fn X509_STORE_CTX_set_flags +sets the internal verification parameter flags to +.Fa flags . +See +.Xr X509_VERIFY_PARAM_set_flags 3 +for a description of the verification flags. +.Pp .Fn X509_STORE_CTX_get0_param retrieves an internal pointer to the verification parameters associated with @@ -339,7 +352,9 @@ first appeared in OpenSSL 0.9.5 and have been available since .Ox 2.7 . .Pp .Fn X509_STORE_CTX_trusted_stack -first appeared in OpenSSL 0.9.6 and has been available since +and +.Fn X509_STORE_CTX_set_flags +first appeared in OpenSSL 0.9.6 and have been available since .Ox 2.9 . .Pp .Fn X509_STORE_CTX_set0_crls , diff --git a/man/X509_STORE_CTX_set_verify_cb.3 b/man/X509_STORE_CTX_set_verify_cb.3 index 0af222fb..5a4bb333 100644 --- a/man/X509_STORE_CTX_set_verify_cb.3 +++ b/man/X509_STORE_CTX_set_verify_cb.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.4 2018/03/22 17:38:08 schwarze Exp $ +.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 22 2018 $ +.Dd $Mdocdate: March 29 2020 $ .Dt X509_STORE_CTX_SET_VERIFY_CB 3 .Os .Sh NAME @@ -108,9 +108,6 @@ In some cases (such as S/MIME verification) the structure is created and destroyed internally and the only way to set a custom verification callback is by inheriting it from the associated .Vt X509_STORE . -.Sh RETURN VALUES -.Fn X509_STORE_CTX_set_verify_cb -does not return a value. .Sh EXAMPLES Default callback operation: .Bd -literal diff --git a/man/X509_STORE_load_locations.3 b/man/X509_STORE_load_locations.3 index ad64bd03..bc2a3e2d 100644 --- a/man/X509_STORE_load_locations.3 +++ b/man/X509_STORE_load_locations.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_load_locations.3,v 1.6 2018/03/30 00:44:24 schwarze Exp $ +.\" $OpenBSD: X509_STORE_load_locations.3,v 1.7 2021/03/12 05:18:00 jsg Exp $ .\" full merge up to: .\" OpenSSL X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000 .\" @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 30 2018 $ +.Dd $Mdocdate: March 12 2021 $ .Dt X509_STORE_LOAD_LOCATIONS 3 .Os .Sh NAME @@ -46,7 +46,7 @@ contained in the colon-separated list .Fa dirs for looking up certificates, in addition to files and directories that are already configured. -The certificates in the directores must be in hashed form, as documented in +The certificates in the directories must be in hashed form, as documented in .Xr X509_LOOKUP_hash_dir 3 . Directories already in use are not added again. If diff --git a/man/X509_STORE_set_verify_cb_func.3 b/man/X509_STORE_set_verify_cb_func.3 index 16f1fac2..052c28b6 100644 --- a/man/X509_STORE_set_verify_cb_func.3 +++ b/man/X509_STORE_set_verify_cb_func.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.9 2020/03/29 17:05:02 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 29 2020 $ .Dt X509_STORE_SET_VERIFY_CB_FUNC 3 .Os .Sh NAME @@ -86,11 +86,6 @@ structure when it is initialized. This can be used to set the verification callback when the .Vt X509_STORE_CTX is otherwise inaccessible (for example during S/MIME verification). -.Sh RETURN VALUES -.Fn X509_STORE_set_verify_cb -and -.Fn X509_STORE_set_verify_cb_func -do not return a value. .Sh SEE ALSO .Xr X509_STORE_CTX_set_verify_cb 3 , .Xr X509_STORE_new 3 diff --git a/man/X509_VERIFY_PARAM_set_flags.3 b/man/X509_VERIFY_PARAM_set_flags.3 index 5e452786..33cca3b4 100644 --- a/man/X509_VERIFY_PARAM_set_flags.3 +++ b/man/X509_VERIFY_PARAM_set_flags.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.14 2018/04/07 13:57:43 jmc Exp $ +.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.15 2020/09/17 08:04:22 schwarze Exp $ .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 -.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 +.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: @@ -68,7 +68,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 7 2018 $ +.Dd $Mdocdate: September 17 2020 $ .Dt X509_VERIFY_PARAM_SET_FLAGS 3 .Os .Sh NAME @@ -337,7 +337,7 @@ in a chain. .Fn X509_VERIFY_PARAM_set1_host sets the expected DNS hostname to .Fa name -clearing any previously specified host name or names. +clearing any previously specified hostname or names. If .Fa name is @@ -693,6 +693,7 @@ SSL_CTX_set1_param(ctx, param); X509_VERIFY_PARAM_free(param); .Ed .Sh SEE ALSO +.Xr SSL_set1_host 3 , .Xr SSL_set1_param 3 , .Xr X509_check_host 3 , .Xr X509_STORE_CTX_set0_param 3 , diff --git a/man/X509_check_host.3 b/man/X509_check_host.3 index a2c91af1..dbc56c0d 100644 --- a/man/X509_check_host.3 +++ b/man/X509_check_host.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: X509_check_host.3,v 1.5 2019/08/23 12:23:39 schwarze Exp $ -.\" full merge up to: OpenSSL 6738bf14 Feb 13 12:51:29 2018 +0000 +.\" $OpenBSD: X509_check_host.3,v 1.6 2020/09/17 08:04:22 schwarze Exp $ +.\" full merge up to: OpenSSL a09e4d24 Jun 12 01:56:31 2014 -0400 +.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 .\" .\" This file was written by Florian Weimer and .\" Viktor Dukhovni . @@ -50,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 23 2019 $ +.Dd $Mdocdate: September 17 2020 $ .Dt X509_CHECK_HOST 3 .Os .Sh NAME @@ -91,13 +92,13 @@ .Fc .Sh DESCRIPTION The certificate matching functions are used to check whether a -certificate matches a given host name, email address, or IP address. +certificate matches a given hostname, email address, or IP address. The validity of the certificate and its trust level has to be checked by other means. .Pp .Fn X509_check_host checks if the certificate Subject Alternative Name (SAN) or Subject -CommonName (CN) matches the specified host name, which must be encoded +CommonName (CN) matches the specified hostname, which must be encoded in the preferred name syntax described in section 3.5 of RFC 1034. By default, wildcards are supported and they match only in the left-most label; they may match part of that label with an @@ -234,9 +235,11 @@ returns -2 if the provided .Fa name contains embedded NUL bytes. .Sh SEE ALSO +.Xr SSL_set1_host 3 , .Xr X509_EXTENSION_new 3 , .Xr X509_get1_email 3 , -.Xr X509_new 3 +.Xr X509_new 3 , +.Xr X509_VERIFY_PARAM_set1_host 3 .Sh HISTORY These functions first appeared in OpenSSL 1.0.2 and have been available since diff --git a/man/X509_cmp.3 b/man/X509_cmp.3 index 1734d6a7..bd168c2a 100644 --- a/man/X509_cmp.3 +++ b/man/X509_cmp.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_cmp.3,v 1.1 2019/08/20 13:27:19 schwarze Exp $ +.\" $OpenBSD: X509_cmp.3,v 1.2 2020/06/12 12:15:59 schwarze Exp $ .\" full merge up to: OpenSSL ea5d4b89 Jun 6 11:42:02 2019 +0800 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2019 $ +.Dd $Mdocdate: June 12 2020 $ .Dt X509_CMP 3 .Os .Sh NAME @@ -77,6 +77,9 @@ .Nm X509_CRL_cmp , .Nm X509_CRL_match .Nd compare X.509 certificates and related values +.\" The function name_cmp() is intentionally undocumented. +.\" It was a mistake to make it public in the first place, +.\" and it is no longer part of the public API in OpenSSL 1.1. .Sh SYNOPSIS .In openssl/x509.h .Ft int diff --git a/man/X509_get0_notBefore.3 b/man/X509_get0_notBefore.3 index 334f70e5..e9f0d629 100644 --- a/man/X509_get0_notBefore.3 +++ b/man/X509_get0_notBefore.3 @@ -1,7 +1,7 @@ -.\" $OpenBSD: X509_get0_notBefore.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $ +.\" $OpenBSD: X509_get0_notBefore.3,v 1.5 2020/06/24 14:59:41 schwarze Exp $ .\" content checked up to: OpenSSL 27b138e9 May 19 00:16:38 2017 +0000 .\" -.\" Copyright (c) 2018 Ingo Schwarze +.\" Copyright (c) 2018, 2020 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 23 2018 $ +.Dd $Mdocdate: June 24 2020 $ .Dt X509_GET0_NOTBEFORE 3 .Os .Sh NAME @@ -23,12 +23,20 @@ .Nm X509_get0_notAfter , .Nm X509_getm_notBefore , .Nm X509_getm_notAfter , +.Nm X509_get_notBefore , +.Nm X509_get_notAfter , .Nm X509_CRL_get0_lastUpdate , .Nm X509_CRL_get0_nextUpdate , +.Nm X509_CRL_get_lastUpdate , +.Nm X509_CRL_get_nextUpdate , .Nm X509_set1_notBefore , .Nm X509_set1_notAfter , +.Nm X509_set_notBefore , +.Nm X509_set_notAfter , .Nm X509_CRL_set1_lastUpdate , -.Nm X509_CRL_set1_nextUpdate +.Nm X509_CRL_set1_nextUpdate , +.Nm X509_CRL_set_lastUpdate , +.Nm X509_CRL_set_nextUpdate .Nd get and set certificate and CRL validity dates .Sh SYNOPSIS .In openssl/x509.h @@ -49,13 +57,29 @@ .Fa "const X509 *x" .Fc .Ft ASN1_TIME * +.Fo X509_get_notBefore +.Fa "const X509 *x" +.Fc +.Ft ASN1_TIME * +.Fo X509_get_notAfter +.Fa "const X509 *x" +.Fc +.Ft const ASN1_TIME * .Fo X509_CRL_get0_lastUpdate .Fa "const X509_CRL *crl" .Fc -.Ft ASN1_TIME * +.Ft const ASN1_TIME * .Fo X509_CRL_get0_nextUpdate .Fa "const X509_CRL *crl" .Fc +.Ft ASN1_TIME * +.Fo X509_CRL_get_lastUpdate +.Fa "X509_CRL *crl" +.Fc +.Ft ASN1_TIME * +.Fo X509_CRL_get_nextUpdate +.Fa "X509_CRL *crl" +.Fc .Ft int .Fo X509_set1_notBefore .Fa "X509 *x" @@ -67,6 +91,16 @@ .Fa "const ASN1_TIME *tm" .Fc .Ft int +.Fo X509_set_notBefore +.Fa "X509 *x" +.Fa "const ASN1_TIME *tm" +.Fc +.Ft int +.Fo X509_set_notAfter +.Fa "X509 *x" +.Fa "const ASN1_TIME *tm" +.Fc +.Ft int .Fo X509_CRL_set1_lastUpdate .Fa "X509_CRL *crl" .Fa "const ASN1_TIME *tm" @@ -76,6 +110,16 @@ .Fa "X509_CRL *crl" .Fa "const ASN1_TIME *tm" .Fc +.Ft int +.Fo X509_CRL_set_lastUpdate +.Fa "X509_CRL *crl" +.Fa "const ASN1_TIME *tm" +.Fc +.Ft int +.Fo X509_CRL_set_nextUpdate +.Fa "X509_CRL *crl" +.Fa "const ASN1_TIME *tm" +.Fc .Sh DESCRIPTION .Fn X509_getm_notBefore and @@ -87,6 +131,10 @@ and fields of the validity period of the certificate .Fa x , respectively. +.Fn X509_get_notBefore +and +.Fn X509_get_notAfter +are deprecated aliases implemented as macros. .Pp .Fn X509_get0_notBefore and @@ -103,6 +151,12 @@ and fields of .Fa crl . .Pp +.Fn X509_CRL_get_lastUpdate +and +.Fn X509_CRL_get_nextUpdate +are deprecated and identical except for the const qualifier +on the argument and on the return type. +.Pp .Fn X509_set1_notBefore , .Fn X509_set1_notAfter , .Fn X509_CRL_set1_lastUpdate , @@ -123,24 +177,51 @@ respectively, to a deep copy of and free the .Vt ASN1_TIME value that they replace. -.Sh RETURN VALUES -.Fn X509_get0_notBefore , -.Fn X509_get0_notAfter , -.Fn X509_getm_notBefore , -.Fn X509_getm_notAfter , -.Fn X509_CRL_get0_lastUpdate , +.Pp +.Fn X509_set_notBefore , +.Fn X509_set_notAfter , +.Fn X509_CRL_set_lastUpdate , and -.Fn X509_CRL_get0_nextUpdate -return internal pointers which must not be freed by the application, or +.Fn X509_CRL_set_nextUpdate +are deprecated aliases. +.Sh RETURN VALUES +The +.Sy get +functions return internal pointers +which must not be freed by the application, or +.Dv NULL +if the requested field is not available. +They may crash with a .Dv NULL -if the requested fields are not available. +pointer access if +.Fa x +or +.Fa crl +is +.Dv NULL . .Pp -.Fn X509_set1_notBefore , -.Fn X509_set1_notAfter , -.Fn X509_CRL_set1_lastUpdate , -and -.Fn X509_CRL_set1_nextUpdate -return 1 on success or 0 on failure. +The +.Sy set +functions return 1 on success or 0 on failure. +They fail if +.Fa x +is +.Dv NULL +or does not contain a +.Fa validity +substructure, if +.Fa crl +is +.Dv NULL , +or if +.Xr ASN1_STRING_dup 3 +fails. +.Pp +Except for some cases of +.Xr ASN1_STRING_dup 3 +failure, these functions do not support +determining reasons for failure with +.Xr ERR_get_error 3 . .Sh SEE ALSO .Xr ASN1_TIME_set 3 , .Xr ASN1_TIME_set_tm 3 , @@ -153,6 +234,26 @@ return 1 on success or 0 on failure. .Xr X509_VAL_new 3 , .Xr X509_verify_cert 3 .Sh HISTORY -These functions first appeared in OpenSSL 1.1.0 +.Fn X509_get_notBefore , +.Fn X509_get_notAfter , +.Fn X509_set_notBefore , +and +.Fn X509_set_notAfter +first appeared in SSLeay 0.6.5 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_CRL_get_lastUpdate +and +.Fn X509_CRL_get_nextUpdate +first appeared in OpenSSL 0.9.2 and have been available since +.Ox 2.6 . +.Pp +.Fn X509_CRL_set_lastUpdate +and +.Fn X509_CRL_set_nextUpdate +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +The remaining functions first appeared in OpenSSL 1.1.0 and have been available since .Ox 6.3 . diff --git a/man/X509_get0_signature.3 b/man/X509_get0_signature.3 index a0982f21..903cc043 100644 --- a/man/X509_get0_signature.3 +++ b/man/X509_get0_signature.3 @@ -1,8 +1,25 @@ -.\" $OpenBSD: X509_get0_signature.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $ +.\" $OpenBSD: X509_get0_signature.3,v 1.6 2020/06/24 19:55:55 schwarze Exp $ .\" selective merge up to: .\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100 .\" -.\" This file was written by Dr. Stephen Henson . +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Dr. Stephen Henson . .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -49,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 23 2018 $ +.Dd $Mdocdate: June 24 2020 $ .Dt X509_GET0_SIGNATURE 3 .Os .Sh NAME @@ -57,6 +74,7 @@ .Nm X509_REQ_get0_signature , .Nm X509_CRL_get0_signature , .Nm X509_get0_tbs_sigalg , +.Nm X509_get_signature_type , .Nm X509_get_signature_nid , .Nm X509_REQ_get_signature_nid , .Nm X509_CRL_get_signature_nid @@ -86,6 +104,10 @@ .Fa "const X509 *x" .Fc .Ft int +.Fo X509_get_signature_type +.Fa "const X509 *x" +.Fc +.Ft int .Fo X509_get_signature_nid .Fa "const X509 *x" .Fc @@ -118,6 +140,13 @@ returns the signature algorithm in the signed portion of The values returned are internal pointers that must not be freed by the caller. .Pp +.Fn X509_get_signature_type +returns the base NID corresponding to the signature algorithm of +.Fa x +just like +.Xr EVP_PKEY_base_id 3 +does. +.Pp .Fn X509_get_signature_nid , .Fn X509_REQ_get_signature_nid , and @@ -127,7 +156,9 @@ return the NID corresponding to the signature algorithm of .Fa req , or .Fa crl , -respectively. +respectively, just like +.Xr EVP_PKEY_id 3 +does. .Pp These functions provide lower level access to the signature for cases where an application wishes to analyse or generate a @@ -135,6 +166,7 @@ signature in a form where .Xr X509_sign 3 is not appropriate, for example in a non-standard or unsupported format. .Sh SEE ALSO +.Xr EVP_PKEY_base_id 3 , .Xr OBJ_obj2nid 3 , .Xr X509_ALGOR_new 3 , .Xr X509_CRL_get0_by_serial 3 , @@ -147,6 +179,10 @@ is not appropriate, for example in a non-standard or unsupported format. .Xr X509_sign 3 , .Xr X509_verify_cert 3 .Sh HISTORY +.Fn X509_get_signature_type +first appeared in SSLeay 0.8.0 and has been available since +.Ox 2.4 . +.Pp .Fn X509_get0_signature and .Fn X509_get_signature_nid diff --git a/man/X509_get_pubkey.3 b/man/X509_get_pubkey.3 index 62367d8b..ad9c1ab0 100644 --- a/man/X509_get_pubkey.3 +++ b/man/X509_get_pubkey.3 @@ -1,7 +1,25 @@ -.\" $OpenBSD: X509_get_pubkey.3,v 1.7 2019/06/14 13:59:32 schwarze Exp $ +.\" $OpenBSD: X509_get_pubkey.3,v 1.8 2020/06/19 14:31:29 schwarze Exp $ .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" X509_REQ_get0_pubkey and X509_REQ_get_X509_PUBKEY not yet in LibreSSL .\" -.\" This file was written by Dr. Stephen Henson . +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2020 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Dr. Stephen Henson . .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -48,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: June 19 2020 $ .Dt X509_GET_PUBKEY 3 .Os .Sh NAME @@ -56,6 +74,7 @@ .Nm X509_get0_pubkey , .Nm X509_set_pubkey , .Nm X509_get_X509_PUBKEY , +.Nm X509_get0_pubkey_bitstr , .Nm X509_REQ_get_pubkey , .Nm X509_REQ_set_pubkey .Nd get or set certificate or certificate request public key @@ -78,6 +97,10 @@ .Fo X509_get_X509_PUBKEY .Fa "X509 *x" .Fc +.Ft ASN1_BIT_STRING * +.Fo X509_get0_pubkey_bitstr +.Fa "const X509 *x" +.Fc .Ft EVP_PKEY * .Fo X509_REQ_get_pubkey .Fa "X509_REQ *req" @@ -103,13 +126,18 @@ so it must not be freed up after use. .Pp .Fn X509_get_X509_PUBKEY returns an internal pointer to the -.Vt X509_PUBKEY -structure which encodes the certificate of +.Vt SubjectPublicKeyInfo +structure contained in .Fa x . The returned value must not be freed up after use. .Fn X509_get_X509_PUBKEY is implemented as a macro. .Pp +.Fn X509_get0_pubkey_bitstr +returns an internal pointer to just the public key contained in this +.Vt SubjectPublicKeyInfo +structure, without the information about the algorithm used. +.Pp .Fn X509_set_pubkey attempts to set the public key for certificate .Fa x @@ -134,6 +162,7 @@ incremented to improve performance. .Fn X509_get_pubkey , .Fn X509_get0_pubkey , .Fn X509_get_X509_PUBKEY , +.Fn X509_get0_pubkey_bitstr , and .Fn X509_REQ_get_pubkey return a public key or @@ -153,6 +182,42 @@ and .Fn X509_REQ_set_pubkey , the reason can be determined with .Xr ERR_get_error 3 . +.Sh ERRORS +.Fn X509_get_pubkey , +.Fn X509_get0_pubkey , +and +.Fn X509_REQ_get_pubkey +provide diagnostics as documented for +.Xr X509_PUBKEY_get 3 . +If +.Fa x +or +.Fa req +is +.Dv NULL +or contains no certificate information, +they fail without pushing an error onto the stack. +.Pp +.Fn X509_get_X509_PUBKEY +provides no diagnostics and crashes by accessing a +.Dv NULL +pointer if +.Fa x +is +.Dv NULL +or contains no certificate information, +.Pp +.Fn X509_get0_pubkey_bitstr +provides no diagnostics +and fails without pushing an error onto the stack if +.Fa x +is +.Dv NULL , +but it crashes by accessing a +.Dv NULL +pointer if +.Fa x +contains no certificate information. .Sh SEE ALSO .Xr d2i_X509 3 , .Xr X509_CRL_get0_by_serial 3 , @@ -166,6 +231,13 @@ the reason can be determined with .Xr X509_sign 3 , .Xr X509_verify_cert 3 , .Xr X509V3_get_d2i 3 +.Sh STANDARDS +RFC 5280, Internet X.509 Public Key Infrastructure Certificate +and Certificate Revocation List (CRL) Profile, +section 4.1 Basic Certificate Fields +.Pp +RFC 2986: PKCS #10: Certification Request Syntax Specification, +section 4.1 CertificationRequestInfo .Sh HISTORY .Fn X509_get_pubkey , .Fn X509_set_pubkey , @@ -178,6 +250,10 @@ first appeared in SSLeay 0.8.0. These functions have been available since .Ox 2.4 . .Pp +.Fn X509_get0_pubkey_bitstr +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.4 . +.Pp .Fn X509_get0_pubkey first appeared in OpenSSL 1.1.0 and has been available since .Ox 6.3 . diff --git a/man/X509_get_serialNumber.3 b/man/X509_get_serialNumber.3 index f40b7ca7..7d757c7a 100644 --- a/man/X509_get_serialNumber.3 +++ b/man/X509_get_serialNumber.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: X509_get_serialNumber.3,v 1.4 2019/06/14 13:59:32 schwarze Exp $ -.\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 +.\" $OpenBSD: X509_get_serialNumber.3,v 1.5 2020/06/19 12:01:20 schwarze Exp $ +.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. @@ -48,11 +48,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: June 19 2020 $ .Dt X509_GET_SERIALNUMBER 3 .Os .Sh NAME .Nm X509_get_serialNumber , +.Nm X509_get0_serialNumber , .Nm X509_set_serialNumber .Nd get or set certificate serial number .Sh SYNOPSIS @@ -61,6 +62,10 @@ .Fo X509_get_serialNumber .Fa "X509 *x" .Fc +.Ft const ASN1_INTEGER * +.Fo X509_get0_serialNumber +.Fa "const X509 *x" +.Fc .Ft int .Fo X509_set_serialNumber .Fa "X509 *x" @@ -76,6 +81,10 @@ structure which can be examined or initialised. The value returned is an internal pointer which must not be freed up after the call. .Pp +.Fn X509_get0_serialNumber +does the same except that it accepts a constant argument +and returns a constant result. +.Pp .Fn X509_set_serialNumber sets the serial number of certificate .Fa x @@ -86,7 +95,9 @@ A copy of the serial number is used internally so should be freed up after use. .Sh RETURN VALUES .Fn X509_get_serialNumber -returns an +and +.Fn X509_get0_serialNumber +return a pointer to an .Vt ASN1_INTEGER structure. .Pp @@ -112,3 +123,7 @@ and .Fn X509_set_serialNumber first appeared in SSLeay 0.6.5 and have been available since .Ox 2.4 . +.Pp +.Fn X509_get0_serialNumber +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.4 . diff --git a/man/X509_get_subject_name.3 b/man/X509_get_subject_name.3 index 33bc5de2..fb9611f6 100644 --- a/man/X509_get_subject_name.3 +++ b/man/X509_get_subject_name.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: X509_get_subject_name.3,v 1.9 2019/06/14 13:59:32 schwarze Exp $ -.\" OpenSSL 0ad69cd6 Jun 14 23:02:16 2016 +0200 +.\" $OpenBSD: X509_get_subject_name.3,v 1.10 2020/10/21 17:17:44 tb Exp $ +.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: October 21 2020 $ .Dt X509_GET_SUBJECT_NAME 3 .Os .Sh NAME @@ -133,11 +133,6 @@ and .Fn X509_CRL_set_issuer_name get or set the subject or issuer names of certificate requests of CRLs, respectively. -.Pp -.Fn X509_REQ_get_subject_name -and -.Fn X509_CRL_get_issuer -are implemented as macros. .Sh RETURN VALUES .Fn X509_get_subject_name , .Fn X509_get_issuer_name , diff --git a/man/X509_get_version.3 b/man/X509_get_version.3 index 05d42e23..ee46ff7c 100644 --- a/man/X509_get_version.3 +++ b/man/X509_get_version.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_get_version.3,v 1.7 2019/06/14 13:59:32 schwarze Exp $ +.\" $OpenBSD: X509_get_version.3,v 1.8 2020/10/21 17:17:44 tb Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: October 21 2020 $ .Dt X509_GET_VERSION 3 .Os .Sh NAME @@ -115,12 +115,6 @@ The version field of certificates, certificate requests, and CRLs has a DEFAULT value of v1(0) meaning the field should be omitted for version 1. This is handled transparently by these functions. -.Pp -.Fn X509_get_version , -.Fn X509_REQ_get_version -and -.Fn X509_CRL_get_version -are implemented as macros. .Sh RETURN VALUES .Fn X509_get_version , .Fn X509_REQ_get_version , diff --git a/man/crypto.3 b/man/crypto.3 index f589c6bb..6e98f643 100644 --- a/man/crypto.3 +++ b/man/crypto.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: crypto.3,v 1.22 2019/08/28 10:37:42 schwarze Exp $ +.\" $OpenBSD: crypto.3,v 1.25 2020/06/24 17:00:38 schwarze Exp $ .\" OpenSSL a9c85cea Nov 11 09:33:55 2016 +0100 .\" .\" This file was written by Ulf Moeller and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 28 2019 $ +.Dd $Mdocdate: June 24 2020 $ .Dt CRYPTO 3 .Os .Sh NAME @@ -69,6 +69,7 @@ are provided by the generic interface Low-level stand-alone interfaces include .Xr AES_encrypt 3 , .Xr BF_set_key 3 , +.Xr ChaCha 3 , .Xr DES_set_key 3 , and .Xr RC4 3 . @@ -93,6 +94,7 @@ and .Sy Authentication codes and hash functions offered include .Xr EVP_DigestInit 3 , +.Xr CMAC_Init 3 , .Xr HMAC 3 , .Xr MD4 3 , .Xr MD5 3 , @@ -105,6 +107,7 @@ and facilities include .Xr ASN1_TYPE_get 3 , .Xr BIO_new 3 , +.Xr CMS_ContentInfo_new 3 , .Xr evp 3 , .Xr EVP_EncodeInit 3 , .Xr PEM_read 3 , diff --git a/man/d2i_CMS_ContentInfo.3 b/man/d2i_CMS_ContentInfo.3 index d927697f..0c61047c 100644 --- a/man/d2i_CMS_ContentInfo.3 +++ b/man/d2i_CMS_ContentInfo.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.2 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.3 2019/11/02 15:39:46 schwarze Exp $ .\" Copyright (c) 2019 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt D2I_CMS_CONTENTINFO 3 .Os .Sh NAME @@ -125,4 +125,4 @@ section 2.7: Receipt Request Syntax .Sh HISTORY These functions first appeared in OpenSSL 0.9.8h and have been available since -.Ox 6.6 . +.Ox 6.7 . diff --git a/man/d2i_OCSP_REQUEST.3 b/man/d2i_OCSP_REQUEST.3 index cc07bd7d..07a99055 100644 --- a/man/d2i_OCSP_REQUEST.3 +++ b/man/d2i_OCSP_REQUEST.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_OCSP_REQUEST.3,v 1.2 2018/03/22 21:08:22 schwarze Exp $ +.\" $OpenBSD: d2i_OCSP_REQUEST.3,v 1.3 2021/03/12 05:18:00 jsg Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 22 2018 $ +.Dd $Mdocdate: March 12 2021 $ .Dt D2I_OCSP_REQUEST 3 .Os .Sh NAME @@ -100,7 +100,7 @@ .Fa "unsigned char **der_out" .Fc .Sh DESCRIPTION -Theses functions decode and encode ASN.1 structures used for OCSP +These functions decode and encode ASN.1 structures used for OCSP requests. For details about the semantics, examples, caveats, and bugs, see .Xr ASN1_item_d2i 3 . diff --git a/man/d2i_OCSP_RESPONSE.3 b/man/d2i_OCSP_RESPONSE.3 index 14023482..716e85dc 100644 --- a/man/d2i_OCSP_RESPONSE.3 +++ b/man/d2i_OCSP_RESPONSE.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.3 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.4 2021/03/12 05:18:00 jsg Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: March 12 2021 $ .Dt D2I_OCSP_RESPONSE 3 .Os .Sh NAME @@ -139,7 +139,7 @@ .Fa "unsigned char **der_out" .Fc .Sh DESCRIPTION -Theses functions decode and encode ASN.1 structures used for OCSP +These functions decode and encode ASN.1 structures used for OCSP responses. For details about the semantics, examples, caveats, and bugs, see .Xr ASN1_item_d2i 3 . diff --git a/man/des_read_pw.3 b/man/des_read_pw.3 index 8c63a65f..30ae099d 100644 --- a/man/des_read_pw.3 +++ b/man/des_read_pw.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: des_read_pw.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: des_read_pw.3,v 1.10 2020/06/19 17:17:13 schwarze Exp $ .\" OpenSSL doc/crypto/ui_compat.pod May 14 11:28:00 2006 +0000 .\" OpenSSL doc/crypto/des.pod 2a9aca32 Oct 25 08:44:10 2001 +0000 .\" @@ -50,13 +50,14 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: June 19 2020 $ .Dt DES_READ_PW 3 .Os .Sh NAME .Nm des_read_pw , .Nm des_read_pw_string , -.Nm EVP_read_pw_string +.Nm EVP_read_pw_string , +.Nm EVP_read_pw_string_min .Nd compatibility user interface functions .Sh SYNOPSIS .In openssl/ui_compat.h @@ -83,7 +84,20 @@ .Fa "const char *prompt" .Fa "int verify" .Fc +.Ft int +.Fo EVP_read_pw_string_min +.Fa "char *buf" +.Fa "int min_length" +.Fa "int length" +.Fa "const char *prompt" +.Fa "int verify" +.Fc .Sh DESCRIPTION +These functions are deprecated. +Use +.Xr UI_UTIL_read_pw 3 +instead. +.Pp The DES library contained a few routines to prompt for passwords. These aren't necessarily dependent on DES, and have therefore become part of the UI compatibility library. @@ -107,8 +121,6 @@ The second password is stored in which must therefore also be at least .Fa length bytes. -A return code of -1 indicates a system error, 1 failure due to use -interaction, and 0 is success. .Pp .Fn des_read_pw_string is a variant of @@ -126,10 +138,37 @@ uses .Dv BUFSIZ . .Pp .Fn EVP_read_pw_string -is functionally similar to +and +.Fn EVP_read_pw_string_min +are functionally similar to .Fn des_read_pw_string . +.Fn EVP_read_pw_string_min +additionally checks that the password is at least +.Fa min_length +bytes long. +.Sh RETURN VALUES +These functions return 0 on success and a negative value on failure. +.Pp +They return -1 if +.Fa length +is less than or equal to zero or on memory allocation failure. +They return -1 or -2 if the internal call to +.Xr UI_process 3 +fails. +.Pp +In addition, +.Fa EVP_read_pw_string_min +returns -1 if +.Fa min_length +is negative, if +.Fa length +is less than or equal to +.Fa min_length , +or if the user entered a password shorter than +.Fa min_length . .Sh SEE ALSO -.Xr UI_new 3 +.Xr UI_new 3 , +.Xr UI_UTIL_read_pw 3 .Sh HISTORY .Fn des_read_pw_string appeared in SSLeay 0.4 or earlier. @@ -139,6 +178,11 @@ first appeared in SSLeay 0.5.1. first appeared in SSLeay 0.8.0. These functions have been available since .Ox 2.4 . +.Pp +.Fn EVP_read_pw_string_min +first appeared in OpenSSL 1.0.0 +and has been available since +.Ox 4.9 . .Sh AUTHORS .An Richard Levitte Aq Mt richard@levitte.org for the OpenSSL project. diff --git a/man/i2d_CMS_bio_stream.3 b/man/i2d_CMS_bio_stream.3 index ecf069c1..efb8902f 100644 --- a/man/i2d_CMS_bio_stream.3 +++ b/man/i2d_CMS_bio_stream.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.3 2019/08/18 21:44:10 schwarze Exp $ +.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.4 2019/11/02 15:39:46 schwarze Exp $ .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 18 2019 $ +.Dd $Mdocdate: November 2 2019 $ .Dt I2D_CMS_BIO_STREAM 3 .Os .Sh NAME @@ -89,7 +89,7 @@ returns 1 for success or 0 for failure. .Fn i2d_CMS_bio_stream first appeared in OpenSSL 1.0.0 and has been available since -.Ox 6.6 . +.Ox 6.7 . .Sh BUGS The prefix "i2d" is arguably wrong because the function outputs BER format. diff --git a/man/i2d_PKCS7_bio_stream.3 b/man/i2d_PKCS7_bio_stream.3 index 463d861b..3d5df72b 100644 --- a/man/i2d_PKCS7_bio_stream.3 +++ b/man/i2d_PKCS7_bio_stream.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.8 2020/06/03 13:41:27 schwarze Exp $ +.\" OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2007, 2008, 2009, 2013 The OpenSSL Project. @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 23 2018 $ +.Dd $Mdocdate: June 3 2020 $ .Dt I2D_PKCS7_BIO_STREAM 3 .Os .Sh NAME @@ -82,6 +82,7 @@ returns 1 for success or 0 for failure. .Xr ERR_get_error 3 , .Xr PEM_write_bio_PKCS7_stream 3 , .Xr PEM_write_PKCS7 3 , +.Xr PKCS7_final 3 , .Xr PKCS7_new 3 , .Xr SMIME_write_PKCS7 3 .Sh HISTORY diff --git a/man/lh_new.3 b/man/lh_new.3 index 987b394f..1c37347e 100644 --- a/man/lh_new.3 +++ b/man/lh_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: lh_new.3,v 1.6 2019/06/10 09:49:48 schwarze Exp $ +.\" $OpenBSD: lh_new.3,v 1.7 2020/03/28 22:40:58 schwarze Exp $ .\" OpenSSL 1bc74519 May 20 08:11:46 2016 -0400 .\" .\" -------------------------------------------------------------------------- @@ -115,7 +115,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: June 10 2019 $ +.Dd $Mdocdate: March 28 2020 $ .Dt LH_NEW 3 .Os .Sh NAME @@ -402,12 +402,6 @@ otherwise. .Pp .Fn lh__error returns 1 if an error occurred in the last operation, or 0 otherwise. -.Pp -.Fn lh__free , -.Fn lh__doall , -and -.Fn lh__doall_arg -return no values. .Sh NOTES The various LHASH macros and callback types exist to make it possible to write type-checked code without resorting to function-prototype casting diff --git a/man/lh_stats.3 b/man/lh_stats.3 index e057d7d6..5041721f 100644 --- a/man/lh_stats.3 +++ b/man/lh_stats.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: lh_stats.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: lh_stats.3,v 1.7 2020/03/29 17:05:02 schwarze Exp $ .\" OpenSSL e2f92610 May 18 11:44:05 2016 -0400 .\" .\" -------------------------------------------------------------------------- @@ -113,7 +113,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: March 29 2020 $ .Dt LH_STATS 3 .Os .Sh NAME @@ -187,8 +187,6 @@ and .Fn lh_node_usage_stats_bio are the same as the above, except that the output goes to a .Vt BIO . -.Sh RETURN VALUES -These functions do not return values. .Sh SEE ALSO .Xr BIO_new 3 , .Xr lh_new 3 diff --git a/man/openssl.cnf.5 b/man/openssl.cnf.5 index c38bc3c7..ae56869b 100644 --- a/man/openssl.cnf.5 +++ b/man/openssl.cnf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.cnf.5,v 1.6 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: openssl.cnf.5,v 1.7 2020/02/17 12:52:42 inoguchi Exp $ .\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100 .\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: February 17 2020 $ .Dt OPENSSL.CNF 5 .Os .Sh NAME @@ -134,6 +134,8 @@ This will work if the program looks up environment variables using the CONF library instead of calling .Xr getenv 3 directly. +The value string must not exceed 64k in length after variable expansion or an +error will occur. .Pp It is possible to escape certain characters by using any kind of quote or the diff --git a/man/ssl.3 b/man/ssl.3 index 6e7914c8..81778df7 100644 --- a/man/ssl.3 +++ b/man/ssl.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: ssl.3,v 1.17 2019/06/14 13:41:31 schwarze Exp $ +.\" $OpenBSD: ssl.3,v 1.20 2020/09/21 08:53:56 schwarze Exp $ .\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100 -.\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100 +.\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800 .\" .\" This file was written by Ralf S. Engelschall , .\" Ben Laurie , and Ulf Moeller . @@ -51,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 14 2019 $ +.Dd $Mdocdate: September 21 2020 $ .Dt SSL 3 .Os .Sh NAME @@ -295,11 +295,13 @@ Constructors and destructors: .Pp To change the configuration: .Xr SSL_clear 3 , +.Xr SSL_set_SSL_CTX 3 , .Xr SSL_copy_session_id 3 , .Xr SSL_set_bio 3 , .Xr SSL_set_connect_state 3 , .Xr SSL_set_fd 3 , .Xr SSL_set_session 3 , +.Xr SSL_set1_host 3 , .Xr SSL_set_verify_result 3 .Pp To inspect the configuration: @@ -316,6 +318,7 @@ To transmit data: .Xr SSL_connect 3 , .Xr SSL_do_handshake 3 , .Xr SSL_read 3 , +.\" XXX enable after the 6.8 release: Xr SSL_read_early_data 3 , .Xr SSL_renegotiate 3 , .Xr SSL_shutdown 3 , .Xr SSL_write 3 diff --git a/man/tls_config_set_protocols.3 b/man/tls_config_set_protocols.3 index 4f5c91a3..7c62493e 100644 --- a/man/tls_config_set_protocols.3 +++ b/man/tls_config_set_protocols.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_config_set_protocols.3,v 1.6 2017/08/12 04:24:49 jsing Exp $ +.\" $OpenBSD: tls_config_set_protocols.3,v 1.11 2021/01/02 19:58:44 schwarze Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" Copyright (c) 2015, 2016 Joel Sing @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 12 2017 $ +.Dd $Mdocdate: January 2 2021 $ .Dt TLS_CONFIG_SET_PROTOCOLS 3 .Os .Sh NAME @@ -74,19 +74,24 @@ otherwise. specifies which versions of the TLS protocol may be used. Possible values are the bitwise OR of: .Pp -.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact -.It Dv TLS_PROTOCOL_TLSv1_0 -.It Dv TLS_PROTOCOL_TLSv1_1 -.It Dv TLS_PROTOCOL_TLSv1_2 +.Bl -item -offset indent -compact +.It +.Dv TLS_PROTOCOL_TLSv1_0 +.It +.Dv TLS_PROTOCOL_TLSv1_1 +.It +.Dv TLS_PROTOCOL_TLSv1_2 +.It +.Dv TLS_PROTOCOL_TLSv1_3 .El .Pp Additionally, the values .Dv TLS_PROTOCOL_TLSv1 -(TLSv1.0, TLSv1.1 and TLSv1.2), +(TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3), .Dv TLS_PROTOCOLS_ALL (all supported protocols) and .Dv TLS_PROTOCOLS_DEFAULT -(TLSv1.2 only) may be used. +(TLSv1.2 and TLSv1.3) may be used. .Pp The .Fn tls_config_parse_protocols @@ -98,9 +103,23 @@ This value can then be passed to the .Fn tls_config_set_protocols function. The protocol string is a comma or colon separated list of keywords. -Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, all (all supported protocols), -default (an alias for secure), legacy (an alias for all) and secure (currently -TLSv1.2 only). +Valid keywords are: +.Pp +.Bl -tag -width "tlsv1.3" -offset indent -compact +.It Dv tlsv1.0 +.It Dv tlsv1.1 +.It Dv tlsv1.2 +.It Dv tlsv1.3 +.It Dv all +.Pq all supported protocols +.It Dv default +.Pq an alias for Dv secure +.It Dv legacy +.Pq an alias for Dv all +.It Dv secure +.Pq currently TLSv1.2 and TLSv1.3 +.El +.Pp If a value has a negative prefix (in the form of a leading exclamation mark) then it is removed from the list of available protocols, rather than being added to it. @@ -114,11 +133,15 @@ sets the list of ciphers that may be used. Lists of ciphers are specified by name, and the permitted names are: .Pp -.Bl -tag -width "insecure" -offset indent -compact -.It Dv "secure" (or alias "default") -.It Dv "compat" -.It Dv "legacy" -.It Dv "insecure" (or alias "all") +.Bl -item -offset indent -compact +.It +.Dv secure Pq or alias Dv default +.It +.Dv compat +.It +.Dv legacy +.It +.Dv insecure Pq or alias Dv all .El .Pp Alternatively, libssl cipher strings can be specified. @@ -129,11 +152,27 @@ for further information. .Fn tls_config_set_dheparams specifies the parameters that will be used during Diffie-Hellman Ephemeral (DHE) key exchange. -Possible values are "none", "auto" and "legacy". -In "auto" mode, the key size for the ephemeral key is automatically selected +Possible values are: +.Pp +.Bl -item -offset indent -compact +.It +.Dv none +.It +.Dv auto +.It +.Dv legacy +.El +.Pp +In +.Dv auto +mode, the key size for the ephemeral key is automatically selected based on the size of the private key being used for signing. -In "legacy" mode, 1024 bit ephemeral keys are used. -The default value is "none", which disables DHE key exchange. +In +.Dv legacy +mode, 1024 bit ephemeral keys are used. +The default value is +.Dv none , +which disables DHE key exchange. .Pp .Fn tls_config_set_ecdhecurves specifies the names of the elliptic curves that may be used during Elliptic diff --git a/man/tls_conn_version.3 b/man/tls_conn_version.3 index b93f1c34..9ab6932f 100644 --- a/man/tls_conn_version.3 +++ b/man/tls_conn_version.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_conn_version.3,v 1.9 2018/12/14 20:18:27 schwarze Exp $ +.\" $OpenBSD: tls_conn_version.3,v 1.10 2019/11/02 13:43:14 jsing Exp $ .\" .\" Copyright (c) 2015 Bob Beck .\" Copyright (c) 2016, 2018 Joel Sing @@ -15,12 +15,13 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 14 2018 $ +.Dd $Mdocdate: November 2 2019 $ .Dt TLS_CONN_VERSION 3 .Os .Sh NAME .Nm tls_conn_version , .Nm tls_conn_cipher , +.Nm tls_conn_cipher_strength , .Nm tls_conn_alpn_selected , .Nm tls_conn_servername , .Nm tls_conn_session_resumed , @@ -39,6 +40,8 @@ .Fn tls_conn_version "struct tls *ctx" .Ft const char * .Fn tls_conn_cipher "struct tls *ctx" +.Ft int +.Fn tls_conn_cipher_strength "struct tls *ctx" .Ft const char * .Fn tls_conn_alpn_selected "struct tls *ctx" .Ft const char * @@ -82,6 +85,11 @@ returns a string corresponding to the cipher suite negotiated with the peer connected to .Ar ctx . .Pp +.Fn tls_conn_cipher_strength +returns the strength in bits for the symmetric cipher that is being +used with the peer connected to +.Ar ctx . +.Pp .Fn tls_conn_alpn_selected returns a string that specifies the ALPN protocol selected for use with the peer connected to @@ -197,6 +205,10 @@ appeared in .Fn tls_conn_session_resumed appeared in .Ox 6.3 . +.Pp +.Fn tls_conn_cipher_strength +appeared in +.Ox 6.7 . .Sh AUTHORS .An Bob Beck Aq Mt beck@openbsd.org .An Joel Sing Aq Mt jsing@openbsd.org diff --git a/man/x509_verify.3 b/man/x509_verify.3 new file mode 100644 index 00000000..b9fe13a5 --- /dev/null +++ b/man/x509_verify.3 @@ -0,0 +1,221 @@ +.\" $OpenBSD: x509_verify.3,v 1.2 2020/09/14 14:21:46 schwarze Exp $ +.\" +.\" Copyright (c) 2020 Bob Beck +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: September 14 2020 $ +.Dt X509_VERIFY 3 +.Os +.Sh NAME +.Nm x509_verify , +.Nm x509_verify_ctx_new , +.Nm x509_verify_ctx_free , +.Nm x509_verify_ctx_set_max_depth , +.Nm x509_verify_ctx_set_max_signatures , +.Nm x509_verify_ctx_set_max_chains , +.Nm x509_verify_ctx_set_purpose , +.Nm x509_verify_ctx_set_intermediates , +.Nm x509_verify_ctx_error_string , +.Nm x509_verify_ctx_error_depth , +.Nm x509_verify_ctx_chain +.Nd discover and verify X.509 certificate chains +.Sh SYNOPSIS +.In openssl/x509_verify.h +.Ft size_t +.Fo x509_verify +.Fa "X509_VERIFY_CTX *ctx" +.Fa "X509 *leaf" +.Fa "char *name" +.Fc +.Ft X509_VERIFY_CTX * +.Fo x509_verify_ctx_new +.Fa "STACK_OF(X509) *roots" +.Fc +.Ft void +.Fo x509_verify_ctx_free +.Fa "X509_VERIFY_CTX *ctx" +.Fc +.Ft int +.Fo x509_verify_ctx_set_max_depth +.Fa "X509_VERIFY_CTX *ctx" +.Fa "size_t max" +.Fc +.Ft int +.Fo x509_verify_ctx_set_max_signatures +.Fa "X509_VERIFY_CTX *ctx" +.Fa "size_t max" +.Fc +.Ft int +.Fo x509_verify_ctx_set_max_chains +.Fa "X509_VERIFY_CTX *ctx" +.Fa "size_t max" +.Fc +.Ft int +.Fo x509_verify_ctx_set_purpose +.Fa "X509_VERIFY_CTX *ctx" +.Fa "int purpose_id" +.Fc +.Ft int +.Fo x509_verify_ctx_set_intermediates +.Fa "X509_VERIFY_CTX *ctx" +.Fa "STACK_OF(X509) *intermediates" +.Fc +.Ft const char * +.Fo x509_verify_ctx_error_string +.Fa "X509_VERIFY_CTX *ctx" +.Fc +.Ft size_t +.Fo x509_verify_ctx_error_depth +.Fa "X509_VERIFY_CTX *ctx" +.Fc +.Ft STACK_OF(X509) * +.Fo x509_verify_ctx_chain +.Fa "X509_VERIFY_CTX *ctx" +.Fa "size_t index" +.Fc +.Sh DESCRIPTION +The +.Fn x509_verify +function attempts to discover and validate all certificate chains +for the +.Fa name +from the +.Fa leaf +certificate based on the parameters in +.Fa ctx . +Multiple chains may be built and validated. +Revocation checking is not done by this function, and should be +performed by the caller on any returned chains if so desired. +.Pp +.Fn x509_verify_ctx_new +allocates a new context using the trusted +.Fa roots . +In case of success, it increments the reference count of +.Fa roots . +.Pp +.Fn x509_verify_ctx_free +frees +.Fa ctx +and decrements the reference count of the +.Fa roots +and +.Fa intermediates +associated with it. +If +.Fa ctx +is +.Dv NULL , +no action occurs. +.Pp +.Fn x509_verify_ctx_set_max_depth +sets the maximum depth of certificate chains that will be constructed to +.Fa max , +which can be in the range from 1 to the default of 32. +.Pp +.Fn x509_verify_ctx_set_max_signatures +sets the maximum number of public key signature operations that will be +used when verifying certificate chains to +.Fa max , +which can be in the range from 1 to 100000. +The default is 256. +.Pp +.Fn x509_verify_ctx_set_max_chains +sets the maximum number of chains which may be returned to +.Fa max , +which can be in the range from 1 to the default of 8. +.Pp +.Fn x509_verify_ctx_set_purpose +sets the certificate purpose for validation to +.Fa purpose_id . +The +.Dv X509_PURPOSE_* +constants listed in +.Xr X509_check_purpose 3 +can be used. +.Pp +.Fn x509_verify_ctx_set_intermediates +provides some intermediate certificates, typically received from +the peer, to be used for building chains. +In case of success, this function increases the reference count of +.Fa intermediates . +.Pp +.Fn x509_verify_ctx_error_string +extracts a description of the last error encountered by a previous +call to +.Fn x509_verify +from +.Fa ctx . +.Pp +.Fn x509_verify_ctx_error_depth +extracts the depth of the last error encountered by a previous +call to +.Fn x509_verify +from +.Fa ctx . +.Pp +.Fn x509_verify_ctx_chain +extracts the validated chain with the given +.Fa index +from +.Fa ctx +after a previous call to +.Fn x509_verify . +The +.Fa index +starts at 0, and it is an error to pass a number +greater than or equal to the return value of +.Fn x509_verify . +The returned chain is neither copied, +nor is its reference count increased. +.Sh RETURN VALUES +.Fn x509_verify +returns the number of chains successfully built and validated +or 0 on failure. +.Pp +.Fn x509_verify_ctx_new +returns a newly allocated context or +.Dv NULL +on failure. +.Pp +.Fn x509_verify_ctx_set_max_depth , +.Fn x509_verify_ctx_set_max_signatures , +.Fn x509_verify_ctx_set_max_chains , +.Fn x509_verify_ctx_set_purpose , +and +.Fn x509_verify_ctx_set_intermediates +return 1 on success or 0 on failure. +.Pp +.Fn x509_verify_ctx_error_string +returns a pointer to a human readable error string. +If no error occurred, +.Qq ok +is returned. +.Pp +.Fn x509_verify_ctx_chain +returns an internal pointer to a validated chain or +.Dv NULL +if +.Fa index +is greater than or equal to the number of chains +that were successfully built and validated. +The returned pointer becomes invalid when +.Fa ctx +is destroyed. +.Sh SEE ALSO +.Xr X509_verify_cert 3 +.Sh HISTORY +These functions first appeared in +.Ox 6.8 . +.Sh AUTHORS +.An Bob Beck Aq Mt beck@openbsd.org diff --git a/man/x509v3.cnf.5 b/man/x509v3.cnf.5 index 4d5aaa3e..392c44d4 100644 --- a/man/x509v3.cnf.5 +++ b/man/x509v3.cnf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: x509v3.cnf.5,v 1.6 2019/06/06 01:06:59 schwarze Exp $ +.\" $OpenBSD: x509v3.cnf.5,v 1.7 2020/06/11 18:03:19 jmc Exp $ .\" full merge up to: .\" OpenSSL man5/x509v3_config a41815f0 Mar 17 18:43:53 2017 -0700 .\" selective merge up to: OpenSSL 36cf10cf Oct 4 02:11:08 2017 -0400 @@ -51,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 6 2019 $ +.Dd $Mdocdate: June 11 2020 $ .Dt X509V3.CNF 5 .Os .Sh NAME @@ -186,16 +186,16 @@ keyUsage=digitalSignature, nonRepudiation keyUsage=critical, keyCertSign .Ed .Ss Extended key usage -This extensions consists of a list of usages indicating purposes for -which the certificate public key can be used for. +This extension consists of a list of purposes for +which the certificate public key can be used. .Pp These can either be object short names or the dotted numerical form of OIDs. While any OID can be used, only certain values make sense. In particular the following PKIX, NS and MS values are meaningful: .Bl -column emailProtection .It Em value Ta Em meaning -.It Ic serverAuth Ta SSL/TLS web server authentication -.It Ic clientAuth Ta SSL/TLS web client authentication +.It Ic serverAuth Ta TLS server authentication +.It Ic clientAuth Ta TLS client authentication .It Ic codeSigning Ta code signing .It Ic emailProtection Ta E-mail protection (S/MIME) .It Ic timeStamping Ta trusted timestamping diff --git a/missing b/missing index 625aeb11..8d0eaad2 100644 --- a/missing +++ b/missing @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify diff --git a/apps/openssl/openssl.cnf b/openssl.cnf similarity index 100% rename from apps/openssl/openssl.cnf rename to openssl.cnf diff --git a/scripts/travis b/scripts/travis index 3e794e7f..5c2f6ad9 100644 --- a/scripts/travis +++ b/scripts/travis @@ -82,13 +82,13 @@ elif [ "x$ARCH" = "xarm32" -o "x$ARCH" = "xarm64" ]; then if [ "x$ARCH" = "xarm32" ]; then sudo apt-get install -y g++-arm-linux-gnueabihf sudo ln -s /usr/arm-linux-gnueabihf/lib /lib/arm-linux-gnueabihf - sudo ln -s /lib/arm-linux-gnueabihf/ld-2.19.so /lib/ld-linux-armhf.so.3 + sudo ln -s /lib/arm-linux-gnueabihf/ld-2.27.so /lib/ld-linux-armhf.so.3 export CC=arm-linux-gnueabihf-gcc ./configure --host=arm-linux else sudo apt-get install -y g++-aarch64-linux-gnu sudo ln -s /usr/aarch64-linux-gnu/lib/ /lib/aarch64-linux-gnu - sudo ln -s /lib/aarch64-linux-gnu/ld-2.19.so /lib/ld-linux-aarch64.so.1 + sudo ln -s /lib/aarch64-linux-gnu/ld-2.27.so /lib/ld-linux-aarch64.so.1 export CC=aarch64-linux-gnu-gcc ./configure --host=aarch64-linux fi @@ -97,11 +97,10 @@ elif [ "x$ARCH" = "xarm32" -o "x$ARCH" = "xarm64" ]; then file apps/openssl/.libs/openssl elif [ "x$ARCH" = "xandroid" ]; then + touch $HOME/.android/repositories.cfg echo y | sdkmanager 'ndk-bundle' + echo y | sdkmanager 'ndk;20.1.5948944' echo y | sdkmanager 'cmake;3.6.4111459' - echo y | sdkmanager 'lldb;3.0' - echo y | sdkmanager --update - echo y | sdkmanager --licenses export CMAKE=$ANDROID_HOME/cmake/3.6.4111459/bin/cmake export NINJA=$ANDROID_HOME/cmake/3.6.4111459/bin/ninja diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt index 5c6460f1..03eafad4 100644 --- a/ssl/CMakeLists.txt +++ b/ssl/CMakeLists.txt @@ -5,12 +5,9 @@ set( bs_cbb.c bs_cbs.c d1_both.c - d1_clnt.c - d1_enc.c d1_lib.c d1_pkt.c d1_srtp.c - d1_srvr.c pqueue.c s3_cbc.c s3_lib.c @@ -23,6 +20,7 @@ set( ssl_clnt.c ssl_err.c ssl_init.c + ssl_kex.c ssl_lib.c ssl_methods.c ssl_packet.c @@ -38,14 +36,19 @@ set( ssl_versions.c t1_enc.c t1_lib.c + tls12_record_layer.c tls13_buffer.c tls13_client.c + tls13_error.c tls13_handshake.c tls13_handshake_msg.c tls13_key_schedule.c + tls13_key_share.c + tls13_legacy.c tls13_lib.c tls13_record.c tls13_record_layer.c + tls13_server.c ) add_library(ssl ${SSL_SRC}) @@ -56,18 +59,16 @@ target_include_directories(ssl PUBLIC ../include) -if (BUILD_SHARED_LIBS) - export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym) - target_link_libraries(ssl crypto ${PLATFORM_LIBS}) - if (WIN32) - set(SSL_POSTFIX -${SSL_MAJOR_VERSION}) - endif() - set_target_properties(ssl PROPERTIES - OUTPUT_NAME ssl${SSL_POSTFIX} - ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX}) - set_target_properties(ssl PROPERTIES VERSION ${SSL_VERSION} - SOVERSION ${SSL_MAJOR_VERSION}) +export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym) +target_link_libraries(ssl crypto ${PLATFORM_LIBS}) +if (WIN32) + set(SSL_POSTFIX -${SSL_MAJOR_VERSION}) endif() +set_target_properties(ssl PROPERTIES + OUTPUT_NAME ssl${SSL_POSTFIX} + ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX}) +set_target_properties(ssl PROPERTIES VERSION ${SSL_VERSION} + SOVERSION ${SSL_MAJOR_VERSION}) if(ENABLE_LIBRESSL_INSTALL) install( diff --git a/ssl/Makefile.am b/ssl/Makefile.am index 02109f58..7f4c1648 100644 --- a/ssl/Makefile.am +++ b/ssl/Makefile.am @@ -1,25 +1,35 @@ include $(top_srcdir)/Makefile.am.common +if ENABLE_LIBTLS_ONLY +noinst_LTLIBRARIES = libssl.la +else lib_LTLIBRARIES = libssl.la +endif EXTRA_DIST = VERSION EXTRA_DIST += CMakeLists.txt EXTRA_DIST += ssl.sym +CLEANFILES = libssl_la_objects.mk + +EXTRA_libssl_la_DEPENDENCIES = libssl_la_objects.mk + +libssl_la_objects.mk: Makefile + @echo "libssl_la_objects= $(libssl_la_OBJECTS)" \ + | sed 's/ */ $$\(abs_top_builddir\)\/ssl\//g' \ + > libssl_la_objects.mk + libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym -libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la +libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD) libssl_la_SOURCES = bio_ssl.c libssl_la_SOURCES += bs_ber.c libssl_la_SOURCES += bs_cbb.c libssl_la_SOURCES += bs_cbs.c libssl_la_SOURCES += d1_both.c -libssl_la_SOURCES += d1_clnt.c -libssl_la_SOURCES += d1_enc.c libssl_la_SOURCES += d1_lib.c libssl_la_SOURCES += d1_pkt.c libssl_la_SOURCES += d1_srtp.c -libssl_la_SOURCES += d1_srvr.c libssl_la_SOURCES += pqueue.c libssl_la_SOURCES += s3_cbc.c libssl_la_SOURCES += s3_lib.c @@ -32,6 +42,7 @@ libssl_la_SOURCES += ssl_ciphers.c libssl_la_SOURCES += ssl_clnt.c libssl_la_SOURCES += ssl_err.c libssl_la_SOURCES += ssl_init.c +libssl_la_SOURCES += ssl_kex.c libssl_la_SOURCES += ssl_lib.c libssl_la_SOURCES += ssl_methods.c libssl_la_SOURCES += ssl_packet.c @@ -47,14 +58,19 @@ libssl_la_SOURCES += ssl_txt.c libssl_la_SOURCES += ssl_versions.c libssl_la_SOURCES += t1_enc.c libssl_la_SOURCES += t1_lib.c +libssl_la_SOURCES += tls12_record_layer.c libssl_la_SOURCES += tls13_buffer.c libssl_la_SOURCES += tls13_client.c +libssl_la_SOURCES += tls13_error.c libssl_la_SOURCES += tls13_handshake.c libssl_la_SOURCES += tls13_handshake_msg.c libssl_la_SOURCES += tls13_key_schedule.c +libssl_la_SOURCES += tls13_key_share.c +libssl_la_SOURCES += tls13_legacy.c libssl_la_SOURCES += tls13_lib.c libssl_la_SOURCES += tls13_record.c libssl_la_SOURCES += tls13_record_layer.c +libssl_la_SOURCES += tls13_server.c noinst_HEADERS = bytestring.h noinst_HEADERS += srtp.h diff --git a/ssl/Makefile.in b/ssl/Makefile.in index efc91100..4565629d 100644 --- a/ssl/Makefile.in +++ b/ssl/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -91,7 +91,9 @@ build_triplet = @build@ host_triplet = @host@ subdir = ssl ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -133,19 +135,22 @@ am__uninstall_files_from_dir = { \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(libdir)" -LTLIBRARIES = $(lib_LTLIBRARIES) -libssl_la_DEPENDENCIES = $(abs_top_builddir)/crypto/libcrypto.la +LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) +am__DEPENDENCIES_1 = +libssl_la_DEPENDENCIES = $(abs_top_builddir)/crypto/libcrypto.la \ + $(am__DEPENDENCIES_1) am_libssl_la_OBJECTS = bio_ssl.lo bs_ber.lo bs_cbb.lo bs_cbs.lo \ - d1_both.lo d1_clnt.lo d1_enc.lo d1_lib.lo d1_pkt.lo d1_srtp.lo \ - d1_srvr.lo pqueue.lo s3_cbc.lo s3_lib.lo ssl_algs.lo \ - ssl_asn1.lo ssl_both.lo ssl_cert.lo ssl_ciph.lo ssl_ciphers.lo \ - ssl_clnt.lo ssl_err.lo ssl_init.lo ssl_lib.lo ssl_methods.lo \ - ssl_packet.lo ssl_pkt.lo ssl_rsa.lo ssl_sess.lo ssl_sigalgs.lo \ - ssl_srvr.lo ssl_stat.lo ssl_tlsext.lo ssl_transcript.lo \ - ssl_txt.lo ssl_versions.lo t1_enc.lo t1_lib.lo tls13_buffer.lo \ - tls13_client.lo tls13_handshake.lo tls13_handshake_msg.lo \ - tls13_key_schedule.lo tls13_lib.lo tls13_record.lo \ - tls13_record_layer.lo + d1_both.lo d1_lib.lo d1_pkt.lo d1_srtp.lo pqueue.lo s3_cbc.lo \ + s3_lib.lo ssl_algs.lo ssl_asn1.lo ssl_both.lo ssl_cert.lo \ + ssl_ciph.lo ssl_ciphers.lo ssl_clnt.lo ssl_err.lo ssl_init.lo \ + ssl_kex.lo ssl_lib.lo ssl_methods.lo ssl_packet.lo ssl_pkt.lo \ + ssl_rsa.lo ssl_sess.lo ssl_sigalgs.lo ssl_srvr.lo ssl_stat.lo \ + ssl_tlsext.lo ssl_transcript.lo ssl_txt.lo ssl_versions.lo \ + t1_enc.lo t1_lib.lo tls12_record_layer.lo tls13_buffer.lo \ + tls13_client.lo tls13_error.lo tls13_handshake.lo \ + tls13_handshake_msg.lo tls13_key_schedule.lo \ + tls13_key_share.lo tls13_legacy.lo tls13_lib.lo \ + tls13_record.lo tls13_record_layer.lo tls13_server.lo libssl_la_OBJECTS = $(am_libssl_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -154,6 +159,8 @@ am__v_lt_1 = libssl_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libssl_la_LDFLAGS) $(LDFLAGS) -o $@ +@ENABLE_LIBTLS_ONLY_FALSE@am_libssl_la_rpath = -rpath $(libdir) +@ENABLE_LIBTLS_ONLY_TRUE@am_libssl_la_rpath = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -171,16 +178,15 @@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles am__depfiles_remade = ./$(DEPDIR)/bio_ssl.Plo ./$(DEPDIR)/bs_ber.Plo \ ./$(DEPDIR)/bs_cbb.Plo ./$(DEPDIR)/bs_cbs.Plo \ - ./$(DEPDIR)/d1_both.Plo ./$(DEPDIR)/d1_clnt.Plo \ - ./$(DEPDIR)/d1_enc.Plo ./$(DEPDIR)/d1_lib.Plo \ + ./$(DEPDIR)/d1_both.Plo ./$(DEPDIR)/d1_lib.Plo \ ./$(DEPDIR)/d1_pkt.Plo ./$(DEPDIR)/d1_srtp.Plo \ - ./$(DEPDIR)/d1_srvr.Plo ./$(DEPDIR)/pqueue.Plo \ - ./$(DEPDIR)/s3_cbc.Plo ./$(DEPDIR)/s3_lib.Plo \ - ./$(DEPDIR)/ssl_algs.Plo ./$(DEPDIR)/ssl_asn1.Plo \ - ./$(DEPDIR)/ssl_both.Plo ./$(DEPDIR)/ssl_cert.Plo \ - ./$(DEPDIR)/ssl_ciph.Plo ./$(DEPDIR)/ssl_ciphers.Plo \ - ./$(DEPDIR)/ssl_clnt.Plo ./$(DEPDIR)/ssl_err.Plo \ - ./$(DEPDIR)/ssl_init.Plo ./$(DEPDIR)/ssl_lib.Plo \ + ./$(DEPDIR)/pqueue.Plo ./$(DEPDIR)/s3_cbc.Plo \ + ./$(DEPDIR)/s3_lib.Plo ./$(DEPDIR)/ssl_algs.Plo \ + ./$(DEPDIR)/ssl_asn1.Plo ./$(DEPDIR)/ssl_both.Plo \ + ./$(DEPDIR)/ssl_cert.Plo ./$(DEPDIR)/ssl_ciph.Plo \ + ./$(DEPDIR)/ssl_ciphers.Plo ./$(DEPDIR)/ssl_clnt.Plo \ + ./$(DEPDIR)/ssl_err.Plo ./$(DEPDIR)/ssl_init.Plo \ + ./$(DEPDIR)/ssl_kex.Plo ./$(DEPDIR)/ssl_lib.Plo \ ./$(DEPDIR)/ssl_methods.Plo ./$(DEPDIR)/ssl_packet.Plo \ ./$(DEPDIR)/ssl_pkt.Plo ./$(DEPDIR)/ssl_rsa.Plo \ ./$(DEPDIR)/ssl_sess.Plo ./$(DEPDIR)/ssl_sigalgs.Plo \ @@ -188,12 +194,15 @@ am__depfiles_remade = ./$(DEPDIR)/bio_ssl.Plo ./$(DEPDIR)/bs_ber.Plo \ ./$(DEPDIR)/ssl_tlsext.Plo ./$(DEPDIR)/ssl_transcript.Plo \ ./$(DEPDIR)/ssl_txt.Plo ./$(DEPDIR)/ssl_versions.Plo \ ./$(DEPDIR)/t1_enc.Plo ./$(DEPDIR)/t1_lib.Plo \ + ./$(DEPDIR)/tls12_record_layer.Plo \ ./$(DEPDIR)/tls13_buffer.Plo ./$(DEPDIR)/tls13_client.Plo \ - ./$(DEPDIR)/tls13_handshake.Plo \ + ./$(DEPDIR)/tls13_error.Plo ./$(DEPDIR)/tls13_handshake.Plo \ ./$(DEPDIR)/tls13_handshake_msg.Plo \ - ./$(DEPDIR)/tls13_key_schedule.Plo ./$(DEPDIR)/tls13_lib.Plo \ - ./$(DEPDIR)/tls13_record.Plo \ - ./$(DEPDIR)/tls13_record_layer.Plo + ./$(DEPDIR)/tls13_key_schedule.Plo \ + ./$(DEPDIR)/tls13_key_share.Plo ./$(DEPDIR)/tls13_legacy.Plo \ + ./$(DEPDIR)/tls13_lib.Plo ./$(DEPDIR)/tls13_record.Plo \ + ./$(DEPDIR)/tls13_record_layer.Plo \ + ./$(DEPDIR)/tls13_server.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -358,6 +367,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -370,20 +380,24 @@ AM_CFLAGS = AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \ -D__END_HIDDEN_DECLS= -lib_LTLIBRARIES = libssl.la +@ENABLE_LIBTLS_ONLY_TRUE@noinst_LTLIBRARIES = libssl.la +@ENABLE_LIBTLS_ONLY_FALSE@lib_LTLIBRARIES = libssl.la EXTRA_DIST = VERSION CMakeLists.txt ssl.sym +CLEANFILES = libssl_la_objects.mk +EXTRA_libssl_la_DEPENDENCIES = libssl_la_objects.mk libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym -libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la +libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD) libssl_la_SOURCES = bio_ssl.c bs_ber.c bs_cbb.c bs_cbs.c d1_both.c \ - d1_clnt.c d1_enc.c d1_lib.c d1_pkt.c d1_srtp.c d1_srvr.c \ - pqueue.c s3_cbc.c s3_lib.c ssl_algs.c ssl_asn1.c ssl_both.c \ - ssl_cert.c ssl_ciph.c ssl_ciphers.c ssl_clnt.c ssl_err.c \ - ssl_init.c ssl_lib.c ssl_methods.c ssl_packet.c ssl_pkt.c \ - ssl_rsa.c ssl_sess.c ssl_sigalgs.c ssl_srvr.c ssl_stat.c \ - ssl_tlsext.c ssl_transcript.c ssl_txt.c ssl_versions.c \ - t1_enc.c t1_lib.c tls13_buffer.c tls13_client.c \ - tls13_handshake.c tls13_handshake_msg.c tls13_key_schedule.c \ - tls13_lib.c tls13_record.c tls13_record_layer.c + d1_lib.c d1_pkt.c d1_srtp.c pqueue.c s3_cbc.c s3_lib.c \ + ssl_algs.c ssl_asn1.c ssl_both.c ssl_cert.c ssl_ciph.c \ + ssl_ciphers.c ssl_clnt.c ssl_err.c ssl_init.c ssl_kex.c \ + ssl_lib.c ssl_methods.c ssl_packet.c ssl_pkt.c ssl_rsa.c \ + ssl_sess.c ssl_sigalgs.c ssl_srvr.c ssl_stat.c ssl_tlsext.c \ + ssl_transcript.c ssl_txt.c ssl_versions.c t1_enc.c t1_lib.c \ + tls12_record_layer.c tls13_buffer.c tls13_client.c \ + tls13_error.c tls13_handshake.c tls13_handshake_msg.c \ + tls13_key_schedule.c tls13_key_share.c tls13_legacy.c \ + tls13_lib.c tls13_record.c tls13_record_layer.c tls13_server.c noinst_HEADERS = bytestring.h srtp.h ssl_locl.h ssl_sigalgs.h \ ssl_tlsext.h tls13_internal.h tls13_handshake.h tls13_record.h all: all-am @@ -456,8 +470,19 @@ clean-libLTLIBRARIES: rm -f $${locs}; \ } +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + libssl.la: $(libssl_la_OBJECTS) $(libssl_la_DEPENDENCIES) $(EXTRA_libssl_la_DEPENDENCIES) - $(AM_V_CCLD)$(libssl_la_LINK) -rpath $(libdir) $(libssl_la_OBJECTS) $(libssl_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(libssl_la_LINK) $(am_libssl_la_rpath) $(libssl_la_OBJECTS) $(libssl_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -470,12 +495,9 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bs_cbb.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bs_cbs.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_both.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_clnt.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_enc.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_lib.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_pkt.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_srtp.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/d1_srvr.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pqueue.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s3_cbc.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s3_lib.Plo@am__quote@ # am--include-marker @@ -488,6 +510,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_clnt.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_err.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_init.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_kex.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_lib.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_methods.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_packet.Plo@am__quote@ # am--include-marker @@ -503,14 +526,19 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_versions.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t1_enc.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t1_lib.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls12_record_layer.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_buffer.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_client.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_error.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_handshake.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_handshake_msg.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_key_schedule.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_key_share.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_legacy.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_lib.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_record.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_record_layer.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls13_server.Plo@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -662,6 +690,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -673,7 +702,7 @@ maintainer-clean-generic: clean: clean-am clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am + clean-noinstLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/bio_ssl.Plo @@ -681,12 +710,9 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/bs_cbb.Plo -rm -f ./$(DEPDIR)/bs_cbs.Plo -rm -f ./$(DEPDIR)/d1_both.Plo - -rm -f ./$(DEPDIR)/d1_clnt.Plo - -rm -f ./$(DEPDIR)/d1_enc.Plo -rm -f ./$(DEPDIR)/d1_lib.Plo -rm -f ./$(DEPDIR)/d1_pkt.Plo -rm -f ./$(DEPDIR)/d1_srtp.Plo - -rm -f ./$(DEPDIR)/d1_srvr.Plo -rm -f ./$(DEPDIR)/pqueue.Plo -rm -f ./$(DEPDIR)/s3_cbc.Plo -rm -f ./$(DEPDIR)/s3_lib.Plo @@ -699,6 +725,7 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/ssl_clnt.Plo -rm -f ./$(DEPDIR)/ssl_err.Plo -rm -f ./$(DEPDIR)/ssl_init.Plo + -rm -f ./$(DEPDIR)/ssl_kex.Plo -rm -f ./$(DEPDIR)/ssl_lib.Plo -rm -f ./$(DEPDIR)/ssl_methods.Plo -rm -f ./$(DEPDIR)/ssl_packet.Plo @@ -714,14 +741,19 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/ssl_versions.Plo -rm -f ./$(DEPDIR)/t1_enc.Plo -rm -f ./$(DEPDIR)/t1_lib.Plo + -rm -f ./$(DEPDIR)/tls12_record_layer.Plo -rm -f ./$(DEPDIR)/tls13_buffer.Plo -rm -f ./$(DEPDIR)/tls13_client.Plo + -rm -f ./$(DEPDIR)/tls13_error.Plo -rm -f ./$(DEPDIR)/tls13_handshake.Plo -rm -f ./$(DEPDIR)/tls13_handshake_msg.Plo -rm -f ./$(DEPDIR)/tls13_key_schedule.Plo + -rm -f ./$(DEPDIR)/tls13_key_share.Plo + -rm -f ./$(DEPDIR)/tls13_legacy.Plo -rm -f ./$(DEPDIR)/tls13_lib.Plo -rm -f ./$(DEPDIR)/tls13_record.Plo -rm -f ./$(DEPDIR)/tls13_record_layer.Plo + -rm -f ./$(DEPDIR)/tls13_server.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -772,12 +804,9 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/bs_cbb.Plo -rm -f ./$(DEPDIR)/bs_cbs.Plo -rm -f ./$(DEPDIR)/d1_both.Plo - -rm -f ./$(DEPDIR)/d1_clnt.Plo - -rm -f ./$(DEPDIR)/d1_enc.Plo -rm -f ./$(DEPDIR)/d1_lib.Plo -rm -f ./$(DEPDIR)/d1_pkt.Plo -rm -f ./$(DEPDIR)/d1_srtp.Plo - -rm -f ./$(DEPDIR)/d1_srvr.Plo -rm -f ./$(DEPDIR)/pqueue.Plo -rm -f ./$(DEPDIR)/s3_cbc.Plo -rm -f ./$(DEPDIR)/s3_lib.Plo @@ -790,6 +819,7 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/ssl_clnt.Plo -rm -f ./$(DEPDIR)/ssl_err.Plo -rm -f ./$(DEPDIR)/ssl_init.Plo + -rm -f ./$(DEPDIR)/ssl_kex.Plo -rm -f ./$(DEPDIR)/ssl_lib.Plo -rm -f ./$(DEPDIR)/ssl_methods.Plo -rm -f ./$(DEPDIR)/ssl_packet.Plo @@ -805,14 +835,19 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/ssl_versions.Plo -rm -f ./$(DEPDIR)/t1_enc.Plo -rm -f ./$(DEPDIR)/t1_lib.Plo + -rm -f ./$(DEPDIR)/tls12_record_layer.Plo -rm -f ./$(DEPDIR)/tls13_buffer.Plo -rm -f ./$(DEPDIR)/tls13_client.Plo + -rm -f ./$(DEPDIR)/tls13_error.Plo -rm -f ./$(DEPDIR)/tls13_handshake.Plo -rm -f ./$(DEPDIR)/tls13_handshake_msg.Plo -rm -f ./$(DEPDIR)/tls13_key_schedule.Plo + -rm -f ./$(DEPDIR)/tls13_key_share.Plo + -rm -f ./$(DEPDIR)/tls13_legacy.Plo -rm -f ./$(DEPDIR)/tls13_lib.Plo -rm -f ./$(DEPDIR)/tls13_record.Plo -rm -f ./$(DEPDIR)/tls13_record_layer.Plo + -rm -f ./$(DEPDIR)/tls13_server.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -834,15 +869,16 @@ uninstall-am: uninstall-libLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool cscopelist-am \ - ctags ctags-am distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-libLTLIBRARIES install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + clean-generic clean-libLTLIBRARIES clean-libtool \ + clean-noinstLTLIBRARIES cscopelist-am ctags ctags-am distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-libLTLIBRARIES install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-libLTLIBRARIES @@ -850,6 +886,11 @@ uninstall-am: uninstall-libLTLIBRARIES .PRECIOUS: Makefile +libssl_la_objects.mk: Makefile + @echo "libssl_la_objects= $(libssl_la_OBJECTS)" \ + | sed 's/ */ $$\(abs_top_builddir\)\/ssl\//g' \ + > libssl_la_objects.mk + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/ssl/VERSION b/ssl/VERSION index ef2ff70c..f12977a2 100644 --- a/ssl/VERSION +++ b/ssl/VERSION @@ -1 +1 @@ -47:6:0 +48:2:0 diff --git a/ssl/bs_cbb.c b/ssl/bs_cbb.c index a34e822c..62e98cb4 100644 --- a/ssl/bs_cbb.c +++ b/ssl/bs_cbb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbb.c,v 1.20 2019/01/23 22:20:40 beck Exp $ */ +/* $OpenBSD: bs_cbb.c,v 1.24 2021/01/04 19:19:12 tb Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -28,8 +28,7 @@ cbb_init(CBB *cbb, uint8_t *buf, size_t cap) { struct cbb_buffer_st *base; - base = malloc(sizeof(struct cbb_buffer_st)); - if (base == NULL) + if ((base = calloc(1, sizeof(struct cbb_buffer_st))) == NULL) return 0; base->buf = buf; @@ -53,7 +52,7 @@ CBB_init(CBB *cbb, size_t initial_capacity) if (initial_capacity == 0) initial_capacity = CBB_INITIAL_SIZE; - if ((buf = malloc(initial_capacity)) == NULL) + if ((buf = calloc(1, initial_capacity)) == NULL) return 0; if (!cbb_init(cbb, buf, initial_capacity)) { @@ -278,7 +277,7 @@ CBB_discard_child(CBB *cbb) return; cbb->base->len = cbb->offset; - + cbb->child->base = NULL; cbb->child = NULL; cbb->pending_len_len = 0; @@ -362,7 +361,7 @@ CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) { uint8_t *dest; - if (!CBB_add_space(cbb, &dest, len)) + if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, &dest, len)) return 0; memcpy(dest, data, len); @@ -375,6 +374,7 @@ CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, out_data, len)) return 0; + memset(*out_data, 0, len); return 1; } diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 8f3cc610..f4c1cb95 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.57 2019/02/10 16:42:35 phessler Exp $ */ +/* $OpenBSD: d1_both.c,v 1.68 2021/02/27 14:20:50 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -148,15 +148,15 @@ if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ if (bitmask[ii] != 0xff) { is_complete = 0; break; } } -static unsigned char bitmask_start_values[] = { +static const unsigned char bitmask_start_values[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; -static unsigned char bitmask_end_values[] = { +static const unsigned char bitmask_end_values[] = { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f }; /* XDTLS: figure out the right values */ -static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; +static const unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, @@ -166,56 +166,41 @@ static int dtls1_write_message_header(const struct hm_header_st *msg_hdr, static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok); +void dtls1_hm_fragment_free(hm_fragment *frag); + static hm_fragment * dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) { - hm_fragment *frag = NULL; - unsigned char *buf = NULL; - unsigned char *bitmask = NULL; + hm_fragment *frag; - frag = malloc(sizeof(hm_fragment)); - if (frag == NULL) - return NULL; + if ((frag = calloc(1, sizeof(*frag))) == NULL) + goto err; - if (frag_len) { - buf = malloc(frag_len); - if (buf == NULL) { - free(frag); - return NULL; - } + if (frag_len > 0) { + if ((frag->fragment = calloc(1, frag_len)) == NULL) + goto err; } - /* zero length fragment gets zero frag->fragment */ - frag->fragment = buf; - - /* Initialize reassembly bitmask if necessary */ + /* Initialize reassembly bitmask if necessary. */ if (reassembly) { - bitmask = malloc(RSMBLY_BITMASK_SIZE(frag_len)); - if (bitmask == NULL) { - free(buf); - free(frag); - return NULL; - } - memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len)); + if ((frag->reassembly = calloc(1, + RSMBLY_BITMASK_SIZE(frag_len))) == NULL) + goto err; } - frag->reassembly = bitmask; - return frag; + + err: + dtls1_hm_fragment_free(frag); + return NULL; } -static void +void dtls1_hm_fragment_free(hm_fragment *frag) { if (frag == NULL) return; - if (frag->msg_header.is_ccs) { - EVP_CIPHER_CTX_free( - frag->msg_header.saved_retransmit_state.enc_write_ctx); - EVP_MD_CTX_free( - frag->msg_header.saved_retransmit_state.write_hash); - } free(frag->fragment); free(frag->reassembly); free(frag); @@ -227,7 +212,8 @@ dtls1_do_write(SSL *s, int type) { int ret; int curr_mtu; - unsigned int len, frag_off, mac_size, blocksize; + unsigned int len, frag_off; + size_t overhead; /* AHA! Figure out the MTU, and stick to the right size */ if (D1I(s)->mtu < dtls1_min_mtu() && @@ -255,21 +241,13 @@ dtls1_do_write(SSL *s, int type) OPENSSL_assert(s->internal->init_num == (int)D1I(s)->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); - if (s->internal->write_hash) - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - else - mac_size = 0; - - if (s->internal->enc_write_ctx && - (EVP_CIPHER_mode( s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) - blocksize = 2 * EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); - else - blocksize = 0; + if (!tls12_record_layer_write_overhead(s->internal->rl, &overhead)) + return -1; frag_off = 0; while (s->internal->init_num) { curr_mtu = D1I(s)->mtu - BIO_wpending(SSL_get_wbio(s)) - - DTLS1_RT_HEADER_LENGTH - mac_size - blocksize; + DTLS1_RT_HEADER_LENGTH - overhead; if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { /* grr.. we could get an error if MTU picked was wrong */ @@ -277,7 +255,7 @@ dtls1_do_write(SSL *s, int type) if (ret <= 0) return ret; curr_mtu = D1I(s)->mtu - DTLS1_RT_HEADER_LENGTH - - mac_size - blocksize; + overhead; } if (s->internal->init_num > curr_mtu) @@ -285,7 +263,6 @@ dtls1_do_write(SSL *s, int type) else len = s->internal->init_num; - /* XDTLS: this function is too long. split out the CCS part */ if (type == SSL3_RT_HANDSHAKE) { if (s->internal->init_off != 0) { @@ -408,7 +385,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } *ok = 1; s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; @@ -417,7 +394,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) } msg_hdr = &D1I(s)->r_msg_hdr; - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); + memset(msg_hdr, 0, sizeof(struct hm_header_st)); again: i = dtls1_get_message_fragment(s, st1, stn, max, ok); @@ -441,7 +418,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, s, s->internal->msg_callback_arg); - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); + memset(msg_hdr, 0, sizeof(struct hm_header_st)); /* Don't change sequence numbers while listening */ if (!D1I(s)->listen) @@ -450,7 +427,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; return s->internal->init_num; -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); *ok = 0; return -1; @@ -793,7 +770,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) dtls1_get_message_header(wire, &msg_hdr) == 0) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } /* @@ -835,12 +812,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } } if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) - goto f_err; + goto fatal_err; /* XDTLS: ressurect this when restart is in place */ S3I(s)->hs.state = stn; @@ -866,7 +843,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) if (i != (int)frag_len) { al = SSL3_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL3_AD_ILLEGAL_PARAMETER); - goto f_err; + goto fatal_err; } *ok = 1; @@ -880,7 +857,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) s->internal->init_num = frag_len; return frag_len; -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); s->internal->init_num = 0; @@ -982,14 +959,9 @@ dtls1_buffer_message(SSL *s, int is_ccs) memcpy(frag->fragment, s->internal->init_buf->data, s->internal->init_num); - if (is_ccs) { - OPENSSL_assert(D1I(s)->w_msg_hdr.msg_len + - ((s->version == DTLS1_VERSION) ? - DTLS1_CCS_HEADER_LENGTH : 3) == (unsigned int)s->internal->init_num); - } else { - OPENSSL_assert(D1I(s)->w_msg_hdr.msg_len + - DTLS1_HM_HEADER_LENGTH == (unsigned int)s->internal->init_num); - } + OPENSSL_assert(D1I(s)->w_msg_hdr.msg_len + + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == + (unsigned int)s->internal->init_num); frag->msg_header.msg_len = D1I(s)->w_msg_hdr.msg_len; frag->msg_header.seq = D1I(s)->w_msg_hdr.seq; @@ -999,8 +971,6 @@ dtls1_buffer_message(SSL *s, int is_ccs) frag->msg_header.is_ccs = is_ccs; /* save current state*/ - frag->msg_header.saved_retransmit_state.enc_write_ctx = s->internal->enc_write_ctx; - frag->msg_header.saved_retransmit_state.write_hash = s->internal->write_hash; frag->msg_header.saved_retransmit_state.session = s->session; frag->msg_header.saved_retransmit_state.epoch = D1I(s)->w_epoch; @@ -1031,7 +1001,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, unsigned long header_length; unsigned char seq64be[8]; struct dtls1_retransmit_state saved_state; - unsigned char save_write_sequence[8]; /* OPENSSL_assert(s->internal->init_num == 0); @@ -1069,43 +1038,27 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, frag->msg_header.frag_len); /* save current state */ - saved_state.enc_write_ctx = s->internal->enc_write_ctx; - saved_state.write_hash = s->internal->write_hash; saved_state.session = s->session; saved_state.epoch = D1I(s)->w_epoch; D1I(s)->retransmitting = 1; /* restore state in which the message was originally sent */ - s->internal->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; - s->internal->write_hash = frag->msg_header.saved_retransmit_state.write_hash; s->session = frag->msg_header.saved_retransmit_state.session; D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch; - if (frag->msg_header.saved_retransmit_state.epoch == - saved_state.epoch - 1) { - memcpy(save_write_sequence, S3I(s)->write_sequence, - sizeof(S3I(s)->write_sequence)); - memcpy(S3I(s)->write_sequence, D1I(s)->last_write_sequence, - sizeof(S3I(s)->write_sequence)); - } + if (!tls12_record_layer_use_write_epoch(s->internal->rl, D1I(s)->w_epoch)) + return 0; ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); /* restore current state */ - s->internal->enc_write_ctx = saved_state.enc_write_ctx; - s->internal->write_hash = saved_state.write_hash; s->session = saved_state.session; D1I(s)->w_epoch = saved_state.epoch; - if (frag->msg_header.saved_retransmit_state.epoch == - saved_state.epoch - 1) { - memcpy(D1I(s)->last_write_sequence, S3I(s)->write_sequence, - sizeof(S3I(s)->write_sequence)); - memcpy(S3I(s)->write_sequence, save_write_sequence, - sizeof(S3I(s)->write_sequence)); - } + if (!tls12_record_layer_use_write_epoch(s->internal->rl, D1I(s)->w_epoch)) + return 0; D1I(s)->retransmitting = 0; @@ -1117,11 +1070,16 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, void dtls1_clear_record_buffer(SSL *s) { + hm_fragment *frag; pitem *item; for(item = pqueue_pop(s->d1->sent_messages); item != NULL; item = pqueue_pop(s->d1->sent_messages)) { - dtls1_hm_fragment_free((hm_fragment *)item->data); + frag = item->data; + if (frag->msg_header.is_ccs) + tls12_record_layer_write_epoch_done(s->internal->rl, + frag->msg_header.saved_retransmit_state.epoch); + dtls1_hm_fragment_free(frag); pitem_free(item); } } @@ -1249,7 +1207,7 @@ dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) { - memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st)); + memset(ccs_hdr, 0, sizeof(struct ccs_header_st)); ccs_hdr->type = *(data++); } diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c deleted file mode 100644 index ee21a1be..00000000 --- a/ssl/d1_clnt.c +++ /dev/null @@ -1,185 +0,0 @@ -/* $OpenBSD: d1_clnt.c,v 1.82 2018/11/05 05:45:15 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include - -#include "ssl_locl.h" - -#include -#include -#include -#include -#include -#include - -#include "bytestring.h" - -int -dtls1_get_hello_verify(SSL *s) -{ - long n; - int al, ok = 0; - size_t cookie_len; - uint16_t ssl_version; - CBS hello_verify_request, cookie; - - n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, - DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); - - if (!ok) - return ((int)n); - - if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { - D1I(s)->send_cookie = 0; - S3I(s)->tmp.reuse_message = 1; - return (1); - } - - if (n < 0) - goto truncated; - - CBS_init(&hello_verify_request, s->internal->init_msg, n); - - if (!CBS_get_u16(&hello_verify_request, &ssl_version)) - goto truncated; - - if (ssl_version != s->version) { - SSLerror(s, SSL_R_WRONG_SSL_VERSION); - s->version = (s->version & 0xff00) | (ssl_version & 0xff); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } - - if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) - goto truncated; - - if (!CBS_write_bytes(&cookie, D1I(s)->cookie, - sizeof(D1I(s)->cookie), &cookie_len)) { - D1I(s)->cookie_len = 0; - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - D1I(s)->cookie_len = cookie_len; - D1I(s)->send_cookie = 1; - - return 1; - -truncated: - al = SSL_AD_DECODE_ERROR; -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; -} diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c deleted file mode 100644 index 20686d29..00000000 --- a/ssl/d1_enc.c +++ /dev/null @@ -1,212 +0,0 @@ -/* $OpenBSD: d1_enc.c,v 1.14 2017/01/23 08:08:06 beck Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include "ssl_locl.h" - -#include -#include -#include - -/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. - * - * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too - * short etc). - * 1: if the record's padding is valid / the encryption was successful. - * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, - * an internal error occured. */ -int -dtls1_enc(SSL *s, int send) -{ - SSL3_RECORD *rec; - EVP_CIPHER_CTX *ds; - unsigned long l; - int bs, i, j, k, mac_size = 0; - const EVP_CIPHER *enc; - - if (send) { - if (EVP_MD_CTX_md(s->internal->write_hash)) { - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - if (mac_size < 0) - return -1; - } - ds = s->internal->enc_write_ctx; - rec = &(S3I(s)->wrec); - if (s->internal->enc_write_ctx == NULL) - enc = NULL; - else { - enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx); - if (rec->data != rec->input) { -#ifdef DEBUG - /* we can't write into the input stream */ - fprintf(stderr, "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); -#endif - } else if (EVP_CIPHER_block_size(ds->cipher) > 1) { - arc4random_buf(rec->input, - EVP_CIPHER_block_size(ds->cipher)); - } - } - } else { - if (EVP_MD_CTX_md(s->read_hash)) { - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size >= 0); - } - ds = s->enc_read_ctx; - rec = &(S3I(s)->rrec); - if (s->enc_read_ctx == NULL) - enc = NULL; - else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } - - - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memmove(rec->data, rec->input, rec->length); - rec->input = rec->data; - } else { - l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); - - if ((bs != 1) && send) { - i = bs - ((int)l % bs); - - /* Add weird padding of upto 256 bytes */ - - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)l; k < (int)(l + i); k++) - rec->input[k] = j; - l += i; - rec->length += i; - } - - - if (!send) { - if (l == 0 || l % bs != 0) - return 0; - } - - EVP_Cipher(ds, rec->data, rec->input, l); - - - if ((bs != 1) && !send) - return tls1_cbc_remove_padding(s, rec, bs, mac_size); - } - return (1); -} - diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 7e919a6c..4a45e66f 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.42 2017/04/10 17:27:33 jsing Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.53 2021/02/20 07:29:07 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -70,111 +70,84 @@ #include "pqueue.h" #include "ssl_locl.h" -static int dtls1_listen(SSL *s, struct sockaddr *client); - -SSL3_ENC_METHOD DTLSv1_enc_data = { - .enc = dtls1_enc, - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, -}; +void dtls1_hm_fragment_free(hm_fragment *frag); -long -dtls1_default_timeout(void) -{ - /* 2 hours, the 24 hours mentioned in the DTLSv1 spec - * is way too long for http, the cache would over fill */ - return (60*60*2); -} +static int dtls1_listen(SSL *s, struct sockaddr *client); int dtls1_new(SSL *s) { - DTLS1_STATE *d1; - if (!ssl3_new(s)) - return (0); - if ((d1 = calloc(1, sizeof(*d1))) == NULL) { - ssl3_free(s); - return (0); - } - if ((d1->internal = calloc(1, sizeof(*d1->internal))) == NULL) { - free(d1); - ssl3_free(s); - return (0); - } - - /* d1->handshake_epoch=0; */ - - d1->internal->unprocessed_rcds.q = pqueue_new(); - d1->internal->processed_rcds.q = pqueue_new(); - d1->internal->buffered_messages = pqueue_new(); - d1->sent_messages = pqueue_new(); - d1->internal->buffered_app_data.q = pqueue_new(); + goto err; + + if ((s->d1 = calloc(1, sizeof(*s->d1))) == NULL) + goto err; + if ((s->d1->internal = calloc(1, sizeof(*s->d1->internal))) == NULL) + goto err; + + if ((s->d1->internal->unprocessed_rcds.q = pqueue_new()) == NULL) + goto err; + if ((s->d1->internal->processed_rcds.q = pqueue_new()) == NULL) + goto err; + if ((s->d1->internal->buffered_messages = pqueue_new()) == NULL) + goto err; + if ((s->d1->sent_messages = pqueue_new()) == NULL) + goto err; + if ((s->d1->internal->buffered_app_data.q = pqueue_new()) == NULL) + goto err; + + if (s->server) + s->d1->internal->cookie_len = sizeof(D1I(s)->cookie); - if (s->server) { - d1->internal->cookie_len = sizeof(D1I(s)->cookie); - } - - if (!d1->internal->unprocessed_rcds.q || !d1->internal->processed_rcds.q || - !d1->internal->buffered_messages || !d1->sent_messages || - !d1->internal->buffered_app_data.q) { - pqueue_free(d1->internal->unprocessed_rcds.q); - pqueue_free(d1->internal->processed_rcds.q); - pqueue_free(d1->internal->buffered_messages); - pqueue_free(d1->sent_messages); - pqueue_free(d1->internal->buffered_app_data.q); - free(d1); - ssl3_free(s); - return (0); - } - - s->d1 = d1; s->method->internal->ssl_clear(s); return (1); + + err: + dtls1_free(s); + return (0); } static void -dtls1_clear_queues(SSL *s) +dtls1_drain_records(pqueue queue) { - pitem *item = NULL; - hm_fragment *frag = NULL; - DTLS1_RECORD_DATA *rdata; + pitem *item; + DTLS1_RECORD_DATA_INTERNAL *rdata; - while ((item = pqueue_pop(D1I(s)->unprocessed_rcds.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } + if (queue == NULL) + return; - while ((item = pqueue_pop(D1I(s)->processed_rcds.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); + while ((item = pqueue_pop(queue)) != NULL) { + rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data; + ssl3_release_buffer(&rdata->rbuf); free(item->data); pitem_free(item); } +} - while ((item = pqueue_pop(D1I(s)->buffered_messages)) != NULL) { - frag = (hm_fragment *)item->data; - free(frag->fragment); - free(frag); - pitem_free(item); - } +static void +dtls1_drain_fragments(pqueue queue) +{ + pitem *item; - while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) { - frag = (hm_fragment *)item->data; - free(frag->fragment); - free(frag); - pitem_free(item); - } + if (queue == NULL) + return; - while ((item = pqueue_pop(D1I(s)->buffered_app_data.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); + while ((item = pqueue_pop(queue)) != NULL) { + dtls1_hm_fragment_free(item->data); pitem_free(item); } } +static void +dtls1_clear_queues(SSL *s) +{ + dtls1_drain_records(D1I(s)->unprocessed_rcds.q); + dtls1_drain_records(D1I(s)->processed_rcds.q); + dtls1_drain_fragments(D1I(s)->buffered_messages); + dtls1_drain_fragments(s->d1->sent_messages); + dtls1_drain_records(D1I(s)->buffered_app_data.q); +} + void dtls1_free(SSL *s) { @@ -278,14 +251,15 @@ dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) const SSL_CIPHER * dtls1_get_cipher(unsigned int u) { - const SSL_CIPHER *ciph = ssl3_get_cipher(u); + const SSL_CIPHER *cipher; - if (ciph != NULL) { - if (ciph->algorithm_enc == SSL_RC4) - return NULL; - } + if ((cipher = ssl3_get_cipher(u)) == NULL) + return NULL; + + if (cipher->algorithm_enc == SSL_RC4) + return NULL; - return ciph; + return cipher; } void @@ -450,16 +424,3 @@ dtls1_listen(SSL *s, struct sockaddr *client) (void)BIO_dgram_get_peer(SSL_get_rbio(s), client); return 1; } - -void -dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, - unsigned short epoch) -{ - unsigned char dtlsseq[SSL3_SEQUENCE_SIZE]; - unsigned char *p; - - p = dtlsseq; - s2n(epoch, p); - memcpy(p, &seq[2], SSL3_SEQUENCE_SIZE - 2); - memcpy(dst, dtlsseq, SSL3_SEQUENCE_SIZE); -} diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index b406b625..7f4261e4 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.66 2018/12/03 17:16:12 tb Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.93 2021/02/20 14:14:16 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -184,9 +184,11 @@ satsub64be(const unsigned char *v1, const unsigned char *v2) static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, int len, int peek); -static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); -static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); -static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, +static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq); +static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq); +static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch); static int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority); @@ -194,53 +196,44 @@ static int dtls1_process_record(SSL *s); /* copy buffered record into SSL structure */ static int -dtls1_copy_record(SSL *s, pitem *item) +dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata) { - DTLS1_RECORD_DATA *rdata; - - rdata = (DTLS1_RECORD_DATA *)item->data; - - free(S3I(s)->rbuf.buf); + ssl3_release_buffer(&S3I(s)->rbuf); s->internal->packet = rdata->packet; s->internal->packet_length = rdata->packet_length; - memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); - - /* Set proper sequence number for mac calculation */ - memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6); + memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); + memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL)); return (1); } - static int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) { - DTLS1_RECORD_DATA *rdata; + DTLS1_RECORD_DATA_INTERNAL *rdata; pitem *item; /* Limit the size of the queue to prevent DOS attacks */ if (pqueue_size(queue->q) >= 100) return 0; - rdata = malloc(sizeof(DTLS1_RECORD_DATA)); + rdata = malloc(sizeof(DTLS1_RECORD_DATA_INTERNAL)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL) goto init_err; rdata->packet = s->internal->packet; rdata->packet_length = s->internal->packet_length; - memcpy(&(rdata->rbuf), &(S3I(s)->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD)); + memcpy(&(rdata->rbuf), &(S3I(s)->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); + memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD_INTERNAL)); item->data = rdata; - s->internal->packet = NULL; s->internal->packet_length = 0; - memset(&(S3I(s)->rbuf), 0, sizeof(SSL3_BUFFER)); - memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD)); + memset(&(S3I(s)->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL)); + memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD_INTERNAL)); if (!ssl3_setup_buffers(s)) goto err; @@ -252,7 +245,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (1); err: - free(rdata->rbuf.buf); + ssl3_release_buffer(&rdata->rbuf); init_err: SSLerror(s, ERR_R_INTERNAL_ERROR); @@ -269,7 +262,7 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) item = pqueue_pop(queue->q); if (item) { - dtls1_copy_record(s, item); + dtls1_copy_record(s, item->data); free(item->data); pitem_free(item); @@ -280,18 +273,6 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) return (0); } - -/* retrieve a buffered record that belongs to the new epoch, i.e., not processed - * yet */ -#define dtls1_get_unprocessed_record(s) \ - dtls1_retrieve_buffered_record((s), \ - &((D1I(s))->unprocessed_rcds)) - -/* retrieve a buffered record that belongs to the current epoch, ie, processed */ -#define dtls1_get_processed_record(s) \ - dtls1_retrieve_buffered_record((s), \ - &((D1I(s))->processed_rcds)) - static int dtls1_process_buffered_records(SSL *s) { @@ -306,8 +287,10 @@ dtls1_process_buffered_records(SSL *s) /* Process all the records. */ while (pqueue_peek(D1I(s)->unprocessed_rcds.q)) { - dtls1_get_unprocessed_record(s); - if (! dtls1_process_record(s)) + if (!dtls1_retrieve_buffered_record((s), + &((D1I(s))->unprocessed_rcds))) + return (0); + if (!dtls1_process_record(s)) return (0); if (dtls1_buffer_record(s, &(D1I(s)->processed_rcds), S3I(s)->rrec.seq_num) < 0) @@ -326,133 +309,39 @@ dtls1_process_buffered_records(SSL *s) static int dtls1_process_record(SSL *s) { - int i, al; - int enc_err; - SSL_SESSION *sess; - SSL3_RECORD *rr; - unsigned int mac_size, orig_len; - unsigned char md[EVP_MAX_MD_SIZE]; + SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); + uint8_t alert_desc; + uint8_t *out; + size_t out_len; - rr = &(S3I(s)->rrec); - sess = s->session; + tls12_record_layer_set_version(s->internal->rl, s->version); - /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->internal->packet - */ - rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]); - - /* ok, we can now read from 's->internal->packet' data into 'rr' - * rr->input points at rr->length bytes, which - * need to be copied into rr->data by either - * the decryption or by the decompression - * When the data is 'copied' into the rr->data buffer, - * rr->input will be pointed at the new buffer */ - - /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] - * rr->length bytes of encrypted compressed stuff. */ - - /* check is not needed I believe */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr->data = rr->input; + if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, + s->internal->packet_length, &out, &out_len)) { + tls12_record_layer_alert(s->internal->rl, &alert_desc); - enc_err = s->method->internal->ssl3_enc->enc(s, 0); - /* enc_err is: - * 0: (in non-constant time) if the record is publically invalid. - * 1: if the padding is valid - * -1: if the padding is invalid */ - if (enc_err == 0) { - /* For DTLS we simply ignore bad packets. */ - rr->length = 0; - s->internal->packet_length = 0; - goto err; - } - - - /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* s->read_hash != NULL => mac_size != -1 */ - unsigned char *mac = NULL; - unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - - /* kludge: *_cbc_remove_padding passes padding length in rr->type */ - orig_len = rr->length + ((unsigned int)rr->type >> 8); - - /* orig_len is the length of the record before any padding was - * removed. This is public information, as is the MAC in use, - * therefore we can safely process the record in a different - * amount of time if it's too short to possibly contain a MAC. - */ - if (orig_len < mac_size || - /* CBC records must have a padding length byte too. */ - (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - - if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { - /* We update the length so that the TLS header bytes - * can be constructed correctly but we need to extract - * the MAC in constant time from within the record, - * without leaking the contents of the padding bytes. - * */ - mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); - rr->length -= mac_size; - } else { - /* In this case there's no padding, so |orig_len| - * equals |rec->length| and we checked that there's - * enough bytes for |mac_size| above. */ - rr->length -= mac_size; - mac = &rr->data[rr->length]; - } - - i = tls1_mac(s, md, 0 /* not send */); - if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) - enc_err = -1; - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) - enc_err = -1; - } + if (alert_desc == 0) + goto err; - if (enc_err < 0) { - /* decryption failed, silently discard message */ - rr->length = 0; - s->internal->packet_length = 0; - goto err; - } + if (alert_desc == SSL_AD_RECORD_OVERFLOW) + SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + else if (alert_desc == SSL_AD_BAD_RECORD_MAC) + SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + goto fatal_err; } + rr->data = out; + rr->length = out_len; rr->off = 0; - /* So at this point the following is true - * ssl->s3->internal->rrec.type is the type of record - * ssl->s3->internal->rrec.length == number of bytes in record - * ssl->s3->internal->rrec.off == offset to first valid byte - * ssl->s3->internal->rrec.data == where to take bytes from, increment - * after use :-). - */ - /* we have pulled in a full packet so zero things */ s->internal->packet_length = 0; + return (1); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + fatal_err: + ssl3_send_alert(s, SSL3_AL_FATAL, alert_desc); + err: return (0); } @@ -469,7 +358,7 @@ dtls1_process_record(SSL *s) int dtls1_get_record(SSL *s) { - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; unsigned char *p = NULL; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; @@ -483,7 +372,7 @@ dtls1_get_record(SSL *s) return (-1); /* if we're renegotiating, then there may be buffered records */ - if (dtls1_get_processed_record(s)) + if (dtls1_retrieve_buffered_record((s), &((D1I(s))->processed_rcds))) return 1; /* get something from the wire */ @@ -524,12 +413,13 @@ dtls1_get_record(SSL *s) !CBS_get_bytes(&header, &seq_no, 6)) goto again; - if (!CBS_write_bytes(&seq_no, &(S3I(s)->read_sequence[2]), - sizeof(S3I(s)->read_sequence) - 2, NULL)) - goto again; if (!CBS_get_u16(&header, &len)) goto again; + if (!CBS_write_bytes(&seq_no, &rr->seq_num[2], + sizeof(rr->seq_num) - 2, NULL)) + goto again; + rr->type = type; rr->epoch = epoch; rr->length = len; @@ -576,7 +466,7 @@ dtls1_get_record(SSL *s) */ if (!(D1I(s)->listen && rr->type == SSL3_RT_HANDSHAKE && p != NULL && *p == SSL3_MT_CLIENT_HELLO) && - !dtls1_record_replay_check(s, bitmap)) + !dtls1_record_replay_check(s, bitmap, rr->seq_num)) goto again; /* just read a 0 length packet */ @@ -594,7 +484,7 @@ dtls1_get_record(SSL *s) rr->seq_num) < 0) return (-1); /* Mark receipt of record. */ - dtls1_record_bitmap_update(s, bitmap); + dtls1_record_bitmap_update(s, bitmap, rr->seq_num); } goto again; } @@ -603,7 +493,7 @@ dtls1_get_record(SSL *s) goto again; /* Mark receipt of record. */ - dtls1_record_bitmap_update(s, bitmap); + dtls1_record_bitmap_update(s, bitmap, rr->seq_num); return (1); } @@ -640,7 +530,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al, i, j, ret; unsigned int n; - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; void (*cb)(const SSL *ssl, int type2, int val) = NULL; if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ @@ -685,17 +575,8 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * so process data buffered during the last handshake * in advance, if any. */ - if (S3I(s)->hs.state == SSL_ST_OK && rr->length == 0) { - pitem *item; - item = pqueue_pop(D1I(s)->buffered_app_data.q); - if (item) { - - dtls1_copy_record(s, item); - - free(item->data); - pitem_free(item); - } - } + if (S3I(s)->hs.state == SSL_ST_OK && rr->length == 0) + dtls1_retrieve_buffered_record(s, &(D1I(s)->buffered_app_data)); /* Check for timeout */ if (dtls1_handle_timeout(s) > 0) @@ -746,16 +627,15 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (0); } - - if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ - { + /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ + if (type == rr->type) { /* make sure that we are not getting application data when we * are doing a handshake for the first time */ - if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && - (s->enc_read_ctx == NULL)) { + if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && + !tls12_record_layer_read_protected(s->internal->rl)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + goto fatal_err; } if (len <= 0) @@ -818,7 +698,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) /* Not certain if this is the right error handling */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; } if (dest_maxlen > 0) { @@ -855,7 +735,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (D1I(s)->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_HELLO_REQUEST); - goto f_err; + goto fatal_err; } /* no need to check sequence number on HELLO REQUEST messages */ @@ -941,7 +821,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } else { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + goto fatal_err; } goto start; @@ -967,7 +847,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + goto fatal_err; } rr->length = 0; @@ -1061,7 +941,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -1070,7 +950,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, * but have application data. If the library was @@ -1092,12 +972,12 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } else { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; } } /* not reached */ - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -1178,185 +1058,90 @@ dtls1_write_bytes(SSL *s, int type, const void *buf, int len) int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) { - unsigned char *p, *pseq; - int i, mac_size, clear = 0; - int prefix_len = 0; - SSL3_RECORD *wr; - SSL3_BUFFER *wb; - SSL_SESSION *sess; - int bs; - - /* first check if there is a SSL3_BUFFER still being written - * out. This will happen with non blocking IO */ - if (S3I(s)->wbuf.left != 0) { + SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); + size_t out_len; + CBB cbb; + int ret; + + memset(&cbb, 0, sizeof(cbb)); + + /* + * First check if there is a SSL3_BUFFER_INTERNAL still being written + * out. This will happen with non blocking IO. + */ + if (wb->left != 0) { OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ return (ssl3_write_pending(s, type, buf, len)); } - /* If we have an alert to send, lets send it */ + /* If we have an alert to send, let's send it */ if (S3I(s)->alert_dispatch) { - i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); - /* if it went, fall through and send more stuff */ + if ((ret = s->method->ssl_dispatch_alert(s)) <= 0) + return (ret); + /* If it went, fall through and send more stuff. */ } if (len == 0) return 0; - wr = &(S3I(s)->wrec); - wb = &(S3I(s)->wbuf); - sess = s->session; - - if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) || - (EVP_MD_CTX_md(s->internal->write_hash) == NULL)) - clear = 1; - - if (clear) - mac_size = 0; - else { - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - if (mac_size < 0) - goto err; - } - - /* DTLS implements explicit IV, so no need for empty fragments. */ - - p = wb->buf + prefix_len; - - /* write the header */ + wb->offset = 0; - *(p++) = type&0xff; - wr->type = type; + if (!CBB_init_fixed(&cbb, wb->buf, wb->len)) + goto err; - *(p++) = (s->version >> 8); - *(p++) = s->version&0xff; + tls12_record_layer_set_version(s->internal->rl, s->version); - /* field where we are to write out packet epoch, seq num and len */ - pseq = p; + if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + goto err; - p += 10; + if (!CBB_finish(&cbb, NULL, &out_len)) + goto err; - /* lets setup the record stuff. */ + wb->left = out_len; - /* Make space for the explicit IV in case of CBC. - * (this is a bit of a boundary violation, but what the heck). + /* + * Memorize arguments so that ssl3_write_pending can detect + * bad write retries later. */ - if (s->internal->enc_write_ctx && - (EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) - bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); - else - bs = 0; - - wr->data = p + bs; - /* make room for IV in case of CBC */ - wr->length = (int)len; - wr->input = (unsigned char *)buf; - - /* we now 'read' from wr->input, wr->length bytes into - * wr->data */ - - memcpy(wr->data, wr->input, wr->length); - wr->input = wr->data; - - /* we should still have the output to wr->data and the input - * from wr->input. Length should be wr->length. - * wr->data still points in the wb->buf */ - - if (mac_size != 0) { - if (tls1_mac(s, &(p[wr->length + bs]), 1) < 0) - goto err; - wr->length += mac_size; - } - - /* this is true regardless of mac size */ - wr->input = p; - wr->data = p; - - - /* ssl3_enc can only have an error on read */ - if (bs) /* bs != 0 in case of CBC */ - { - arc4random_buf(p, bs); - /* master IV and last CBC residue stand for - * the rest of randomness */ - wr->length += bs; - } - - s->method->internal->ssl3_enc->enc(s, 1); - - /* record length after mac and block padding */ -/* if (type == SSL3_RT_APPLICATION_DATA || - (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ - - /* there's only one epoch between handshake and app data */ - - s2n(D1I(s)->w_epoch, pseq); - - /* XDTLS: ?? */ -/* else - s2n(D1I(s)->handshake_epoch, pseq); -*/ - - memcpy(pseq, &(S3I(s)->write_sequence[2]), 6); - pseq += 6; - s2n(wr->length, pseq); - - /* we should now have - * wr->data pointing to the encrypted data, which is - * wr->length long */ - wr->type=type; /* not needed but helps for debugging */ - wr->length += DTLS1_RT_HEADER_LENGTH; - - tls1_record_sequence_increment(S3I(s)->write_sequence); - - /* now let's set up wb */ - wb->left = prefix_len + wr->length; - wb->offset = 0; - - /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ S3I(s)->wpend_tot = len; S3I(s)->wpend_buf = buf; S3I(s)->wpend_type = type; S3I(s)->wpend_ret = len; - /* we now just need to write the buffer */ + /* We now just need to write the buffer. */ return ssl3_write_pending(s, type, buf, len); -err: - return -1; -} + err: + CBB_cleanup(&cbb); + return -1; +} static int -dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) +dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq) { - int cmp; unsigned int shift; - const unsigned char *seq = S3I(s)->read_sequence; + int cmp; cmp = satsub64be(seq, bitmap->max_seq_num); - if (cmp > 0) { - memcpy (S3I(s)->rrec.seq_num, seq, 8); + if (cmp > 0) return 1; /* this record in new */ - } shift = -cmp; if (shift >= sizeof(bitmap->map)*8) return 0; /* stale, outside the window */ else if (bitmap->map & (1UL << shift)) return 0; /* record previously received */ - memcpy(S3I(s)->rrec.seq_num, seq, 8); return 1; } - static void -dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) +dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq) { - int cmp; unsigned int shift; - const unsigned char *seq = S3I(s)->read_sequence; + int cmp; cmp = satsub64be(seq, bitmap->max_seq_num); if (cmp > 0) { @@ -1373,7 +1158,6 @@ dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) } } - int dtls1_dispatch_alert(SSL *s) { @@ -1384,7 +1168,7 @@ dtls1_dispatch_alert(SSL *s) S3I(s)->alert_dispatch = 0; - memset(buf, 0x00, sizeof(buf)); + memset(buf, 0, sizeof(buf)); *ptr++ = S3I(s)->send_alert[0]; *ptr++ = S3I(s)->send_alert[1]; @@ -1415,7 +1199,7 @@ dtls1_dispatch_alert(SSL *s) static DTLS1_BITMAP * -dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) +dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) { *is_next_epoch = 0; @@ -1437,19 +1221,13 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) void dtls1_reset_seq_numbers(SSL *s, int rw) { - unsigned char *seq; - unsigned int seq_bytes = sizeof(S3I(s)->read_sequence); - if (rw & SSL3_CC_READ) { - seq = S3I(s)->read_sequence; D1I(s)->r_epoch++; - memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP)); - memset(&(D1I(s)->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); + memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), + sizeof(DTLS1_BITMAP)); + memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP)); } else { - seq = S3I(s)->write_sequence; - memcpy(D1I(s)->last_write_sequence, seq, sizeof(S3I(s)->write_sequence)); D1I(s)->w_epoch++; + tls12_record_layer_set_write_epoch(s->internal->rl, D1I(s)->w_epoch); } - - memset(seq, 0x00, seq_bytes); } diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index 4b1b24a3..1ea678a2 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.23 2018/11/09 04:35:09 tb Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.26 2020/10/11 02:44:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -126,7 +126,7 @@ #include "bytestring.h" #include "srtp.h" -static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { +static const SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { { "SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80, @@ -139,10 +139,10 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { }; int -srtp_find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, - unsigned len) +srtp_find_profile_by_name(const char *profile_name, + const SRTP_PROTECTION_PROFILE **pptr, unsigned int len) { - SRTP_PROTECTION_PROFILE *p; + const SRTP_PROTECTION_PROFILE *p; p = srtp_known_profiles; while (p->name) { @@ -159,9 +159,10 @@ srtp_find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, } int -srtp_find_profile_by_num(unsigned profile_num, SRTP_PROTECTION_PROFILE **pptr) +srtp_find_profile_by_num(unsigned int profile_num, + const SRTP_PROTECTION_PROFILE **pptr) { - SRTP_PROTECTION_PROFILE *p; + const SRTP_PROTECTION_PROFILE *p; p = srtp_known_profiles; while (p->name) { @@ -180,11 +181,9 @@ ssl_ctx_make_profiles(const char *profiles_string, STACK_OF(SRTP_PROTECTION_PROFILE) **out) { STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; - char *col; - char *ptr = (char *)profiles_string; - - SRTP_PROTECTION_PROFILE *p; + const char *ptr = profiles_string; + const SRTP_PROTECTION_PROFILE *p; if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) { SSLerrorx(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); @@ -244,7 +243,8 @@ SSL_get_srtp_profiles(SSL *s) SRTP_PROTECTION_PROFILE * SSL_get_selected_srtp_profile(SSL *s) { - return s->internal->srtp_profile; + /* XXX cast away the const */ + return (SRTP_PROTECTION_PROFILE *)s->internal->srtp_profile; } #endif diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c deleted file mode 100644 index 1a1ee542..00000000 --- a/ssl/d1_srvr.c +++ /dev/null @@ -1,165 +0,0 @@ -/* $OpenBSD: d1_srvr.c,v 1.95 2018/11/05 05:45:15 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include "ssl_locl.h" - -#include -#include -#include -#include -#include -#include -#include - -int -dtls1_send_hello_verify_request(SSL *s) -{ - CBB cbb, verify, cookie; - - memset(&cbb, 0, sizeof(cbb)); - - if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { - if (s->ctx->internal->app_gen_cookie_cb == NULL || - s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie, - &(D1I(s)->cookie_len)) == 0) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - return 0; - } - - if (!ssl3_handshake_msg_start(s, &cbb, &verify, - DTLS1_MT_HELLO_VERIFY_REQUEST)) - goto err; - if (!CBB_add_u16(&verify, s->version)) - goto err; - if (!CBB_add_u8_length_prefixed(&verify, &cookie)) - goto err; - if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)) - goto err; - if (!ssl3_handshake_msg_finish(s, &cbb)) - goto err; - - S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; - } - - /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ - return (ssl3_handshake_write(s)); - - err: - CBB_cleanup(&cbb); - - return (-1); -} diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index a1c0ce6b..4f84c948 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_cbc.c,v 1.17 2018/09/08 14:39:41 jsing Exp $ */ +/* $OpenBSD: s3_cbc.c,v 1.23 2020/10/03 17:35:16 jsing Exp $ */ /* ==================================================================== * Copyright (c) 2012 The OpenSSL Project. All rights reserved. * @@ -73,20 +73,20 @@ * bits. They use the fact that arithmetic shift shifts-in the sign bit. * However, this is not ensured by the C standard so you may need to replace * them with something else on odd CPUs. */ -#define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1))) +#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1))) #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) /* constant_time_lt returns 0xff if a=b and 0x00 otherwise. */ -static unsigned -constant_time_ge(unsigned a, unsigned b) +static unsigned int +constant_time_ge(unsigned int a, unsigned int b) { a -= b; return DUPLICATE_MSB_TO_ALL(~a); @@ -94,14 +94,14 @@ constant_time_ge(unsigned a, unsigned b) /* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ static unsigned char -constant_time_eq_8(unsigned a, unsigned b) +constant_time_eq_8(unsigned int a, unsigned int b) { - unsigned c = a ^ b; + unsigned int c = a ^ b; c--; return DUPLICATE_MSB_TO_ALL_8(c); } -/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC +/* ssl3_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC * record in |rec| in constant time and returns 1 if the padding is valid and * -1 otherwise. It also removes any explicit IV from the start of the record * without leaking any timing about whether there was enough space after the @@ -113,26 +113,24 @@ constant_time_eq_8(unsigned a, unsigned b) * 1: if the padding was valid * -1: otherwise. */ int -tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, - unsigned mac_size) +ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len, + unsigned int mac_size) { - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - - /* Check if version requires explicit IV */ - if (SSL_USE_EXPLICIT_IV(s)) { - /* These lengths are all public so we can test them in - * non-constant time. - */ - if (overhead + block_size > rec->length) - return 0; - /* We can now safely skip explicit IV */ - rec->data += block_size; - rec->input += block_size; - rec->length -= block_size; - } else if (overhead > rec->length) + unsigned int padding_length, good, to_check, i; + const unsigned int overhead = 1 /* padding length byte */ + mac_size; + + /* + * These lengths are all public so we can test them in + * non-constant time. + */ + if (overhead + eiv_len > rec->length) return 0; + /* We can now safely skip explicit IV, if any. */ + rec->data += eiv_len; + rec->input += eiv_len; + rec->length -= eiv_len; + padding_length = rec->data[rec->length - 1]; good = constant_time_ge(rec->length, overhead + padding_length); @@ -145,9 +143,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, * decrypted information. Therefore we always have to check the maximum * amount of padding possible. (Again, the length of the record is * public information so we can use it.) */ - to_check = 255; /* maximum amount of padding. */ - if (to_check > rec->length - 1) - to_check = rec->length - 1; + to_check = 256; /* maximum amount of padding, inc length byte. */ + if (to_check > rec->length) + to_check = rec->length; for (i = 0; i < to_check; i++) { unsigned char mask = constant_time_ge(padding_length, i); @@ -169,7 +167,7 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, padding_length = good & (padding_length + 1); rec->length -= padding_length; - rec->type |= padding_length<<8; /* kludge: pass padding length */ + rec->padding_length = padding_length; return (int)((good & 1) | (~good & -1)); } @@ -194,8 +192,8 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, #define CBC_MAC_ROTATE_IN_PLACE void -ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, - unsigned md_size, unsigned orig_len) +ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD_INTERNAL *rec, + unsigned int md_size, unsigned int orig_len) { #if defined(CBC_MAC_ROTATE_IN_PLACE) unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; @@ -205,14 +203,14 @@ ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, #endif /* mac_end is the index of |rec->data| just after the end of the MAC. */ - unsigned mac_end = rec->length; - unsigned mac_start = mac_end - md_size; + unsigned int mac_end = rec->length; + unsigned int mac_start = mac_end - md_size; /* scan_start contains the number of bytes that we can ignore because * the MAC's position can only vary by 255 bytes. */ - unsigned scan_start = 0; - unsigned i, j; - unsigned div_spoiler; - unsigned rotate_offset; + unsigned int scan_start = 0; + unsigned int i, j; + unsigned int div_spoiler; + unsigned int rotate_offset; OPENSSL_assert(orig_len >= md_size); OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); @@ -266,6 +264,20 @@ ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, #endif } +#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l) )&0xff)) + +#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ + *((c)++)=(unsigned char)(((l)>>48)&0xff), \ + *((c)++)=(unsigned char)(((l)>>40)&0xff), \ + *((c)++)=(unsigned char)(((l)>>32)&0xff), \ + *((c)++)=(unsigned char)(((l)>>24)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l) )&0xff)) + /* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in * little-endian order. The value of p is advanced by four. */ #define u32toLE(n, p) \ @@ -302,7 +314,7 @@ static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) { SHA256_CTX *sha256 = ctx; - unsigned i; + unsigned int i; for (i = 0; i < 8; i++) { l2n(sha256->h[i], md_out); @@ -313,7 +325,7 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) { SHA512_CTX *sha512 = ctx; - unsigned i; + unsigned int i; for (i = 0; i < 8; i++) { l2n8(sha512->h[i], md_out); @@ -368,7 +380,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, size_t* md_out_size, const unsigned char header[13], const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length) + unsigned int mac_secret_length) { union { /* @@ -381,8 +393,8 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, } md_state; void (*md_final_raw)(void *ctx, unsigned char *md_out); void (*md_transform)(void *ctx, const unsigned char *block); - unsigned md_size, md_block_size = 64; - unsigned header_length, variance_blocks, + unsigned int md_size, md_block_size = 64; + unsigned int header_length, variance_blocks, len, max_mac_bytes, num_blocks, num_starting_blocks, k, mac_end_offset, c, index_a, index_b; unsigned int bits; /* at most 18 bits */ @@ -391,11 +403,11 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; unsigned char first_block[MAX_HASH_BLOCK_SIZE]; unsigned char mac_out[EVP_MAX_MD_SIZE]; - unsigned i, j, md_out_size_u; + unsigned int i, j, md_out_size_u; EVP_MD_CTX md_ctx; /* mdLengthSize is the number of bytes in the length field that terminates * the hash. */ - unsigned md_length_size = 8; + unsigned int md_length_size = 8; char length_is_big_endian = 1; /* This is a, hopefully redundant, check that allows us to forget about diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2943842c..9df06c51 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.187 2019/10/04 17:21:24 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.206 2021/03/24 18:43:59 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,7 +170,7 @@ #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) /* list of available SSLv3 ciphers (sorted by id) */ -SSL_CIPHER ssl3_ciphers[] = { +const SSL_CIPHER ssl3_ciphers[] = { /* The RSA ciphers */ /* Cipher 01 */ @@ -417,7 +417,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -433,7 +433,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -449,7 +449,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -518,7 +518,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -534,7 +534,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -550,7 +550,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -566,7 +566,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -1447,7 +1447,7 @@ ssl3_pending(const SSL *s) int ssl3_handshake_msg_hdr_len(SSL *s) { - return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH : + return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH); } @@ -1460,7 +1460,7 @@ ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) goto err; if (!CBB_add_u8(handshake, msg_type)) goto err; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { unsigned char *data; if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - @@ -1497,7 +1497,7 @@ ssl3_handshake_msg_finish(SSL *s, CBB *handshake) s->internal->init_num = (int)outlen; s->internal->init_off = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { unsigned long len; uint8_t msg_type; CBS cbs; @@ -1529,7 +1529,7 @@ ssl3_handshake_write(SSL *s) int ssl3_record_write(SSL *s, int type) { - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return dtls1_do_write(s, type); return ssl3_do_write(s, type); @@ -1563,14 +1563,12 @@ ssl3_free(SSL *s) DH_free(S3I(s)->tmp.dh); EC_KEY_free(S3I(s)->tmp.ecdh); - freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); - tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); - freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); - freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); - freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); - freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); + tls13_key_share_free(S3I(s)->hs.tls13.key_share); + tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); + freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); + tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); @@ -1599,24 +1597,23 @@ ssl3_clear(SSL *s) S3I(s)->tmp.dh = NULL; EC_KEY_free(S3I(s)->tmp.ecdh); S3I(s)->tmp.ecdh = NULL; + S3I(s)->tmp.ecdh_nid = NID_undef; + freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); + S3I(s)->tmp.x25519 = NULL; + freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); S3I(s)->hs.sigalgs = NULL; S3I(s)->hs.sigalgs_len = 0; - freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); - S3I(s)->tmp.x25519 = NULL; + tls13_key_share_free(S3I(s)->hs.tls13.key_share); + S3I(s)->hs.tls13.key_share = NULL; - tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); - S3I(s)->hs_tls13.secrets = NULL; - freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); - S3I(s)->hs_tls13.x25519_private = NULL; - freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); - S3I(s)->hs_tls13.x25519_public = NULL; - freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); - S3I(s)->hs_tls13.x25519_peer_public = NULL; - freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); - S3I(s)->hs_tls13.cookie = NULL; - S3I(s)->hs_tls13.cookie_len = 0; + tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); + S3I(s)->hs.tls13.secrets = NULL; + freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); + S3I(s)->hs.tls13.cookie = NULL; + S3I(s)->hs.tls13.cookie_len = 0; + tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); S3I(s)->hs.extensions_seen = 0; @@ -1651,23 +1648,19 @@ ssl3_clear(SSL *s) s->internal->packet_length = 0; s->version = TLS1_VERSION; + + S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); } -static long -ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) +long +_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) { EVP_PKEY *pkey = NULL; - EC_GROUP *group = NULL; - EC_POINT *point = NULL; - EC_KEY *ec_key = NULL; - BIGNUM *order = NULL; SESS_CERT *sc; int ret = 0; - *pkey_tmp = NULL; + *key = NULL; - if (s->server != 0) - return 0; if (s->session == NULL || SSI(s)->sess_cert == NULL) return 0; @@ -1677,41 +1670,29 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) return 0; if (sc->peer_dh_tmp != NULL) { - ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp); - } else if (sc->peer_ecdh_tmp) { - ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp); - } else if (sc->peer_x25519_tmp != NULL) { - /* Fudge up an EC_KEY that looks like X25519... */ - if ((group = EC_GROUP_new_by_curve_name( - NID_X9_62_prime256v1)) == NULL) - goto err; - if ((point = EC_POINT_new(group)) == NULL) + if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp)) goto err; - if ((order = BN_new()) == NULL) - goto err; - if (!BN_set_bit(order, 252)) - goto err; - if (!EC_GROUP_set_generator(group, point, order, NULL)) + } else if (sc->peer_ecdh_tmp) { + if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp)) goto err; - EC_GROUP_set_curve_name(group, NID_X25519); - if ((ec_key = EC_KEY_new()) == NULL) + } else if (sc->peer_x25519_tmp != NULL) { + if (!ssl_kex_dummy_ecdhe_x25519(pkey)) goto err; - if (!EC_KEY_set_group(ec_key, group)) + } else if (S3I(s)->hs.tls13.key_share != NULL) { + if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share, + pkey)) goto err; - ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key); + } else { + goto err; } - if (ret == 1) { - *pkey_tmp = pkey; - pkey = NULL; - } + *key = pkey; + pkey = NULL; - err: + ret = 1; + + err: EVP_PKEY_free(pkey); - EC_GROUP_free(group); - EC_POINT_free(point); - EC_KEY_free(ec_key); - BN_free(order); return (ret); } @@ -1863,16 +1844,30 @@ _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) static int _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) { - *resp = s->internal->tlsext_ocsp_resp; - return s->internal->tlsext_ocsp_resplen; + if (s->internal->tlsext_ocsp_resp != NULL && + s->internal->tlsext_ocsp_resp_len < INT_MAX) { + *resp = s->internal->tlsext_ocsp_resp; + return (int)s->internal->tlsext_ocsp_resp_len; + } + + *resp = NULL; + + return -1; } static int _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) { free(s->internal->tlsext_ocsp_resp); + s->internal->tlsext_ocsp_resp = NULL; + s->internal->tlsext_ocsp_resp_len = 0; + + if (resp_len < 0) + return 0; + s->internal->tlsext_ocsp_resp = resp; - s->internal->tlsext_ocsp_resplen = resp_len; + s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; + return 1; } @@ -2019,8 +2014,11 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_GROUPS_LIST: return SSL_set1_groups_list(s, parg); + /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ case SSL_CTRL_GET_SERVER_TMP_KEY: - return ssl_ctrl_get_server_tmp_key(s, parg); + if (s->server != 0) + return 0; + return _SSL_get_peer_tmp_key(s, parg); case SSL_CTRL_GET_MIN_PROTO_VERSION: return SSL_get_min_proto_version(s); @@ -2240,6 +2238,16 @@ _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) static int _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) +{ + *certs = ctx->extra_certs; + if (*certs == NULL) + *certs = ctx->internal->cert->key->chain; + + return 1; +} + +static int +_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) { *certs = ctx->extra_certs; return 1; @@ -2325,7 +2333,10 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return _SSL_CTX_add_extra_chain_cert(ctx, parg); case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: - return _SSL_CTX_get_extra_chain_certs(ctx, parg); + if (larg == 0) + return _SSL_CTX_get_extra_chain_certs(ctx, parg); + else + return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: return _SSL_CTX_clear_extra_chain_certs(ctx); @@ -2489,6 +2500,16 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, !SSL_USE_TLS1_2_CIPHERS(s)) continue; + /* Skip TLS v1.3 only ciphersuites if not supported. */ + if ((c->algorithm_ssl & SSL_TLSV1_3) && + !SSL_USE_TLS1_3_CIPHERS(s)) + continue; + + /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ + if (SSL_USE_TLS1_3_CIPHERS(s) && + !(c->algorithm_ssl & SSL_TLSV1_3)) + continue; + ssl_set_cert_masks(cert, c); mask_k = cert->mask_k; mask_a = cert->mask_a; @@ -2496,7 +2517,6 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - ok = (alg_k & mask_k) && (alg_a & mask_a); /* @@ -2528,18 +2548,20 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb) { unsigned long alg_k; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST if ((alg_k & SSL_kGOST) != 0) { - if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN)) - return 0; if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) return 0; if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) return 0; if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) return 0; + if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) + return 0; + if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) + return 0; } #endif @@ -2636,8 +2658,8 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek) SSL3_RT_APPLICATION_DATA, buf, len, peek); if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { /* - * ssl3_read_bytes decided to call s->internal->handshake_func, which - * called ssl3_read_bytes to read handshake data. + * ssl3_read_bytes decided to call s->internal->handshake_func, + * which called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. @@ -2700,17 +2722,3 @@ ssl3_renegotiate_check(SSL *s) } return (ret); } -/* - * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF - * and handshake macs if required. - */ -long -ssl_get_algorithm2(SSL *s) -{ - long alg2 = S3I(s)->hs.new_cipher->algorithm2; - - if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; -} diff --git a/ssl/ssl.sym b/ssl/ssl.sym index e094c2ae..e2d7b707 100644 --- a/ssl/ssl.sym +++ b/ssl/ssl.sym @@ -10,6 +10,9 @@ DTLS_server_method DTLSv1_client_method DTLSv1_method DTLSv1_server_method +DTLSv1_2_client_method +DTLSv1_2_method +DTLSv1_2_server_method SSLv23_client_method SSLv23_method SSLv23_server_method @@ -187,6 +190,7 @@ SSL_get0_alpn_selected SSL_get0_chain_certs SSL_get0_next_proto_negotiated SSL_get0_param +SSL_get0_peername SSL_get1_session SSL_get1_supported_ciphers SSL_get_SSL_CTX @@ -234,6 +238,7 @@ SSL_get_version SSL_get_wbio SSL_get_wfd SSL_has_matching_session_id +SSL_is_dtls SSL_is_server SSL_library_init SSL_load_client_CA_file @@ -265,6 +270,7 @@ SSL_set_debug SSL_set_ex_data SSL_set_fd SSL_set_generate_session_id +SSL_set_hostflags SSL_set_info_callback SSL_set_max_proto_version SSL_set_min_proto_version @@ -303,6 +309,7 @@ SSL_use_RSAPrivateKey_ASN1 SSL_use_RSAPrivateKey_file SSL_use_certificate SSL_use_certificate_ASN1 +SSL_use_certificate_chain_file SSL_use_certificate_file SSL_version SSL_version_str diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 94fc8685..cea2b31f 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.57 2018/08/27 16:42:48 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.58 2021/03/29 18:24:04 tb Exp $ */ /* * Copyright (c) 2016 Joel Sing * @@ -331,7 +331,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) goto err; if (timeout != 0) s->timeout = (long)timeout; - + /* Peer certificate [3]. */ X509_free(s->peer); s->peer = NULL; @@ -383,7 +383,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) if (!CBS_strdup(&hostname, &s->tlsext_hostname)) goto err; } - + /* PSK identity hint [7]. */ /* PSK identity [8]. */ @@ -421,7 +421,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) return (s); -err: + err: ERR_asprintf_error_data("offset=%d", (int)(CBS_data(&cbs) - *pp)); if (s != NULL && (a == NULL || *a != s)) diff --git a/ssl/ssl_both.c b/ssl/ssl_both.c index 6bd5f081..4851231a 100644 --- a/ssl/ssl_both.c +++ b/ssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.15 2019/03/25 16:35:48 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.27 2021/03/29 16:46:09 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -176,25 +176,25 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); if (tls1_final_finish_mac(s, sender, slen, - S3I(s)->tmp.finish_md) != md_len) + S3I(s)->hs.finished) != md_len) return (0); - S3I(s)->tmp.finish_md_len = md_len; + S3I(s)->hs.finished_len = md_len; /* Copy finished so we can use it for renegotiation checks. */ - if (s->internal->type == SSL_ST_CONNECT) { + if (!s->server) { memcpy(S3I(s)->previous_client_finished, - S3I(s)->tmp.finish_md, md_len); + S3I(s)->hs.finished, md_len); S3I(s)->previous_client_finished_len = md_len; } else { memcpy(S3I(s)->previous_server_finished, - S3I(s)->tmp.finish_md, md_len); + S3I(s)->hs.finished, md_len); S3I(s)->previous_server_finished_len = md_len; } if (!ssl3_handshake_msg_start(s, &cbb, &finished, SSL3_MT_FINISHED)) goto err; - if (!CBB_add_bytes(&finished, S3I(s)->tmp.finish_md, md_len)) + if (!CBB_add_bytes(&finished, S3I(s)->hs.finished, md_len)) goto err; if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; @@ -224,7 +224,7 @@ ssl3_take_mac(SSL *s) * If no new cipher setup return immediately: other functions will * set the appropriate error. */ - if (S3I(s)->hs.new_cipher == NULL) + if (S3I(s)->hs.cipher == NULL) return; if (S3I(s)->hs.state & SSL_ST_CONNECT) { @@ -235,9 +235,9 @@ ssl3_take_mac(SSL *s) slen = TLS_MD_CLIENT_FINISH_CONST_SIZE; } - S3I(s)->tmp.peer_finish_md_len = + S3I(s)->hs.peer_finished_len = tls1_final_finish_mac(s, sender, slen, - S3I(s)->tmp.peer_finish_md); + S3I(s)->hs.peer_finished); } int @@ -248,7 +248,7 @@ ssl3_get_finished(SSL *s, int a, int b) CBS cbs; /* should actually be 36+4 :-) */ - n = s->method->internal->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); + n = ssl3_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); if (!ok) return ((int)n); @@ -256,7 +256,7 @@ ssl3_get_finished(SSL *s, int a, int b) if (!S3I(s)->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); - goto f_err; + goto fatal_err; } S3I(s)->change_cipher_spec = 0; @@ -265,49 +265,42 @@ ssl3_get_finished(SSL *s, int a, int b) if (n < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; + goto fatal_err; } CBS_init(&cbs, s->internal->init_msg, n); - if (S3I(s)->tmp.peer_finish_md_len != md_len || + if (S3I(s)->hs.peer_finished_len != md_len || CBS_len(&cbs) != md_len) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; + goto fatal_err; } - if (!CBS_mem_equal(&cbs, S3I(s)->tmp.peer_finish_md, CBS_len(&cbs))) { + if (!CBS_mem_equal(&cbs, S3I(s)->hs.peer_finished, CBS_len(&cbs))) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); - goto f_err; + goto fatal_err; } /* Copy finished so we can use it for renegotiation checks. */ OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); - if (s->internal->type == SSL_ST_ACCEPT) { + if (s->server) { memcpy(S3I(s)->previous_client_finished, - S3I(s)->tmp.peer_finish_md, md_len); + S3I(s)->hs.peer_finished, md_len); S3I(s)->previous_client_finished_len = md_len; } else { memcpy(S3I(s)->previous_server_finished, - S3I(s)->tmp.peer_finish_md, md_len); + S3I(s)->hs.peer_finished, md_len); S3I(s)->previous_server_finished_len = md_len; } return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return (0); } -/* for these 2 messages, we need to - * ssl->enc_read_ctx re-init - * ssl->s3->internal->read_sequence zero - * ssl->s3->internal->read_mac_secret re-init - * ssl->session->read_sym_enc assign - * ssl->session->read_hash assign - */ int ssl3_send_change_cipher_spec(SSL *s, int a, int b) { @@ -331,7 +324,7 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b) s->internal->init_num = (int)outlen; s->internal->init_off = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { D1I(s)->handshake_write_seq = D1I(s)->next_handshake_write_seq; dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, @@ -408,6 +401,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk) SSLerror(s, ERR_R_X509_LIB); goto err; } + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx), + X509_V_FLAG_LEGACY_VERIFY); X509_verify_cert(xs_ctx); ERR_clear_error(); chain = xs_ctx->chain; @@ -447,12 +442,15 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) CBS cbs; uint8_t u8; + if (SSL_is_dtls(s)) + return (dtls1_get_message(s, st1, stn, mt, max, ok)); + if (S3I(s)->tmp.reuse_message) { S3I(s)->tmp.reuse_message = 0; if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } *ok = 1; s->internal->init_msg = s->internal->init_buf->data + 4; @@ -504,7 +502,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) if ((mt >= 0) && (*p != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } CBS_init(&cbs, p, 4); @@ -518,7 +516,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) if (l > (unsigned long)max) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; + goto fatal_err; } if (l && !BUF_MEM_grow_clean(s->internal->init_buf, l + 4)) { SSLerror(s, ERR_R_BUF_LIB); @@ -566,7 +564,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) *ok = 1; return (s->internal->init_num); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: *ok = 0; @@ -588,7 +586,7 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey) i = pk->type; if (i == EVP_PKEY_RSA) { - ret = SSL_PKEY_RSA_ENC; + ret = SSL_PKEY_RSA; } else if (i == EVP_PKEY_EC) { ret = SSL_PKEY_ECC; } else if (i == NID_id_GostR3410_2001 || @@ -683,13 +681,23 @@ ssl3_setup_init_buffer(SSL *s) return (0); } +void +ssl3_release_init_buffer(SSL *s) +{ + BUF_MEM_free(s->internal->init_buf); + s->internal->init_buf = NULL; + s->internal->init_msg = NULL; + s->internal->init_num = 0; + s->internal->init_off = 0; +} + int ssl3_setup_read_buffer(SSL *s) { unsigned char *p; size_t len, align, headerlen; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) headerlen = DTLS1_RT_HEADER_LENGTH; else headerlen = SSL3_RT_HEADER_LENGTH; @@ -699,13 +707,13 @@ ssl3_setup_read_buffer(SSL *s) if (S3I(s)->rbuf.buf == NULL) { len = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if ((p = malloc(len)) == NULL) + if ((p = calloc(1, len)) == NULL) goto err; S3I(s)->rbuf.buf = p; S3I(s)->rbuf.len = len; } - s->internal->packet = &(S3I(s)->rbuf.buf[0]); + s->internal->packet = S3I(s)->rbuf.buf; return 1; err: @@ -719,7 +727,7 @@ ssl3_setup_write_buffer(SSL *s) unsigned char *p; size_t len, align, headerlen; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) headerlen = DTLS1_RT_HEADER_LENGTH + 1; else headerlen = SSL3_RT_HEADER_LENGTH; @@ -733,7 +741,7 @@ ssl3_setup_write_buffer(SSL *s) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; - if ((p = malloc(len)) == NULL) + if ((p = calloc(1, len)) == NULL) goto err; S3I(s)->wbuf.buf = p; S3I(s)->wbuf.len = len; @@ -756,18 +764,22 @@ ssl3_setup_buffers(SSL *s) return 1; } -int -ssl3_release_write_buffer(SSL *s) +void +ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b) { - free(S3I(s)->wbuf.buf); - S3I(s)->wbuf.buf = NULL; - return 1; + freezero(b->buf, b->len); + b->buf = NULL; + b->len = 0; } -int +void ssl3_release_read_buffer(SSL *s) { - free(S3I(s)->rbuf.buf); - S3I(s)->rbuf.buf = NULL; - return 1; + ssl3_release_buffer(&S3I(s)->rbuf); +} + +void +ssl3_release_write_buffer(SSL *s) +{ + ssl3_release_buffer(&S3I(s)->wbuf); } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index af8ef329..03ef8565 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.76 2019/05/15 09:13:16 bcook Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.81 2021/03/27 17:56:28 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -168,7 +168,7 @@ ssl_cert_new(void) SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } - ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); + ret->key = &(ret->pkeys[SSL_PKEY_RSA]); ret->references = 1; return (ret); } @@ -240,19 +240,18 @@ ssl_cert_dup(CERT *cert) * (Nothing at the moment, I think.) */ - case SSL_PKEY_RSA_ENC: - case SSL_PKEY_RSA_SIGN: + case SSL_PKEY_RSA: /* We have an RSA key. */ break; - case SSL_PKEY_DH_RSA: - /* We have a DH key. */ - break; - case SSL_PKEY_ECC: /* We have an ECC key */ break; + case SSL_PKEY_GOST01: + /* We have a GOST key */ + break; + default: /* Can't happen. */ SSLerrorx(SSL_R_LIBRARY_BUG); @@ -377,7 +376,7 @@ ssl_sess_cert_new(void) SSLerrorx(ERR_R_MALLOC_FAILURE); return NULL; } - ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); + ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA]); ret->references = 1; return ret; @@ -506,7 +505,7 @@ SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) STACK_OF(X509_NAME) * SSL_get_client_CA_list(const SSL *s) { - if (s->internal->type == SSL_ST_CONNECT) { + if (!s->server) { /* We are in the client. */ if ((s->version >> 8) == SSL3_VERSION_MAJOR) return (S3I(s)->tmp.ca_names); @@ -596,8 +595,9 @@ SSL_load_client_CA_file(const char *file) goto err; } } - if ((xn = X509_get_subject_name(x)) == NULL) goto err; - /* check for duplicates */ + if ((xn = X509_get_subject_name(x)) == NULL) + goto err; + /* check for duplicates */ xn = X509_NAME_dup(xn); if (xn == NULL) goto err; @@ -657,8 +657,9 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, for (;;) { if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) break; - if ((xn = X509_get_subject_name(x)) == NULL) goto err; - xn = X509_NAME_dup(xn); + if ((xn = X509_get_subject_name(x)) == NULL) + goto err; + xn = X509_NAME_dup(xn); if (xn == NULL) goto err; if (sk_X509_NAME_find(stack, xn) >= 0) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index ed167eff..ee627a8c 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.108 2019/04/04 16:44:24 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.121 2021/03/24 18:44:00 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -396,6 +396,28 @@ static const SSL_CIPHER cipher_aliases[] = { .algorithm_ssl = SSL_TLSV1_3, }, + /* cipher suite aliases */ +#ifdef LIBRESSL_HAS_TLS1_3 + { + .valid = 1, + .name = "TLS_AES_128_GCM_SHA256", + .id = TLS1_3_CK_AES_128_GCM_SHA256, + .algorithm_ssl = SSL_TLSV1_3, + }, + { + .valid = 1, + .name = "TLS_AES_256_GCM_SHA384", + .id = TLS1_3_CK_AES_256_GCM_SHA384, + .algorithm_ssl = SSL_TLSV1_3, + }, + { + .valid = 1, + .name = "TLS_CHACHA20_POLY1305_SHA256", + .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, + .algorithm_ssl = SSL_TLSV1_3, + }, +#endif + /* strength classes */ { .name = SSL_TXT_LOW, @@ -537,9 +559,21 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead) int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) { + unsigned long handshake_mac; + *md = NULL; - switch (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_MASK) { + if (S3I(s)->hs.cipher == NULL) + return 0; + + handshake_mac = S3I(s)->hs.cipher->algorithm2 & + SSL_HANDSHAKE_MAC_MASK; + + /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */ + if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT) + handshake_mac = SSL_HANDSHAKE_MAC_SHA256; + + switch (handshake_mac) { case SSL_HANDSHAKE_MAC_DEFAULT: *md = EVP_md5_sha1(); return 1; @@ -758,14 +792,13 @@ ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases, static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, - unsigned long alg_ssl, unsigned long algo_strength, - int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) + unsigned long alg_ssl, unsigned long algo_strength, int rule, + int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { CIPHER_ORDER *head, *tail, *curr, *next, *last; const SSL_CIPHER *cp; int reverse = 0; - if (rule == CIPHER_DEL) reverse = 1; /* needed to maintain sorting between currently deleted ciphers */ @@ -908,7 +941,7 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) static int ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list) + CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen) { unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; unsigned long algo_strength; @@ -917,6 +950,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, const char *l, *buf; char ch; + *tls13_seen = 0; + retval = 1; l = rule_str; for (;;) { @@ -960,7 +995,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || - (ch == '-') || (ch == '.')) { + (ch == '-') || (ch == '.') || + (ch == '_')) { ch = *(++l); buflen++; } @@ -1084,6 +1120,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, * pattern! */ cipher_id = ca_list[j]->id; + if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3) + *tls13_seen = 1; } else { /* * not an explicit ciphersuite; only in this @@ -1129,6 +1167,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, while ((*l != '\0') && !ITEM_SEP(*l)) l++; } else if (found) { + if (alg_ssl == SSL_TLSV1_3) + *tls13_seen = 1; ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, rule, -1, head_p, tail_p); @@ -1156,20 +1196,24 @@ ssl_aes_is_accelerated(void) STACK_OF(SSL_CIPHER) * ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) **cipher_list, - STACK_OF(SSL_CIPHER) **cipher_list_by_id, + STACK_OF(SSL_CIPHER) *cipher_list_tls13, const char *rule_str) { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; - STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; + STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; + const SSL_CIPHER *cipher; + int tls13_seen = 0; + int any_active; + int i; /* * Return with error if nothing to do. */ - if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) + if (rule_str == NULL || cipher_list == NULL) return NULL; /* @@ -1201,7 +1245,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); - if (ssl_aes_is_accelerated() == 1) { + if (ssl_aes_is_accelerated()) { /* * We have hardware assisted AES - prefer AES as a symmetric * cipher, with CHACHA20 second. @@ -1268,9 +1312,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, SSLerrorx(ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } - ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, - disabled_mkey, disabled_auth, disabled_enc, - disabled_mac, disabled_ssl, head); + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, + disabled_auth, disabled_enc, disabled_mac, disabled_ssl, head); /* * If the rule_string begins with DEFAULT, apply the default rule @@ -1280,14 +1323,15 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, rule_p = rule_str; if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - &head, &tail, ca_list); + &head, &tail, ca_list, &tls13_seen); rule_p += 7; if (*rule_p == ':') rule_p++; } if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); + ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, + &tls13_seen); free((void *)ca_list); /* Not needed anymore */ @@ -1306,30 +1350,41 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, return (NULL); } + /* Prefer TLSv1.3 cipher suites. */ + if (cipher_list_tls13 != NULL) { + for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { + cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); + sk_SSL_CIPHER_push(cipherstack, cipher); + } + tls13_seen = 1; + } + /* * The cipher selection for the list is done. The ciphers are added * to the resulting precedence to the STACK_OF(SSL_CIPHER). + * + * If the rule string did not contain any references to TLSv1.3 and + * TLSv1.3 cipher suites have not been configured separately, + * include inactive TLSv1.3 cipher suites. This avoids attempts to + * use TLSv1.3 with an older rule string that does not include + * TLSv1.3 cipher suites. If the rule string resulted in no active + * cipher suites then we return an empty stack. */ + any_active = 0; for (curr = head; curr != NULL; curr = curr->next) { - if (curr->active) { + if (curr->active || + (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) sk_SSL_CIPHER_push(cipherstack, curr->cipher); - } + any_active |= curr->active; } + if (!any_active) + sk_SSL_CIPHER_zero(cipherstack); + free(co_list); /* Not needed any longer */ - tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) { - sk_SSL_CIPHER_free(cipherstack); - return NULL; - } sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; - sk_SSL_CIPHER_free(*cipher_list_by_id); - *cipher_list_by_id = tmp_cipher_list; - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, - ssl_cipher_ptr_id_cmp); - sk_SSL_CIPHER_sort(*cipher_list_by_id); return (cipherstack); } @@ -1383,6 +1438,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kGOST: kx = "GOST"; break; + case SSL_kTLS1_3: + kx = "TLSv1.3"; + break; default: kx = "unknown"; } @@ -1403,6 +1461,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aGOST01: au = "GOST01"; break; + case SSL_aTLS1_3: + au = "TLSv1.3"; + break; default: au = "unknown"; break; diff --git a/ssl/ssl_ciphers.c b/ssl/ssl_ciphers.c index 3abed60b..4e4a0d93 100644 --- a/ssl/ssl_ciphers.c +++ b/ssl/ssl_ciphers.c @@ -1,7 +1,7 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.3 2019/05/15 09:13:16 bcook Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.11 2021/03/11 17:14:46 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan - * Copyright (c) 2015-2018 Joel Sing + * Copyright (c) 2015-2018, 2020 Joel Sing * Copyright (c) 2019 Theo Buehler * * Permission to use, copy, modify, and distribute this software for any @@ -23,28 +23,30 @@ #include "ssl_locl.h" int -ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver, - uint16_t max_ver) +ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher) { - /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */ - if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION) - min_ver = max_ver = TLS1_1_VERSION; + int i; + + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id) + return 1; + } + + return 0; +} +int +ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, + uint16_t max_ver) +{ switch(cipher->algorithm_ssl) { case SSL_SSLV3: - if (min_ver <= TLS1_2_VERSION) - return 1; - break; + return (min_ver <= TLS1_2_VERSION); case SSL_TLSV1_2: - if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver) - return 1; - break; + return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver); case SSL_TLSV1_3: - if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver) - return 1; - break; + return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver); } - return 0; } @@ -59,16 +61,15 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) if (ciphers == NULL) return 0; - if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers)) return 0; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) return 0; - - if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers)) + if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, + max_vers)) continue; - if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) return 0; @@ -92,7 +93,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) { STACK_OF(SSL_CIPHER) *ciphers = NULL; const SSL_CIPHER *cipher; - uint16_t cipher_value, max_version; + uint16_t cipher_value; unsigned long cipher_id; S3I(s)->send_connection_binding = 0; @@ -133,8 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) * Fail if the current version is an unexpected * downgrade. */ - max_version = ssl_max_server_version(s); - if (max_version == 0 || s->version < max_version) { + if (S3I(s)->hs.negotiated_tls_version < + S3I(s)->hs.our_max_tls_version) { SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INAPPROPRIATE_FALLBACK); @@ -158,3 +159,126 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) return (NULL); } + +struct ssl_tls13_ciphersuite { + const char *name; + const char *alias; + unsigned long cid; +}; + +static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = { + { + .name = TLS1_3_TXT_AES_128_GCM_SHA256, + .alias = "TLS_AES_128_GCM_SHA256", + .cid = TLS1_3_CK_AES_128_GCM_SHA256, + }, + { + .name = TLS1_3_TXT_AES_256_GCM_SHA384, + .alias = "TLS_AES_256_GCM_SHA384", + .cid = TLS1_3_CK_AES_256_GCM_SHA384, + }, + { + .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, + .alias = "TLS_CHACHA20_POLY1305_SHA256", + .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256, + }, + { + .name = TLS1_3_TXT_AES_128_CCM_SHA256, + .alias = "TLS_AES_128_CCM_SHA256", + .cid = TLS1_3_CK_AES_128_CCM_SHA256, + }, + { + .name = TLS1_3_TXT_AES_128_CCM_8_SHA256, + .alias = "TLS_AES_128_CCM_8_SHA256", + .cid = TLS1_3_CK_AES_128_CCM_8_SHA256, + }, + { + .name = NULL, + }, +}; + +int +ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str) +{ + const struct ssl_tls13_ciphersuite *ciphersuite; + STACK_OF(SSL_CIPHER) *ciphers; + const SSL_CIPHER *cipher; + char *s = NULL; + char *p, *q; + int i; + int ret = 0; + + if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) + goto err; + + /* An empty string is valid and means no ciphers. */ + if (strcmp(str, "") == 0) + goto done; + + if ((s = strdup(str)) == NULL) + goto err; + + q = s; + while ((p = strsep(&q, ":")) != NULL) { + ciphersuite = &ssl_tls13_ciphersuites[0]; + for (i = 0; ciphersuite->name != NULL; i++) { + if (strcmp(p, ciphersuite->name) == 0) + break; + if (strcmp(p, ciphersuite->alias) == 0) + break; + ciphersuite = &ssl_tls13_ciphersuites[i]; + } + if (ciphersuite->name == NULL) + goto err; + + /* We know about the cipher suite, but it is not supported. */ + if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL) + continue; + + if (!sk_SSL_CIPHER_push(ciphers, cipher)) + goto err; + } + + done: + sk_SSL_CIPHER_free(*out_ciphers); + *out_ciphers = ciphers; + ciphers = NULL; + ret = 1; + + err: + sk_SSL_CIPHER_free(ciphers); + free(s); + + return ret; +} + +int +ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, + STACK_OF(SSL_CIPHER) *cipherlist_tls13, + STACK_OF(SSL_CIPHER) **out_cipherlist) +{ + STACK_OF(SSL_CIPHER) *ciphers = NULL; + const SSL_CIPHER *cipher; + int i, ret = 0; + + if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL) + goto err; + for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) { + cipher = sk_SSL_CIPHER_value(cipherlist, i); + if (cipher->algorithm_ssl == SSL_TLSV1_3) + continue; + if (!sk_SSL_CIPHER_push(ciphers, cipher)) + goto err; + } + + sk_SSL_CIPHER_free(*out_cipherlist); + *out_cipherlist = ciphers; + ciphers = NULL; + + ret = 1; + + err: + sk_SSL_CIPHER_free(ciphers); + + return ret; +} diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c index 90aa80f5..92113c29 100644 --- a/ssl/ssl_clnt.c +++ b/ssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.61 2019/03/31 15:49:03 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.90 2021/04/11 07:06:01 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -212,22 +212,19 @@ ssl3_connect(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); - if (SSL_IS_DTLS(s)) { - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - } else { - if ((s->version & 0xff00) != 0x0300) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } + if (!ssl_legacy_stack_version(s, s->version)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } - /* s->version=SSL3_VERSION; */ - s->internal->type = SSL_ST_CONNECT; + if (!ssl_supported_tls_version_range(s, + &S3I(s)->hs.our_min_tls_version, + &S3I(s)->hs.our_max_tls_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + ret = -1; + goto end; + } if (!ssl3_setup_init_buffer(s)) { ret = -1; @@ -253,7 +250,7 @@ ssl3_connect(SSL *s) s->ctx->internal->stats.sess_connect++; s->internal->init_num = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* mark client_random uninitialized */ memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); @@ -266,7 +263,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CLNT_HELLO_B: s->internal->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* every DTLS ClientHello resets Finished MAC */ tls1_transcript_reset(s); @@ -277,9 +274,9 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; - if (SSL_IS_DTLS(s) && D1I(s)->send_cookie) { + if (SSL_is_dtls(s) && D1I(s)->send_cookie) { S3I(s)->hs.state = SSL3_ST_CW_FLUSH; - S3I(s)->hs.next_state = SSL3_ST_CR_SRVR_HELLO_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A; } else S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; @@ -299,7 +296,7 @@ ssl3_connect(SSL *s) if (s->internal->hit) { S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; - if (!SSL_IS_DTLS(s)) { + if (!SSL_is_dtls(s)) { if (s->internal->tlsext_ticket_expected) { /* receive renewed session ticket */ S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; @@ -308,7 +305,7 @@ ssl3_connect(SSL *s) /* No client certificate verification. */ tls1_transcript_free(s); } - } else if (SSL_IS_DTLS(s)) { + } else if (SSL_is_dtls(s)) { S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; } else { S3I(s)->hs.state = SSL3_ST_CR_CERT_A; @@ -318,7 +315,7 @@ ssl3_connect(SSL *s) case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: - ret = dtls1_get_hello_verify(s); + ret = ssl3_get_dtls_hello_verify(s); if (ret <= 0) goto end; dtls1_stop_timer(s); @@ -344,7 +341,7 @@ ssl3_connect(SSL *s) break; } /* Check if it is anon DH/ECDH. */ - if (!(S3I(s)->hs.new_cipher->algorithm_auth & + if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { ret = ssl3_get_server_certificate(s); if (ret <= 0) @@ -392,7 +389,7 @@ ssl3_connect(SSL *s) ret = ssl3_get_server_done(s); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_stop_timer(s); if (S3I(s)->tmp.cert_req) S3I(s)->hs.state = SSL3_ST_CW_CERT_A; @@ -406,7 +403,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CERT_B: case SSL3_ST_CW_CERT_C: case SSL3_ST_CW_CERT_D: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_client_certificate(s); if (ret <= 0) @@ -417,7 +414,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_KEY_EXCH_A: case SSL3_ST_CW_KEY_EXCH_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_client_key_exchange(s); if (ret <= 0) @@ -444,7 +441,7 @@ ssl3_connect(SSL *s) S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; S3I(s)->change_cipher_spec = 0; } - if (!SSL_IS_DTLS(s)) { + if (!SSL_is_dtls(s)) { if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; S3I(s)->change_cipher_spec = 0; @@ -456,7 +453,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CERT_VRFY_A: case SSL3_ST_CW_CERT_VRFY_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_client_verify(s); if (ret <= 0) @@ -468,7 +465,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: - if (SSL_IS_DTLS(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->internal->hit) dtls1_start_timer(s); ret = ssl3_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); @@ -478,7 +475,7 @@ ssl3_connect(SSL *s) S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; s->internal->init_num = 0; - s->session->cipher = S3I(s)->hs.new_cipher; + s->session->cipher = S3I(s)->hs.cipher; if (!tls1_setup_key_block(s)) { ret = -1; goto end; @@ -490,34 +487,34 @@ ssl3_connect(SSL *s) goto end; } - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); break; case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: - if (SSL_IS_DTLS(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->internal->hit) dtls1_start_timer(s); ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE); if (ret <= 0) goto end; - if (!SSL_IS_DTLS(s)) + if (!SSL_is_dtls(s)) s->s3->flags |= SSL3_FLAGS_CCS_OK; S3I(s)->hs.state = SSL3_ST_CW_FLUSH; /* clear flags */ if (s->internal->hit) { - S3I(s)->hs.next_state = SSL_ST_OK; + S3I(s)->hs.tls12.next_state = SSL_ST_OK; } else { /* Allow NewSessionTicket if ticket expected */ if (s->internal->tlsext_ticket_expected) - S3I(s)->hs.next_state = + S3I(s)->hs.tls12.next_state = SSL3_ST_CR_SESSION_TICKET_A; else - S3I(s)->hs.next_state = + S3I(s)->hs.tls12.next_state = SSL3_ST_CR_FINISHED_A; } s->internal->init_num = 0; @@ -543,7 +540,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -551,7 +548,7 @@ ssl3_connect(SSL *s) SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_stop_timer(s); if (s->internal->hit) @@ -564,18 +561,18 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_FLUSH: s->internal->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying */ if (!BIO_should_retry(s->wbio)) { s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; } } ret = -1; goto end; } s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; break; case SSL_ST_OK: @@ -588,10 +585,8 @@ ssl3_connect(SSL *s) goto end; } - if (!SSL_IS_DTLS(s)) { - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; - } + if (!SSL_is_dtls(s)) + ssl3_release_init_buffer(s); ssl_free_wbio_buffer(s); @@ -611,7 +606,7 @@ ssl3_connect(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_DONE, 1); - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* done with handshaking */ D1I(s)->handshake_read_seq = 0; D1I(s)->next_handshake_write_seq = 0; @@ -644,7 +639,7 @@ ssl3_connect(SSL *s) skip = 0; } -end: + end: s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_CONNECT_EXIT, ret); @@ -665,7 +660,7 @@ ssl3_send_client_hello(SSL *s) if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if (ssl_supported_version_range(s, NULL, &max_version) != 1) { + if (!ssl_max_supported_version(s, &max_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return (-1); } @@ -685,7 +680,7 @@ ssl3_send_client_hello(SSL *s) * HelloVerifyRequest, we must retain the original client * random value. */ - if (!SSL_IS_DTLS(s) || D1I(s)->send_cookie == 0) + if (!SSL_is_dtls(s) || D1I(s)->send_cookie == 0) arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); if (!ssl3_handshake_msg_start(s, &cbb, &client_hello, @@ -704,10 +699,10 @@ ssl3_send_client_hello(SSL *s) * 1.0. * * Possible scenario with previous logic: - * 1. Client hello indicates TLS 1.2 - * 2. Server hello says TLS 1.0 + * 1. Client hello indicates TLS 1.2 + * 2. Server hello says TLS 1.0 * 3. RSA encrypted premaster secret uses 1.2. - * 4. Handhaked proceeds using TLS 1.0. + * 4. Handhaked proceeds using TLS 1.0. * 5. Server sends hello request to renegotiate. * 6. Client hello indicates TLS v1.0 as we now * know that is maximum server supports. @@ -746,7 +741,7 @@ ssl3_send_client_hello(SSL *s) } /* DTLS Cookie. */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; @@ -775,7 +770,7 @@ ssl3_send_client_hello(SSL *s) goto err; /* TLS extensions */ - if (!tlsext_client_build(s, &client_hello, SSL_TLSEXT_MSG_CH)) { + if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -789,40 +784,100 @@ ssl3_send_client_hello(SSL *s) /* SSL3_ST_CW_CLNT_HELLO_B */ return (ssl3_handshake_write(s)); -err: + err: CBB_cleanup(&cbb); return (-1); } +int +ssl3_get_dtls_hello_verify(SSL *s) +{ + long n; + int al, ok = 0; + size_t cookie_len; + uint16_t ssl_version; + CBS hello_verify_request, cookie; + + n = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, + DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); + if (!ok) + return ((int)n); + + if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { + D1I(s)->send_cookie = 0; + S3I(s)->tmp.reuse_message = 1; + return (1); + } + + if (n < 0) + goto decode_err; + + CBS_init(&hello_verify_request, s->internal->init_msg, n); + + if (!CBS_get_u16(&hello_verify_request, &ssl_version)) + goto decode_err; + if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) + goto decode_err; + if (CBS_len(&hello_verify_request) != 0) + goto decode_err; + + /* + * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always + * contain DTLSv1.0 the version that is going to be negotiated. + * Tolerate DTLSv1.2 just in case. + */ + if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) { + SSLerror(s, SSL_R_WRONG_SSL_VERSION); + s->version = (s->version & 0xff00) | (ssl_version & 0xff); + al = SSL_AD_PROTOCOL_VERSION; + goto fatal_err; + } + + if (!CBS_write_bytes(&cookie, D1I(s)->cookie, + sizeof(D1I(s)->cookie), &cookie_len)) { + D1I(s)->cookie_len = 0; + al = SSL_AD_ILLEGAL_PARAMETER; + goto fatal_err; + } + D1I(s)->cookie_len = cookie_len; + D1I(s)->send_cookie = 1; + + return 1; + + decode_err: + al = SSL_AD_DECODE_ERROR; + fatal_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return -1; +} + int ssl3_get_server_hello(SSL *s) { CBS cbs, server_random, session_id; uint16_t server_version, cipher_suite; - uint16_t min_version, max_version; uint8_t compression_method; - STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *cipher; const SSL_METHOD *method; unsigned long alg_k; size_t outlen; - int i, al, ok; + int al, ok; long n; s->internal->first_packet = 1; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, + n = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok); if (!ok) return ((int)n); s->internal->first_packet = 0; if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cbs, s->internal->init_msg, n); - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { if (D1I(s)->send_cookie == 0) { S3I(s)->tmp.reuse_message = 1; @@ -831,7 +886,7 @@ ssl3_get_server_hello(SSL *s) /* Already sent a cookie. */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } } } @@ -839,28 +894,27 @@ ssl3_get_server_hello(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } if (!CBS_get_u16(&cbs, &server_version)) - goto truncated; + goto decode_err; - if (ssl_supported_version_range(s, &min_version, &max_version) != 1) { - SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); - goto err; - } - - if (server_version < min_version || server_version > max_version) { + if (!ssl_check_version_from_server(s, server_version)) { SSLerror(s, SSL_R_WRONG_SSL_VERSION); s->version = (s->version & 0xff00) | (server_version & 0xff); al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + goto fatal_err; } s->version = server_version; - if ((method = tls1_get_client_method(server_version)) == NULL) - method = dtls1_get_client_method(server_version); - if (method == NULL) { + S3I(s)->hs.negotiated_tls_version = ssl_tls_version(server_version); + if (S3I(s)->hs.negotiated_tls_version == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + + if ((method = ssl_get_method(server_version)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -868,25 +922,48 @@ ssl3_get_server_hello(SSL *s) /* Server random. */ if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE)) - goto truncated; + goto decode_err; if (!CBS_write_bytes(&server_random, s->s3->server_random, sizeof(s->s3->server_random), NULL)) goto err; + if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && + S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { + /* + * RFC 8446 section 4.1.3. We must not downgrade if the server + * random value contains the TLS 1.2 or TLS 1.1 magical value. + */ + if (!CBS_skip(&server_random, + CBS_len(&server_random) - sizeof(tls13_downgrade_12))) + goto err; + if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION && + CBS_mem_equal(&server_random, tls13_downgrade_12, + sizeof(tls13_downgrade_12))) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); + goto fatal_err; + } + if (CBS_mem_equal(&server_random, tls13_downgrade_11, + sizeof(tls13_downgrade_11))) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); + goto fatal_err; + } + } + /* Session ID. */ if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) - goto truncated; + goto decode_err; - if ((CBS_len(&session_id) > sizeof(s->session->session_id)) || - (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE)) { + if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; + goto fatal_err; } /* Cipher suite. */ if (!CBS_get_u16(&cbs, &cipher_suite)) - goto truncated; + goto decode_err; /* * Check if we want to resume the session based on external @@ -913,7 +990,7 @@ ssl3_get_server_hello(SSL *s) /* actually a client application bug */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); - goto f_err; + goto fatal_err; } s->s3->flags |= SSL3_FLAGS_CCS_OK; s->internal->hit = 1; @@ -926,7 +1003,7 @@ ssl3_get_server_hello(SSL *s) if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } } @@ -945,24 +1022,22 @@ ssl3_get_server_hello(SSL *s) if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED); - goto f_err; + goto fatal_err; } /* TLS v1.2 only ciphersuites require v1.2 or later. */ if ((cipher->algorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_version(s) < TLS1_2_VERSION)) { + S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; + goto fatal_err; } - sk = ssl_get_ciphers_by_id(s); - i = sk_SSL_CIPHER_find(sk, cipher); - if (i < 0) { + if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { /* we did not say we would use this cipher */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; + goto fatal_err; } /* @@ -975,9 +1050,9 @@ ssl3_get_server_hello(SSL *s) if (s->internal->hit && (s->session->cipher_id != cipher->id)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); - goto f_err; + goto fatal_err; } - S3I(s)->hs.new_cipher = cipher; + S3I(s)->hs.cipher = cipher; if (!tls1_transcript_hash_init(s)) goto err; @@ -986,22 +1061,22 @@ ssl3_get_server_hello(SSL *s) * Don't digest cached records if no sigalgs: we may need them for * client authentication. */ - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST))) tls1_transcript_free(s); if (!CBS_get_u8(&cbs, &compression_method)) - goto truncated; + goto decode_err; if (compression_method != 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; + goto fatal_err; } - if (!tlsext_client_parse(s, &cbs, &al, SSL_TLSEXT_MSG_SH)) { + if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); - goto f_err; + goto fatal_err; } /* @@ -1016,7 +1091,7 @@ ssl3_get_server_hello(SSL *s) !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - goto f_err; + goto fatal_err; } if (ssl_check_serverhello_tlsext(s) <= 0) { @@ -1026,13 +1101,13 @@ ssl3_get_server_hello(SSL *s) return (1); -truncated: + decode_err: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } @@ -1048,9 +1123,8 @@ ssl3_get_server_certificate(SSL *s) SESS_CERT *sc; EVP_PKEY *pkey = NULL; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok); - if (!ok) return ((int)n); @@ -1062,7 +1136,7 @@ ssl3_get_server_certificate(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } @@ -1072,28 +1146,28 @@ ssl3_get_server_certificate(SSL *s) } if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cbs, s->internal->init_msg, n); if (CBS_len(&cbs) < 3) - goto truncated; + goto decode_err; if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) || CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } while (CBS_len(&cert_list) > 0) { CBS cert; if (CBS_len(&cert_list) < 3) - goto truncated; + goto decode_err; if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } q = CBS_data(&cert); @@ -1101,12 +1175,12 @@ ssl3_get_server_certificate(SSL *s) if (x == NULL) { al = SSL_AD_BAD_CERTIFICATE; SSLerror(s, ERR_R_ASN1_LIB); - goto f_err; + goto fatal_err; } if (q != CBS_data(&cert) + CBS_len(&cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (!sk_X509_push(sk, x)) { SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -1119,7 +1193,7 @@ ssl3_get_server_certificate(SSL *s) if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { al = ssl_verify_alarm_type(s->verify_result); SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; + goto fatal_err; } ERR_clear_error(); /* but we keep s->verify_result */ @@ -1145,7 +1219,7 @@ ssl3_get_server_certificate(SSL *s) x = NULL; al = SSL3_AL_FATAL; SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto f_err; + goto fatal_err; } i = ssl_cert_type(x, pkey); @@ -1153,7 +1227,7 @@ ssl3_get_server_certificate(SSL *s) x = NULL; al = SSL3_AL_FATAL; SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; + goto fatal_err; } sc->peer_cert_type = i; @@ -1175,14 +1249,14 @@ ssl3_get_server_certificate(SSL *s) ret = 1; if (0) { -truncated: + decode_err: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -err: + err: EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk, X509_free); @@ -1200,7 +1274,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) long alg_a; int al; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; sc = SSI(s)->sess_cert; if ((dh = DH_new()) == NULL) { @@ -1209,21 +1283,21 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) } if (!CBS_get_u16_length_prefixed(cbs, &dhp)) - goto truncated; + goto decode_err; if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); goto err; } if (!CBS_get_u16_length_prefixed(cbs, &dhg)) - goto truncated; + goto decode_err; if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); goto err; } if (!CBS_get_u16_length_prefixed(cbs, &dhpk)) - goto truncated; + goto decode_err; if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); @@ -1240,7 +1314,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) } if (alg_a & SSL_aRSA) - *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); + *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509); else /* XXX - Anonymous DH, so no certificate or pkey. */ *pkey = NULL; @@ -1249,7 +1323,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1264,56 +1338,27 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) static int ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public) { - const EC_GROUP *group; - EC_GROUP *ngroup = NULL; - EC_POINT *point = NULL; - BN_CTX *bn_ctx = NULL; EC_KEY *ecdh = NULL; int ret = -1; - /* - * Extract the server's ephemeral ECDH public key. - */ - + /* Extract the server's ephemeral ECDH public key. */ if ((ecdh = EC_KEY_new()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - - if ((ngroup = EC_GROUP_new_by_curve_name(nid)) == NULL) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - if (EC_KEY_set_group(ecdh, ngroup) == 0) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - - group = EC_KEY_get0_group(ecdh); - - if ((point = EC_POINT_new(group)) == NULL || - (bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (EC_POINT_oct2point(group, point, CBS_data(public), - CBS_len(public), bn_ctx) == 0) { + if (!ssl_kex_peer_public_ecdhe_ecp(ecdh, nid, public)) { SSLerror(s, SSL_R_BAD_ECPOINT); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); goto err; } - EC_KEY_set_public_key(ecdh, point); + sc->peer_nid = nid; sc->peer_ecdh_tmp = ecdh; ecdh = NULL; ret = 1; err: - BN_CTX_free(bn_ctx); - EC_GROUP_free(ngroup); - EC_POINT_free(point); EC_KEY_free(ecdh); return (ret); @@ -1357,7 +1402,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) int nid; int al; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; sc = SSI(s)->sess_cert; /* Only named curves are supported. */ @@ -1366,7 +1411,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) !CBS_get_u16(cbs, &curve_id)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + goto fatal_err; } /* @@ -1376,17 +1421,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) if (tls1_check_curve(s, curve_id) != 1) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_WRONG_CURVE); - goto f_err; + goto fatal_err; } if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); - goto f_err; + goto fatal_err; } if (!CBS_get_u8_length_prefixed(cbs, &public)) - goto truncated; + goto decode_err; if (nid == NID_X25519) { if (ssl3_get_server_kex_ecdhe_ecx(s, sc, nid, &public) != 1) @@ -1402,7 +1447,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) * and ECDSA. */ if (alg_a & SSL_aRSA) - *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); + *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509); else if (alg_a & SSL_aECDSA) *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509); else @@ -1411,11 +1456,11 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1436,14 +1481,14 @@ ssl3_get_server_key_exchange(SSL *s) EVP_MD_CTX_init(&md_ctx); - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; + alg_a = S3I(s)->hs.cipher->algorithm_auth; /* * Use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped. */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, + n = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list, &ok); if (!ok) return ((int)n); @@ -1461,7 +1506,7 @@ ssl3_get_server_key_exchange(SSL *s) if (alg_k & (SSL_kDHE|SSL_kECDHE)) { SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } S3I(s)->tmp.reuse_message = 1; @@ -1496,7 +1541,7 @@ ssl3_get_server_key_exchange(SSL *s) } else if (alg_k != 0) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } param_len -= CBS_len(&cbs); @@ -1510,22 +1555,22 @@ ssl3_get_server_key_exchange(SSL *s) uint16_t sigalg_value; if (!CBS_get_u16(&cbs, &sigalg_value)) - goto truncated; + goto decode_err; if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, tls12_sigalgs_len)) == NULL) { SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } if ((md = sigalg->md()) == NULL) { SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) { SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } } else if (pkey->type == EVP_PKEY_RSA) { sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); @@ -1534,16 +1579,16 @@ ssl3_get_server_key_exchange(SSL *s) } else { SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } md = sigalg->md(); if (!CBS_get_u16_length_prefixed(&cbs, &signature)) - goto truncated; + goto decode_err; if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH); - goto f_err; + goto fatal_err; } if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey)) @@ -1565,7 +1610,7 @@ ssl3_get_server_key_exchange(SSL *s) CBS_len(&signature)) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); - goto f_err; + goto fatal_err; } } else { /* aNULL does not need public keys. */ @@ -1578,7 +1623,7 @@ ssl3_get_server_key_exchange(SSL *s) if (CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; + goto fatal_err; } EVP_PKEY_free(pkey); @@ -1586,11 +1631,11 @@ ssl3_get_server_key_exchange(SSL *s) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1604,16 +1649,15 @@ int ssl3_get_certificate_request(SSL *s) { int ok, ret = 0; - long n; + long n; uint8_t ctype_num; CBS cert_request, ctypes, rdn_list; X509_NAME *xn = NULL; const unsigned char *q; STACK_OF(X509_NAME) *ca_sk = NULL; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list, &ok); - if (!ok) return ((int)n); @@ -1636,14 +1680,14 @@ ssl3_get_certificate_request(SSL *s) } /* TLS does not like anon-DH with client cert */ - if (S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL) { + if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); goto err; } if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cert_request, s->internal->init_msg, n); if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { @@ -1653,7 +1697,7 @@ ssl3_get_certificate_request(SSL *s) /* get the certificate types */ if (!CBS_get_u8(&cert_request, &ctype_num)) - goto truncated; + goto decode_err; if (ctype_num > SSL3_CT_NUMBER) ctype_num = SSL3_CT_NUMBER; @@ -1742,10 +1786,10 @@ ssl3_get_certificate_request(SSL *s) ret = 1; if (0) { -truncated: + decode_err: SSLerror(s, SSL_R_BAD_PACKET_LENGTH); } -err: + err: X509_NAME_free(xn); sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret); @@ -1765,7 +1809,7 @@ ssl3_get_new_session_ticket(SSL *s) long n; CBS cbs, session_ticket; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, + n = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok); if (!ok) return ((int)n); @@ -1777,13 +1821,13 @@ ssl3_get_new_session_ticket(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } if (n < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } CBS_init(&cbs, s->internal->init_msg, n); @@ -1795,7 +1839,7 @@ ssl3_get_new_session_ticket(SSL *s) CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } s->session->tlsext_tick_lifetime_hint = (long)lifetime_hint; @@ -1826,9 +1870,9 @@ ssl3_get_new_session_ticket(SSL *s) EVP_sha256(), NULL); ret = 1; return (ret); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } @@ -1836,15 +1880,13 @@ int ssl3_get_cert_status(SSL *s) { CBS cert_status, response; - size_t stow_len; int ok, al; long n; uint8_t status_type; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS, 16384, &ok); - if (!ok) return ((int)n); @@ -1852,7 +1894,7 @@ ssl3_get_cert_status(SSL *s) /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } CBS_init(&cert_status, s->internal->init_msg, n); @@ -1861,30 +1903,28 @@ ssl3_get_cert_status(SSL *s) /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (status_type != TLSEXT_STATUSTYPE_ocsp) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); - goto f_err; + goto fatal_err; } if (!CBS_get_u24_length_prefixed(&cert_status, &response) || CBS_len(&cert_status) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, - &stow_len) || stow_len > INT_MAX) { - s->internal->tlsext_ocsp_resplen = 0; - al = SSL_AD_INTERNAL_ERROR; - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto f_err; - } - s->internal->tlsext_ocsp_resplen = (int)stow_len; + &s->internal->tlsext_ocsp_resp_len)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto fatal_err; + } if (s->ctx->internal->tlsext_status_cb) { int ret; @@ -1893,16 +1933,16 @@ ssl3_get_cert_status(SSL *s) if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); - goto f_err; + goto fatal_err; } if (ret < 0) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); - goto f_err; + goto fatal_err; } } return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return (-1); } @@ -1913,12 +1953,12 @@ ssl3_get_server_done(SSL *s) int ok, ret = 0; long n; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A, + n = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A, SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, 30, /* should be very small, like 0 :-) */ &ok); - if (!ok) return ((int)n); + if (n > 0) { /* should contain no data */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -1943,13 +1983,14 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1. */ - pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); + pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509); if (pkey == NULL || pkey->type != EVP_PKEY_RSA || pkey->pkey.rsa == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } + /* XXX - our max protocol version. */ pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; arc4random_buf(&pms[2], sizeof(pms) - 2); @@ -1979,7 +2020,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) ret = 1; -err: + err: explicit_bzero(pms, sizeof(pms)); EVP_PKEY_free(pkey); free(enc_pms); @@ -2042,7 +2083,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) ret = 1; -err: + err: DH_free(dh_clnt); freezero(key, key_size); @@ -2052,87 +2093,37 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) static int ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) { - const EC_GROUP *group = NULL; - const EC_POINT *point = NULL; EC_KEY *ecdh = NULL; - BN_CTX *bn_ctx = NULL; - unsigned char *key = NULL; - unsigned char *data; - size_t encoded_len; - int key_size = 0, key_len; + uint8_t *key = NULL; + size_t key_len = 0; int ret = -1; CBB ecpoint; - if ((group = EC_KEY_get0_group(sc->peer_ecdh_tmp)) == NULL || - (point = EC_KEY_get0_public_key(sc->peer_ecdh_tmp)) == NULL) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - if ((ecdh = EC_KEY_new()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - if (!EC_KEY_set_group(ecdh, group)) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - - /* Generate a new ECDH key pair. */ - if (!EC_KEY_generate_key(ecdh)) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((key_size = ECDH_size(ecdh)) <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((key = malloc(key_size)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - key_len = ECDH_compute_key(key, key_size, point, ecdh, NULL); - if (key_len <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - - /* Generate master key from the result. */ - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, key, key_len); - - encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh), - POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); - if (encoded_len == 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + if (!ssl_kex_generate_ecdhe_ecp(ecdh, sc->peer_nid)) goto err; - } - /* Encode the public key. */ + /* Encode our public key. */ if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) goto err; - if (!CBB_add_space(&ecpoint, &data, encoded_len)) - goto err; - if (EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh), - POINT_CONVERSION_UNCOMPRESSED, data, encoded_len, - bn_ctx) == 0) + if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint)) goto err; if (!CBB_flush(cbb)) goto err; + if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len)) + goto err; + s->session->master_key_length = tls1_generate_master_secret(s, + s->session->master_key, key, key_len); + ret = 1; err: - freezero(key, key_size); - - BN_CTX_free(bn_ctx); + freezero(key, key_len); EC_KEY_free(ecdh); return (ret); @@ -2257,7 +2248,8 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) goto err; } - if (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_GOST94) + /* XXX check handshake hash instead. */ + if (S3I(s)->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) nid = NID_id_GostR3411_94; else nid = NID_id_tc26_gost3411_2012_256; @@ -2320,7 +2312,7 @@ ssl3_send_client_key_exchange(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_CW_KEY_EXCH_A) { - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if ((sess_cert = SSI(s)->sess_cert) == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, @@ -2361,7 +2353,7 @@ ssl3_send_client_key_exchange(SSL *s) /* SSL3_ST_CW_KEY_EXCH_B */ return (ssl3_handshake_write(s)); -err: + err: CBB_cleanup(&cbb); return (-1); @@ -2401,6 +2393,12 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify) SSLerror(s, ERR_R_EVP_LIB); goto err; } + if (sigalg->key_type == EVP_PKEY_GOSTR01 && + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { @@ -2661,8 +2659,8 @@ ssl3_send_client_certificate(SSL *s) if (S3I(s)->hs.state == SSL3_ST_CW_CERT_B) { /* * If we get an error, we need to - * ssl->rwstate=SSL_X509_LOOKUP; return(-1); - * We then get retied later + * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1); + * We then get retried later. */ i = ssl_do_client_cert_cb(s, &x509, &pkey); if (i < 0) { @@ -2726,8 +2724,8 @@ ssl3_check_cert_and_algorithm(SSL *s) SESS_CERT *sc; DH *dh; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; + alg_a = S3I(s)->hs.cipher->algorithm_auth; /* We don't have a certificate. */ if (alg_a & SSL_aNULL) @@ -2748,7 +2746,7 @@ ssl3_check_cert_and_algorithm(SSL *s) sc->peer_pkeys[idx].x509, s) == 0) { /* check failed */ SSLerror(s, SSL_R_BAD_ECC_CERT); - goto f_err; + goto fatal_err; } else { return (1); } @@ -2760,22 +2758,22 @@ ssl3_check_cert_and_algorithm(SSL *s) /* Check that we have a certificate if we require one. */ if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT); - goto f_err; + goto fatal_err; } if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT); - goto f_err; + goto fatal_err; } if ((alg_k & SSL_kDHE) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerror(s, SSL_R_MISSING_DH_KEY); - goto f_err; + goto fatal_err; } return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); -err: + err: return (0); } @@ -2796,10 +2794,11 @@ ssl3_check_finished(SSL *s) return (1); /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok); if (!ok) return ((int)n); + S3I(s)->tmp.reuse_message = 1; if ((S3I(s)->tmp.message_type == SSL3_MT_FINISHED) || (S3I(s)->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 250a9eef..cbc28982 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.36 2018/03/20 15:28:12 tb Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.37 2020/01/21 05:19:02 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -462,7 +462,8 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) , "wrong version number"}, {ERR_REASON(SSL_R_X509_LIB) , "x509 lib"}, {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "x509 verification setup problems"}, - {ERR_REASON(SSL_R_PEER_BEHAVING_BADLY) ,"peer is doing strange or hostile things"}, + {ERR_REASON(SSL_R_PEER_BEHAVING_BADLY), "peer is doing strange or hostile things"}, + {ERR_REASON(SSL_R_UNKNOWN), "unknown failure occurred"}, {0, NULL} }; diff --git a/ssl/ssl_kex.c b/ssl/ssl_kex.c new file mode 100644 index 00000000..9f05fd60 --- /dev/null +++ b/ssl/ssl_kex.c @@ -0,0 +1,182 @@ +/* $OpenBSD: ssl_kex.c,v 1.2 2020/04/18 14:07:56 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include +#include + +#include "bytestring.h" + +int +ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey) +{ + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + EC_KEY *ec_key = NULL; + BIGNUM *order = NULL; + int ret = 0; + + /* Fudge up an EC_KEY that looks like X25519... */ + if ((group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) + goto err; + if ((point = EC_POINT_new(group)) == NULL) + goto err; + if ((order = BN_new()) == NULL) + goto err; + if (!BN_set_bit(order, 252)) + goto err; + if (!EC_GROUP_set_generator(group, point, order, NULL)) + goto err; + EC_GROUP_set_curve_name(group, NID_X25519); + if ((ec_key = EC_KEY_new()) == NULL) + goto err; + if (!EC_KEY_set_group(ec_key, group)) + goto err; + if (!EVP_PKEY_set1_EC_KEY(pkey, ec_key)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + EC_POINT_free(point); + EC_KEY_free(ec_key); + BN_free(order); + + return ret; +} + +int +ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid) +{ + EC_GROUP *group; + int ret = 0; + + if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) + goto err; + + if (!EC_KEY_set_group(ecdh, group)) + goto err; + if (!EC_KEY_generate_key(ecdh)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + + return ret; +} + +int +ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb) +{ + const EC_GROUP *group; + const EC_POINT *point; + uint8_t *ecp; + size_t ecp_len; + int ret = 0; + + if ((group = EC_KEY_get0_group(ecdh)) == NULL) + goto err; + if ((point = EC_KEY_get0_public_key(ecdh)) == NULL) + goto err; + + if ((ecp_len = EC_POINT_point2oct(group, point, + POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL)) == 0) + goto err; + if (!CBB_add_space(cbb, &ecp, ecp_len)) + goto err; + if ((EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, + ecp, ecp_len, NULL)) == 0) + goto err; + + ret = 1; + + err: + return ret; +} + +int +ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs) +{ + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + int ret = 0; + + if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) + goto err; + + if (!EC_KEY_set_group(ecdh, group)) + goto err; + + if ((point = EC_POINT_new(group)) == NULL) + goto err; + if (EC_POINT_oct2point(group, point, CBS_data(cbs), CBS_len(cbs), + NULL) == 0) + goto err; + if (!EC_KEY_set_public_key(ecdh, point)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + EC_POINT_free(point); + + return ret; +} + +int +ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer, + uint8_t **shared_key, size_t *shared_key_len) +{ + const EC_POINT *point; + uint8_t *sk = NULL; + int sk_len = 0; + int ret = 0; + + if (!EC_GROUP_check(EC_KEY_get0_group(ecdh), NULL)) + goto err; + if (!EC_GROUP_check(EC_KEY_get0_group(ecdh_peer), NULL)) + goto err; + + if ((point = EC_KEY_get0_public_key(ecdh_peer)) == NULL) + goto err; + + if ((sk_len = ECDH_size(ecdh)) <= 0) + goto err; + if ((sk = calloc(1, sk_len)) == NULL) + goto err; + + if (ECDH_compute_key(sk, sk_len, point, ecdh, NULL) <= 0) + goto err; + + *shared_key = sk; + *shared_key_len = sk_len; + sk = NULL; + + ret = 1; + + err: + freezero(sk, sk_len); + + return ret; +} diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index bf370cbf..44cc1ed3 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.205 2019/05/15 09:13:16 bcook Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.255 2021/03/29 16:57:38 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -140,6 +140,10 @@ * OTHERWISE. */ +#include +#include +#include + #include #include "ssl_locl.h" @@ -182,15 +186,15 @@ SSL_clear(SSL *s) return (0); } - s->internal->type = 0; - s->version = s->method->internal->version; s->client_version = s->version; s->internal->rwstate = SSL_NOTHING; s->internal->rstate = SSL_ST_READ_HEADER; - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; + tls13_ctx_free(s->internal->tls13); + s->internal->tls13 = NULL; + + ssl3_release_init_buffer(s); ssl_clear_cipher_state(s); @@ -209,8 +213,6 @@ SSL_clear(SSL *s) } else s->method->internal->ssl_clear(s); - S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); - return (1); } @@ -218,13 +220,13 @@ SSL_clear(SSL *s) int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) { - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers; ctx->method = meth; - sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), - &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, + ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST); + if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return (0); } @@ -234,7 +236,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) SSL * SSL_new(SSL_CTX *ctx) { - SSL *s; + SSL *s; if (ctx == NULL) { SSLerrorx(SSL_R_NULL_SSL_CTX); @@ -245,18 +247,15 @@ SSL_new(SSL_CTX *ctx) return (NULL); } - if ((s = calloc(1, sizeof(*s))) == NULL) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (NULL); - } - if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) { - free(s); - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (NULL); - } + if ((s = calloc(1, sizeof(*s))) == NULL) + goto err; + if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) + goto err; - s->internal->min_version = ctx->internal->min_version; - s->internal->max_version = ctx->internal->max_version; + s->internal->min_tls_version = ctx->internal->min_tls_version; + s->internal->max_tls_version = ctx->internal->max_tls_version; + s->internal->min_proto_version = ctx->internal->min_proto_version; + s->internal->max_proto_version = ctx->internal->max_proto_version; s->internal->options = ctx->internal->options; s->internal->mode = ctx->internal->mode; @@ -292,7 +291,7 @@ SSL_new(SSL_CTX *ctx) s->internal->tlsext_ocsp_ids = NULL; s->internal->tlsext_ocsp_exts = NULL; s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resplen = -1; + s->internal->tlsext_ocsp_resp_len = 0; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; @@ -342,8 +341,11 @@ SSL_new(SSL_CTX *ctx) if (!s->method->internal->ssl_new(s)) goto err; + if ((s->internal->rl = tls12_record_layer_new()) == NULL) + goto err; + s->references = 1; - s->server = (ctx->method->internal->ssl_accept == ssl_undefined_function) ? 0 : 1; + s->server = ctx->method->internal->server; SSL_clear(s); @@ -456,7 +458,27 @@ SSL_set_trust(SSL *s, int trust) int SSL_set1_host(SSL *s, const char *hostname) { - return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); + struct in_addr ina; + struct in6_addr in6a; + + if (hostname != NULL && *hostname != '\0' && + (inet_pton(AF_INET, hostname, &ina) == 1 || + inet_pton(AF_INET6, hostname, &in6a) == 1)) + return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname); + else + return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); +} + +void +SSL_set_hostflags(SSL *s, unsigned int flags) +{ + X509_VERIFY_PARAM_set_hostflags(s->param, flags); +} + +const char * +SSL_get0_peername(SSL *s) +{ + return X509_VERIFY_PARAM_get0_peername(s->param); } X509_VERIFY_PARAM * @@ -512,11 +534,12 @@ SSL_free(SSL *s) BIO_free_all(s->rbio); BIO_free_all(s->wbio); - BUF_MEM_free(s->internal->init_buf); + tls13_ctx_free(s->internal->tls13); + + ssl3_release_init_buffer(s); - /* add extra stuff */ sk_SSL_CIPHER_free(s->cipher_list); - sk_SSL_CIPHER_free(s->internal->cipher_list_by_id); + sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); /* Make the next call work :-) */ if (s->session != NULL) { @@ -552,6 +575,8 @@ SSL_free(SSL *s) sk_SRTP_PROTECTION_PROFILE_free(s->internal->srtp_profiles); #endif + tls12_record_layer_free(s->internal->rl); + free(s->internal); free(s); } @@ -698,10 +723,10 @@ SSL_get_finished(const SSL *s, void *buf, size_t count) { size_t ret; - ret = S3I(s)->tmp.finish_md_len; + ret = S3I(s)->hs.finished_len; if (count > ret) count = ret; - memcpy(buf, S3I(s)->tmp.finish_md, count); + memcpy(buf, S3I(s)->hs.finished, count); return (ret); } @@ -711,10 +736,10 @@ SSL_get_peer_finished(const SSL *s, void *buf, size_t count) { size_t ret; - ret = S3I(s)->tmp.peer_finish_md_len; + ret = S3I(s)->hs.peer_finished_len; if (count > ret) count = ret; - memcpy(buf, S3I(s)->tmp.peer_finish_md, count); + memcpy(buf, S3I(s)->hs.peer_finished, count); return (ret); } @@ -785,15 +810,7 @@ SSL_get_read_ahead(const SSL *s) int SSL_pending(const SSL *s) { - /* - * SSL_pending cannot work properly if read-ahead is enabled - * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), - * and it is impossible to fix since SSL_pending cannot report - * errors that may be observed while scanning the new data. - * (Note that SSL_pending() is often used as a boolean value, - * so we'd better not return -1.) - */ - return (ssl3_pending(s)); + return (s->method->internal->ssl_pending(s)); } X509 * @@ -927,16 +944,32 @@ SSL_connect(SSL *s) return (s->method->internal->ssl_connect(s)); } +int +SSL_is_dtls(const SSL *s) +{ + return s->method->internal->dtls; +} + int SSL_is_server(const SSL *s) { return s->server; } +static long +ssl_get_default_timeout() +{ + /* + * 2 hours, the 24 hours mentioned in the TLSv1 spec + * is way too long for http, the cache would over fill. + */ + return (2 * 60 * 60); +} + long SSL_get_default_timeout(const SSL *s) { - return (s->method->internal->get_timeout()); + return (ssl_get_default_timeout()); } int @@ -984,6 +1017,57 @@ SSL_write(SSL *s, const void *buf, int num) return ssl3_write(s, buf, num); } +uint32_t +SSL_CTX_get_max_early_data(const SSL_CTX *ctx) +{ + return 0; +} + +int +SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) +{ + return 1; +} + +uint32_t +SSL_get_max_early_data(const SSL *s) +{ + return 0; +} + +int +SSL_set_max_early_data(SSL *s, uint32_t max_early_data) +{ + return 1; +} + +int +SSL_get_early_data_status(const SSL *s) +{ + return SSL_EARLY_DATA_REJECTED; +} + +int +SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) +{ + *readbytes = 0; + + if (!s->server) { + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; + } + + return SSL_READ_EARLY_DATA_FINISH; +} + +int +SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) +{ + *written = 0; + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; +} + int SSL_shutdown(SSL *s) { @@ -1000,7 +1084,7 @@ SSL_shutdown(SSL *s) } if (s != NULL && !SSL_in_init(s)) - return (ssl3_shutdown(s)); + return (s->method->internal->ssl_shutdown(s)); return (1); } @@ -1073,7 +1157,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) if (larg < (long)dtls1_min_mtu()) return (0); #endif - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { D1I(s)->mtu = larg; return (larg); } @@ -1088,7 +1172,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return (S3I(s)->send_connection_binding); else return (0); default: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return dtls1_ctrl(s, cmd, larg, parg); return ssl3_ctrl(s, cmd, larg, parg); } @@ -1221,34 +1305,15 @@ ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) return ((l > 0) ? 1:-1); } -int -ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, - const SSL_CIPHER * const *bp) -{ - long l; - - l = (*ap)->id - (*bp)->id; - if (l == 0L) - return (0); - else - return ((l > 0) ? 1:-1); -} - -/* - * Return a STACK of the ciphers available for the SSL and in order of - * preference. - */ STACK_OF(SSL_CIPHER) * SSL_get_ciphers(const SSL *s) { - if (s != NULL) { - if (s->cipher_list != NULL) { - return (s->cipher_list); - } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { - return (s->ctx->cipher_list); - } - } - return (NULL); + if (s == NULL) + return (NULL); + if (s->cipher_list != NULL) + return (s->cipher_list); + + return (s->ctx->cipher_list); } STACK_OF(SSL_CIPHER) * @@ -1269,7 +1334,7 @@ SSL_get1_supported_ciphers(SSL *s) if (s == NULL) return NULL; - if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers)) return NULL; if ((ciphers = SSL_get_ciphers(s)) == NULL) return NULL; @@ -1279,7 +1344,8 @@ SSL_get1_supported_ciphers(SSL *s) for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) goto err; - if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers)) + if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, + max_vers)) continue; if (!sk_SSL_CIPHER_push(supported_ciphers, cipher)) goto err; @@ -1293,24 +1359,6 @@ SSL_get1_supported_ciphers(SSL *s) return NULL; } -/* - * Return a STACK of the ciphers available for the SSL and in order of - * algorithm id. - */ -STACK_OF(SSL_CIPHER) * -ssl_get_ciphers_by_id(SSL *s) -{ - if (s != NULL) { - if (s->internal->cipher_list_by_id != NULL) { - return (s->internal->cipher_list_by_id); - } else if ((s->ctx != NULL) && - (s->ctx->internal->cipher_list_by_id != NULL)) { - return (s->ctx->internal->cipher_list_by_id); - } - } - return (NULL); -} - /* See if we have any ECC cipher suites. */ int ssl_has_ecc_ciphers(SSL *s) @@ -1320,8 +1368,6 @@ ssl_has_ecc_ciphers(SSL *s) SSL_CIPHER *cipher; int i; - if (s->version == DTLS1_VERSION) - return 0; if ((ciphers = SSL_get_ciphers(s)) == NULL) return 0; @@ -1342,23 +1388,22 @@ ssl_has_ecc_ciphers(SSL *s) const char * SSL_get_cipher_list(const SSL *s, int n) { - SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers; + const SSL_CIPHER *cipher; - if (s == NULL) + if ((ciphers = SSL_get_ciphers(s)) == NULL) return (NULL); - sk = SSL_get_ciphers(s); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) + if ((cipher = sk_SSL_CIPHER_value(ciphers, n)) == NULL) return (NULL); - c = sk_SSL_CIPHER_value(sk, n); - if (c == NULL) - return (NULL); - return (c->name); + + return (cipher->name); } STACK_OF(SSL_CIPHER) * SSL_CTX_get_ciphers(const SSL_CTX *ctx) { + if (ctx == NULL) + return NULL; return ctx->cipher_list; } @@ -1366,68 +1411,109 @@ SSL_CTX_get_ciphers(const SSL_CTX *ctx) int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers; - sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - &ctx->internal->cipher_list_by_id, str); /* - * ssl_create_cipher_list may return an empty stack if it - * was unable to find a cipher matching the given rule string - * (for example if the rule string specifies a cipher which - * has been disabled). This is not an error as far as - * ssl_create_cipher_list is concerned, and hence - * ctx->cipher_list and ctx->internal->cipher_list_by_id has been - * updated. + * ssl_create_cipher_list may return an empty stack if it was unable to + * find a cipher matching the given rule string (for example if the + * rule string specifies a cipher which has been disabled). This is not + * an error as far as ssl_create_cipher_list is concerned, and hence + * ctx->cipher_list has been updated. */ - if (sk == NULL) + ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, + ctx->internal->cipher_list_tls13, str); + if (ciphers == NULL) { return (0); - else if (sk_SSL_CIPHER_num(sk) == 0) { + } else if (sk_SSL_CIPHER_num(ciphers) == 0) { SSLerrorx(SSL_R_NO_CIPHER_MATCH); return (0); } return (1); } +int +SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) +{ + if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { + SSLerrorx(SSL_R_NO_CIPHER_MATCH); + return 0; + } + if (!ssl_merge_cipherlists(ctx->cipher_list, + ctx->internal->cipher_list_tls13, &ctx->cipher_list)) + return 0; + + return 1; +} + /* Specify the ciphers to be used by the SSL. */ int SSL_set_cipher_list(SSL *s, const char *str) { - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; + + if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) + ciphers_tls13 = s->ctx->internal->cipher_list_tls13; - sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, - &s->internal->cipher_list_by_id, str); - /* see comment in SSL_CTX_set_cipher_list */ - if (sk == NULL) + /* See comment in SSL_CTX_set_cipher_list. */ + ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, + ciphers_tls13, str); + if (ciphers == NULL) { return (0); - else if (sk_SSL_CIPHER_num(sk) == 0) { + } else if (sk_SSL_CIPHER_num(ciphers) == 0) { SSLerror(s, SSL_R_NO_CIPHER_MATCH); return (0); } return (1); } -/* works well for SSLv2, not so good for SSLv3 */ +int +SSL_set_ciphersuites(SSL *s, const char *str) +{ + STACK_OF(SSL_CIPHER) *ciphers; + + if ((ciphers = s->cipher_list) == NULL) + ciphers = s->ctx->cipher_list; + + if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { + SSLerrorx(SSL_R_NO_CIPHER_MATCH); + return (0); + } + if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, + &s->cipher_list)) + return 0; + + return 1; +} + char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { - char *end; - STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *c; - size_t curlen = 0; - int i; + STACK_OF(SSL_CIPHER) *client_ciphers, *server_ciphers; + const SSL_CIPHER *cipher; + size_t curlen = 0; + char *end; + int i; - if (s->session == NULL || s->session->ciphers == NULL || len < 2) - return (NULL); + if (!s->server || s->session == NULL || len < 2) + return NULL; - sk = s->session->ciphers; - if (sk_SSL_CIPHER_num(sk) == 0) - return (NULL); + if ((client_ciphers = s->session->ciphers) == NULL) + return NULL; + if ((server_ciphers = SSL_get_ciphers(s)) == NULL) + return NULL; + if (sk_SSL_CIPHER_num(client_ciphers) == 0 || + sk_SSL_CIPHER_num(server_ciphers) == 0) + return NULL; buf[0] = '\0'; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { - c = sk_SSL_CIPHER_value(sk, i); + for (i = 0; i < sk_SSL_CIPHER_num(client_ciphers); i++) { + cipher = sk_SSL_CIPHER_value(client_ciphers, i); + + if (sk_SSL_CIPHER_find(server_ciphers, cipher) < 0) + continue; + end = buf + curlen; - if (strlcat(buf, c->name, len) >= len || + if (strlcat(buf, cipher->name, len) >= len || (curlen = strlcat(buf, ":", len)) >= len) { /* remove truncated cipher from list */ *end = '\0'; @@ -1437,7 +1523,7 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len) /* remove trailing colon */ if ((end = strrchr(buf, ':')) != NULL) *end = '\0'; - return (buf); + return buf; } /* @@ -1512,7 +1598,7 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen, result = client; status = OPENSSL_NPN_NO_OVERLAP; -found: + found: *out = (unsigned char *) result + 1; *outlen = result[0]; return (status); @@ -1521,7 +1607,7 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen, /* SSL_get0_next_proto_negotiated is deprecated. */ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len) + unsigned int *len) { *data = NULL; *len = 0; @@ -1628,11 +1714,8 @@ SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, */ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, - unsigned *len) + unsigned int *len) { - *data = NULL; - *len = 0; - *data = ssl->s3->internal->alpn_selected; *len = ssl->s3->internal->alpn_selected_len; } @@ -1642,8 +1725,17 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, const unsigned char *p, size_t plen, int use_context) { - return (tls1_export_keying_material(s, out, olen, - label, llen, p, plen, use_context)); + if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) { + if (!use_context) { + p = NULL; + plen = 0; + } + return tls13_exporter(s->internal->tls13, label, llen, p, plen, + out, olen); + } + + return (tls1_export_keying_material(s, out, olen, label, llen, p, plen, + use_context)); } static unsigned long @@ -1732,8 +1824,11 @@ SSL_CTX_new(const SSL_METHOD *meth) } ret->method = meth; - ret->internal->min_version = meth->internal->min_version; - ret->internal->max_version = meth->internal->max_version; + ret->internal->min_tls_version = meth->internal->min_tls_version; + ret->internal->max_tls_version = meth->internal->max_tls_version; + ret->internal->min_proto_version = 0; + ret->internal->max_proto_version = 0; + ret->internal->mode = SSL_MODE_AUTO_RETRY; ret->cert_store = NULL; ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER; @@ -1742,7 +1837,7 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->internal->session_cache_tail = NULL; /* We take the system default */ - ret->session_timeout = meth->internal->get_timeout(); + ret->session_timeout = ssl_get_default_timeout(); ret->internal->new_session_cb = 0; ret->internal->remove_session_cb = 0; @@ -1784,7 +1879,7 @@ SSL_CTX_new(const SSL_METHOD *meth) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list, - &ret->internal->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); + NULL, SSL_DEFAULT_CIPHER_LIST); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); @@ -1842,9 +1937,9 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT; return (ret); -err: + err: SSLerrorx(ERR_R_MALLOC_FAILURE); -err2: + err2: SSL_CTX_free(ret); return (NULL); } @@ -1881,7 +1976,7 @@ SSL_CTX_free(SSL_CTX *ctx) X509_STORE_free(ctx->cert_store); sk_SSL_CIPHER_free(ctx->cipher_list); - sk_SSL_CIPHER_free(ctx->internal->cipher_list_by_id); + sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); ssl_cert_free(ctx->internal->cert); sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); sk_X509_pop_free(ctx->extra_certs, X509_free); @@ -1936,8 +2031,8 @@ SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) } void -SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, - void *), void *arg) +SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, + int (*cb)(X509_STORE_CTX *, void *), void *arg) { ctx->internal->app_verify_callback = cb; ctx->internal->app_verify_arg = arg; @@ -1956,66 +2051,50 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) X509_VERIFY_PARAM_set_depth(ctx->param, depth); } +static int +ssl_cert_can_sign(X509 *x) +{ + /* This call populates extension flags (ex_flags). */ + X509_check_purpose(x, -1, 0); + + /* Key usage, if present, must allow signing. */ + return ((x->ex_flags & EXFLAG_KUSAGE) == 0 || + (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)); +} + void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { - int rsa_enc, rsa_sign, dh_tmp; - int have_ecc_cert; - unsigned long mask_k, mask_a; - X509 *x = NULL; - CERT_PKEY *cpk; + unsigned long mask_a, mask_k; + CERT_PKEY *cpk; if (c == NULL) return; - dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || - c->dh_tmp_auto != 0); + mask_a = SSL_aNULL | SSL_aTLS1_3; + mask_k = SSL_kECDHE | SSL_kTLS1_3; - cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_ECC]); - have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); + if (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto != 0) + mask_k |= SSL_kDHE; - mask_k = 0; - mask_a = 0; + cpk = &(c->pkeys[SSL_PKEY_ECC]); + if (cpk->x509 != NULL && cpk->privatekey != NULL) { + if (ssl_cert_can_sign(cpk->x509)) + mask_a |= SSL_aECDSA; + } cpk = &(c->pkeys[SSL_PKEY_GOST01]); - if (cpk->x509 != NULL && cpk->privatekey !=NULL) { + if (cpk->x509 != NULL && cpk->privatekey != NULL) { mask_k |= SSL_kGOST; mask_a |= SSL_aGOST01; } - if (rsa_enc) - mask_k |= SSL_kRSA; - - if (dh_tmp) - mask_k |= SSL_kDHE; - - if (rsa_enc || rsa_sign) + cpk = &(c->pkeys[SSL_PKEY_RSA]); + if (cpk->x509 != NULL && cpk->privatekey != NULL) { mask_a |= SSL_aRSA; - - mask_a |= SSL_aNULL; - - /* - * An ECC certificate may be usable for ECDH and/or - * ECDSA cipher suites depending on the key usage extension. - */ - if (have_ecc_cert) { - x = (c->pkeys[SSL_PKEY_ECC]).x509; - - /* This call populates extension flags (ex_flags). */ - X509_check_purpose(x, -1, 0); - - /* Key usage, if present, must allow signing. */ - if ((x->ex_flags & EXFLAG_KUSAGE) == 0 || - (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) - mask_a |= SSL_aECDSA; + mask_k |= SSL_kRSA; } - mask_k |= SSL_kECDHE; - c->mask_k = mask_k; c->mask_a = mask_a; c->valid = 1; @@ -2027,8 +2106,8 @@ ssl_using_ecc_cipher(SSL *s) { unsigned long alg_a, alg_k; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_a = S3I(s)->hs.cipher->algorithm_auth; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; return SSI(s)->tlsext_ecpointformatlist != NULL && SSI(s)->tlsext_ecpointformatlist_length > 0 && @@ -2038,7 +2117,7 @@ ssl_using_ecc_cipher(SSL *s) int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { - const SSL_CIPHER *cs = S3I(s)->hs.new_cipher; + const SSL_CIPHER *cs = S3I(s)->hs.cipher; unsigned long alg_a; alg_a = cs->algorithm_auth; @@ -2066,17 +2145,14 @@ ssl_get_server_send_pkey(const SSL *s) int i; c = s->cert; - ssl_set_cert_masks(c, S3I(s)->hs.new_cipher); + ssl_set_cert_masks(c, S3I(s)->hs.cipher); - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; if (alg_a & SSL_aECDSA) { i = SSL_PKEY_ECC; } else if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) - i = SSL_PKEY_RSA_SIGN; - else - i = SSL_PKEY_RSA_ENC; + i = SSL_PKEY_RSA; } else if (alg_a & SSL_aGOST01) { i = SSL_PKEY_GOST01; } else { /* if (alg_a & SSL_aNULL) */ @@ -2101,10 +2177,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd, c = s->cert; if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) - idx = SSL_PKEY_RSA_SIGN; - else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) - idx = SSL_PKEY_RSA_ENC; + idx = SSL_PKEY_RSA; } else if ((alg_a & SSL_aECDSA) && (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) idx = SSL_PKEY_ECC; @@ -2133,9 +2206,9 @@ ssl_get_auto_dh(SSL *s) if (s->cert->dh_tmp_auto == 2) { keylen = 1024; - } else if (S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL) { + } else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) { keylen = 1024; - if (S3I(s)->hs.new_cipher->strength_bits == 256) + if (S3I(s)->hs.cipher->strength_bits == 256) keylen = 3072; } else { if ((cpk = ssl_get_server_send_pkey(s)) == NULL) @@ -2211,28 +2284,28 @@ SSL_get_ssl_method(SSL *s) } int -SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) +SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) { - int conn = -1; - int ret = 1; + int (*handshake_func)(SSL *) = NULL; + int ret = 1; - if (s->method != meth) { - if (s->internal->handshake_func != NULL) - conn = (s->internal->handshake_func == s->method->internal->ssl_connect); + if (s->method == method) + return (ret); - if (s->method->internal->version == meth->internal->version) - s->method = meth; - else { - s->method->internal->ssl_free(s); - s->method = meth; - ret = s->method->internal->ssl_new(s); - } + if (s->internal->handshake_func == s->method->internal->ssl_connect) + handshake_func = method->internal->ssl_connect; + else if (s->internal->handshake_func == s->method->internal->ssl_accept) + handshake_func = method->internal->ssl_accept; - if (conn == 1) - s->internal->handshake_func = meth->internal->ssl_connect; - else if (conn == 0) - s->internal->handshake_func = meth->internal->ssl_accept; + if (s->method->internal->version == method->internal->version) { + s->method = method; + } else { + s->method->internal->ssl_free(s); + s->method = method; + ret = s->method->internal->ssl_new(s); } + s->internal->handshake_func = handshake_func; + return (ret); } @@ -2309,7 +2382,7 @@ SSL_get_error(const SSL *s, int i) if (i == 0) { if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) && (S3I(s)->warn_alert == SSL_AD_CLOSE_NOTIFY)) - return (SSL_ERROR_ZERO_RETURN); + return (SSL_ERROR_ZERO_RETURN); } return (SSL_ERROR_SYSCALL); } @@ -2381,8 +2454,6 @@ const char * ssl_version_string(int ver) { switch (ver) { - case DTLS1_VERSION: - return (SSL_TXT_DTLS1); case TLS1_VERSION: return (SSL_TXT_TLSV1); case TLS1_1_VERSION: @@ -2391,6 +2462,10 @@ ssl_version_string(int ver) return (SSL_TXT_TLSV1_2); case TLS1_3_VERSION: return (SSL_TXT_TLSV1_3); + case DTLS1_VERSION: + return (SSL_TXT_DTLS1); + case DTLS1_2_VERSION: + return (SSL_TXT_DTLS1_2); default: return ("unknown"); } @@ -2414,7 +2489,6 @@ SSL_dup(SSL *s) goto err; ret->version = s->version; - ret->internal->type = s->internal->type; ret->method = s->method; if (s->session != NULL) { @@ -2495,15 +2569,14 @@ SSL_dup(SSL *s) X509_VERIFY_PARAM_inherit(ret->param, s->param); - /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) { if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) goto err; } - if (s->internal->cipher_list_by_id != NULL) { - if ((ret->internal->cipher_list_by_id = - sk_SSL_CIPHER_dup(s->internal->cipher_list_by_id)) == NULL) + if (s->internal->cipher_list_tls13 != NULL) { + if ((ret->internal->cipher_list_tls13 = + sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) goto err; } @@ -2537,31 +2610,15 @@ ssl_clear_cipher_state(SSL *s) void ssl_clear_cipher_read_state(SSL *s) { - EVP_CIPHER_CTX_free(s->enc_read_ctx); - s->enc_read_ctx = NULL; - EVP_MD_CTX_free(s->read_hash); - s->read_hash = NULL; - - if (s->internal->aead_read_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->internal->aead_read_ctx->ctx); - free(s->internal->aead_read_ctx); - s->internal->aead_read_ctx = NULL; - } + tls12_record_layer_clear_read_state(s->internal->rl); + tls12_record_layer_read_cipher_hash(s->internal->rl, + &s->enc_read_ctx, &s->read_hash); } void ssl_clear_cipher_write_state(SSL *s) { - EVP_CIPHER_CTX_free(s->internal->enc_write_ctx); - s->internal->enc_write_ctx = NULL; - EVP_MD_CTX_free(s->internal->write_hash); - s->internal->write_hash = NULL; - - if (s->internal->aead_write_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->internal->aead_write_ctx->ctx); - free(s->internal->aead_write_ctx); - s->internal->aead_write_ctx = NULL; - } + tls12_record_layer_clear_write_state(s->internal->rl); } /* Fix this function so that it takes an optional type parameter */ @@ -2728,17 +2785,22 @@ SSL_get_SSL_CTX(const SSL *ssl) SSL_CTX * SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) { - if (ssl->ctx == ctx) - return (ssl->ctx); + CERT *new_cert; + if (ctx == NULL) ctx = ssl->initial_ctx; + if (ssl->ctx == ctx) + return (ssl->ctx); + if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL) + return NULL; ssl_cert_free(ssl->cert); - ssl->cert = ssl_cert_dup(ctx->internal->cert); + ssl->cert = new_cert; - CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); + SSL_CTX_up_ref(ctx); SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; + return (ssl->ctx); } @@ -2944,52 +3006,56 @@ SSL_cache_hit(SSL *s) int SSL_CTX_get_min_proto_version(SSL_CTX *ctx) { - return ctx->internal->min_version; + return ctx->internal->min_proto_version; } int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_min(ctx->method, version, - ctx->internal->max_version, &ctx->internal->min_version); + ctx->internal->max_tls_version, &ctx->internal->min_tls_version, + &ctx->internal->min_proto_version); } int SSL_CTX_get_max_proto_version(SSL_CTX *ctx) { - return ctx->internal->max_version; + return ctx->internal->max_proto_version; } int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_max(ctx->method, version, - ctx->internal->min_version, &ctx->internal->max_version); + ctx->internal->min_tls_version, &ctx->internal->max_tls_version, + &ctx->internal->max_proto_version); } int SSL_get_min_proto_version(SSL *ssl) { - return ssl->internal->min_version; + return ssl->internal->min_proto_version; } int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_min(ssl->method, version, - ssl->internal->max_version, &ssl->internal->min_version); + ssl->internal->max_tls_version, &ssl->internal->min_tls_version, + &ssl->internal->min_proto_version); } int SSL_get_max_proto_version(SSL *ssl) { - return ssl->internal->max_version; + return ssl->internal->max_proto_version; } int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_max(ssl->method, version, - ssl->internal->min_version, &ssl->internal->max_version); + ssl->internal->min_tls_version, &ssl->internal->max_tls_version, + &ssl->internal->max_proto_version); } static int diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index c3c762a5..3339c573 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.247 2019/04/22 15:12:20 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.333 2021/03/29 16:46:09 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -169,22 +169,21 @@ __BEGIN_HIDDEN_DECLS #define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ __attribute__((__unused__)) -#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) +#ifndef LIBRESSL_HAS_DTLS1_2 +#define LIBRESSL_HAS_DTLS1_2 +#endif + +#ifndef LIBRESSL_HAS_TLS1_3_CLIENT +#define LIBRESSL_HAS_TLS1_3_CLIENT +#endif -#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ - *((c)++)=(unsigned char)(((l)>>48)&0xff), \ - *((c)++)=(unsigned char)(((l)>>40)&0xff), \ - *((c)++)=(unsigned char)(((l)>>32)&0xff), \ - *((c)++)=(unsigned char)(((l)>>24)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) +#ifndef LIBRESSL_HAS_TLS1_3_SERVER +#define LIBRESSL_HAS_TLS1_3_SERVER +#endif -#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ - c[1]=(unsigned char)(((s) )&0xff)),c+=2) +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) || defined(LIBRESSL_HAS_TLS1_3_SERVER) +#define LIBRESSL_HAS_TLS1_3 +#endif /* LOCAL STUFF */ @@ -318,28 +317,26 @@ __BEGIN_HIDDEN_DECLS */ #define SSL_C_PKEYLENGTH(c) 1024 -/* Check if an SSL structure is using DTLS. */ -#define SSL_IS_DTLS(s) \ - (s->method->internal->version == DTLS1_VERSION) - -/* See if we need explicit IV. */ -#define SSL_USE_EXPLICIT_IV(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) - /* See if we use signature algorithms extension. */ #define SSL_USE_SIGALGS(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) + (s->method->internal->enc_flags & SSL_ENC_FLAG_SIGALGS) + +/* See if we use SHA256 default PRF. */ +#define SSL_USE_SHA256_PRF(s) \ + (s->method->internal->enc_flags & SSL_ENC_FLAG_SHA256_PRF) /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ #define SSL_USE_TLS1_2_CIPHERS(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) + (s->method->internal->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) + +/* Allow TLS 1.3 ciphersuites only. */ +#define SSL_USE_TLS1_3_CIPHERS(s) \ + (s->method->internal->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) -#define SSL_PKEY_RSA_ENC 0 -#define SSL_PKEY_RSA_SIGN 1 -#define SSL_PKEY_DH_RSA 2 -#define SSL_PKEY_ECC 3 -#define SSL_PKEY_GOST01 4 -#define SSL_PKEY_NUM 5 +#define SSL_PKEY_RSA 0 +#define SSL_PKEY_ECC 1 +#define SSL_PKEY_GOST01 2 +#define SSL_PKEY_NUM 3 #define SSL_MAX_EMPTY_RECORDS 32 @@ -365,10 +362,12 @@ __BEGIN_HIDDEN_DECLS #define NAMED_CURVE_TYPE 3 typedef struct ssl_method_internal_st { + int dtls; + int server; int version; - uint16_t min_version; - uint16_t max_version; + uint16_t min_tls_version; + uint16_t max_tls_version; int (*ssl_new)(SSL *s); void (*ssl_clear)(SSL *s); @@ -376,22 +375,17 @@ typedef struct ssl_method_internal_st { int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); + int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); int (*ssl_renegotiate_check)(SSL *s); - long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, - long max, int *ok); - int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, - int len, int peek); + int (*ssl_pending)(const SSL *s); + int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len, + int peek); int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); - const struct ssl_method_st *(*get_ssl_method)(int version); - - long (*get_timeout)(void); - int (*ssl_version)(void); - - struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ + unsigned int enc_flags; /* SSL_ENC_FLAG_* */ } SSL_METHOD_INTERNAL; typedef struct ssl_session_internal_st { @@ -416,41 +410,34 @@ typedef struct ssl_session_internal_st { } SSL_SESSION_INTERNAL; #define SSI(s) (s->session->internal) -typedef struct ssl_handshake_st { - /* state contains one of the SSL3_ST_* values. */ - int state; +typedef struct cert_pkey_st { + X509 *x509; + EVP_PKEY *privatekey; + STACK_OF(X509) *chain; +} CERT_PKEY; - /* used when SSL_ST_FLUSH_DATA is entered */ +typedef struct ssl_handshake_tls12_st { + /* Used when SSL_ST_FLUSH_DATA is entered. */ int next_state; - /* new_cipher is the cipher being negotiated in this handshake. */ - const SSL_CIPHER *new_cipher; - - /* key_block is the record-layer key block for TLS 1.2 and earlier. */ - int key_block_len; + /* Record-layer key block for TLS 1.2 and earlier. */ unsigned char *key_block; - - /* Extensions seen in this handshake. */ - uint32_t extensions_seen; - - /* sigalgs offered in this handshake in wire form */ - size_t sigalgs_len; - uint8_t *sigalgs; -} SSL_HANDSHAKE; + size_t key_block_len; +} SSL_HANDSHAKE_TLS12; typedef struct ssl_handshake_tls13_st { - uint16_t min_version; - uint16_t max_version; - uint16_t version; + int use_legacy; + int hrr; + + /* Certificate and sigalg selected for use (static pointers). */ + const CERT_PKEY *cpk; + const struct ssl_sigalg *sigalg; /* Version proposed by peer server. */ uint16_t server_version; - /* X25519 key share. */ - uint8_t *x25519_public; - uint8_t *x25519_private; - uint8_t *x25519_peer_public; - + uint16_t server_group; + struct tls13_key_share *key_share; struct tls13_secrets *secrets; uint8_t *cookie; @@ -459,11 +446,115 @@ typedef struct ssl_handshake_tls13_st { /* Preserved transcript hash. */ uint8_t transcript_hash[EVP_MAX_MD_SIZE]; size_t transcript_hash_len; + + /* Legacy session ID. */ + uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + size_t legacy_session_id_len; + + /* ClientHello hash, used to validate following HelloRetryRequest */ + EVP_MD_CTX *clienthello_md_ctx; + unsigned char *clienthello_hash; + unsigned int clienthello_hash_len; } SSL_HANDSHAKE_TLS13; +typedef struct ssl_handshake_st { + /* + * Minimum and maximum versions supported for this handshake. These are + * initialised at the start of a handshake based on the method in use + * and the current protocol version configuration. + */ + uint16_t our_min_tls_version; + uint16_t our_max_tls_version; + + /* + * Version negotiated for this session. For a client this is set once + * the server selected version is parsed from the ServerHello (either + * from the legacy version or supported versions extension). For a + * server this is set once we select the version we will use with the + * client. + */ + uint16_t negotiated_tls_version; + + /* + * Current handshake state - contains one of the SSL3_ST_* values and + * is used by the TLSv1.2 state machine, as well as being updated by + * the TLSv1.3 stack due to it being exposed externally. + */ + int state; + + /* Cipher being negotiated in this handshake. */ + const SSL_CIPHER *cipher; + + /* Extensions seen in this handshake. */ + uint32_t extensions_seen; + + /* sigalgs offered in this handshake in wire form */ + uint8_t *sigalgs; + size_t sigalgs_len; + + /* + * Copies of the verify data sent in our finished message and the + * verify data received in the finished message sent by our peer. + */ + uint8_t finished[EVP_MAX_MD_SIZE]; + size_t finished_len; + uint8_t peer_finished[EVP_MAX_MD_SIZE]; + size_t peer_finished_len; + + SSL_HANDSHAKE_TLS12 tls12; + SSL_HANDSHAKE_TLS13 tls13; +} SSL_HANDSHAKE; + +struct tls12_record_layer; + +struct tls12_record_layer *tls12_record_layer_new(void); +void tls12_record_layer_free(struct tls12_record_layer *rl); +void tls12_record_layer_alert(struct tls12_record_layer *rl, + uint8_t *alert_desc); +int tls12_record_layer_write_overhead(struct tls12_record_layer *rl, + size_t *overhead); +int tls12_record_layer_read_protected(struct tls12_record_layer *rl); +int tls12_record_layer_write_protected(struct tls12_record_layer *rl); +void tls12_record_layer_set_aead(struct tls12_record_layer *rl, + const EVP_AEAD *aead); +void tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, + const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, + const EVP_MD *mac_hash); +void tls12_record_layer_set_version(struct tls12_record_layer *rl, + uint16_t version); +void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, + uint16_t epoch); +int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, + uint16_t epoch); +void tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, + uint16_t epoch); +void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl); +void tls12_record_layer_clear_write_state(struct tls12_record_layer *rl); +void tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl); +void tls12_record_layer_read_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX **cipher, EVP_MD_CTX **hash); +int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, + const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, + size_t key_len, const uint8_t *iv, size_t iv_len); +int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, + const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, + size_t key_len, const uint8_t *iv, size_t iv_len); +int tls12_record_layer_open_record(struct tls12_record_layer *rl, + uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len); +int tls12_record_layer_seal_record(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, + CBB *out); + typedef struct ssl_ctx_internal_st { - uint16_t min_version; - uint16_t max_version; + uint16_t min_tls_version; + uint16_t max_tls_version; + + /* + * These may be zero to imply minimum or maximum version supported by + * the method. + */ + uint16_t min_proto_version; + uint16_t max_proto_version; unsigned long options; unsigned long mode; @@ -557,8 +648,7 @@ typedef struct ssl_ctx_internal_st { CRYPTO_EX_DATA ex_data; - /* same cipher_list but sorted for lookup */ - STACK_OF(SSL_CIPHER) *cipher_list_by_id; + STACK_OF(SSL_CIPHER) *cipher_list_tls13; struct cert_st /* CERT */ *cert; @@ -625,8 +715,15 @@ typedef struct ssl_ctx_internal_st { typedef struct ssl_internal_st { struct tls13_ctx *tls13; - uint16_t min_version; - uint16_t max_version; + uint16_t min_tls_version; + uint16_t max_tls_version; + + /* + * These may be zero to imply minimum or maximum version supported by + * the method. + */ + uint16_t min_proto_version; + uint16_t max_proto_version; unsigned long options; /* protocol behaviour */ unsigned long mode; /* API behaviour */ @@ -667,8 +764,6 @@ typedef struct ssl_internal_st { /* XXX non-callback */ - int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ - /* This holds a variable that indicates what we were doing * when a 0 or -1 is returned. This is needed for * non-blocking IO so we know what request needs re-doing when @@ -704,23 +799,9 @@ typedef struct ssl_internal_st { int hit; /* reusing a previous session */ - /* crypto */ - STACK_OF(SSL_CIPHER) *cipher_list_by_id; - - /* These are the ones being used, the ones in SSL_SESSION are - * the ones to be 'copied' into these ones */ - int mac_flags; + STACK_OF(SSL_CIPHER) *cipher_list_tls13; - SSL_AEAD_CTX *aead_read_ctx; /* AEAD context. If non-NULL, then - enc_read_ctx and read_hash are - ignored. */ - - SSL_AEAD_CTX *aead_write_ctx; /* AEAD context. If non-NULL, then - enc_write_ctx and write_hash are - ignored. */ - - EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ - EVP_MD_CTX *write_hash; /* used for mac generation */ + struct tls12_record_layer *rl; /* session info */ @@ -737,20 +818,15 @@ typedef struct ssl_internal_st { long max_cert_list; int first_packet; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ - /* Expect OCSP CertificateStatus message */ int tlsext_status_expected; /* OCSP status request only */ STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids; X509_EXTENSIONS *tlsext_ocsp_exts; + /* OCSP response received or to be sent */ unsigned char *tlsext_ocsp_resp; - int tlsext_ocsp_resplen; + size_t tlsext_ocsp_resp_len; /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; @@ -764,7 +840,7 @@ typedef struct ssl_internal_st { TLS_SESSION_TICKET_EXT *tlsext_session_ticket; STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ - SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ + const SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ int renegotiate;/* 1 if we are renegotiating. * 2 if we are a server and are inside a handshake @@ -777,16 +853,28 @@ typedef struct ssl_internal_st { int empty_record_count; } SSL_INTERNAL; -typedef struct ssl3_state_internal_st { - unsigned char read_sequence[SSL3_SEQUENCE_SIZE]; - int read_mac_secret_size; - unsigned char read_mac_secret[EVP_MAX_MD_SIZE]; - unsigned char write_sequence[SSL3_SEQUENCE_SIZE]; - int write_mac_secret_size; - unsigned char write_mac_secret[EVP_MAX_MD_SIZE]; +typedef struct ssl3_record_internal_st { + int type; /* type of record */ + unsigned int length; /* How many bytes available */ + unsigned int padding_length; /* Number of padding bytes. */ + unsigned int off; /* read/write offset into 'buf' */ + unsigned char *data; /* pointer to the record data */ + unsigned char *input; /* where the decode bytes are */ + unsigned long epoch; /* epoch number, needed by DTLS1 */ + unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ +} SSL3_RECORD_INTERNAL; + +typedef struct ssl3_buffer_internal_st { + unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, + * see ssl3_setup_buffers() */ + size_t len; /* buffer size */ + int offset; /* where to 'copy from' */ + int left; /* how many bytes left */ +} SSL3_BUFFER_INTERNAL; - SSL3_BUFFER rbuf; /* read IO goes into here */ - SSL3_BUFFER wbuf; /* write IO goes into here */ +typedef struct ssl3_state_internal_st { + SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ + SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ /* we allow one fatal and one warning alert to be outstanding, * send close alert via the warning alert */ @@ -797,8 +885,7 @@ typedef struct ssl3_state_internal_st { int need_empty_fragments; int empty_fragment_done; - SSL3_RECORD rrec; /* each decoded record goes in here */ - SSL3_RECORD wrec; /* goes out from here */ + SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */ /* storage for Alert/Handshake protocol data received but not * yet processed by ssl3_read_bytes: */ @@ -836,19 +923,9 @@ typedef struct ssl3_state_internal_st { int in_read_app_data; SSL_HANDSHAKE hs; - SSL_HANDSHAKE_TLS13 hs_tls13; struct { - int new_mac_secret_size; - - /* actually only needs to be 16+20 */ - unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; - - /* actually only need to be 16+20 for SSLv3 and 12 for TLS */ - unsigned char finish_md[EVP_MAX_MD_SIZE*2]; - int finish_md_len; - unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2]; - int peer_finish_md_len; + unsigned char cert_verify_md[EVP_MAX_MD_SIZE]; unsigned long message_size; int message_type; @@ -856,6 +933,7 @@ typedef struct ssl3_state_internal_st { DH *dh; EC_KEY *ecdh; /* holds short lived ECDH key */ + int ecdh_nid; uint8_t *x25519; @@ -869,8 +947,8 @@ typedef struct ssl3_state_internal_st { const EVP_CIPHER *new_sym_enc; const EVP_AEAD *new_aead; - const EVP_MD *new_hash; - int new_mac_pkey_type; + int new_mac_secret_size; + int cert_request; } tmp; @@ -897,6 +975,13 @@ typedef struct ssl3_state_internal_st { } SSL3_STATE_INTERNAL; #define S3I(s) (s->s3->internal) +typedef struct dtls1_record_data_internal_st { + unsigned char *packet; + unsigned int packet_length; + SSL3_BUFFER_INTERNAL rbuf; + SSL3_RECORD_INTERNAL rrec; +} DTLS1_RECORD_DATA_INTERNAL; + typedef struct dtls1_state_internal_st { unsigned int send_cookie; unsigned char cookie[DTLS1_COOKIE_LENGTH]; @@ -923,9 +1008,6 @@ typedef struct dtls1_state_internal_st { unsigned short handshake_read_seq; - /* save last sequence number for retransmissions */ - unsigned char last_write_sequence[8]; - /* Received handshake records (processed and unprocessed) */ record_pqueue unprocessed_rcds; record_pqueue processed_rcds; @@ -962,12 +1044,6 @@ typedef struct dtls1_state_internal_st { } DTLS1_STATE_INTERNAL; #define D1I(s) (s->d1->internal) -typedef struct cert_pkey_st { - X509 *x509; - EVP_PKEY *privatekey; - STACK_OF(X509) *chain; -} CERT_PKEY; - typedef struct cert_st { /* Current active set */ CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array @@ -1001,6 +1077,7 @@ typedef struct sess_cert_st { /* Obviously we don't have the private keys of these, * so maybe we shouldn't even use the CERT_PKEY type here. */ + int peer_nid; DH *peer_dh_tmp; EC_KEY *peer_ecdh_tmp; uint8_t *peer_x25519_tmp; @@ -1011,18 +1088,10 @@ typedef struct sess_cert_st { /*#define SSL_DEBUG */ /*#define RSA_DEBUG */ -typedef struct ssl3_enc_method { - int (*enc)(SSL *, int); - unsigned int enc_flags; -} SSL3_ENC_METHOD; - /* * Flag values for enc_flags. */ -/* Uses explicit IV. */ -#define SSL_ENC_FLAG_EXPLICIT_IV (1 << 0) - /* Uses signature algorithms extension. */ #define SSL_ENC_FLAG_SIGALGS (1 << 1) @@ -1032,6 +1101,17 @@ typedef struct ssl3_enc_method { /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) +/* Allow TLS 1.3 ciphersuites only. */ +#define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5) + +#define TLSV1_ENC_FLAGS 0 +#define TLSV1_1_ENC_FLAGS 0 +#define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ + SSL_ENC_FLAG_SHA256_PRF | \ + SSL_ENC_FLAG_TLS1_2_CIPHERS) +#define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ + SSL_ENC_FLAG_TLS1_3_CIPHERS) + /* * ssl_aead_ctx_st contains information about an AEAD that is being used to * encrypt an SSL connection. @@ -1054,31 +1134,27 @@ struct ssl_aead_ctx_st { char variable_nonce_in_record; }; -extern SSL_CIPHER ssl3_ciphers[]; +extern const SSL_CIPHER ssl3_ciphers[]; const char *ssl_version_string(int ver); -int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); -int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); +int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver); +int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver); +int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); +int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); +uint16_t ssl_tls_version(uint16_t version); +uint16_t ssl_effective_tls_version(SSL *s); +int ssl_max_supported_version(SSL *s, uint16_t *max_ver); int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver); -int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, - uint16_t *out_ver); -int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, - uint16_t *out_ver); -uint16_t ssl_max_server_version(SSL *s); -int ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver, - uint16_t max_ver); - -const SSL_METHOD *tls_legacy_client_method(void); - -const SSL_METHOD *dtls1_get_client_method(int ver); -const SSL_METHOD *dtls1_get_server_method(int ver); -const SSL_METHOD *tls1_get_client_method(int ver); -const SSL_METHOD *tls1_get_server_method(int ver); - -extern SSL3_ENC_METHOD DTLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_1_enc_data; -extern SSL3_ENC_METHOD TLSv1_2_enc_data; +int ssl_check_version_from_server(SSL *s, uint16_t server_version); +int ssl_legacy_stack_version(SSL *s, uint16_t version); +int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher); +int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, + uint16_t min_ver, uint16_t max_ver); + +const SSL_METHOD *tls_legacy_method(void); +const SSL_METHOD *ssl_get_method(uint16_t version); void ssl_clear_cipher_state(SSL *s); void ssl_clear_cipher_read_state(SSL *s); @@ -1096,17 +1172,20 @@ int ssl_cert_add1_chain_cert(CERT *c, X509 *cert); SESS_CERT *ssl_sess_cert_new(void); void ssl_sess_cert_free(SESS_CERT *sc); int ssl_get_new_session(SSL *s, int session); -int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block); +int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, + int *alert); int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, int num); -int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, - const SSL_CIPHER * const *bp); int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, - STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted, + STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13, const char *rule_str); +int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); +int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, + STACK_OF(SSL_CIPHER) *cipherlist_tls13, + STACK_OF(SSL_CIPHER) **out_cipherlist); void ssl_update_cache(SSL *s, int mode); int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); @@ -1158,10 +1237,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr); int ssl3_setup_buffers(SSL *s); int ssl3_setup_init_buffer(SSL *s); +void ssl3_release_init_buffer(SSL *s); int ssl3_setup_read_buffer(SSL *s); int ssl3_setup_write_buffer(SSL *s); -int ssl3_release_read_buffer(SSL *s); -int ssl3_release_write_buffer(SSL *s); +void ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b); +void ssl3_release_read_buffer(SSL *s); +void ssl3_release_write_buffer(SSL *s); int ssl3_new(SSL *s); void ssl3_free(SSL *s); int ssl3_accept(SSL *s); @@ -1184,10 +1265,8 @@ int ssl3_handshake_msg_finish(SSL *s, CBB *handshake); int ssl3_handshake_write(SSL *s); int ssl3_record_write(SSL *s, int type); -void tls1_record_sequence_increment(unsigned char *seq); int ssl3_do_change_cipher_spec(SSL *ssl); -long tls1_default_timeout(void); int dtls1_do_write(SSL *s, int type); int ssl3_packet_read(SSL *s, int plen); int ssl3_packet_extend(SSL *s, int plen); @@ -1215,9 +1294,6 @@ int dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr); void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); void dtls1_reset_seq_numbers(SSL *s, int rw); -void dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, - unsigned short epoch); -long dtls1_default_timeout(void); struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); int dtls1_check_timeout_num(SSL *s); int dtls1_handle_timeout(SSL *s); @@ -1229,8 +1305,8 @@ void dtls1_double_timeout(SSL *s); unsigned int dtls1_min_mtu(void); /* some client-only functions */ -int dtls1_get_hello_verify(SSL *s); int ssl3_send_client_hello(SSL *s); +int ssl3_get_dtls_hello_verify(SSL *s); int ssl3_get_server_hello(SSL *s); int ssl3_get_certificate_request(SSL *s); int ssl3_get_new_session_ticket(SSL *s); @@ -1246,8 +1322,8 @@ int ssl3_check_cert_and_algorithm(SSL *s); int ssl3_check_finished(SSL *s); /* some server-only functions */ -int dtls1_send_hello_verify_request(SSL *s); int ssl3_get_client_hello(SSL *s); +int ssl3_send_dtls_hello_verify_request(SSL *s); int ssl3_send_server_hello(SSL *s); int ssl3_send_hello_request(SSL *s); int ssl3_send_server_key_exchange(SSL *s); @@ -1257,6 +1333,13 @@ int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); +int ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey); +int ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid); +int ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb); +int ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs); +int ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer, + uint8_t **shared_key, size_t *shared_key_len); + int tls1_new(SSL *s); void tls1_free(SSL *s); void tls1_clear(SSL *s); @@ -1269,7 +1352,6 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); int dtls1_get_record(SSL *s); int dtls1_dispatch_alert(SSL *s); -int dtls1_enc(SSL *s, int snd); int ssl_init_wbio_buffer(SSL *s, int push); void ssl_free_wbio_buffer(SSL *s); @@ -1286,14 +1368,13 @@ void tls1_transcript_reset(SSL *s); int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len); int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len); void tls1_transcript_freeze(SSL *s); +void tls1_transcript_unfreeze(SSL *s); int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len); void tls1_cleanup_key_block(SSL *s); int tls1_change_cipher_state(SSL *s, int which); int tls1_setup_key_block(SSL *s); -int tls1_enc(SSL *s, int snd); int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p); -int tls1_mac(SSL *ssl, unsigned char *md, int snd); int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len); int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -1326,33 +1407,27 @@ int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); -int tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, - SSL_SESSION **ret); +#define TLS1_TICKET_FATAL_ERROR -1 +#define TLS1_TICKET_NONE 0 +#define TLS1_TICKET_EMPTY 1 +#define TLS1_TICKET_NOT_DECRYPTED 2 +#define TLS1_TICKET_DECRYPTED 3 -long ssl_get_algorithm2(SSL *s); +int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret); int tls1_check_ec_server_key(SSL *s); -int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -int ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, - int len, int *al); -int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -int ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, - int len, int *al); - /* s3_cbc.c */ -void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec, - unsigned md_size, unsigned orig_len); -int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec, - unsigned block_size, unsigned mac_size); +void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec, + unsigned int md_size, unsigned int orig_len); +int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len, + unsigned int mac_size); char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, const unsigned char header[13], const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length); + unsigned int mac_secret_length); int SSL_state_func_code(int _state); #define SSLerror(s, r) SSL_error_internal(s, r, __FILE__, __LINE__) @@ -1361,10 +1436,10 @@ void SSL_error_internal(const SSL *s, int r, char *f, int l); #ifndef OPENSSL_NO_SRTP -int srtp_find_profile_by_name(char *profile_name, - SRTP_PROTECTION_PROFILE **pptr, unsigned len); -int srtp_find_profile_by_num(unsigned profile_num, - SRTP_PROTECTION_PROFILE **pptr); +int srtp_find_profile_by_name(const char *profile_name, + const SRTP_PROTECTION_PROFILE **pptr, unsigned int len); +int srtp_find_profile_by_num(unsigned int profile_num, + const SRTP_PROTECTION_PROFILE **pptr); #endif /* OPENSSL_NO_SRTP */ diff --git a/ssl/ssl_methods.c b/ssl/ssl_methods.c index df99d98c..a3e51ac0 100644 --- a/ssl/ssl_methods.c +++ b/ssl/ssl_methods.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_methods.c,v 1.4 2019/03/17 17:28:08 jsing Exp $ */ +/* $OpenBSD: ssl_methods.c,v 1.24 2021/03/31 16:59:32 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -59,75 +59,82 @@ #include "ssl_locl.h" #include "tls13_internal.h" -static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, +static const SSL_METHOD_INTERNAL DTLS_method_internal_data = { + .dtls = 1, + .server = 1, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = dtls1_new, .ssl_clear = dtls1_clear, .ssl_free = dtls1_free, - .ssl_accept = ssl_undefined_function, + .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = dtls1_get_client_method, - .get_timeout = dtls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = dtls1_read_bytes, .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD DTLSv1_client_method_data = { +static const SSL_METHOD DTLS_method_data = { .ssl_dispatch_alert = dtls1_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = dtls1_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_client_method_internal_data, + .internal = &DTLS_method_internal_data, }; -const SSL_METHOD * -DTLSv1_client_method(void) -{ - return &DTLSv1_client_method_data; -} - -const SSL_METHOD * -DTLS_client_method(void) -{ - return DTLSv1_client_method(); -} - -const SSL_METHOD * -dtls1_get_client_method(int ver) -{ - if (ver == DTLS1_VERSION) - return (DTLSv1_client_method()); - return (NULL); -} +static const SSL_METHOD_INTERNAL DTLS_client_method_internal_data = { + .dtls = 1, + .server = 0, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .enc_flags = TLSV1_2_ENC_FLAGS, +}; -static const SSL_METHOD *dtls1_get_method(int ver); +static const SSL_METHOD DTLS_client_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLS_client_method_internal_data, +}; static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = { + .dtls = 1, + .server = 1, .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, .ssl_new = dtls1_new, .ssl_clear = dtls1_clear, .ssl_free = dtls1_free, .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = dtls1_get_method, - .get_timeout = dtls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = dtls1_read_bytes, .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, + .enc_flags = TLSV1_1_ENC_FLAGS, }; static const SSL_METHOD DTLSv1_method_data = { @@ -139,588 +146,562 @@ static const SSL_METHOD DTLSv1_method_data = { .internal = &DTLSv1_method_internal_data, }; -const SSL_METHOD * -DTLSv1_method(void) -{ - return &DTLSv1_method_data; -} - -const SSL_METHOD * -DTLS_method(void) -{ - return DTLSv1_method(); -} +static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { + .dtls = 1, + .server = 0, + .version = DTLS1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .enc_flags = TLSV1_1_ENC_FLAGS, +}; -static const SSL_METHOD * -dtls1_get_method(int ver) -{ - if (ver == DTLS1_VERSION) - return (DTLSv1_method()); - return (NULL); -} +static const SSL_METHOD DTLSv1_client_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLSv1_client_method_internal_data, +}; -static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, +static const SSL_METHOD_INTERNAL DTLSv1_2_method_internal_data = { + .dtls = 1, + .server = 1, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = dtls1_new, .ssl_clear = dtls1_clear, .ssl_free = dtls1_free, .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .get_ssl_method = dtls1_get_server_method, - .get_timeout = dtls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = dtls1_read_bytes, .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD DTLSv1_server_method_data = { +static const SSL_METHOD DTLSv1_2_method_data = { .ssl_dispatch_alert = dtls1_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = dtls1_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_server_method_internal_data, + .internal = &DTLSv1_2_method_internal_data, }; +static const SSL_METHOD_INTERNAL DTLSv1_2_client_method_internal_data = { + .dtls = 1, + .server = 0, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .enc_flags = TLSV1_2_ENC_FLAGS, +}; + +static const SSL_METHOD DTLSv1_2_client_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLSv1_2_client_method_internal_data, +}; + +const SSL_METHOD * +DTLSv1_client_method(void) +{ + return &DTLSv1_client_method_data; +} + +const SSL_METHOD * +DTLSv1_method(void) +{ + return &DTLSv1_method_data; +} + const SSL_METHOD * DTLSv1_server_method(void) { - return &DTLSv1_server_method_data; + return &DTLSv1_method_data; } const SSL_METHOD * -DTLS_server_method(void) +DTLSv1_2_client_method(void) { - return DTLSv1_server_method(); + return &DTLSv1_2_client_method_data; } const SSL_METHOD * -dtls1_get_server_method(int ver) +DTLSv1_2_method(void) { - if (ver == DTLS1_VERSION) - return (DTLSv1_server_method()); - return (NULL); + return &DTLSv1_2_method_data; } -#ifdef LIBRESSL_HAS_TLS1_3 -static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = { +const SSL_METHOD * +DTLSv1_2_server_method(void) +{ + return &DTLSv1_2_method_data; +} + +const SSL_METHOD * +DTLS_client_method(void) +{ + return &DTLS_client_method_data; +} + +const SSL_METHOD * +DTLS_method(void) +{ + return &DTLS_method_data; +} + +const SSL_METHOD * +DTLS_server_method(void) +{ + return &DTLS_method_data; +} + +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER) +static const SSL_METHOD_INTERNAL TLS_method_internal_data = { + .dtls = 0, + .server = 1, .version = TLS1_3_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_3_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_3_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, + .ssl_accept = tls13_legacy_accept, .ssl_connect = tls13_legacy_connect, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = tls13_legacy_shutdown, .ssl_renegotiate = ssl_undefined_function, .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, + .ssl_pending = tls13_legacy_pending, .ssl_read_bytes = tls13_legacy_read_bytes, .ssl_write_bytes = tls13_legacy_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, + .enc_flags = TLSV1_3_ENC_FLAGS, }; -static const SSL_METHOD TLS_client_method_data = { +static const SSL_METHOD TLS_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_client_method_internal_data, + .internal = &TLS_method_internal_data, }; #endif -static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = { +static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = { + .dtls = 0, + .server = 1, .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, + .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl_undefined_function, .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD TLS_legacy_client_method_data = { +static const SSL_METHOD TLS_legacy_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_legacy_client_method_internal_data, + .internal = &TLS_legacy_method_internal_data, }; -static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) +static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = { + .dtls = 0, + .server = 0, + .version = TLS1_3_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_3_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, + .ssl_accept = tls13_legacy_accept, + .ssl_connect = tls13_legacy_connect, + .ssl_shutdown = tls13_legacy_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = tls13_legacy_pending, + .ssl_read_bytes = tls13_legacy_read_bytes, + .ssl_write_bytes = tls13_legacy_write_bytes, + .enc_flags = TLSV1_3_ENC_FLAGS, +}; + +static const SSL_METHOD TLS_client_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_client_method_internal_data, +}; + +#else + +static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = { + .dtls = 0, + .server = 0, + .version = TLS1_2_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD TLSv1_client_method_data = { +static const SSL_METHOD TLS_legacy_client_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_client_method_internal_data, + .internal = &TLS_legacy_client_method_internal_data, }; +#endif -static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, +static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = { + .dtls = 0, + .server = 1, + .version = TLS1_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, + .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, + .enc_flags = TLSV1_ENC_FLAGS, }; -static const SSL_METHOD TLSv1_1_client_method_data = { +static const SSL_METHOD TLSv1_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_client_method_internal_data, + .internal = &TLSv1_method_internal_data, }; -static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, +static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = { + .dtls = 0, + .server = 0, + .version = TLS1_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, .ssl_accept = ssl_undefined_function, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, + .enc_flags = TLSV1_ENC_FLAGS, }; -static const SSL_METHOD TLSv1_2_client_method_data = { +static const SSL_METHOD TLSv1_client_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_client_method_internal_data, + .internal = &TLSv1_client_method_internal_data, }; -const SSL_METHOD * -tls1_get_client_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_client_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_client_method()); - if (ver == TLS1_VERSION) - return (TLSv1_client_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_client_method(void) -{ - return (TLS_client_method()); -} - -const SSL_METHOD * -TLS_client_method(void) -{ -#ifdef LIBRESSL_HAS_TLS1_3 - return (&TLS_client_method_data); -#else - return tls_legacy_client_method(); -#endif -} - -const SSL_METHOD * -tls_legacy_client_method(void) -{ - return (&TLS_legacy_client_method_data); -} - -const SSL_METHOD * -TLSv1_client_method(void) -{ - return (&TLSv1_client_method_data); -} - -const SSL_METHOD * -TLSv1_1_client_method(void) -{ - return (&TLSv1_1_client_method_data); -} - -const SSL_METHOD * -TLSv1_2_client_method(void) -{ - return (&TLSv1_2_client_method_data); -} - -static const SSL_METHOD *tls1_get_method(int ver); - -static const SSL_METHOD_INTERNAL TLS_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, +static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = { + .dtls = 0, + .server = 1, + .version = TLS1_1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, + .enc_flags = TLSV1_1_ENC_FLAGS, }; -static const SSL_METHOD TLS_method_data = { +static const SSL_METHOD TLSv1_1_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_method_internal_data, + .internal = &TLSv1_1_method_internal_data, }; -static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, +static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = { + .dtls = 0, + .server = 0, + .version = TLS1_1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, + .ssl_accept = ssl_undefined_function, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, + .enc_flags = TLSV1_1_ENC_FLAGS, }; -static const SSL_METHOD TLSv1_method_data = { +static const SSL_METHOD TLSv1_1_client_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_method_internal_data, + .internal = &TLSv1_1_client_method_internal_data, }; -static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, +static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = { + .dtls = 0, + .server = 1, + .version = TLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD TLSv1_1_method_data = { +static const SSL_METHOD TLSv1_2_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_method_internal_data, + .internal = &TLSv1_2_method_internal_data, }; -static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = { +static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = { + .dtls = 0, + .server = 0, .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, + .ssl_accept = ssl_undefined_function, .ssl_connect = ssl3_connect, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, + .ssl_shutdown = ssl3_shutdown, .ssl_renegotiate = ssl3_renegotiate, .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, + .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD TLSv1_2_method_data = { +static const SSL_METHOD TLSv1_2_client_method_data = { .ssl_dispatch_alert = ssl3_dispatch_alert, .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, .get_cipher_by_char = ssl3_get_cipher_by_char, .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_method_internal_data, + .internal = &TLSv1_2_client_method_internal_data, }; -static const SSL_METHOD * -tls1_get_method(int ver) +const SSL_METHOD * +TLS_client_method(void) { - if (ver == TLS1_2_VERSION) - return (TLSv1_2_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_method()); - if (ver == TLS1_VERSION) - return (TLSv1_method()); - return (NULL); +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) + return (&TLS_client_method_data); +#else + return (&TLS_legacy_client_method_data); +#endif } const SSL_METHOD * -SSLv23_method(void) +TLS_method(void) { - return (TLS_method()); +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER) + return (&TLS_method_data); +#else + return tls_legacy_method(); +#endif } const SSL_METHOD * -TLS_method(void) +TLS_server_method(void) { - return &TLS_method_data; + return TLS_method(); } const SSL_METHOD * -TLSv1_method(void) +tls_legacy_method(void) { - return (&TLSv1_method_data); + return (&TLS_legacy_method_data); } const SSL_METHOD * -TLSv1_1_method(void) +SSLv23_client_method(void) { - return (&TLSv1_1_method_data); + return TLS_client_method(); } const SSL_METHOD * -TLSv1_2_method(void) +SSLv23_method(void) { - return (&TLSv1_2_method_data); + return TLS_method(); } -static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_server_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, -}; - -static const SSL_METHOD TLSv1_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_server_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, -}; +const SSL_METHOD * +SSLv23_server_method(void) +{ + return TLS_method(); +} -static const SSL_METHOD TLSv1_1_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_server_method_internal_data, -}; +const SSL_METHOD * +TLSv1_client_method(void) +{ + return (&TLSv1_client_method_data); +} -static const SSL_METHOD_INTERNAL TLSv1_2_server_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; +const SSL_METHOD * +TLSv1_method(void) +{ + return (&TLSv1_method_data); +} -static const SSL_METHOD TLSv1_2_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_server_method_internal_data, -}; +const SSL_METHOD * +TLSv1_server_method(void) +{ + return (&TLSv1_method_data); +} const SSL_METHOD * -tls1_get_server_method(int ver) +TLSv1_1_client_method(void) { - if (ver == TLS1_2_VERSION) - return (TLSv1_2_server_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_server_method()); - if (ver == TLS1_VERSION) - return (TLSv1_server_method()); - return (NULL); + return (&TLSv1_1_client_method_data); } const SSL_METHOD * -SSLv23_server_method(void) +TLSv1_1_method(void) { - return (TLS_server_method()); + return (&TLSv1_1_method_data); } const SSL_METHOD * -TLS_server_method(void) +TLSv1_1_server_method(void) { - return (&TLS_server_method_data); + return (&TLSv1_1_method_data); } const SSL_METHOD * -TLSv1_server_method(void) +TLSv1_2_client_method(void) { - return (&TLSv1_server_method_data); + return (&TLSv1_2_client_method_data); } const SSL_METHOD * -TLSv1_1_server_method(void) +TLSv1_2_method(void) { - return (&TLSv1_1_server_method_data); + return (&TLSv1_2_method_data); } const SSL_METHOD * TLSv1_2_server_method(void) { - return (&TLSv1_2_server_method_data); + return (&TLSv1_2_method_data); +} + +const SSL_METHOD * +ssl_get_method(uint16_t version) +{ + if (version == TLS1_3_VERSION) + return (TLS_method()); + if (version == TLS1_2_VERSION) + return (TLSv1_2_method()); + if (version == TLS1_1_VERSION) + return (TLSv1_1_method()); + if (version == TLS1_VERSION) + return (TLSv1_method()); + if (version == DTLS1_VERSION) + return (DTLSv1_method()); + if (version == DTLS1_2_VERSION) + return (DTLSv1_2_method()); + + return (NULL); } diff --git a/ssl/ssl_packet.c b/ssl/ssl_packet.c index d8fb409d..b383fe83 100644 --- a/ssl/ssl_packet.c +++ b/ssl/ssl_packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_packet.c,v 1.8 2018/11/08 22:28:52 jsing Exp $ */ +/* $OpenBSD: ssl_packet.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -238,7 +238,7 @@ ssl_server_legacy_first_packet(SSL *s) const char *data; CBS header; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return 1; CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); @@ -247,12 +247,13 @@ ssl_server_legacy_first_packet(SSL *s) return 1; /* Only continue if this is not a version locked method. */ - if (s->method->internal->min_version == s->method->internal->max_version) + if (s->method->internal->min_tls_version == + s->method->internal->max_tls_version) return 1; if (ssl_is_sslv2_client_hello(&header) == 1) { /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */ - if (ssl_enabled_version_range(s, &min_version, NULL) != 1) { + if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return -1; } diff --git a/ssl/ssl_pkt.c b/ssl/ssl_pkt.c index 2a0dd68a..a760f90a 100644 --- a/ssl/ssl_pkt.c +++ b/ssl/ssl_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_pkt.c,v 1.16 2019/03/19 16:53:03 jsing Exp $ */ +/* $OpenBSD: ssl_pkt.c,v 1.40 2021/03/29 16:46:09 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -120,7 +120,7 @@ #include "bytestring.h" static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment); + unsigned int len); static int ssl3_get_record(SSL *s); /* @@ -149,15 +149,14 @@ ssl_force_want_read(SSL *s) static int ssl3_read_n(SSL *s, int n, int max, int extend) { + SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf); int i, len, left; size_t align; unsigned char *pkt; - SSL3_BUFFER *rb; if (n <= 0) return n; - rb = &(S3I(s)->rbuf); if (rb->buf == NULL) if (!ssl3_setup_read_buffer(s)) return -1; @@ -195,7 +194,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* For DTLS/UDP reads should not span multiple packets * because the read operation returns the whole packet * at once (as long as it fits into the buffer). */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (left > 0 && n > left) n = left; } @@ -228,14 +227,14 @@ ssl3_read_n(SSL *s, int n, int max, int extend) return -1; } - if (!s->internal->read_ahead) { - /* ignore max parameter */ - max = n; - } else { + if (s->internal->read_ahead || SSL_is_dtls(s)) { if (max < n) max = n; if (max > (int)(rb->len - rb->offset)) max = rb->len - rb->offset; + } else { + /* ignore max parameter */ + max = n; } while (left < n) { @@ -255,7 +254,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (i <= 0) { rb->left = left; if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) { + !SSL_is_dtls(s)) { if (len + left == 0) ssl3_release_read_buffer(s); } @@ -268,7 +267,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) * the underlying transport protocol is message oriented as * opposed to byte oriented as in the TLS case. */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (n > left) n = left; /* makes the while condition false */ } @@ -327,15 +326,13 @@ ssl3_packet_extend(SSL *s, int plen) static int ssl3_get_record(SSL *s) { - int al; - int enc_err, n, i, ret = -1; - SSL3_RECORD *rr; - SSL_SESSION *sess; - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned mac_size, orig_len; - - rr = &(S3I(s)->rrec); - sess = s->session; + SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf); + SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); + uint8_t alert_desc; + uint8_t *out; + size_t out_len; + int al, n; + int ret = -1; again: /* check if we have the header */ @@ -360,7 +357,7 @@ ssl3_get_record(SSL *s) CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); - /* Pull apart the header into the SSL3_RECORD */ + /* Pull apart the header into the SSL3_RECORD_INTERNAL */ if (!CBS_get_u8(&header, &type) || !CBS_get_u16(&header, &ssl_version) || !CBS_get_u16(&header, &len)) { @@ -373,13 +370,14 @@ ssl3_get_record(SSL *s) /* Lets check version */ if (!s->internal->first_packet && ssl_version != s->version) { - SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && - !s->internal->enc_write_ctx && !s->internal->write_hash) + !tls12_record_layer_write_protected(s->internal->rl)) { /* Send back error using their minor version number :-) */ s->version = ssl_version; + } + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + goto fatal_err; } if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) { @@ -387,17 +385,13 @@ ssl3_get_record(SSL *s) goto err; } - if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) { + if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + goto fatal_err; } - - /* now s->internal->rstate == SSL_ST_READ_BODY */ } - /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */ - n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length); if (n <= 0) return (n); @@ -406,136 +400,40 @@ ssl3_get_record(SSL *s) s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ - /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->internal->packet + /* + * A full record has now been read from the wire, which now needs + * to be processed. */ - rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]); - - /* ok, we can now read from 's->internal->packet' data into 'rr' - * rr->input points at rr->length bytes, which - * need to be copied into rr->data by either - * the decryption or by the decompression - * When the data is 'copied' into the rr->data buffer, - * rr->input will be pointed at the new buffer */ - - /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] - * rr->length bytes of encrypted compressed stuff. */ - - /* check is not needed I believe */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr->data = rr->input; - - enc_err = s->method->internal->ssl3_enc->enc(s, 0); - /* enc_err is: - * 0: (in non-constant time) if the record is publically invalid. - * 1: if the padding is valid - * -1: if the padding is invalid */ - if (enc_err == 0) { - al = SSL_AD_DECRYPTION_FAILED; - SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; - } - - - /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* s->read_hash != NULL => mac_size != -1 */ - unsigned char *mac = NULL; - unsigned char mac_tmp[EVP_MAX_MD_SIZE]; + tls12_record_layer_set_version(s->internal->rl, s->version); - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, + s->internal->packet_length, &out, &out_len)) { + tls12_record_layer_alert(s->internal->rl, &alert_desc); - /* kludge: *_cbc_remove_padding passes padding length in rr->type */ - orig_len = rr->length + ((unsigned int)rr->type >> 8); - - /* orig_len is the length of the record before any padding was - * removed. This is public information, as is the MAC in use, - * therefore we can safely process the record in a different - * amount of time if it's too short to possibly contain a MAC. - */ - if (orig_len < mac_size || - /* CBC records must have a padding length byte too. */ - (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - - if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { - /* We update the length so that the TLS header bytes - * can be constructed correctly but we need to extract - * the MAC in constant time from within the record, - * without leaking the contents of the padding bytes. - * */ - mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); - rr->length -= mac_size; - } else { - /* In this case there's no padding, so |orig_len| - * equals |rec->length| and we checked that there's - * enough bytes for |mac_size| above. */ - rr->length -= mac_size; - mac = &rr->data[rr->length]; - } - - i = tls1_mac(s,md,0 /* not send */); - if (i < 0 || mac == NULL || - timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) - enc_err = -1; - if (rr->length > - SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) - enc_err = -1; - } + if (alert_desc == 0) + goto err; - if (enc_err < 0) { - /* - * A separate 'decryption_failed' alert was introduced with - * TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a - * decryption failure is directly visible from the ciphertext - * anyway, we should not reveal which kind of error - * occurred -- this might become visible to an attacker - * (e.g. via a logfile) - */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; - } + if (alert_desc == SSL_AD_RECORD_OVERFLOW) + SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + else if (alert_desc == SSL_AD_BAD_RECORD_MAC) + SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + al = alert_desc; + goto fatal_err; } + rr->data = out; + rr->length = out_len; rr->off = 0; - /* - * So at this point the following is true - * - * ssl->s3->internal->rrec.type is the type of record - * ssl->s3->internal->rrec.length == number of bytes in record - * ssl->s3->internal->rrec.off == offset to first valid byte - * ssl->s3->internal->rrec.data == where to take bytes from, increment - * after use :-). - */ /* we have pulled in a full packet so zero things */ s->internal->packet_length = 0; if (rr->length == 0) { /* - * CBC countermeasures for known IV weaknesses - * can legitimately insert a single empty record, - * so we allow ourselves to read once past a single - * empty record without forcing want_read. + * CBC countermeasures for known IV weaknesses can legitimately + * insert a single empty record, so we allow ourselves to read + * once past a single empty record without forcing want_read. */ if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); @@ -546,15 +444,15 @@ ssl3_get_record(SSL *s) return -1; } goto again; - } else { - s->internal->empty_record_count = 0; } + s->internal->empty_record_count = 0; + return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (ret); } @@ -596,7 +494,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) else nw = n; - i = do_ssl3_write(s, type, &(buf[tot]), nw, 0); + i = do_ssl3_write(s, type, &(buf[tot]), nw); if (i <= 0) { S3I(s)->wnum = tot; return i; @@ -620,201 +518,112 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } static int -do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) +do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) { - unsigned char *p, *plen; - int i, mac_size, clear = 0; - int prefix_len = 0; - int eivlen; - size_t align; - SSL3_RECORD *wr; - SSL3_BUFFER *wb = &(S3I(s)->wbuf); - SSL_SESSION *sess; + SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); + SSL_SESSION *sess = s->session; + int need_empty_fragment = 0; + size_t align, out_len; + uint16_t version; + CBB cbb; + int ret; + + memset(&cbb, 0, sizeof(cbb)); if (wb->buf == NULL) if (!ssl3_setup_write_buffer(s)) return -1; - /* first check if there is a SSL3_BUFFER still being written - * out. This will happen with non blocking IO */ + /* + * First check if there is a SSL3_BUFFER_INTERNAL still being written + * out. This will happen with non blocking IO. + */ if (wb->left != 0) return (ssl3_write_pending(s, type, buf, len)); - /* If we have an alert to send, lets send it */ + /* If we have an alert to send, let's send it. */ if (S3I(s)->alert_dispatch) { - i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); - /* if it went, fall through and send more stuff */ - /* we may have released our buffer, so get it again */ + if ((ret = s->method->ssl_dispatch_alert(s)) <= 0) + return (ret); + /* If it went, fall through and send more stuff. */ + + /* We may have released our buffer, if so get it again. */ if (wb->buf == NULL) if (!ssl3_setup_write_buffer(s)) return -1; } - if (len == 0 && !create_empty_fragment) + if (len == 0) return 0; - wr = &(S3I(s)->wrec); - sess = s->session; - - if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) || - (EVP_MD_CTX_md(s->internal->write_hash) == NULL)) { - clear = s->internal->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ - mac_size = 0; - } else { - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - if (mac_size < 0) - goto err; - } + /* + * Some servers hang if initial client hello is larger than 256 + * bytes and record version number > TLS 1.0. + */ + version = s->version; + if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && + !s->internal->renegotiate && + S3I(s)->hs.our_max_tls_version > TLS1_VERSION) + version = TLS1_VERSION; /* - * 'create_empty_fragment' is true only when this function calls - * itself. + * Countermeasure against known-IV weakness in CBC ciphersuites + * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this + * is unnecessary for AEAD. */ - if (!clear && !create_empty_fragment && !S3I(s)->empty_fragment_done) { - /* - * Countermeasure against known-IV weakness in CBC ciphersuites - * (see http://www.openssl.org/~bodo/tls-cbc.txt) - */ + if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) { if (S3I(s)->need_empty_fragments && - type == SSL3_RT_APPLICATION_DATA) { - /* recursive function call with 'create_empty_fragment' set; - * this prepares and buffers the data for an empty fragment - * (these 'prefix_len' bytes are sent out later - * together with the actual payload) */ - prefix_len = do_ssl3_write(s, type, buf, 0, 1); - if (prefix_len <= 0) - goto err; - - if (prefix_len > - (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { - /* insufficient space */ - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - } - - S3I(s)->empty_fragment_done = 1; - } - - if (create_empty_fragment) { - /* extra fragment would be couple of cipher blocks, - * which would be multiple of SSL3_ALIGN_PAYLOAD, so - * if we want to align the real payload, then we can - * just pretent we simply have two headers. */ - align = (size_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); - - p = wb->buf + align; - wb->offset = align; - } else if (prefix_len) { - p = wb->buf + wb->offset + prefix_len; - } else { - align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); - - p = wb->buf + align; - wb->offset = align; + !S3I(s)->empty_fragment_done && + type == SSL3_RT_APPLICATION_DATA) + need_empty_fragment = 1; } - /* write the header */ - - *(p++) = type&0xff; - wr->type = type; - - *(p++) = (s->version >> 8); - /* Some servers hang if iniatial client hello is larger than 256 - * bytes and record version number > TLS 1.0 + /* + * An extra fragment would be a couple of cipher blocks, which would + * be a multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real + * payload, then we can just simply pretend we have two headers. */ - if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate && - TLS1_get_version(s) > TLS1_VERSION) - *(p++) = 0x1; - else - *(p++) = s->version&0xff; - - /* field where we are to write out packet length */ - plen = p; - p += 2; - - /* Explicit IV length. */ - eivlen = 0; - if (s->internal->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) { - int mode = EVP_CIPHER_CTX_mode(s->internal->enc_write_ctx); - if (mode == EVP_CIPH_CBC_MODE) { - eivlen = EVP_CIPHER_CTX_iv_length(s->internal->enc_write_ctx); - if (eivlen <= 1) - eivlen = 0; - } - } else if (s->internal->aead_write_ctx != NULL && - s->internal->aead_write_ctx->variable_nonce_in_record) { - eivlen = s->internal->aead_write_ctx->variable_nonce_len; - } - - /* lets setup the record stuff. */ - wr->data = p + eivlen; - wr->length = (int)len; - wr->input = (unsigned char *)buf; - - /* we now 'read' from wr->input, wr->length bytes into wr->data */ - - memcpy(wr->data, wr->input, wr->length); - wr->input = wr->data; - - /* we should still have the output to wr->data and the input - * from wr->input. Length should be wr->length. - * wr->data still points in the wb->buf */ + align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH; + if (need_empty_fragment) + align += SSL3_RT_HEADER_LENGTH; + align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); + wb->offset = align; - if (mac_size != 0) { - if (tls1_mac(s, - &(p[wr->length + eivlen]), 1) < 0) - goto err; - wr->length += mac_size; - } + if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) + goto err; - wr->input = p; - wr->data = p; + tls12_record_layer_set_version(s->internal->rl, version); - if (eivlen) { - /* if (RAND_pseudo_bytes(p, eivlen) <= 0) + if (need_empty_fragment) { + if (!tls12_record_layer_seal_record(s->internal->rl, type, + buf, 0, &cbb)) goto err; - */ - wr->length += eivlen; + S3I(s)->empty_fragment_done = 1; } - /* ssl3_enc can only have an error on read */ - s->method->internal->ssl3_enc->enc(s, 1); - - /* record length after mac and block padding */ - s2n(wr->length, plen); + if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + goto err; - /* we should now have - * wr->data pointing to the encrypted data, which is - * wr->length long */ - wr->type=type; /* not needed but helps for debugging */ - wr->length += SSL3_RT_HEADER_LENGTH; - - if (create_empty_fragment) { - /* we are in a recursive call; - * just return the length, don't write out anything here - */ - return wr->length; - } + if (!CBB_finish(&cbb, NULL, &out_len)) + goto err; - /* now let's set up wb */ - wb->left = prefix_len + wr->length; + wb->left = out_len; - /* memorize arguments so that ssl3_write_pending can detect - * bad write retries later */ + /* + * Memorize arguments so that ssl3_write_pending can detect + * bad write retries later. + */ S3I(s)->wpend_tot = len; S3I(s)->wpend_buf = buf; S3I(s)->wpend_type = type; S3I(s)->wpend_ret = len; - /* we now just need to write the buffer */ + /* We now just need to write the buffer. */ return ssl3_write_pending(s, type, buf, len); -err: + + err: + CBB_cleanup(&cbb); + return -1; } @@ -823,7 +632,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) { int i; - SSL3_BUFFER *wb = &(S3I(s)->wbuf); + SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); /* XXXX */ if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && @@ -837,9 +646,8 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) errno = 0; if (s->wbio != NULL) { s->internal->rwstate = SSL_WRITING; - i = BIO_write(s->wbio, - (char *)&(wb->buf[wb->offset]), - (unsigned int)wb->left); + i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]), + (unsigned int)wb->left); } else { SSLerror(s, SSL_R_BIO_NOT_SET); i = -1; @@ -848,7 +656,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) wb->left = 0; wb->offset += i; if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) + !SSL_is_dtls(s)) ssl3_release_write_buffer(s); s->internal->rwstate = SSL_NOTHING; return (S3I(s)->wpend_ret); @@ -857,7 +665,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) * For DTLS, just drop it. That's kind of the * whole point in using a datagram service. */ - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) wb->left = 0; return (i); } @@ -899,7 +707,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) void (*cb)(const SSL *ssl, int type2, int val) = NULL; int al, i, j, ret, rrcount = 0; unsigned int n; - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ if (!ssl3_setup_read_buffer(s)) @@ -953,7 +761,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } } -start: + start: /* * Do not process more than three consecutive records, otherwise the * peer can cause us to loop indefinitely. Instead, return with an @@ -991,7 +799,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) && (rr->type != SSL3_RT_HANDSHAKE)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); - goto f_err; + goto fatal_err; } /* If the other end has shut down, throw anything we read away @@ -1007,11 +815,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (type == rr->type) { /* make sure that we are not getting application data when we * are doing a handshake for the first time */ - if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && - (s->enc_read_ctx == NULL)) { + if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && + !tls12_record_layer_read_protected(s->internal->rl)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + goto fatal_err; } if (len <= 0) @@ -1093,7 +901,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (S3I(s)->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_HELLO_REQUEST); - goto f_err; + goto fatal_err; } if (s->internal->msg_callback) @@ -1137,7 +945,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO && (s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION)) { al = SSL_AD_NO_RENEGOTIATION; - goto f_err; + goto fatal_err; } /* If we are a server and get a client hello when renegotiation isn't * allowed send back a no renegotiation alert and carry on. @@ -1192,7 +1000,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_RENEGOTIATION); - goto f_err; + goto fatal_err; } } else if (alert_level == SSL3_AL_FATAL) { s->internal->rwstate = SSL_NOTHING; @@ -1206,7 +1014,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } else { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + goto fatal_err; } goto start; @@ -1226,21 +1034,21 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (rr->data[0] != SSL3_MT_CCS)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + goto fatal_err; } /* Check we have a cipher to change to */ - if (S3I(s)->hs.new_cipher == NULL) { + if (S3I(s)->hs.cipher == NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + goto fatal_err; } /* Check that we should be receiving a Change Cipher Spec. */ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + goto fatal_err; } s->s3->flags &= ~SSL3_FLAGS_CCS_OK; @@ -1301,7 +1109,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -1310,7 +1118,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, * but have application data. If the library was @@ -1332,14 +1140,14 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } else { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; } } /* not reached */ -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } @@ -1355,14 +1163,14 @@ ssl3_do_change_cipher_spec(SSL *s) else i = SSL3_CHANGE_CIPHER_CLIENT_READ; - if (S3I(s)->hs.key_block == NULL) { + if (S3I(s)->hs.tls12.key_block == NULL) { if (s->session == NULL || s->session->master_key_length == 0) { /* might happen if dtls1_read_bytes() calls this */ SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); return (0); } - s->session->cipher = S3I(s)->hs.new_cipher; + s->session->cipher = S3I(s)->hs.cipher; if (!tls1_setup_key_block(s)) return (0); } @@ -1382,12 +1190,12 @@ ssl3_do_change_cipher_spec(SSL *s) } i = tls1_final_finish_mac(s, sender, slen, - S3I(s)->tmp.peer_finish_md); + S3I(s)->hs.peer_finished); if (i == 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; } - S3I(s)->tmp.peer_finish_md_len = i; + S3I(s)->hs.peer_finished_len = i; return (1); } @@ -1421,7 +1229,7 @@ ssl3_dispatch_alert(SSL *s) void (*cb)(const SSL *ssl, int type, int val) = NULL; S3I(s)->alert_dispatch = 0; - i = do_ssl3_write(s, SSL3_RT_ALERT, &S3I(s)->send_alert[0], 2, 0); + i = do_ssl3_write(s, SSL3_RT_ALERT, &S3I(s)->send_alert[0], 2); if (i <= 0) { S3I(s)->alert_dispatch = 1; } else { diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 0936c0bd..18ae5307 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.32 2021/03/19 19:51:07 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,7 +68,10 @@ static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); -static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *); +static int use_certificate_chain_bio(BIO *in, CERT *cert, + pem_password_cb *passwd_cb, void *passwd_arg); +static int use_certificate_chain_file(const char *file, CERT *cert, + pem_password_cb *passwd_cb, void *passwd_arg); int SSL_use_certificate(SSL *ssl, X509 *x) @@ -609,29 +612,29 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, * sent to the peer in the Certificate message. */ static int -ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) +use_certificate_chain_bio(BIO *in, CERT *cert, pem_password_cb *passwd_cb, + void *passwd_arg) { X509 *ca, *x = NULL; unsigned long err; int ret = 0; - if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) == NULL) { + if ((x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_arg)) == + NULL) { SSLerrorx(ERR_R_PEM_LIB); goto err; } - if (!SSL_CTX_use_certificate(ctx, x)) + if (!ssl_set_cert(cert, x)) goto err; - if (!ssl_cert_set0_chain(ctx->internal->cert, NULL)) + if (!ssl_cert_set0_chain(cert, NULL)) goto err; /* Process any additional CA certificates. */ - while ((ca = PEM_read_bio_X509(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) != NULL) { - if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) { + while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) != + NULL) { + if (!ssl_cert_add0_chain_cert(cert, ca)) { X509_free(ca); goto err; } @@ -652,7 +655,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) } int -SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) +use_certificate_chain_file(const char *file, CERT *cert, + pem_password_cb *passwd_cb, void *passwd_arg) { BIO *in; int ret = 0; @@ -668,13 +672,29 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) goto end; } - ret = ssl_ctx_use_certificate_chain_bio(ctx, in); + ret = use_certificate_chain_bio(in, cert, passwd_cb, passwd_arg); end: BIO_free(in); return (ret); } +int +SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) +{ + return use_certificate_chain_file(file, ctx->internal->cert, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); +} + +int +SSL_use_certificate_chain_file(SSL *ssl, const char *file) +{ + return use_certificate_chain_file(file, ssl->cert, + ssl->ctx->default_passwd_callback, + ssl->ctx->default_passwd_callback_userdata); +} + int SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) { @@ -687,7 +707,9 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) goto end; } - ret = ssl_ctx_use_certificate_chain_bio(ctx, in); + ret = use_certificate_chain_bio(in, ctx->internal->cert, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); end: BIO_free(in); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 16b4b75b..4d5b8156 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.85 2019/04/22 15:12:20 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.102 2021/02/20 08:30:52 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,6 +194,18 @@ SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx) return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); } +uint32_t +SSL_SESSION_get_max_early_data(const SSL_SESSION *s) +{ + return 0; +} + +int +SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data) +{ + return 1; +} + SSL_SESSION * SSL_SESSION_new(void) { @@ -333,6 +345,7 @@ ssl_get_new_session(SSL *s, int session) case TLS1_1_VERSION: case TLS1_2_VERSION: case DTLS1_VERSION: + case DTLS1_2_VERSION: ss->ssl_version = s->version; ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; break; @@ -385,7 +398,7 @@ ssl_get_new_session(SSL *s, int session) return (0); } -sess_id_done: + sess_id_done: if (s->tlsext_hostname) { ss->tlsext_hostname = strdup(s->tlsext_hostname); if (ss->tlsext_hostname == NULL) { @@ -413,15 +426,94 @@ ssl_get_new_session(SSL *s, int session) return (1); } +static SSL_SESSION * +ssl_session_from_cache(SSL *s, CBS *session_id) +{ + SSL_SESSION *sess; + SSL_SESSION data; + + if ((s->session_ctx->internal->session_cache_mode & + SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) + return NULL; + + memset(&data, 0, sizeof(data)); + + data.ssl_version = s->version; + data.session_id_length = CBS_len(session_id); + memcpy(data.session_id, CBS_data(session_id), CBS_len(session_id)); + + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + sess = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); + if (sess != NULL) + CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + + if (sess == NULL) + s->session_ctx->internal->stats.sess_miss++; + + return sess; +} + +static SSL_SESSION * +ssl_session_from_callback(SSL *s, CBS *session_id) +{ + SSL_SESSION *sess; + int copy; + + if (s->session_ctx->internal->get_session_cb == NULL) + return NULL; + + copy = 1; + if ((sess = s->session_ctx->internal->get_session_cb(s, + CBS_data(session_id), CBS_len(session_id), ©)) == NULL) + return NULL; + /* + * The copy handler may have set copy == 0 to indicate that the session + * structures are shared between threads and that it handles the + * reference count itself. If it didn't set copy to zero, we must + * increment the reference count. + */ + if (copy) + CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); + + s->session_ctx->internal->stats.sess_cb_hit++; + + /* Add the externally cached session to the internal cache as well. */ + if (!(s->session_ctx->internal->session_cache_mode & + SSL_SESS_CACHE_NO_INTERNAL_STORE)) { + /* + * The following should not return 1, + * otherwise, things are very strange. + */ + SSL_CTX_add_session(s->session_ctx, sess); + } + + return sess; +} + +static SSL_SESSION * +ssl_session_by_id(SSL *s, CBS *session_id) +{ + SSL_SESSION *sess; + + if (CBS_len(session_id) == 0) + return NULL; + + if ((sess = ssl_session_from_cache(s, session_id)) == NULL) + sess = ssl_session_from_callback(s, session_id); + + return sess; +} + /* - * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this - * connection. It is only called by servers. + * ssl_get_prev_session attempts to find an SSL_SESSION to be used to resume + * this connection. It is only called by servers. * * session_id: points at the session ID in the ClientHello. This code will * read past the end of this in order to parse out the session ticket * extension, if any. - * session_id_len: the length of the session ID. * ext_block: a CBS for the ClientHello extensions block. + * alert: alert that the caller should send in case of failure. * * Returns: * -1: error @@ -431,37 +523,47 @@ ssl_get_new_session(SSL *s, int session) * - If a session is found then s->session is pointed at it (after freeing * an existing session if need be) and s->verify_result is set from the * session. - * - Both for new and resumed sessions, s->internal->tlsext_ticket_expected is set - * to 1 if the server should issue a new session ticket (to 0 otherwise). + * - For both new and resumed sessions, s->internal->tlsext_ticket_expected + * indicates whether the server should issue a new session ticket or not. */ int -ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block) +ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) { - SSL_SESSION *ret = NULL; - int fatal = 0; - int try_session_cache = 1; - int r; + SSL_SESSION *sess = NULL; + size_t session_id_len; + int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0; + int ticket_decrypted = 0; /* This is used only by servers. */ if (CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; - if (CBS_len(session_id) == 0) - try_session_cache = 0; - /* Sets s->internal->tlsext_ticket_expected. */ - r = tls1_process_ticket(s, session_id, ext_block, &ret); - switch (r) { - case -1: /* Error during processing */ + switch (tls1_process_ticket(s, ext_block, &alert_desc, &sess)) { + case TLS1_TICKET_FATAL_ERROR: fatal = 1; goto err; - case 0: /* No ticket found */ - case 1: /* Zero length ticket found */ - break; /* Ok to carry on processing session id. */ - case 2: /* Ticket found but not decrypted. */ - case 3: /* Ticket decrypted, *ret has been set. */ - try_session_cache = 0; + case TLS1_TICKET_NONE: + case TLS1_TICKET_EMPTY: + if ((sess = ssl_session_by_id(s, session_id)) == NULL) + goto err; + break; + case TLS1_TICKET_NOT_DECRYPTED: + goto err; + case TLS1_TICKET_DECRYPTED: + ticket_decrypted = 1; + + /* + * The session ID is used by some clients to detect that the + * ticket has been accepted so we copy it into sess. + */ + if (!CBS_write_bytes(session_id, sess->session_id, + sizeof(sess->session_id), &session_id_len)) { + fatal = 1; + goto err; + } + sess->session_id_length = (unsigned int)session_id_len; break; default: SSLerror(s, ERR_R_INTERNAL_ERROR); @@ -469,74 +571,16 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block) goto err; } - if (try_session_cache && ret == NULL && - !(s->session_ctx->internal->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { - SSL_SESSION data; - - data.ssl_version = s->version; - data.session_id_length = CBS_len(session_id); - memcpy(data.session_id, CBS_data(session_id), - CBS_len(session_id)); - - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); - if (ret != NULL) { - /* Don't allow other threads to steal it. */ - CRYPTO_add(&ret->references, 1, - CRYPTO_LOCK_SSL_SESSION); - } - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - if (ret == NULL) - s->session_ctx->internal->stats.sess_miss++; - } - - if (try_session_cache && ret == NULL && - s->session_ctx->internal->get_session_cb != NULL) { - int copy = 1; - - if ((ret = s->session_ctx->internal->get_session_cb(s, - CBS_data(session_id), CBS_len(session_id), ©))) { - s->session_ctx->internal->stats.sess_cb_hit++; - - /* - * Increment reference count now if the session - * callback asks us to do so (note that if the session - * structures returned by the callback are shared - * between threads, it must handle the reference count - * itself [i.e. copy == 0], or things won't be - * thread-safe). - */ - if (copy) - CRYPTO_add(&ret->references, 1, - CRYPTO_LOCK_SSL_SESSION); - - /* - * Add the externally cached session to the internal - * cache as well if and only if we are supposed to. - */ - if (!(s->session_ctx->internal->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_STORE)) - /* - * The following should not return 1, - * otherwise, things are very strange. - */ - SSL_CTX_add_session(s->session_ctx, ret); - } - } + /* Now sess is non-NULL and we own one of its reference counts. */ - if (ret == NULL) + if (sess->sid_ctx_length != s->sid_ctx_length || + timingsafe_memcmp(sess->sid_ctx, s->sid_ctx, + sess->sid_ctx_length) != 0) { + /* + * We have the session requested by the client, but we don't + * want to use it in this context. Treat it like a cache miss. + */ goto err; - - /* Now ret is non-NULL and we own one of its reference counts. */ - - if (ret->sid_ctx_length != s->sid_ctx_length || - timingsafe_memcmp(ret->sid_ctx, - s->sid_ctx, ret->sid_ctx_length) != 0) { - /* We have the session requested by the client, but we don't - * want to use it in this context. */ - goto err; /* treat like cache miss */ } if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) { @@ -556,45 +600,43 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block) goto err; } - if (ret->cipher == NULL) { - ret->cipher = ssl3_get_cipher_by_id(ret->cipher_id); - if (ret->cipher == NULL) + if (sess->cipher == NULL) { + sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id); + if (sess->cipher == NULL) goto err; } - if (ret->timeout < (time(NULL) - ret->time)) { - /* timeout */ + if (sess->timeout < (time(NULL) - sess->time)) { s->session_ctx->internal->stats.sess_timeout++; - if (try_session_cache) { - /* session was from the cache, so remove it */ - SSL_CTX_remove_session(s->session_ctx, ret); + if (!ticket_decrypted) { + /* The session was from the cache, so remove it. */ + SSL_CTX_remove_session(s->session_ctx, sess); } goto err; } s->session_ctx->internal->stats.sess_hit++; - if (s->session != NULL) - SSL_SESSION_free(s->session); - s->session = ret; + SSL_SESSION_free(s->session); + s->session = sess; s->verify_result = s->session->verify_result; + return 1; -err: - if (ret != NULL) { - SSL_SESSION_free(ret); - if (!try_session_cache) { - /* - * The session was from a ticket, so we should - * issue a ticket for the new session. - */ - s->internal->tlsext_ticket_expected = 1; - } + err: + SSL_SESSION_free(sess); + if (ticket_decrypted) { + /* + * The session was from a ticket. Issue a ticket for the new + * session. + */ + s->internal->tlsext_ticket_expected = 1; } - if (fatal) + if (fatal) { + *alert = alert_desc; return -1; - else - return 0; + } + return 0; } int @@ -747,45 +789,29 @@ SSL_SESSION_up_ref(SSL_SESSION *ss) int SSL_set_session(SSL *s, SSL_SESSION *session) { - int ret = 0; - const SSL_METHOD *meth; - - if (session != NULL) { - meth = s->ctx->method->internal->get_ssl_method(session->ssl_version); - if (meth == NULL) - meth = s->method->internal->get_ssl_method(session->ssl_version); - if (meth == NULL) { - SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD); - return (0); - } + const SSL_METHOD *method; - if (meth != s->method) { - if (!SSL_set_ssl_method(s, meth)) - return (0); - } + if (session == NULL) { + SSL_SESSION_free(s->session); + s->session = NULL; - /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ - CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (s->session != NULL) - SSL_SESSION_free(s->session); - s->session = session; - s->verify_result = s->session->verify_result; - /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ - ret = 1; - } else { - if (s->session != NULL) { - SSL_SESSION_free(s->session); - s->session = NULL; - } + return SSL_set_ssl_method(s, s->ctx->method); + } - meth = s->ctx->method; - if (meth != s->method) { - if (!SSL_set_ssl_method(s, meth)) - return (0); - } - ret = 1; + if ((method = ssl_get_method(session->ssl_version)) == NULL) { + SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD); + return (0); } - return (ret); + + if (!SSL_set_ssl_method(s, method)) + return (0); + + CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); + SSL_SESSION_free(s->session); + s->session = session; + s->verify_result = s->session->verify_result; + + return (1); } size_t diff --git a/ssl/ssl_sigalgs.c b/ssl/ssl_sigalgs.c index 37fdcfa7..68bb6a38 100644 --- a/ssl/ssl_sigalgs.c +++ b/ssl/ssl_sigalgs.c @@ -1,6 +1,6 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.20 2019/04/01 02:09:21 beck Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.23 2021/03/10 18:27:02 jsing Exp $ */ /* - * Copyright (c) 2018-2019 Bob Beck + * Copyright (c) 2018-2020 Bob Beck * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -144,7 +144,7 @@ const struct ssl_sigalg sigalgs[] = { }; /* Sigalgs for tls 1.3, in preference order, */ -uint16_t tls13_sigalgs[] = { +const uint16_t tls13_sigalgs[] = { SIGALG_RSA_PSS_RSAE_SHA512, SIGALG_RSA_PKCS1_SHA512, SIGALG_ECDSA_SECP521R1_SHA512, @@ -155,10 +155,10 @@ uint16_t tls13_sigalgs[] = { SIGALG_RSA_PKCS1_SHA256, SIGALG_ECDSA_SECP256R1_SHA256, }; -size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); +const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); /* Sigalgs for tls 1.2, in preference order, */ -uint16_t tls12_sigalgs[] = { +const uint16_t tls12_sigalgs[] = { SIGALG_RSA_PSS_RSAE_SHA512, SIGALG_RSA_PKCS1_SHA512, SIGALG_ECDSA_SECP521R1_SHA512, @@ -171,7 +171,7 @@ uint16_t tls12_sigalgs[] = { SIGALG_RSA_PKCS1_SHA1, /* XXX */ SIGALG_ECDSA_SHA1, /* XXX */ }; -size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); +const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); const struct ssl_sigalg * ssl_sigalg_lookup(uint16_t sigalg) @@ -187,7 +187,7 @@ ssl_sigalg_lookup(uint16_t sigalg) } const struct ssl_sigalg * -ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len) +ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len) { int i; @@ -200,7 +200,7 @@ ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len) } int -ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) +ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len) { size_t i; @@ -260,12 +260,12 @@ ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, const struct ssl_sigalg * ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) { - uint16_t *tls_sigalgs = tls12_sigalgs; + const uint16_t *tls_sigalgs = tls12_sigalgs; size_t tls_sigalgs_len = tls12_sigalgs_len; int check_curve = 0; CBS cbs; - if (TLS1_get_version(s) >= TLS1_3_VERSION) { + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { tls_sigalgs = tls13_sigalgs; tls_sigalgs_len = tls13_sigalgs_len; check_curve = 1; @@ -291,7 +291,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in * which case the server must use the the default. */ - if (TLS1_get_version(s) < TLS1_3_VERSION && + if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && S3I(s)->hs.sigalgs == NULL) { switch (pkey->type) { case EVP_PKEY_RSA: @@ -322,6 +322,12 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) tls_sigalgs_len)) == NULL) continue; + /* RSA cannot be used without PSS in TLSv1.3. */ + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && + sigalg->key_type == EVP_PKEY_RSA && + (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) + continue; + if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve)) return sigalg; } diff --git a/ssl/ssl_sigalgs.h b/ssl/ssl_sigalgs.h index 13a3597f..80674bae 100644 --- a/ssl/ssl_sigalgs.h +++ b/ssl/ssl_sigalgs.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.14 2019/03/25 17:33:26 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.15 2020/10/11 01:13:04 guenther Exp $ */ /* * Copyright (c) 2018-2019 Bob Beck * @@ -68,14 +68,14 @@ struct ssl_sigalg{ int flags; }; -extern uint16_t tls12_sigalgs[]; -extern size_t tls12_sigalgs_len; -extern uint16_t tls13_sigalgs[]; -extern size_t tls13_sigalgs_len; +extern const uint16_t tls12_sigalgs[]; +extern const size_t tls12_sigalgs_len; +extern const uint16_t tls13_sigalgs[]; +extern const size_t tls13_sigalgs_len; const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); -const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len); -int ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len); +const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, const uint16_t *values, size_t len); +int ssl_sigalgs_build(CBB *cbb, const uint16_t *values, size_t len); int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, int check_curve); diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c index 809f5896..0f3572a6 100644 --- a/ssl/ssl_srvr.c +++ b/ssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.68 2019/04/22 15:12:20 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.101 2021/03/29 16:56:20 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -186,7 +186,7 @@ ssl3_accept(SSL *s) else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) listen = D1I(s)->listen; /* init things to blank */ @@ -194,7 +194,7 @@ ssl3_accept(SSL *s) if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->listen = listen; for (;;) { @@ -213,20 +213,19 @@ ssl3_accept(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); - if (SSL_IS_DTLS(s)) { - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - } else { - if ((s->version >> 8) != 3) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } + if (!ssl_legacy_stack_version(s, s->version)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + + if (!ssl_supported_tls_version_range(s, + &S3I(s)->hs.our_min_tls_version, + &S3I(s)->hs.our_max_tls_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + ret = -1; + goto end; } - s->internal->type = SSL_ST_ACCEPT; if (!ssl3_setup_init_buffer(s)) { ret = -1; @@ -257,7 +256,7 @@ ssl3_accept(SSL *s) S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->internal->stats.sess_accept++; - } else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding) { + } else if (!SSL_is_dtls(s) && !S3I(s)->send_connection_binding) { /* * Server attempting to renegotiate with * client that doesn't support secure @@ -281,23 +280,25 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_HELLO_REQ_A: case SSL3_ST_SW_HELLO_REQ_B: s->internal->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { dtls1_clear_record_buffer(s); dtls1_start_timer(s); } ret = ssl3_send_hello_request(s); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) - S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; + if (SSL_is_dtls(s)) + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; else - S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C; + S3I(s)->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; s->internal->init_num = 0; - if (!tls1_transcript_init(s)) { - ret = -1; - goto end; + if (SSL_is_dtls(s)) { + if (!tls1_transcript_init(s)) { + ret = -1; + goto end; + } } break; @@ -309,7 +310,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: s->internal->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { ret = ssl3_get_client_hello(s); if (ret <= 0) goto end; @@ -328,9 +329,8 @@ ssl3_accept(SSL *s) * stateless while listening. */ if (listen) { - memcpy(S3I(s)->write_sequence, - S3I(s)->read_sequence, - sizeof(S3I(s)->write_sequence)); + tls12_record_layer_reflect_seq_num( + s->internal->rl); } /* If we're just listening, stop here */ @@ -361,11 +361,11 @@ ssl3_accept(SSL *s) case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: - ret = dtls1_send_hello_verify_request(s); + ret = ssl3_send_dtls_hello_verify_request(s); if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; - S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; /* HelloVerifyRequest resets Finished MAC. */ tls1_transcript_reset(s); @@ -373,7 +373,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { s->internal->renegotiate = 2; dtls1_start_timer(s); } @@ -394,9 +394,9 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH or anon ECDH. */ - if (!(S3I(s)->hs.new_cipher->algorithm_auth & + if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_server_certificate(s); if (ret <= 0) @@ -414,7 +414,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; /* * Only send if using a DH key exchange. @@ -425,7 +425,7 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (alg_k & (SSL_kDHE|SSL_kECDHE)) { - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_server_key_exchange(s); if (ret <= 0) @@ -459,7 +459,7 @@ ssl3_accept(SSL *s) if (!(s->verify_mode & SSL_VERIFY_PEER) || ((s->session->peer != NULL) && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || - ((S3I(s)->hs.new_cipher->algorithm_auth & + ((S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) && !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { /* No cert request. */ @@ -467,11 +467,11 @@ ssl3_accept(SSL *s) S3I(s)->tmp.cert_request = 0; S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; - if (!SSL_IS_DTLS(s)) + if (!SSL_is_dtls(s)) tls1_transcript_free(s); } else { S3I(s)->tmp.cert_request = 1; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_certificate_request(s); if (ret <= 0) @@ -483,12 +483,12 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_DONE_A: case SSL3_ST_SW_SRVR_DONE_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_server_done(s); if (ret <= 0) goto end; - S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CERT_A; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; s->internal->init_num = 0; break; @@ -506,18 +506,18 @@ ssl3_accept(SSL *s) */ s->internal->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying. */ if (!BIO_should_retry(s->wbio)) { s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; } } ret = -1; goto end; } s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; break; case SSL3_ST_SR_CERT_A: @@ -537,12 +537,12 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; s->internal->init_num = 0; } - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (ret == 2) { /* * For the ECDH ciphersuites when @@ -587,7 +587,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -602,7 +602,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -610,7 +610,7 @@ ssl3_accept(SSL *s) SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_stop_timer(s); if (s->internal->hit) S3I(s)->hs.state = SSL_ST_OK; @@ -641,7 +641,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: - s->session->cipher = S3I(s)->hs.new_cipher; + s->session->cipher = S3I(s)->hs.cipher; if (!tls1_setup_key_block(s)) { ret = -1; goto end; @@ -660,7 +660,7 @@ ssl3_accept(SSL *s) goto end; } - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); break; @@ -674,10 +674,10 @@ ssl3_accept(SSL *s) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; if (s->internal->hit) { - S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A; tls1_transcript_free(s); } else - S3I(s)->hs.next_state = SSL_ST_OK; + S3I(s)->hs.tls12.next_state = SSL_ST_OK; s->internal->init_num = 0; break; @@ -691,10 +691,8 @@ ssl3_accept(SSL *s) goto end; } - if (!SSL_IS_DTLS(s)) { - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; - } + if (!SSL_is_dtls(s)) + ssl3_release_init_buffer(s); /* remove buffering on output */ ssl_free_wbio_buffer(s); @@ -718,7 +716,7 @@ ssl3_accept(SSL *s) ret = 1; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* Done handshaking, next message is client hello. */ D1I(s)->handshake_read_seq = 0; /* Next message is server hello. */ @@ -751,7 +749,7 @@ ssl3_accept(SSL *s) } skip = 0; } -end: + end: /* BIO_flush(s->wbio); */ s->internal->in_handshake--; if (cb != NULL) @@ -815,7 +813,7 @@ ssl3_get_client_hello(SSL *s) } s->internal->first_packet = 1; - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, + n = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH, &ok); if (!ok) @@ -829,43 +827,52 @@ ssl3_get_client_hello(SSL *s) /* Parse client hello up until the extensions (if any). */ if (!CBS_get_u16(&cbs, &client_version)) - goto truncated; + goto decode_err; if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE)) - goto truncated; + goto decode_err; if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) - goto truncated; - if (SSL_IS_DTLS(s)) { + goto decode_err; + if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto fatal_err; + } + if (SSL_is_dtls(s)) { if (!CBS_get_u8_length_prefixed(&cbs, &cookie)) - goto truncated; + goto decode_err; } if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites)) - goto truncated; + goto decode_err; if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods)) - goto truncated; + goto decode_err; /* * Use version from inside client hello, not from record header. * (may differ: see RFC 2246, Appendix E, second paragraph) */ - if (ssl_max_shared_version(s, client_version, &shared_version) != 1) { - SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); + if (!ssl_max_shared_version(s, client_version, &shared_version)) { if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && - !s->internal->enc_write_ctx && !s->internal->write_hash) { + !tls12_record_layer_write_protected(s->internal->rl)) { /* * Similar to ssl3_get_record, send alert using remote * version number. */ s->version = s->client_version; } + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + goto fatal_err; } s->client_version = client_version; s->version = shared_version; - if ((method = tls1_get_server_method(shared_version)) == NULL) - method = dtls1_get_server_method(shared_version); - if (method == NULL) { + S3I(s)->hs.negotiated_tls_version = ssl_tls_version(shared_version); + if (S3I(s)->hs.negotiated_tls_version == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + + if ((method = ssl_get_method(shared_version)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -876,7 +883,7 @@ ssl3_get_client_hello(SSL *s) * one, just return since we do not want to allocate any memory yet. * So check cookie length... */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (CBS_len(&cookie) == 0) return (1); @@ -913,11 +920,11 @@ ssl3_get_client_hello(SSL *s) CBS_dup(&cbs, &ext_block); - i = ssl_get_prev_session(s, &session_id, &ext_block); + i = ssl_get_prev_session(s, &session_id, &ext_block, &al); if (i == 1) { /* previous session */ s->internal->hit = 1; } else if (i == -1) - goto err; + goto fatal_err; else { /* i == 0 */ if (!ssl_get_new_session(s, 1)) @@ -925,7 +932,7 @@ ssl3_get_client_hello(SSL *s) } } - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* * The ClientHello may contain a cookie even if the HelloVerify * message has not been sent - make sure that it does not cause @@ -934,7 +941,7 @@ ssl3_get_client_hello(SSL *s) if (CBS_len(&cookie) > sizeof(D1I(s)->rcvd_cookie)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto fatal_err; } /* Verify the cookie if appropriate option is set. */ @@ -952,7 +959,7 @@ ssl3_get_client_hello(SSL *s) D1I(s)->rcvd_cookie, cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto fatal_err; } /* else cookie verification succeeded */ /* XXX - can d1->cookie_len > sizeof(rcvd_cookie) ? */ @@ -961,7 +968,7 @@ ssl3_get_client_hello(SSL *s) /* default verification */ al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto fatal_err; } cookie_valid = 1; } @@ -972,7 +979,7 @@ ssl3_get_client_hello(SSL *s) /* we need a cipher if we are not resuming a session */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_NO_CIPHERS_SPECIFIED); - goto f_err; + goto fatal_err; } if (CBS_len(&cipher_suites) > 0) { @@ -1001,32 +1008,32 @@ ssl3_get_client_hello(SSL *s) */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; + goto fatal_err; } } comp_null = 0; while (CBS_len(&compression_methods) > 0) { if (!CBS_get_u8(&compression_methods, &comp_method)) - goto truncated; + goto decode_err; if (comp_method == 0) comp_null = 1; } if (comp_null == 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_NO_COMPRESSION_SPECIFIED); - goto f_err; + goto fatal_err; } - if (!tlsext_server_parse(s, &cbs, &al, SSL_TLSEXT_MSG_CH)) { + if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); - goto f_err; + goto fatal_err; } if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - goto f_err; + goto fatal_err; } if (ssl_check_clienthello_tlsext_early(s) <= 0) { @@ -1042,6 +1049,27 @@ ssl3_get_client_hello(SSL *s) */ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); + if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && + S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { + /* + * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 + * we must set the last 8 bytes of the server random to magical + * values to indicate we meant to downgrade. For TLS 1.2 it is + * recommended that we do the same. + */ + size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); + uint8_t *magic = &s->s3->server_random[index]; + if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION) { + /* Indicate we chose to downgrade to 1.2. */ + memcpy(magic, tls13_downgrade_12, + sizeof(tls13_downgrade_12)); + } else { + /* Indicate we chose to downgrade to 1.1 or lower */ + memcpy(magic, tls13_downgrade_11, + sizeof(tls13_downgrade_11)); + } + } + if (!s->internal->hit && s->internal->tls_session_secret_cb) { SSL_CIPHER *pref_cipher = NULL; @@ -1062,17 +1090,13 @@ ssl3_get_client_hello(SSL *s) if (pref_cipher == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_SHARED_CIPHER); - goto f_err; + goto fatal_err; } s->session->cipher = pref_cipher; sk_SSL_CIPHER_free(s->cipher_list); - sk_SSL_CIPHER_free(s->internal->cipher_list_by_id); - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); - s->internal->cipher_list_by_id = - sk_SSL_CIPHER_dup(s->session->ciphers); } } @@ -1087,7 +1111,7 @@ ssl3_get_client_hello(SSL *s) if (ciphers == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_NO_CIPHERS_PASSED); - goto f_err; + goto fatal_err; } ciphers = NULL; c = ssl3_choose_cipher(s, s->session->ciphers, @@ -1096,17 +1120,17 @@ ssl3_get_client_hello(SSL *s) if (c == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_SHARED_CIPHER); - goto f_err; + goto fatal_err; } - S3I(s)->hs.new_cipher = c; + S3I(s)->hs.cipher = c; } else { - S3I(s)->hs.new_cipher = s->session->cipher; + S3I(s)->hs.cipher = s->session->cipher; } if (!tls1_transcript_hash_init(s)) goto err; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || !(s->verify_mode & SSL_VERIFY_PEER)) tls1_transcript_free(s); @@ -1114,13 +1138,13 @@ ssl3_get_client_hello(SSL *s) /* * We now have the following setup. * client_random - * cipher_list - our prefered list of ciphers - * ciphers - the clients prefered list of ciphers + * cipher_list - our prefered list of ciphers + * ciphers - the clients prefered list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. * s->internal->hit - session reuse flag - * s->hs.new_cipher - the new cipher to use. + * s->hs.cipher - the new cipher to use. */ /* Handles TLS extensions that we couldn't check earlier */ @@ -1132,18 +1156,62 @@ ssl3_get_client_hello(SSL *s) ret = cookie_valid ? 2 : 1; if (0) { -truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -err: + err: sk_SSL_CIPHER_free(ciphers); return (ret); } +int +ssl3_send_dtls_hello_verify_request(SSL *s) +{ + CBB cbb, verify, cookie; + + memset(&cbb, 0, sizeof(cbb)); + + if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { + if (s->ctx->internal->app_gen_cookie_cb == NULL || + s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie, + &(D1I(s)->cookie_len)) == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + return 0; + } + + /* + * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should + * always contain DTLSv1.0 regardless of the version that is + * going to be negotiated. + */ + if (!ssl3_handshake_msg_start(s, &cbb, &verify, + DTLS1_MT_HELLO_VERIFY_REQUEST)) + goto err; + if (!CBB_add_u16(&verify, DTLS1_VERSION)) + goto err; + if (!CBB_add_u8_length_prefixed(&verify, &cookie)) + goto err; + if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)) + goto err; + if (!ssl3_handshake_msg_finish(s, &cbb)) + goto err; + + S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; + } + + /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ + return (ssl3_handshake_write(s)); + + err: + CBB_cleanup(&cbb); + + return (-1); +} + int ssl3_send_server_hello(SSL *s) { @@ -1197,7 +1265,7 @@ ssl3_send_server_hello(SSL *s) /* Cipher suite. */ if (!CBB_add_u16(&server_hello, - ssl3_cipher_get_value(S3I(s)->hs.new_cipher))) + ssl3_cipher_get_value(S3I(s)->hs.cipher))) goto err; /* Compression method (null). */ @@ -1205,7 +1273,7 @@ ssl3_send_server_hello(SSL *s) goto err; /* TLS extensions */ - if (!tlsext_server_build(s, &server_hello, SSL_TLSEXT_MSG_SH)) { + if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &server_hello)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -1261,19 +1329,19 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) if ((dhp = ssl_get_auto_dh(s)) == NULL) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; } } else dhp = s->cert->dh_tmp; if (dhp == NULL && s->cert->dh_tmp_cb != NULL) dhp = s->cert->dh_tmp_cb(s, 0, - SSL_C_PKEYLENGTH(S3I(s)->hs.new_cipher)); + SSL_C_PKEYLENGTH(S3I(s)->hs.cipher)); if (dhp == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); - goto f_err; + goto fatal_err; } if (S3I(s)->tmp.dh != NULL) { @@ -1319,7 +1387,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) return (1); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -1328,12 +1396,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) static int ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) { - const EC_GROUP *group; - const EC_POINT *pubkey; - unsigned char *data; - int encoded_len = 0; - int curve_id = 0; - BN_CTX *bn_ctx = NULL; + uint16_t curve_id; EC_KEY *ecdh; CBB ecpoint; int al; @@ -1352,39 +1415,20 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) goto err; } - if ((S3I(s)->tmp.ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { + if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY); - goto f_err; + goto fatal_err; } + S3I(s)->tmp.ecdh_nid = nid; ecdh = S3I(s)->tmp.ecdh; - if (!EC_KEY_generate_key(ecdh)) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((group = EC_KEY_get0_group(ecdh)) == NULL || - (pubkey = EC_KEY_get0_public_key(ecdh)) == NULL || - EC_KEY_get0_private_key(ecdh) == NULL) { - SSLerror(s, ERR_R_ECDH_LIB); + if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid)) goto err; - } /* * Encode the public key. - */ - encoded_len = EC_POINT_point2oct(group, pubkey, - POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); - if (encoded_len == 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* + * * Only named curves are supported in ECDH ephemeral key exchanges. * In this case the ServerKeyExchange message has: * [1 byte CurveType], [2 byte CurveName] @@ -1397,33 +1441,24 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) goto err; if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) goto err; - if (!CBB_add_space(&ecpoint, &data, encoded_len)) + if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint)) goto err; - if (EC_POINT_point2oct(group, pubkey, POINT_CONVERSION_UNCOMPRESSED, - data, encoded_len, bn_ctx) == 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } if (!CBB_flush(cbb)) goto err; - BN_CTX_free(bn_ctx); - return (1); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - BN_CTX_free(bn_ctx); - return (-1); } static int ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) { - uint8_t *public_key = NULL; - int curve_id; + uint8_t *public_key = NULL, *private_key = NULL; + uint16_t curve_id; CBB ecpoint; int ret = -1; @@ -1432,11 +1467,11 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL) + if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) goto err; if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) goto err; - X25519_keypair(public_key, S3I(s)->tmp.x25519); + X25519_keypair(public_key, private_key); /* Serialize public key. */ if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) { @@ -1455,10 +1490,13 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) if (!CBB_flush(cbb)) goto err; + S3I(s)->tmp.x25519 = private_key; + private_key = NULL; ret = 1; err: free(public_key); + freezero(private_key, X25519_KEY_LENGTH); return (ret); } @@ -1506,7 +1544,7 @@ ssl3_send_server_key_exchange(SSL *s) if (!CBB_init(&cbb_params, 0)) goto err; - type = S3I(s)->hs.new_cipher->algorithm_mkey; + type = S3I(s)->hs.cipher->algorithm_mkey; if (type & SSL_kDHE) { if (ssl3_send_server_kex_dhe(s, &cbb_params) != 1) goto err; @@ -1516,7 +1554,7 @@ ssl3_send_server_key_exchange(SSL *s) } else { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); - goto f_err; + goto fatal_err; } if (!CBB_finish(&cbb_params, ¶ms, ¶ms_len)) @@ -1526,11 +1564,11 @@ ssl3_send_server_key_exchange(SSL *s) goto err; /* Add signature unless anonymous. */ - if (!(S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL)) { - if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.new_cipher, + if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { + if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.cipher, &md, &sigalg)) == NULL) { al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } /* Send signature algorithm. */ @@ -1538,7 +1576,7 @@ ssl3_send_server_key_exchange(SSL *s) if (!CBB_add_u16(&server_kex, sigalg->value)) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; } } @@ -1601,7 +1639,7 @@ ssl3_send_server_key_exchange(SSL *s) return (ssl3_handshake_write(s)); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: CBB_cleanup(&cbb_params); @@ -1692,15 +1730,17 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) int al = -1; arc4random_buf(fakekey, sizeof(fakekey)); + + /* XXX - peer max protocol version. */ fakekey[0] = s->client_version >> 8; fakekey[1] = s->client_version & 0xff; - pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; + pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE); - goto f_err; + goto fatal_err; } rsa = pkey->pkey.rsa; @@ -1712,7 +1752,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) p = pms; if (!CBS_get_u16_length_prefixed(cbs, &enc_pms)) - goto truncated; + goto decode_err; if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) { SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); goto err; @@ -1728,6 +1768,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ } + /* XXX - peer max version. */ if ((al == -1) && !((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) { /* @@ -1760,16 +1801,16 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) s->session->master_key_length = tls1_generate_master_secret(s, - s->session->master_key, p, SSL_MAX_MASTER_KEY_LENGTH); + s->session->master_key, p, SSL_MAX_MASTER_KEY_LENGTH); freezero(pms, pms_len); return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: freezero(pms, pms_len); @@ -1780,21 +1821,22 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) static int ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) { - int key_size = 0, key_len, al; + int key_size = 0; + int key_is_invalid, key_len, al; unsigned char *key = NULL; BIGNUM *bn = NULL; CBS dh_Yc; DH *dh; if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc)) - goto truncated; + goto decode_err; if (CBS_len(cbs) != 0) - goto truncated; + goto decode_err; if (S3I(s)->tmp.dh == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); - goto f_err; + goto fatal_err; } dh = S3I(s)->tmp.dh; @@ -1811,9 +1853,20 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } + if (!DH_check_pub_key(dh, bn, &key_is_invalid)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_DH_LIB); + goto fatal_err; + } + if (key_is_invalid) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, ERR_R_DH_LIB); + goto fatal_err; + } if ((key_len = DH_compute_key(key, bn, dh)) <= 0) { + al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_DH_LIB); - goto err; + goto fatal_err; } s->session->master_key_length = tls1_generate_master_secret(s, @@ -1827,10 +1880,10 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: freezero(key, key_size); @@ -1842,20 +1895,13 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) static int ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs) { - unsigned char *key = NULL; - int key_size = 0, key_len; - EC_POINT *point = NULL; - BN_CTX *bn_ctx = NULL; - const EC_GROUP *group; + uint8_t *key = NULL; + size_t key_len = 0; + EC_KEY *ecdh_peer = NULL; EC_KEY *ecdh; CBS public; int ret = -1; - if (!CBS_get_u8_length_prefixed(cbs, &public)) - goto err; - if (CBS_len(cbs) != 0) - goto err; - /* * Use the ephemeral values we saved when generating the * ServerKeyExchange message. @@ -1864,54 +1910,38 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs) SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - group = EC_KEY_get0_group(ecdh); /* * Get client's public key from encoded point in the ClientKeyExchange * message. */ - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - if ((point = EC_POINT_new(group)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + if (!CBS_get_u8_length_prefixed(cbs, &public)) goto err; - } - if (EC_POINT_oct2point(group, point, CBS_data(&public), - CBS_len(&public), bn_ctx) == 0) { - SSLerror(s, ERR_R_EC_LIB); + if (CBS_len(cbs) != 0) goto err; - } - /* Compute the shared pre-master secret */ - if ((key_size = ECDH_size(ecdh)) <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((key = malloc(key_size)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + if ((ecdh_peer = EC_KEY_new()) == NULL) goto err; - } - if ((key_len = ECDH_compute_key(key, key_size, point, ecdh, - NULL)) <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); + + if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid, + &public)) goto err; - } - /* Compute the master secret */ + /* Derive the shared secret and compute master secret. */ + if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len)) + goto err; s->session->master_key_length = tls1_generate_master_secret(s, s->session->master_key, key, key_len); EC_KEY_free(S3I(s)->tmp.ecdh); S3I(s)->tmp.ecdh = NULL; + S3I(s)->tmp.ecdh_nid = NID_undef; ret = 1; err: - freezero(key, key_size); - EC_POINT_free(point); - BN_CTX_free(bn_ctx); + freezero(key, key_len); + EC_KEY_free(ecdh_peer); return (ret); } @@ -1953,7 +1983,7 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs) static int ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs) { - if (S3I(s)->tmp.x25519 != NULL) + if (S3I(s)->tmp.x25519 != NULL) return ssl3_get_client_kex_ecdhe_ecx(s, cbs); return ssl3_get_client_kex_ecdhe_ecp(s, cbs); @@ -1972,7 +2002,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) int ret = 0; /* Get our certificate private key*/ - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; if (alg_a & SSL_aGOST01) pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; @@ -1996,9 +2026,9 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) /* Decrypt session key */ if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE)) - goto truncated; + goto decode_err; if (CBS_len(cbs) != 0) - goto truncated; + goto decode_err; if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) { SSLerror(s, SSL_R_DECRYPTION_FAILED); @@ -2024,7 +2054,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) else goto err; - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -2041,7 +2071,7 @@ ssl3_get_client_key_exchange(SSL *s) long n; /* 2048 maxlen is a guess. How long a key does that permit? */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, + n = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok); if (!ok) return ((int)n); @@ -2051,7 +2081,7 @@ ssl3_get_client_key_exchange(SSL *s) CBS_init(&cbs, s->internal->init_msg, n); - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (alg_k & SSL_kRSA) { if (ssl3_get_client_kex_rsa(s, &cbs) != 1) @@ -2068,18 +2098,18 @@ ssl3_get_client_key_exchange(SSL *s) } else { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE); - goto f_err; + goto fatal_err; } if (CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - goto f_err; + goto fatal_err; } return (1); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -2103,7 +2133,7 @@ ssl3_get_cert_verify(SSL *s) EVP_MD_CTX_init(&mctx); - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, + n = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok); if (!ok) return ((int)n); @@ -2124,7 +2154,7 @@ ssl3_get_cert_verify(SSL *s) if (peer != NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE); - goto f_err; + goto fatal_err; } ret = 1; goto end; @@ -2133,19 +2163,19 @@ ssl3_get_cert_verify(SSL *s) if (peer == NULL) { SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } if (!(type & EVP_PKT_SIGN)) { SSLerror(s, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; + goto fatal_err; } if (S3I(s)->change_cipher_spec) { SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } if (!SSL_USE_SIGALGS(s)) { @@ -2154,12 +2184,12 @@ ssl3_get_cert_verify(SSL *s) if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } if (CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; + goto fatal_err; } } @@ -2168,18 +2198,18 @@ ssl3_get_cert_verify(SSL *s) uint16_t sigalg_value; if (!CBS_get_u16(&cbs, &sigalg_value)) - goto truncated; + goto decode_err; if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, tls12_sigalgs_len)) == NULL || (md = sigalg->md()) == NULL) { SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) { SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } if (!CBS_get_u16_length_prefixed(&cbs, &signature)) @@ -2187,41 +2217,48 @@ ssl3_get_cert_verify(SSL *s) if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } if (CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; + goto fatal_err; } if (!tls1_transcript_data(s, &hdata, &hdatalen)) { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (!EVP_DigestVerifyInit(&mctx, &pctx, md, NULL, pkey)) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && (!EVP_PKEY_CTX_set_rsa_padding (pctx, RSA_PKCS1_PSS_PADDING) || !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; + } + if (sigalg->key_type == EVP_PKEY_GOSTR01 && + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY, + EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, + NULL) <= 0) { + al = SSL_AD_INTERNAL_ERROR; + goto fatal_err; } if (!EVP_DigestVerifyUpdate(&mctx, hdata, hdatalen)) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (EVP_DigestVerifyFinal(&mctx, CBS_data(&signature), CBS_len(&signature)) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); - goto f_err; + goto fatal_err; } } else if (pkey->type == EVP_PKEY_RSA) { verify = RSA_verify(NID_md5_sha1, S3I(s)->tmp.cert_verify_md, @@ -2230,12 +2267,12 @@ ssl3_get_cert_verify(SSL *s) if (verify < 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_RSA_DECRYPT); - goto f_err; + goto fatal_err; } if (verify == 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); - goto f_err; + goto fatal_err; } } else if (pkey->type == EVP_PKEY_EC) { verify = ECDSA_verify(pkey->save_type, @@ -2245,7 +2282,7 @@ ssl3_get_cert_verify(SSL *s) if (verify <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); - goto f_err; + goto fatal_err; } #ifndef OPENSSL_NO_GOST } else if (pkey->type == NID_id_GostR3410_94 || @@ -2258,18 +2295,18 @@ ssl3_get_cert_verify(SSL *s) if (!tls1_transcript_data(s, &hdata, &hdatalen)) { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || !(md = EVP_get_digestbynid(nid))) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (!EVP_DigestInit_ex(&mctx, md, NULL) || !EVP_DigestUpdate(&mctx, hdata, hdatalen) || @@ -2282,14 +2319,14 @@ ssl3_get_cert_verify(SSL *s) SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; EVP_PKEY_CTX_free(pctx); - goto f_err; + goto fatal_err; } if (EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature), sigbuf, siglen) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); EVP_PKEY_CTX_free(pctx); - goto f_err; + goto fatal_err; } EVP_PKEY_CTX_free(pctx); @@ -2297,15 +2334,15 @@ ssl3_get_cert_verify(SSL *s) } else { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_UNSUPPORTED_CERTIFICATE; - goto f_err; + goto fatal_err; } ret = 1; if (0) { - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } end: @@ -2326,18 +2363,17 @@ ssl3_get_client_certificate(SSL *s) const unsigned char *q; STACK_OF(X509) *sk = NULL; - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, + n = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, s->internal->max_cert_list, &ok); - if (!ok) return ((int)n); if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + goto fatal_err; } /* * If tls asked for a client cert, @@ -2347,7 +2383,7 @@ ssl3_get_client_certificate(SSL *s) SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST ); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } S3I(s)->tmp.reuse_message = 1; return (1); @@ -2356,11 +2392,11 @@ ssl3_get_client_certificate(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cbs, s->internal->init_msg, n); @@ -2371,7 +2407,7 @@ ssl3_get_client_certificate(SSL *s) if (!CBS_get_u24_length_prefixed(&cbs, &client_certs) || CBS_len(&cbs) != 0) - goto truncated; + goto decode_err; while (CBS_len(&client_certs) > 0) { CBS cert; @@ -2379,7 +2415,7 @@ ssl3_get_client_certificate(SSL *s) if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } q = CBS_data(&cert); @@ -2391,7 +2427,7 @@ ssl3_get_client_certificate(SSL *s) if (q != CBS_data(&cert) + CBS_len(&cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (!sk_X509_push(sk, x)) { SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -2409,7 +2445,7 @@ ssl3_get_client_certificate(SSL *s) (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + goto fatal_err; } /* No client certificate so free transcript. */ tls1_transcript_free(s); @@ -2418,7 +2454,7 @@ ssl3_get_client_certificate(SSL *s) if (i <= 0) { al = ssl_verify_alarm_type(s->verify_result); SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED); - goto f_err; + goto fatal_err; } } @@ -2449,13 +2485,13 @@ ssl3_get_client_certificate(SSL *s) ret = 1; if (0) { -truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -err: + err: X509_free(x); sk_X509_pop_free(sk, X509_free); @@ -2650,7 +2686,7 @@ ssl3_send_cert_status(SSL *s) if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp)) goto err; if (!CBB_add_bytes(&ocspresp, s->internal->tlsext_ocsp_resp, - s->internal->tlsext_ocsp_resplen)) + s->internal->tlsext_ocsp_resp_len)) goto err; if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c index 91b74b5d..797eb840 100644 --- a/ssl/ssl_tlsext.c +++ b/ssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.49 2019/05/29 17:28:37 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.89 2021/03/29 16:46:09 jsing Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -16,7 +16,9 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include + +#include + #include #include "ssl_locl.h" @@ -30,15 +32,15 @@ */ int -tlsext_alpn_client_needs(SSL *s) +tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) { /* ALPN protos have been specified and this is the initial handshake */ return s->internal->alpn_client_proto_list != NULL && - S3I(s)->tmp.finish_md_len == 0; + S3I(s)->hs.finished_len == 0; } int -tlsext_alpn_client_build(SSL *s, CBB *cbb) +tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB protolist; @@ -56,7 +58,7 @@ tlsext_alpn_client_build(SSL *s, CBB *cbb) } int -tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) { CBS proto_name_list, alpn; const unsigned char *selected; @@ -89,6 +91,7 @@ tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) if (r == SSL_TLSEXT_ERR_OK) { free(S3I(s)->alpn_selected); if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { + S3I(s)->alpn_selected_len = 0; *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -104,13 +107,13 @@ tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_alpn_server_needs(SSL *s) +tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) { return S3I(s)->alpn_selected != NULL; } int -tlsext_alpn_server_build(SSL *s, CBB *cbb) +tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB list, selected; @@ -131,7 +134,7 @@ tlsext_alpn_server_build(SSL *s, CBB *cbb) } int -tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS list, proto; @@ -168,14 +171,14 @@ tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) * Supported Groups - RFC 7919 section 2 */ int -tlsext_supportedgroups_client_needs(SSL *s) +tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) { return ssl_has_ecc_ciphers(s) || - (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); + (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); } int -tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) +tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { const uint16_t *groups; size_t groups_len; @@ -203,7 +206,8 @@ tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) } int -tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { CBS grouplist; size_t groups_len; @@ -222,6 +226,33 @@ tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) uint16_t *groups; int i; + if (S3I(s)->hs.tls13.hrr) { + if (SSI(s)->tlsext_supportedgroups == NULL) { + *alert = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } + /* + * In the case of TLSv1.3 the client cannot change + * the supported groups. + */ + if (groups_len != SSI(s)->tlsext_supportedgroups_length) { + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + for (i = 0; i < groups_len; i++) { + uint16_t group; + + if (!CBS_get_u16(&grouplist, &group)) + goto err; + if (SSI(s)->tlsext_supportedgroups[i] != group) { + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + } + + return 1; + } + if (SSI(s)->tlsext_supportedgroups != NULL) goto err; @@ -256,19 +287,20 @@ tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) /* This extension is never used by the server. */ int -tlsext_supportedgroups_server_needs(SSL *s) +tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) { return 0; } int -tlsext_supportedgroups_server_build(SSL *s, CBB *cbb) +tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return 0; } int -tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { /* * Servers should not send this extension per the RFC. @@ -292,7 +324,7 @@ tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) * Supported Point Formats Extension - RFC 4492 section 5.1.2 */ static int -tlsext_ecpf_build(SSL *s, CBB *cbb) +tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB ecpf; size_t formats_len; @@ -316,7 +348,7 @@ tlsext_ecpf_build(SSL *s, CBB *cbb) } static int -tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS ecpf; @@ -349,55 +381,52 @@ tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_ecpf_client_needs(SSL *s) +tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) { return ssl_has_ecc_ciphers(s); } int -tlsext_ecpf_client_build(SSL *s, CBB *cbb) +tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_ecpf_build(s, cbb); + return tlsext_ecpf_build(s, msg_type, cbb); } int -tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - return tlsext_ecpf_parse(s, cbs, alert); + return tlsext_ecpf_parse(s, msg_type, cbs, alert); } int -tlsext_ecpf_server_needs(SSL *s) +tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) { - if (s->version == DTLS1_VERSION) - return 0; - return ssl_using_ecc_cipher(s); } int -tlsext_ecpf_server_build(SSL *s, CBB *cbb) +tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_ecpf_build(s, cbb); + return tlsext_ecpf_build(s, msg_type, cbb); } int -tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - return tlsext_ecpf_parse(s, cbs, alert); + return tlsext_ecpf_parse(s, msg_type, cbs, alert); } /* * Renegotiation Indication - RFC 5746. */ int -tlsext_ri_client_needs(SSL *s) +tlsext_ri_client_needs(SSL *s, uint16_t msg_type) { return (s->internal->renegotiate); } int -tlsext_ri_client_build(SSL *s, CBB *cbb) +tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB reneg; @@ -413,7 +442,7 @@ tlsext_ri_client_build(SSL *s, CBB *cbb) } int -tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS reneg; @@ -441,13 +470,14 @@ tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_ri_server_needs(SSL *s) +tlsext_ri_server_needs(SSL *s, uint16_t msg_type) { - return (S3I(s)->send_connection_binding); + return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && + S3I(s)->send_connection_binding); } int -tlsext_ri_server_build(SSL *s, CBB *cbb) +tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB reneg; @@ -466,7 +496,7 @@ tlsext_ri_server_build(SSL *s, CBB *cbb) } int -tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS reneg, prev_client, prev_server; @@ -523,20 +553,19 @@ tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) * Signature Algorithms - RFC 5246 section 7.4.1.4.1. */ int -tlsext_sigalgs_client_needs(SSL *s) +tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) { - return (TLS1_get_client_version(s) >= TLS1_2_VERSION); + return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); } int -tlsext_sigalgs_client_build(SSL *s, CBB *cbb) +tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - uint16_t *tls_sigalgs = tls12_sigalgs; + const uint16_t *tls_sigalgs = tls12_sigalgs; size_t tls_sigalgs_len = tls12_sigalgs_len; CBB sigalgs; - if (TLS1_get_client_version(s) >= TLS1_3_VERSION && - S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { + if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) { tls_sigalgs = tls13_sigalgs; tls_sigalgs_len = tls13_sigalgs_len; } @@ -554,7 +583,7 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb) } int -tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS sigalgs; @@ -569,35 +598,64 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_sigalgs_server_needs(SSL *s) +tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) { - return 0; + return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); } int -tlsext_sigalgs_server_build(SSL *s, CBB *cbb) +tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return 0; + const uint16_t *tls_sigalgs = tls12_sigalgs; + size_t tls_sigalgs_len = tls12_sigalgs_len; + CBB sigalgs; + + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { + tls_sigalgs = tls13_sigalgs; + tls_sigalgs_len = tls13_sigalgs_len; + } + + if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) + return 0; + + if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; } int -tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* As per the RFC, servers must not send this extension. */ - return 0; + CBS sigalgs; + + if (ssl_effective_tls_version(s) < TLS1_3_VERSION) + return 0; + + if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) + return 0; + if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) + return 0; + if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) + return 0; + + return 1; } /* * Server Name Indication - RFC 6066, section 3. */ int -tlsext_sni_client_needs(SSL *s) +tlsext_sni_client_needs(SSL *s, uint16_t msg_type) { return (s->tlsext_hostname != NULL); } int -tlsext_sni_client_build(SSL *s, CBB *cbb) +tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB server_name_list, host_name; @@ -616,8 +674,57 @@ tlsext_sni_client_build(SSL *s, CBB *cbb) return 1; } +/* + * Validate that the CBS contains only a hostname consisting of RFC 5890 + * compliant A-labels (see RFC 6066 section 3). Not a complete check + * since we don't parse punycode to verify its validity but limits to + * correct structure and character set. + */ +int +tlsext_sni_is_valid_hostname(CBS *cbs) +{ + uint8_t prev, c = 0; + int component = 0; + CBS hostname; + + CBS_dup(cbs, &hostname); + + if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) + return 0; + + while(CBS_len(&hostname) > 0) { + prev = c; + if (!CBS_get_u8(&hostname, &c)) + return 0; + /* Everything has to be ASCII, with no NUL byte. */ + if (!isascii(c) || c == '\0') + return 0; + /* It must be alphanumeric, a '-', or a '.' */ + if (!isalnum(c) && c != '-' && c != '.') + return 0; + /* '-' and '.' must not start a component or be at the end. */ + if (component == 0 || CBS_len(&hostname) == 0) { + if (c == '-' || c == '.') + return 0; + } + if (c == '.') { + /* Components can not end with a dash. */ + if (prev == '-') + return 0; + /* Start new component */ + component = 0; + continue; + } + /* Components must be 63 chars or less. */ + if (++component > 63) + return 0; + } + + return 1; +} + int -tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS server_name_list, host_name; uint8_t name_type; @@ -625,57 +732,71 @@ tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) goto err; - /* - * RFC 6066 section 3 forbids multiple host names with the same type. - * Additionally, only one type (host_name) is specified. - */ if (!CBS_get_u8(&server_name_list, &name_type)) goto err; - if (name_type != TLSEXT_NAMETYPE_host_name) + /* + * RFC 6066 section 3, only one type (host_name) is specified. + * We do not tolerate unknown types, neither does BoringSSL. + * other implementations appear more tolerant. + */ + if (name_type != TLSEXT_NAMETYPE_host_name) { + *alert = SSL3_AD_ILLEGAL_PARAMETER; goto err; + } + if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) goto err; - if (CBS_len(&host_name) == 0 || - CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || - CBS_contains_zero_byte(&host_name)) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; - return 0; + /* + * RFC 6066 section 3 specifies a host name must be at least 1 byte + * so 0 length is a decode error. + */ + if (CBS_len(&host_name) < 1) + goto err; + + if (!tlsext_sni_is_valid_hostname(&host_name)) { + *alert = SSL3_AD_ILLEGAL_PARAMETER; + goto err; } - if (s->internal->hit) { + if (s->internal->hit || S3I(s)->hs.tls13.hrr) { if (s->session->tlsext_hostname == NULL) { *alert = TLS1_AD_UNRECOGNIZED_NAME; - return 0; + goto err; } if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, strlen(s->session->tlsext_hostname))) { *alert = TLS1_AD_UNRECOGNIZED_NAME; - return 0; + goto err; } } else { if (s->session->tlsext_hostname != NULL) goto err; if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { *alert = TLS1_AD_INTERNAL_ERROR; - return 0; + goto err; } } - if (CBS_len(&server_name_list) != 0) + /* + * RFC 6066 section 3 forbids multiple host names with the same type, + * therefore we allow only one entry. + */ + if (CBS_len(&server_name_list) != 0) { + *alert = SSL3_AD_ILLEGAL_PARAMETER; goto err; + } if (CBS_len(cbs) != 0) goto err; return 1; err: - *alert = SSL_AD_DECODE_ERROR; return 0; } int -tlsext_sni_server_needs(SSL *s) +tlsext_sni_server_needs(SSL *s, uint16_t msg_type) { if (s->internal->hit) return 0; @@ -684,13 +805,13 @@ tlsext_sni_server_needs(SSL *s) } int -tlsext_sni_server_build(SSL *s, CBB *cbb) +tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return 1; } int -tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { *alert = TLS1_AD_UNRECOGNIZED_NAME; @@ -724,18 +845,20 @@ tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) /* - *Certificate Status Request - RFC 6066 section 8. + * Certificate Status Request - RFC 6066 section 8. */ int -tlsext_ocsp_client_needs(SSL *s) +tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) { - return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION); + if (msg_type != SSL_TLSEXT_MSG_CH) + return 0; + + return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); } int -tlsext_ocsp_client_build(SSL *s, CBB *cbb) +tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB respid_list, respid, exts; unsigned char *ext_data; @@ -779,14 +902,17 @@ tlsext_ocsp_client_build(SSL *s, CBB *cbb) } int -tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - int failure = SSL_AD_DECODE_ERROR; + int alert_desc = SSL_AD_DECODE_ERROR; CBS respid_list, respid, exts; const unsigned char *p; uint8_t status_type; int ret = 0; + if (msg_type != SSL_TLSEXT_MSG_CH) + goto err; + if (!CBS_get_u8(cbs, &status_type)) goto err; if (status_type != TLSEXT_STATUSTYPE_ocsp) { @@ -809,7 +935,7 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) if (CBS_len(&respid_list) > 0) { s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); if (s->internal->tlsext_ocsp_ids == NULL) { - failure = SSL_AD_INTERNAL_ERROR; + alert_desc = SSL_AD_INTERNAL_ERROR; goto err; } } @@ -823,7 +949,7 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) goto err; if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { - failure = SSL_AD_INTERNAL_ERROR; + alert_desc = SSL_AD_INTERNAL_ERROR; OCSP_RESPID_free(id); goto err; } @@ -848,31 +974,92 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) ret = 1; err: if (ret == 0) - *alert = failure; + *alert = alert_desc; return ret; } int -tlsext_ocsp_server_needs(SSL *s) +tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) { + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && + s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && + s->ctx->internal->tlsext_status_cb != NULL) { + s->internal->tlsext_status_expected = 0; + if (s->ctx->internal->tlsext_status_cb(s, + s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && + s->internal->tlsext_ocsp_resp_len > 0) + s->internal->tlsext_status_expected = 1; + } return s->internal->tlsext_status_expected; } int -tlsext_ocsp_server_build(SSL *s, CBB *cbb) +tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { + CBB ocsp_response; + + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { + if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) + return 0; + if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) + return 0; + if (!CBB_add_bytes(&ocsp_response, + s->internal->tlsext_ocsp_resp, + s->internal->tlsext_ocsp_resp_len)) + return 0; + if (!CBB_flush(cbb)) + return 0; + } return 1; } int -tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - if (s->tlsext_status_type == -1) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; + uint8_t status_type; + CBS response; + + if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { + if (msg_type == SSL_TLSEXT_MSG_CR) { + /* + * RFC 8446, 4.4.2.1 - the server may request an OCSP + * response with an empty status_request. + */ + if (CBS_len(cbs) == 0) + return 1; + + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } + if (!CBS_get_u8(cbs, &status_type)) { + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } + if (status_type != TLSEXT_STATUSTYPE_ocsp) { + SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); + return 0; + } + if (!CBS_get_u24_length_prefixed(cbs, &response)) { + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } + if (CBS_len(&response) > 65536) { + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); + return 0; + } + if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, + &s->internal->tlsext_ocsp_resp_len)) { + *alert = SSL_AD_INTERNAL_ERROR; + return 0; + } + } else { + if (s->tlsext_status_type == -1) { + *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + return 0; + } + /* Set flag to expect CertificateStatus message */ + s->internal->tlsext_status_expected = 1; } - /* Set flag to expect CertificateStatus message */ - s->internal->tlsext_status_expected = 1; return 1; } @@ -880,7 +1067,7 @@ tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) * SessionTicket extension - RFC 5077 section 3.2 */ int -tlsext_sessionticket_client_needs(SSL *s) +tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) { /* * Send session ticket extension when enabled and not overridden. @@ -901,7 +1088,7 @@ tlsext_sessionticket_client_needs(SSL *s) } int -tlsext_sessionticket_client_build(SSL *s, CBB *cbb) +tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* * Signal that we support session tickets by sending an empty @@ -944,7 +1131,8 @@ tlsext_sessionticket_client_build(SSL *s, CBB *cbb) } int -tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { if (s->internal->tls_session_ticket_ext_cb) { if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), @@ -965,21 +1153,22 @@ tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_sessionticket_server_needs(SSL *s) +tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) { return (s->internal->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)); } int -tlsext_sessionticket_server_build(SSL *s, CBB *cbb) +tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* Empty ticket */ return 1; } int -tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { if (s->internal->tls_session_ticket_ext_cb) { if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), @@ -1007,18 +1196,18 @@ tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) #ifndef OPENSSL_NO_SRTP int -tlsext_srtp_client_needs(SSL *s) +tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) { - return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; + return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; } int -tlsext_srtp_client_build(SSL *s, CBB *cbb) +tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB profiles, mki; int ct, i; STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; - SRTP_PROTECTION_PROFILE *prof; + const SRTP_PROTECTION_PROFILE *prof; if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); @@ -1050,9 +1239,9 @@ tlsext_srtp_client_build(SSL *s, CBB *cbb) } int -tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - SRTP_PROTECTION_PROFILE *cprof, *sprof; + const SRTP_PROTECTION_PROFILE *cprof, *sprof; STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; int i, j; int ret; @@ -1130,13 +1319,13 @@ tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_srtp_server_needs(SSL *s) +tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) { - return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; + return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; } int -tlsext_srtp_server_build(SSL *s, CBB *cbb) +tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { SRTP_PROTECTION_PROFILE *profile; CBB srtp, mki; @@ -1160,10 +1349,10 @@ tlsext_srtp_server_build(SSL *s, CBB *cbb) } int -tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; - SRTP_PROTECTION_PROFILE *prof; + const SRTP_PROTECTION_PROFILE *prof; int i; uint16_t id; CBS profile_ids, mki; @@ -1214,94 +1403,70 @@ tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) * TLSv1.3 Key Share - RFC 8446 section 4.2.8. */ int -tlsext_keyshare_client_needs(SSL *s) +tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) { - /* XXX once this gets initialized when we get tls13_client.c */ - if (S3I(s)->hs_tls13.max_version == 0) - return 0; - return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= - TLS1_3_VERSION); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); } int -tlsext_keyshare_client_build(SSL *s, CBB *cbb) +tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - uint8_t *public_key = NULL, *private_key = NULL; - CBB client_shares, key_exchange; + CBB client_shares; - /* Generate and provide key shares. */ if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) return 0; - /* XXX - other groups. */ - - /* Generate X25519 key pair. */ - if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - X25519_keypair(public_key, private_key); - - /* Add the group and serialize the public key. */ - if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519))) - goto err; - if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) - goto err; - if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) - goto err; + if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, + &client_shares)) + return 0; if (!CBB_flush(cbb)) - goto err; - - S3I(s)->hs_tls13.x25519_public = public_key; - S3I(s)->hs_tls13.x25519_private = private_key; + return 0; return 1; - - err: - freezero(public_key, X25519_KEY_LENGTH); - freezero(private_key, X25519_KEY_LENGTH); - - return 0; } int -tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - CBS client_shares; - CBS key_exchange; + CBS client_shares, key_exchange; uint16_t group; - size_t out_len; if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) goto err; - if (CBS_len(cbs) != 0) - goto err; - while (CBS_len(&client_shares) > 0) { /* Unpack client share. */ if (!CBS_get_u16(&client_shares, &group)) goto err; - if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) - goto err; + return 0; /* - * Skip this client share if not X25519 - * XXX support other groups later. - * XXX enforce group can only appear once. + * XXX - check key exchange against supported groups from client. + * XXX - check that groups only appear once. */ - if (S3I(s)->hs_tls13.x25519_peer_public != NULL || - group != tls1_ec_nid2curve_id(NID_X25519)) + + /* + * Ignore this client share if we're using earlier than TLSv1.3 + * or we've already selected a key share. + */ + if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) + continue; + if (S3I(s)->hs.tls13.key_share != NULL) continue; - if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) - goto err; + /* XXX - consider implementing server preference. */ + if (!tls1_check_curve(s, group)) + continue; - if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, - &out_len)) + /* Decode and store the selected key share. */ + S3I(s)->hs.tls13.key_share = tls13_key_share_new(group); + if (S3I(s)->hs.tls13.key_share == NULL) + goto err; + if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, + group, &key_exchange)) goto err; } @@ -1313,79 +1478,56 @@ tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_keyshare_server_needs(SSL *s) +tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) - return 0; - - return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); + return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && + tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); } int -tlsext_keyshare_server_build(SSL *s, CBB *cbb) +tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - uint8_t *public_key = NULL, *private_key = NULL; - CBB key_exchange; - - /* XXX deduplicate with client code */ + /* In the case of a HRR, we only send the server selected group. */ + if (S3I(s)->hs.tls13.hrr) { + if (S3I(s)->hs.tls13.server_group == 0) + return 0; + return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); + } - /* X25519 */ - if (S3I(s)->hs_tls13.x25519_peer_public == NULL) + if (S3I(s)->hs.tls13.key_share == NULL) return 0; - /* Generate X25519 key pair. */ - if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - X25519_keypair(public_key, private_key); - - /* Add the group and serialize the public key. */ - if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519))) - goto err; - if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) - goto err; - if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) - goto err; - - if (!CBB_flush(cbb)) - goto err; - - S3I(s)->hs_tls13.x25519_public = public_key; - S3I(s)->hs_tls13.x25519_private = private_key; + if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb)) + return 0; return 1; - - err: - freezero(public_key, X25519_KEY_LENGTH); - freezero(private_key, X25519_KEY_LENGTH); - - return 0; } int -tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS key_exchange; uint16_t group; - size_t out_len; /* Unpack server share. */ if (!CBS_get_u16(cbs, &group)) goto err; - /* Handle other groups and verify that they're valid. */ - if (group != tls1_ec_nid2curve_id(NID_X25519)) - goto err; + if (CBS_len(cbs) == 0) { + /* HRR does not include an actual key share. */ + /* XXX - we should know that we are in a HRR... */ + S3I(s)->hs.tls13.server_group = group; + return 1; + } if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) - goto err; + return 0; - if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) - goto err; + if (S3I(s)->hs.tls13.key_share == NULL) + return 0; - if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, - &out_len)) + if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, + group, &key_exchange)) goto err; return 1; @@ -1399,25 +1541,20 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) * Supported Versions - RFC 8446 section 4.2.1. */ int -tlsext_versions_client_needs(SSL *s) +tlsext_versions_client_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s)) - return 0; - return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); } int -tlsext_versions_client_build(SSL *s, CBB *cbb) +tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { uint16_t max, min; uint16_t version; CBB versions; - max = S3I(s)->hs_tls13.max_version; - min = S3I(s)->hs_tls13.min_version; - - if (min < TLS1_VERSION) - return 0; + max = S3I(s)->hs.our_max_tls_version; + min = S3I(s)->hs.our_min_tls_version; if (!CBB_add_u8_length_prefixed(cbb, &versions)) return 0; @@ -1435,20 +1572,20 @@ tlsext_versions_client_build(SSL *s, CBB *cbb) } int -tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS versions; uint16_t version; uint16_t max, min; uint16_t matched_version = 0; - max = S3I(s)->hs_tls13.max_version; - min = S3I(s)->hs_tls13.min_version; + max = S3I(s)->hs.our_max_tls_version; + min = S3I(s)->hs.our_min_tls_version; if (!CBS_get_u8_length_prefixed(cbs, &versions)) goto err; - while (CBS_len(&versions) > 0) { + while (CBS_len(&versions) > 0) { if (!CBS_get_u16(&versions, &version)) goto err; /* @@ -1459,16 +1596,8 @@ tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) matched_version = version; } - /* - * XXX if we haven't matched a version we should - * fail - but we currently need to succeed to - * ignore this before the server code for 1.3 - * is set up and initialized. - */ - if (max == 0) - return 1; /* XXX */ - - if (matched_version != 0) { + if (matched_version > 0) { + /* XXX - this should be stored for later processing. */ s->version = matched_version; return 1; } @@ -1482,23 +1611,19 @@ tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_versions_server_needs(SSL *s) +tlsext_versions_server_needs(SSL *s, uint16_t msg_type) { - return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); + return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); } int -tlsext_versions_server_build(SSL *s, CBB *cbb) +tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - if (!CBB_add_u16(cbb, TLS1_3_VERSION)) - return 0; - /* XXX set 1.2 in legacy version? */ - - return 1; + return CBB_add_u16(cbb, TLS1_3_VERSION); } int -tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { uint16_t selected_version; @@ -1507,13 +1632,14 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) return 0; } + /* XXX - need to fix for DTLS 1.3 */ if (selected_version < TLS1_3_VERSION) { *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } /* XXX test between min and max once initialization code goes in */ - S3I(s)->hs_tls13.server_version = selected_version; + S3I(s)->hs.tls13.server_version = selected_version; return 1; } @@ -1524,26 +1650,22 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) */ int -tlsext_cookie_client_needs(SSL *s) +tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s)) - return 0; - if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) - return 0; - return (S3I(s)->hs_tls13.cookie_len > 0 && - S3I(s)->hs_tls13.cookie != NULL); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && + S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); } int -tlsext_cookie_client_build(SSL *s, CBB *cbb) +tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB cookie; if (!CBB_add_u16_length_prefixed(cbb, &cookie)) return 0; - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) + if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) return 0; if (!CBB_flush(cbb)) @@ -1553,14 +1675,14 @@ tlsext_cookie_client_build(SSL *s, CBB *cbb) } int -tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) +tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS cookie; if (!CBS_get_u16_length_prefixed(cbs, &cookie)) goto err; - if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) + if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) goto err; /* @@ -1568,8 +1690,8 @@ tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) * sent - client *MUST* send the same cookie with new CR after * a cookie is sent by the server with an HRR. */ - if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) { + if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) { /* XXX special cookie mismatch alert? */ *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; @@ -1583,23 +1705,18 @@ tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_cookie_server_needs(SSL *s) +tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) { - - if (SSL_IS_DTLS(s)) - return 0; - if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) - return 0; /* * Server needs to set cookie value in tls13 handshake * in order to send one, should only be sent with HRR. */ - return (S3I(s)->hs_tls13.cookie_len > 0 && - S3I(s)->hs_tls13.cookie != NULL); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && + S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); } int -tlsext_cookie_server_build(SSL *s, CBB *cbb) +tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB cookie; @@ -1608,8 +1725,8 @@ tlsext_cookie_server_build(SSL *s, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &cookie)) return 0; - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) + if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) return 0; if (!CBB_flush(cbb)) @@ -1619,7 +1736,7 @@ tlsext_cookie_server_build(SSL *s, CBB *cbb) } int -tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) +tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS cookie; @@ -1628,8 +1745,8 @@ tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) * HRR from a server with a cookie to process after accepting * one from the server in the same handshake */ - if (S3I(s)->hs_tls13.cookie != NULL || - S3I(s)->hs_tls13.cookie_len != 0) { + if (S3I(s)->hs.tls13.cookie != NULL || + S3I(s)->hs.tls13.cookie_len != 0) { *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } @@ -1637,8 +1754,8 @@ tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &cookie)) goto err; - if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, - &S3I(s)->hs_tls13.cookie_len)) + if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, + &S3I(s)->hs.tls13.cookie_len)) goto err; return 1; @@ -1649,9 +1766,9 @@ tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) } struct tls_extension_funcs { - int (*needs)(SSL *s); - int (*build)(SSL *s, CBB *cbb); - int (*parse)(SSL *s, CBS *cbs, int *alert); + int (*needs)(SSL *s, uint16_t msg_type); + int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); + int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); }; struct tls_extension { @@ -1661,7 +1778,7 @@ struct tls_extension { struct tls_extension_funcs server; }; -static struct tls_extension tls_extensions[] = { +static const struct tls_extension tls_extensions[] = { { .type = TLSEXT_TYPE_supported_versions, .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | @@ -1843,7 +1960,7 @@ static struct tls_extension tls_extensions[] = { /* Ensure that extensions fit in a uint32_t bitmask. */ CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); -struct tls_extension * +const struct tls_extension * tls_extension_find(uint16_t type, size_t *tls_extensions_idx) { size_t i; @@ -1868,29 +1985,26 @@ tlsext_extension_seen(SSL *s, uint16_t type) return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); } -static struct tls_extension_funcs * -tlsext_funcs(struct tls_extension *tlsext, int is_server) +static const struct tls_extension_funcs * +tlsext_funcs(const struct tls_extension *tlsext, int is_server) { if (is_server) return &tlsext->server; - return &tlsext->client; + return &tlsext->client; } static int -tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) +tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) { - struct tls_extension_funcs *ext; - struct tls_extension *tlsext; + const struct tls_extension_funcs *ext; + const struct tls_extension *tlsext; CBB extensions, extension_data; int extensions_present = 0; + uint16_t tls_version; size_t i; - uint16_t version; - if (is_server) - version = s->version; - else - version = TLS1_get_client_version(s); + tls_version = ssl_effective_tls_version(s); if (!CBB_add_u16_length_prefixed(cbb, &extensions)) return 0; @@ -1900,11 +2014,11 @@ tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) ext = tlsext_funcs(tlsext, is_server); /* RFC 8446 Section 4.2 */ - if (version >= TLS1_3_VERSION && + if (tls_version >= TLS1_3_VERSION && !(tlsext->messages & msg_type)) continue; - if (!ext->needs(s)) + if (!ext->needs(s, msg_type)) continue; if (!CBB_add_u16(&extensions, tlsext->type)) @@ -1912,13 +2026,14 @@ tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) return 0; - if (!ext->build(s, &extension_data)) + if (!ext->build(s, msg_type, &extension_data)) return 0; extensions_present = 1; } - if (!extensions_present) + if (!extensions_present && + (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) CBB_discard_child(cbb); if (!CBB_flush(cbb)) @@ -1927,37 +2042,62 @@ tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) return 1; } +int +tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) +{ + /* + * RFC 8446 4.1.2. For subsequent CH, early data will be removed, + * cookie may be added, padding may be removed. + */ + struct tls13_ctx *ctx = s->internal->tls13; + + if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || + type == TLSEXT_TYPE_padding) + return 1; + if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, + sizeof(type))) + return 0; + /* + * key_share data may be changed, and pre_shared_key data may + * be changed + */ + if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) + return 1; + if (!tls13_clienthello_hash_update(ctx, cbs)) + return 0; + + return 1; +} + static int -tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) +tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) { - struct tls_extension_funcs *ext; - struct tls_extension *tlsext; + const struct tls_extension_funcs *ext; + const struct tls_extension *tlsext; CBS extensions, extension_data; uint16_t type; size_t idx; - uint16_t version; + uint16_t tls_version; + int alert_desc; - S3I(s)->hs.extensions_seen = 0; + tls_version = ssl_effective_tls_version(s); - if (is_server) - version = s->version; - else - version = TLS1_get_client_version(s); + S3I(s)->hs.extensions_seen = 0; /* An empty extensions block is valid. */ if (CBS_len(cbs) == 0) return 1; - *alert = SSL_AD_DECODE_ERROR; + alert_desc = SSL_AD_DECODE_ERROR; if (!CBS_get_u16_length_prefixed(cbs, &extensions)) - return 0; + goto err; while (CBS_len(&extensions) > 0) { if (!CBS_get_u16(&extensions, &type)) - return 0; + goto err; if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) - return 0; + goto err; if (s->internal->tlsext_debug_cb != NULL) s->internal->tlsext_debug_cb(s, is_server, type, @@ -1965,57 +2105,70 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) CBS_len(&extension_data), s->internal->tlsext_debug_arg); + if (tls_version >= TLS1_3_VERSION && is_server && + msg_type == SSL_TLSEXT_MSG_CH) { + if (!tlsext_clienthello_hash_extension(s, type, + &extension_data)) + goto err; + } + /* Unknown extensions are ignored. */ if ((tlsext = tls_extension_find(type, &idx)) == NULL) continue; /* RFC 8446 Section 4.2 */ - if (version >= TLS1_3_VERSION && + if (tls_version >= TLS1_3_VERSION && !(tlsext->messages & msg_type)) { - *alert = SSL_AD_ILLEGAL_PARAMETER; - return 0; + alert_desc = SSL_AD_ILLEGAL_PARAMETER; + goto err; } /* Check for duplicate known extensions. */ if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) - return 0; + goto err; S3I(s)->hs.extensions_seen |= (1 << idx); ext = tlsext_funcs(tlsext, is_server); - if (!ext->parse(s, &extension_data, alert)) - return 0; + if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) + goto err; if (CBS_len(&extension_data) != 0) - return 0; + goto err; } return 1; + + err: + *alert = alert_desc; + + return 0; } static void tlsext_server_reset_state(SSL *s) { - s->internal->servername_done = 0; s->tlsext_status_type = -1; S3I(s)->renegotiate_seen = 0; free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; + S3I(s)->alpn_selected_len = 0; s->internal->srtp_profile = NULL; } int -tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type) +tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_build(s, cbb, 1, msg_type); + return tlsext_build(s, 1, msg_type, cbb); } int -tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) +tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* XXX - this possibly should be done by the caller... */ - tlsext_server_reset_state(s); + /* XXX - this should be done by the caller... */ + if (msg_type == SSL_TLSEXT_MSG_CH) + tlsext_server_reset_state(s); - return tlsext_parse(s, cbs, alert, 1, msg_type); + return tlsext_parse(s, 1, msg_type, cbs, alert); } static void @@ -2024,19 +2177,21 @@ tlsext_client_reset_state(SSL *s) S3I(s)->renegotiate_seen = 0; free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; + S3I(s)->alpn_selected_len = 0; } int -tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type) +tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_build(s, cbb, 0, msg_type); + return tlsext_build(s, 0, msg_type, cbb); } int -tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) +tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* XXX - this possibly should be done by the caller... */ - tlsext_client_reset_state(s); + /* XXX - this should be done by the caller... */ + if (msg_type == SSL_TLSEXT_MSG_SH) + tlsext_client_reset_state(s); - return tlsext_parse(s, cbs, alert, 0, msg_type); + return tlsext_parse(s, 0, msg_type, cbs, alert); } diff --git a/ssl/ssl_tlsext.h b/ssl/ssl_tlsext.h index 2121ef66..8e0742aa 100644 --- a/ssl/ssl_tlsext.h +++ b/ssl/ssl_tlsext.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.h,v 1.21 2019/01/28 15:44:33 beck Exp $ */ +/* $OpenBSD: ssl_tlsext.h,v 1.26 2020/10/11 01:13:04 guenther Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -27,103 +27,114 @@ #define SSL_TLSEXT_MSG_CT 0x0008 /* Certificate */ #define SSL_TLSEXT_MSG_CR 0x0010 /* CertificateRequest */ #define SSL_TLSEXT_MSG_NST 0x0020 /* NewSessionTicket */ -#define SSL_TLSEXT_MSG_HRR 0x0030 /* HelloRetryRequest */ +#define SSL_TLSEXT_MSG_HRR 0x0040 /* HelloRetryRequest */ __BEGIN_HIDDEN_DECLS -int tlsext_alpn_client_needs(SSL *s); -int tlsext_alpn_client_build(SSL *s, CBB *cbb); -int tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_alpn_server_needs(SSL *s); -int tlsext_alpn_server_build(SSL *s, CBB *cbb); -int tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_ri_client_needs(SSL *s); -int tlsext_ri_client_build(SSL *s, CBB *cbb); -int tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_ri_server_needs(SSL *s); -int tlsext_ri_server_build(SSL *s, CBB *cbb); -int tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_sigalgs_client_needs(SSL *s); -int tlsext_sigalgs_client_build(SSL *s, CBB *cbb); -int tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_sigalgs_server_needs(SSL *s); -int tlsext_sigalgs_server_build(SSL *s, CBB *cbb); -int tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_sni_client_needs(SSL *s); -int tlsext_sni_client_build(SSL *s, CBB *cbb); -int tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_sni_server_needs(SSL *s); -int tlsext_sni_server_build(SSL *s, CBB *cbb); -int tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_supportedgroups_client_needs(SSL *s); -int tlsext_supportedgroups_client_build(SSL *s, CBB *cbb); -int tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_supportedgroups_server_needs(SSL *s); -int tlsext_supportedgroups_server_build(SSL *s, CBB *cbb); -int tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_ecpf_client_needs(SSL *s); -int tlsext_ecpf_client_build(SSL *s, CBB *cbb); -int tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_ecpf_server_needs(SSL *s); -int tlsext_ecpf_server_build(SSL *s, CBB *cbb); -int tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_ocsp_client_needs(SSL *s); -int tlsext_ocsp_client_build(SSL *s, CBB *cbb); -int tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_ocsp_server_needs(SSL *s); -int tlsext_ocsp_server_build(SSL *s, CBB *cbb); -int tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_sessionticket_client_needs(SSL *s); -int tlsext_sessionticket_client_build(SSL *s, CBB *cbb); -int tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_sessionticket_server_needs(SSL *s); -int tlsext_sessionticket_server_build(SSL *s, CBB *cbb); -int tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_versions_client_needs(SSL *s); -int tlsext_versions_client_build(SSL *s, CBB *cbb); -int tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_versions_server_needs(SSL *s); -int tlsext_versions_server_build(SSL *s, CBB *cbb); -int tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_keyshare_client_needs(SSL *s); -int tlsext_keyshare_client_build(SSL *s, CBB *cbb); -int tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_keyshare_server_needs(SSL *s); -int tlsext_keyshare_server_build(SSL *s, CBB *cbb); -int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert); - -int tlsext_cookie_client_needs(SSL *s); -int tlsext_cookie_client_build(SSL *s, CBB *cbb); -int tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_cookie_server_needs(SSL *s); -int tlsext_cookie_server_build(SSL *s, CBB *cbb); -int tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_alpn_client_needs(SSL *s, uint16_t msg_type); +int tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_alpn_server_needs(SSL *s, uint16_t msg_type); +int tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_alpn_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +int tlsext_ri_client_needs(SSL *s, uint16_t msg_type); +int tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_ri_server_needs(SSL *s, uint16_t msg_type); +int tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +int tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type); +int tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type); +int tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_sni_client_needs(SSL *s, uint16_t msg_type); +int tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_sni_server_needs(SSL *s, uint16_t msg_type); +int tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_sni_is_valid_hostname(CBS *cbs); + +int tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type); +int tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type); +int tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type); +int tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type); +int tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +int tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type); +int tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type); +int tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +int tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type); +int tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type); +int tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_versions_client_needs(SSL *s, uint16_t msg_type); +int tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_versions_server_needs(SSL *s, uint16_t msg_type); +int tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type); +int tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type); +int tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_cookie_client_needs(SSL *s, uint16_t msg_type); +int tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_cookie_server_needs(SSL *s, uint16_t msg_type); +int tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); #ifndef OPENSSL_NO_SRTP -int tlsext_srtp_client_needs(SSL *s); -int tlsext_srtp_client_build(SSL *s, CBB *cbb); -int tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_srtp_server_needs(SSL *s); -int tlsext_srtp_server_build(SSL *s, CBB *cbb); -int tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_srtp_client_needs(SSL *s, uint16_t msg_type); +int tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_srtp_server_needs(SSL *s, uint16_t msg_type); +int tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); #endif -int tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type); -int tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type); +int tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type); -int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type); +int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -struct tls_extension *tls_extension_find(uint16_t, size_t *); +const struct tls_extension *tls_extension_find(uint16_t, size_t *); int tlsext_extension_seen(SSL *s, uint16_t); __END_HIDDEN_DECLS diff --git a/ssl/ssl_transcript.c b/ssl/ssl_transcript.c index e94eb8de..b93004cd 100644 --- a/ssl/ssl_transcript.c +++ b/ssl/ssl_transcript.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_transcript.c,v 1.1 2019/02/09 15:30:52 jsing Exp $ */ +/* $OpenBSD: ssl_transcript.c,v 1.2 2020/02/05 16:47:34 jsing Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -142,7 +142,7 @@ tls1_transcript_reset(SSL *s) */ (void)BUF_MEM_grow_clean(S3I(s)->handshake_transcript, 0); - s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT; + tls1_transcript_unfreeze(s); } int @@ -188,6 +188,12 @@ tls1_transcript_freeze(SSL *s) s->s3->flags |= TLS1_FLAGS_FREEZE_TRANSCRIPT; } +void +tls1_transcript_unfreeze(SSL *s) +{ + s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT; +} + int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len) { diff --git a/ssl/ssl_versions.c b/ssl/ssl_versions.c index 2b5e94e5..0d8487d5 100644 --- a/ssl/ssl_versions.c +++ b/ssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.4 2018/11/06 01:40:23 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.18 2021/03/19 19:52:55 tb Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -17,8 +17,28 @@ #include "ssl_locl.h" +static uint16_t +ssl_dtls_to_tls_version(uint16_t dtls_ver) +{ + if (dtls_ver == DTLS1_VERSION) + return TLS1_1_VERSION; + if (dtls_ver == DTLS1_2_VERSION) + return TLS1_2_VERSION; + return 0; +} + +static uint16_t +ssl_tls_to_dtls_version(uint16_t tls_ver) +{ + if (tls_ver == TLS1_1_VERSION) + return DTLS1_VERSION; + if (tls_ver == TLS1_2_VERSION) + return DTLS1_2_VERSION; + return 0; +} + static int -ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, +ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver, uint16_t clamp_min, uint16_t clamp_max) { if (clamp_min > clamp_max || *min_ver > *max_ver) @@ -35,55 +55,80 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, } int -ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, - uint16_t *out_ver) +ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) { - uint16_t min_version, max_version; + uint16_t min_proto, min_version, max_version; - if (ver == 0) { - *out_ver = meth->internal->min_version; + if (proto_ver == 0) { + *out_tls_ver = meth->internal->min_tls_version; + *out_proto_ver = 0; return 1; } - min_version = ver; - max_version = max_ver; + min_version = proto_ver; + max_version = max_tls_ver; - if (!ssl_clamp_version_range(&min_version, &max_version, - meth->internal->min_version, meth->internal->max_version)) + if (meth->internal->dtls) { + if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0) + return 0; + } + + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + meth->internal->min_tls_version, meth->internal->max_tls_version)) return 0; - *out_ver = min_version; - + min_proto = min_version; + if (meth->internal->dtls) { + if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0) + return 0; + } + *out_tls_ver = min_version; + *out_proto_ver = min_proto; + return 1; } int -ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, - uint16_t *out_ver) +ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) { - uint16_t min_version, max_version; + uint16_t max_proto, min_version, max_version; - if (ver == 0) { - *out_ver = meth->internal->max_version; + if (proto_ver == 0) { + *out_tls_ver = meth->internal->max_tls_version; + *out_proto_ver = 0; return 1; } - min_version = min_ver; - max_version = ver; + min_version = min_tls_ver; + max_version = proto_ver; - if (!ssl_clamp_version_range(&min_version, &max_version, - meth->internal->min_version, meth->internal->max_version)) + if (meth->internal->dtls) { + if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0) + return 0; + } + + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + meth->internal->min_tls_version, meth->internal->max_tls_version)) return 0; - *out_ver = max_version; - + max_proto = max_version; + if (meth->internal->dtls) { + if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0) + return 0; + } + *out_tls_ver = max_version; + *out_proto_ver = max_proto; + return 1; } int -ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) +ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) { uint16_t min_version, max_version; + unsigned long options; /* * The enabled versions have to be a contiguous range, which means we @@ -95,23 +140,32 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) min_version = 0; max_version = TLS1_3_VERSION; + options = s->internal->options; + + if (SSL_is_dtls(s)) { + options = 0; + if (s->internal->options & SSL_OP_NO_DTLSv1) + options |= SSL_OP_NO_TLSv1_1; + if (s->internal->options & SSL_OP_NO_DTLSv1_2) + options |= SSL_OP_NO_TLSv1_2; + } - if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) + if ((options & SSL_OP_NO_TLSv1) == 0) min_version = TLS1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0) + else if ((options & SSL_OP_NO_TLSv1_1) == 0) min_version = TLS1_1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) + else if ((options & SSL_OP_NO_TLSv1_2) == 0) min_version = TLS1_2_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_3) == 0) + else if ((options & SSL_OP_NO_TLSv1_3) == 0) min_version = TLS1_3_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) + if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) max_version = TLS1_2_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) + if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) max_version = TLS1_1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) + if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) max_version = TLS1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) + if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) max_version = 0; /* Everything has been disabled... */ @@ -119,8 +173,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) return 0; /* Limit to configured version range. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->internal->min_version, s->internal->max_version)) + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + s->internal->min_tls_version, s->internal->max_tls_version)) return 0; if (min_ver != NULL) @@ -132,26 +186,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) } int -ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) +ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) { uint16_t min_version, max_version; - /* DTLS cannot currently be disabled... */ - if (SSL_IS_DTLS(s)) { - min_version = max_version = DTLS1_VERSION; - goto done; - } - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) + if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) return 0; /* Limit to the versions supported by this method. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->method->internal->min_version, - s->method->internal->max_version)) + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + s->method->internal->min_tls_version, + s->method->internal->max_tls_version)) return 0; - done: if (min_ver != NULL) *min_ver = min_version; if (max_ver != NULL) @@ -160,33 +207,93 @@ ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) return 1; } +uint16_t +ssl_tls_version(uint16_t version) +{ + if (version == TLS1_VERSION || version == TLS1_1_VERSION || + version == TLS1_2_VERSION || version == TLS1_3_VERSION) + return version; + + if (version == DTLS1_VERSION) + return TLS1_1_VERSION; + if (version == DTLS1_2_VERSION) + return TLS1_2_VERSION; + + return 0; +} + +uint16_t +ssl_effective_tls_version(SSL *s) +{ + if (S3I(s)->hs.negotiated_tls_version > 0) + return S3I(s)->hs.negotiated_tls_version; + + return S3I(s)->hs.our_max_tls_version; +} + +int +ssl_max_supported_version(SSL *s, uint16_t *max_ver) +{ + uint16_t max_version; + + *max_ver = 0; + + if (!ssl_supported_tls_version_range(s, NULL, &max_version)) + return 0; + + if (SSL_is_dtls(s)) { + if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0) + return 0; + } + + *max_ver = max_version; + + return 1; +} + int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) { - uint16_t min_version, max_version, shared_version; + uint16_t min_version, max_version, peer_tls_version, shared_version; *max_ver = 0; - - if (SSL_IS_DTLS(s)) { - if (peer_ver >= DTLS1_VERSION) { - *max_ver = DTLS1_VERSION; - return 1; + peer_tls_version = peer_ver; + + if (SSL_is_dtls(s)) { + if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR) + return 0; + + /* + * Convert the peer version to a TLS version - DTLS versions are + * the 1's complement of TLS version numbers (but not the actual + * protocol version numbers, that would be too sensible). Not to + * mention that DTLSv1.0 is really equivalent to DTLSv1.1. + */ + peer_tls_version = ssl_dtls_to_tls_version(peer_ver); + + /* + * This may be a version that we do not know about, if it is + * newer than DTLS1_2_VERSION (yes, less than is correct due + * to the "clever" versioning scheme), use TLS1_2_VERSION. + */ + if (peer_tls_version == 0) { + if (peer_ver < DTLS1_2_VERSION) + peer_tls_version = TLS1_2_VERSION; } - return 0; } - if (peer_ver >= TLS1_3_VERSION) + if (peer_tls_version >= TLS1_3_VERSION) shared_version = TLS1_3_VERSION; - else if (peer_ver >= TLS1_2_VERSION) + else if (peer_tls_version >= TLS1_2_VERSION) shared_version = TLS1_2_VERSION; - else if (peer_ver >= TLS1_1_VERSION) + else if (peer_tls_version >= TLS1_1_VERSION) shared_version = TLS1_1_VERSION; - else if (peer_ver >= TLS1_VERSION) + else if (peer_tls_version >= TLS1_VERSION) shared_version = TLS1_VERSION; else return 0; - if (!ssl_supported_version_range(s, &min_version, &max_version)) + if (!ssl_supported_tls_version_range(s, &min_version, &max_version)) return 0; if (shared_version < min_version) @@ -195,31 +302,49 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) if (shared_version > max_version) shared_version = max_version; + if (SSL_is_dtls(s)) { + /* + * The resulting shared version will by definition be something + * that we know about. Switch back from TLS to DTLS. + */ + shared_version = ssl_tls_to_dtls_version(shared_version); + if (shared_version == 0) + return 0; + } + *max_ver = shared_version; return 1; } -uint16_t -ssl_max_server_version(SSL *s) +int +ssl_check_version_from_server(SSL *s, uint16_t server_version) { - uint16_t max_version, min_version = 0; + uint16_t min_tls_version, max_tls_version, server_tls_version; - if (SSL_IS_DTLS(s)) - return (DTLS1_VERSION); + /* Ensure that the version selected by the server is valid. */ - if (!ssl_enabled_version_range(s, &min_version, &max_version)) - return 0; + server_tls_version = server_version; + if (SSL_is_dtls(s)) { + server_tls_version = ssl_dtls_to_tls_version(server_version); + if (server_tls_version == 0) + return 0; + } - /* - * Limit to the versions supported by this method. The SSL method - * will be changed during version negotiation, as such we want to - * use the SSL method from the context. - */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->ctx->method->internal->min_version, - s->ctx->method->internal->max_version)) + if (!ssl_supported_tls_version_range(s, &min_tls_version, + &max_tls_version)) return 0; - return (max_version); + return (server_tls_version >= min_tls_version && + server_tls_version <= max_tls_version); +} + +int +ssl_legacy_stack_version(SSL *s, uint16_t version) +{ + if (SSL_is_dtls(s)) + return version == DTLS1_VERSION || version == DTLS1_2_VERSION; + + return version == TLS1_VERSION || version == TLS1_1_VERSION || + version == TLS1_2_VERSION; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 1eaa0873..0ddd52b5 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.118 2019/05/13 22:48:30 bcook Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.136 2021/03/29 16:19:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -152,20 +152,9 @@ int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, void tls1_cleanup_key_block(SSL *s) { - freezero(S3I(s)->hs.key_block, S3I(s)->hs.key_block_len); - S3I(s)->hs.key_block = NULL; - S3I(s)->hs.key_block_len = 0; -} - -void -tls1_record_sequence_increment(unsigned char *seq) -{ - int i; - - for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--) { - if (++seq[i] != 0) - break; - } + freezero(S3I(s)->hs.tls12.key_block, S3I(s)->hs.tls12.key_block_len); + S3I(s)->hs.tls12.key_block = NULL; + S3I(s)->hs.tls12.key_block_len = 0; } /* @@ -300,180 +289,14 @@ tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, } static int -tls1_generate_key_block(SSL *s, unsigned char *km, int num) +tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len) { - if (num < 0) - return (0); - return tls1_PRF(s, s->session->master_key, s->session->master_key_length, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, km, num); -} - -/* - * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success - * and 0 on failure. - */ -static int -tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) -{ - if (*aead_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); - return (1); - } - - *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); - if (*aead_ctx == NULL) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } - - return (1); -} - -static int -tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, - unsigned key_len, const unsigned char *iv, unsigned iv_len) -{ - const EVP_AEAD *aead = S3I(s)->tmp.new_aead; - SSL_AEAD_CTX *aead_ctx; - - if (is_read) { - ssl_clear_cipher_read_state(s); - if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx)) - return 0; - aead_ctx = s->internal->aead_read_ctx; - } else { - /* XXX - Need to correctly handle DTLS. */ - ssl_clear_cipher_write_state(s); - if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx)) - return 0; - aead_ctx = s->internal->aead_write_ctx; - } - - if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, - EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) - return (0); - if (iv_len > sizeof(aead_ctx->fixed_nonce)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - memcpy(aead_ctx->fixed_nonce, iv, iv_len); - aead_ctx->fixed_nonce_len = iv_len; - aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ - aead_ctx->variable_nonce_in_record = - (S3I(s)->hs.new_cipher->algorithm2 & - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; - aead_ctx->xor_fixed_nonce = - S3I(s)->hs.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; - aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); - - if (aead_ctx->xor_fixed_nonce) { - if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || - aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - } else { - if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != - EVP_AEAD_nonce_length(aead)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - } - - return (1); -} - -/* - * tls1_change_cipher_state_cipher performs the work needed to switch cipher - * states when using EVP_CIPHER. The argument is_read is true iff this function - * is being called due to reading, as opposed to writing, a ChangeCipherSpec - * message. - */ -static int -tls1_change_cipher_state_cipher(SSL *s, char is_read, - const unsigned char *mac_secret, unsigned int mac_secret_size, - const unsigned char *key, unsigned int key_len, const unsigned char *iv, - unsigned int iv_len) -{ - EVP_CIPHER_CTX *cipher_ctx; - const EVP_CIPHER *cipher; - EVP_MD_CTX *mac_ctx; - EVP_PKEY *mac_key; - const EVP_MD *mac; - int mac_type; - - cipher = S3I(s)->tmp.new_sym_enc; - mac = S3I(s)->tmp.new_hash; - mac_type = S3I(s)->tmp.new_mac_pkey_type; - - if (is_read) { - if (S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC) - s->internal->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; - else - s->internal->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; - - ssl_clear_cipher_read_state(s); - - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->enc_read_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_new()) == NULL) - goto err; - s->read_hash = mac_ctx; - } else { - if (S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC) - s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else - s->internal->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - - /* - * DTLS fragments retain a pointer to the compression, cipher - * and hash contexts, so that it can restore state in order - * to perform retransmissions. As such, we cannot free write - * contexts that are used for DTLS - these are instead freed - * by DTLS when its frees a ChangeCipherSpec fragment. - */ - if (!SSL_IS_DTLS(s)) - ssl_clear_cipher_write_state(s); - - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->internal->enc_write_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_new()) == NULL) - goto err; - s->internal->write_hash = mac_ctx; - } - - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); - - if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, - mac_secret_size)) == NULL) - goto err; - EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); - EVP_PKEY_free(mac_key); - - if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) { - int nid; - if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) - nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; - else - nid = NID_id_tc26_gost_28147_param_Z; - - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0); - if (S3I(s)->hs.new_cipher->algorithm_mac == SSL_GOST89MAC) - EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0); - } - - return (1); - -err: - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); + NULL, 0, NULL, 0, key_block, key_block_len); } int @@ -484,7 +307,7 @@ tls1_change_cipher_state(SSL *s, int which) const unsigned char *client_write_iv, *server_write_iv; const unsigned char *mac_secret, *key, *iv; int mac_secret_size, key_len, iv_len; - unsigned char *key_block, *seq; + unsigned char *key_block; const EVP_CIPHER *cipher; const EVP_AEAD *aead; char is_read, use_client_keys; @@ -507,18 +330,9 @@ tls1_change_cipher_state(SSL *s, int which) use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)); - /* - * Reset sequence number to zero - for DTLS this is handled in - * dtls1_reset_seq_numbers(). - */ - if (!SSL_IS_DTLS(s)) { - seq = is_read ? S3I(s)->read_sequence : S3I(s)->write_sequence; - memset(seq, 0, SSL3_SEQUENCE_SIZE); - } - if (aead != NULL) { key_len = EVP_AEAD_key_length(aead); - iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.new_cipher); + iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher); } else { key_len = EVP_CIPHER_key_length(cipher); iv_len = EVP_CIPHER_iv_length(cipher); @@ -526,7 +340,7 @@ tls1_change_cipher_state(SSL *s, int which) mac_secret_size = S3I(s)->tmp.new_mac_secret_size; - key_block = S3I(s)->hs.key_block; + key_block = S3I(s)->hs.tls12.key_block; client_write_mac_secret = key_block; key_block += mac_secret_size; server_write_mac_secret = key_block; @@ -550,28 +364,26 @@ tls1_change_cipher_state(SSL *s, int which) iv = server_write_iv; } - if (key_block - S3I(s)->hs.key_block != S3I(s)->hs.key_block_len) { + if (key_block - S3I(s)->hs.tls12.key_block != + S3I(s)->hs.tls12.key_block_len) { SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err2; + goto err; } if (is_read) { - memcpy(S3I(s)->read_mac_secret, mac_secret, mac_secret_size); - S3I(s)->read_mac_secret_size = mac_secret_size; + if (!tls12_record_layer_change_read_cipher_state(s->internal->rl, + mac_secret, mac_secret_size, key, key_len, iv, iv_len)) + goto err; + tls12_record_layer_read_cipher_hash(s->internal->rl, + &s->enc_read_ctx, &s->read_hash); } else { - memcpy(S3I(s)->write_mac_secret, mac_secret, mac_secret_size); - S3I(s)->write_mac_secret_size = mac_secret_size; - } - - if (aead != NULL) { - return tls1_change_cipher_state_aead(s, is_read, key, key_len, - iv, iv_len); + if (!tls12_record_layer_change_write_cipher_state(s->internal->rl, + mac_secret, mac_secret_size, key, key_len, iv, iv_len)) + goto err; } + return (1); - return tls1_change_cipher_state_cipher(s, is_read, - mac_secret, mac_secret_size, key, key_len, iv, iv_len); - -err2: + err: return (0); } @@ -580,13 +392,15 @@ tls1_setup_key_block(SSL *s) { unsigned char *key_block; int mac_type = NID_undef, mac_secret_size = 0; - int key_block_len, key_len, iv_len; + size_t key_block_len; + int key_len, iv_len; const EVP_CIPHER *cipher = NULL; const EVP_AEAD *aead = NULL; - const EVP_MD *mac = NULL; + const EVP_MD *handshake_hash = NULL; + const EVP_MD *mac_hash = NULL; int ret = 0; - if (S3I(s)->hs.key_block_len != 0) + if (S3I(s)->hs.tls12.key_block_len != 0) return (1); if (s->session->cipher && @@ -598,8 +412,8 @@ tls1_setup_key_block(SSL *s) key_len = EVP_AEAD_key_length(aead); iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); } else { - if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, - &mac_secret_size)) { + if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash, + &mac_type, &mac_secret_size)) { SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } @@ -607,12 +421,17 @@ tls1_setup_key_block(SSL *s) iv_len = EVP_CIPHER_iv_length(cipher); } + if (!ssl_get_handshake_evp_md(s, &handshake_hash)) + return (0); + S3I(s)->tmp.new_aead = aead; S3I(s)->tmp.new_sym_enc = cipher; - S3I(s)->tmp.new_hash = mac; - S3I(s)->tmp.new_mac_pkey_type = mac_type; S3I(s)->tmp.new_mac_secret_size = mac_secret_size; + tls12_record_layer_set_aead(s->internal->rl, aead); + tls12_record_layer_set_cipher_hash(s->internal->rl, cipher, + handshake_hash, mac_hash); + tls1_cleanup_key_block(s); if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len, @@ -622,8 +441,8 @@ tls1_setup_key_block(SSL *s) } key_block_len = (mac_secret_size + key_len + iv_len) * 2; - S3I(s)->hs.key_block_len = key_block_len; - S3I(s)->hs.key_block = key_block; + S3I(s)->hs.tls12.key_block_len = key_block_len; + S3I(s)->hs.tls12.key_block = key_block; if (!tls1_generate_key_block(s, key_block, key_block_len)) goto err; @@ -653,261 +472,6 @@ tls1_setup_key_block(SSL *s) return (ret); } -/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. - * - * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too - * short etc). - * 1: if the record's padding is valid / the encryption was successful. - * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, - * an internal error occured. - */ -int -tls1_enc(SSL *s, int send) -{ - const SSL_AEAD_CTX *aead; - const EVP_CIPHER *enc; - EVP_CIPHER_CTX *ds; - SSL3_RECORD *rec; - unsigned char *seq; - unsigned long l; - int bs, i, j, k, ret, mac_size = 0; - - if (send) { - aead = s->internal->aead_write_ctx; - rec = &S3I(s)->wrec; - seq = S3I(s)->write_sequence; - } else { - aead = s->internal->aead_read_ctx; - rec = &S3I(s)->rrec; - seq = S3I(s)->read_sequence; - } - - if (aead) { - unsigned char ad[13], *in, *out, nonce[16]; - size_t out_len, pad_len = 0; - unsigned int nonce_used; - - if (SSL_IS_DTLS(s)) { - dtls1_build_sequence_number(ad, seq, - send ? D1I(s)->w_epoch : D1I(s)->r_epoch); - } else { - memcpy(ad, seq, SSL3_SEQUENCE_SIZE); - tls1_record_sequence_increment(seq); - } - - ad[8] = rec->type; - ad[9] = (unsigned char)(s->version >> 8); - ad[10] = (unsigned char)(s->version); - - if (aead->variable_nonce_len > 8 || - aead->variable_nonce_len > sizeof(nonce)) - return -1; - - if (aead->xor_fixed_nonce) { - if (aead->fixed_nonce_len > sizeof(nonce) || - aead->variable_nonce_len > aead->fixed_nonce_len) - return -1; /* Should never happen. */ - pad_len = aead->fixed_nonce_len - aead->variable_nonce_len; - } else { - if (aead->fixed_nonce_len + - aead->variable_nonce_len > sizeof(nonce)) - return -1; /* Should never happen. */ - } - - if (send) { - size_t len = rec->length; - size_t eivlen = 0; - in = rec->input; - out = rec->data; - - if (aead->xor_fixed_nonce) { - /* - * The sequence number is left zero - * padded, then xored with the fixed - * nonce. - */ - memset(nonce, 0, pad_len); - memcpy(nonce + pad_len, ad, - aead->variable_nonce_len); - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - nonce_used = aead->fixed_nonce_len; - } else { - /* - * When sending we use the sequence number as - * the variable part of the nonce. - */ - memcpy(nonce, aead->fixed_nonce, - aead->fixed_nonce_len); - nonce_used = aead->fixed_nonce_len; - memcpy(nonce + nonce_used, ad, - aead->variable_nonce_len); - nonce_used += aead->variable_nonce_len; - } - - /* - * In do_ssl3_write, rec->input is moved forward by - * variable_nonce_len in order to leave space for the - * variable nonce. Thus we can copy the sequence number - * bytes into place without overwriting any of the - * plaintext. - */ - if (aead->variable_nonce_in_record) { - memcpy(out, ad, aead->variable_nonce_len); - len -= aead->variable_nonce_len; - eivlen = aead->variable_nonce_len; - } - - ad[11] = len >> 8; - ad[12] = len & 0xff; - - if (!EVP_AEAD_CTX_seal(&aead->ctx, - out + eivlen, &out_len, len + aead->tag_len, nonce, - nonce_used, in + eivlen, len, ad, sizeof(ad))) - return -1; - if (aead->variable_nonce_in_record) - out_len += aead->variable_nonce_len; - } else { - /* receive */ - size_t len = rec->length; - - if (rec->data != rec->input) - return -1; /* internal error - should never happen. */ - out = in = rec->input; - - if (len < aead->variable_nonce_len) - return 0; - - if (aead->xor_fixed_nonce) { - /* - * The sequence number is left zero - * padded, then xored with the fixed - * nonce. - */ - memset(nonce, 0, pad_len); - memcpy(nonce + pad_len, ad, - aead->variable_nonce_len); - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - nonce_used = aead->fixed_nonce_len; - } else { - memcpy(nonce, aead->fixed_nonce, - aead->fixed_nonce_len); - nonce_used = aead->fixed_nonce_len; - - memcpy(nonce + nonce_used, - aead->variable_nonce_in_record ? in : ad, - aead->variable_nonce_len); - nonce_used += aead->variable_nonce_len; - } - - if (aead->variable_nonce_in_record) { - in += aead->variable_nonce_len; - len -= aead->variable_nonce_len; - out += aead->variable_nonce_len; - } - - if (len < aead->tag_len) - return 0; - len -= aead->tag_len; - - ad[11] = len >> 8; - ad[12] = len & 0xff; - - if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len, - nonce, nonce_used, in, len + aead->tag_len, ad, - sizeof(ad))) - return -1; - - rec->data = rec->input = out; - } - - rec->length = out_len; - - return 1; - } - - if (send) { - if (EVP_MD_CTX_md(s->internal->write_hash)) { - int n = EVP_MD_CTX_size(s->internal->write_hash); - OPENSSL_assert(n >= 0); - } - ds = s->internal->enc_write_ctx; - if (s->internal->enc_write_ctx == NULL) - enc = NULL; - else { - int ivlen = 0; - enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx); - if (SSL_USE_EXPLICIT_IV(s) && - EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) - ivlen = EVP_CIPHER_iv_length(enc); - if (ivlen > 1) { - if (rec->data != rec->input) { -#ifdef DEBUG - /* we can't write into the input stream: - * Can this ever happen?? (steve) - */ - fprintf(stderr, - "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); -#endif - } else - arc4random_buf(rec->input, ivlen); - } - } - } else { - if (EVP_MD_CTX_md(s->read_hash)) { - int n = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(n >= 0); - } - ds = s->enc_read_ctx; - if (s->enc_read_ctx == NULL) - enc = NULL; - else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } - - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memmove(rec->data, rec->input, rec->length); - rec->input = rec->data; - ret = 1; - } else { - l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); - - if (bs != 1 && send) { - i = bs - ((int)l % bs); - - /* Add weird padding of upto 256 bytes */ - - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)l; k < (int)(l + i); k++) - rec->input[k] = j; - l += i; - rec->length += i; - } - - if (!send) { - if (l == 0 || l % bs != 0) - return 0; - } - - i = EVP_Cipher(ds, rec->data, rec->input, l); - if ((EVP_CIPHER_flags(ds->cipher) & - EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) - return -1; /* AEAD can fail to verify MAC */ - - ret = 1; - if (EVP_MD_CTX_md(s->read_hash) != NULL) - mac_size = EVP_MD_CTX_size(s->read_hash); - if ((bs != 1) && !send) - ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); - } - return ret; -} - int tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) { @@ -928,88 +492,6 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) return TLS1_FINISH_MAC_LENGTH; } -int -tls1_mac(SSL *ssl, unsigned char *md, int send) -{ - SSL3_RECORD *rec; - unsigned char *seq; - EVP_MD_CTX *hash; - size_t md_size, orig_len; - EVP_MD_CTX hmac, *mac_ctx; - unsigned char header[13]; - int stream_mac = (send ? - (ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : - (ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); - int t; - - if (send) { - rec = &(ssl->s3->internal->wrec); - seq = &(ssl->s3->internal->write_sequence[0]); - hash = ssl->internal->write_hash; - } else { - rec = &(ssl->s3->internal->rrec); - seq = &(ssl->s3->internal->read_sequence[0]); - hash = ssl->read_hash; - } - - t = EVP_MD_CTX_size(hash); - OPENSSL_assert(t >= 0); - md_size = t; - - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) { - mac_ctx = hash; - } else { - if (!EVP_MD_CTX_copy(&hmac, hash)) - return -1; - mac_ctx = &hmac; - } - - if (SSL_IS_DTLS(ssl)) - dtls1_build_sequence_number(header, seq, - send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch); - else - memcpy(header, seq, SSL3_SEQUENCE_SIZE); - - /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ - orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); - rec->type &= 0xff; - - header[8] = rec->type; - header[9] = (unsigned char)(ssl->version >> 8); - header[10] = (unsigned char)(ssl->version); - header[11] = (rec->length) >> 8; - header[12] = (rec->length) & 0xff; - - if (!send && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) { - /* This is a CBC-encrypted record. We must avoid leaking any - * timing-side channel information about how many blocks of - * data we are hashing because that gives an attacker a - * timing-oracle. */ - if (!ssl3_cbc_digest_record(mac_ctx, - md, &md_size, header, rec->input, - rec->length + md_size, orig_len, - ssl->s3->internal->read_mac_secret, - ssl->s3->internal->read_mac_secret_size)) - return -1; - } else { - EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); - EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); - t = EVP_DigestSignFinal(mac_ctx, md, &md_size); - OPENSSL_assert(t > 0); - } - - if (!stream_mac) - EVP_MD_CTX_cleanup(&hmac); - - if (!SSL_IS_DTLS(ssl)) - tls1_record_sequence_increment(seq); - - return (md_size); -} - int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len) @@ -1036,6 +518,11 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, size_t vallen, currentvalpos; int rv; + if (!SSL_is_init_finished(s)) { + SSLerror(s, SSL_R_BAD_STATE); + return 0; + } + /* construct PRF arguments * we construct the PRF argument ourself rather than passing separate * values into the TLS PRF to ensure that the concatenation of values diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 162cfe5e..7c9aba90 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.164 2019/04/25 04:57:36 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.179 2020/12/05 19:33:38 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -122,33 +122,9 @@ #include "ssl_sigalgs.h" #include "ssl_tlsext.h" -static int tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, +static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess); -SSL3_ENC_METHOD TLSv1_enc_data = { - .enc = tls1_enc, - .enc_flags = 0, -}; - -SSL3_ENC_METHOD TLSv1_1_enc_data = { - .enc = tls1_enc, - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, -}; - -SSL3_ENC_METHOD TLSv1_2_enc_data = { - .enc = tls1_enc, - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| - SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, -}; - -long -tls1_default_timeout(void) -{ - /* 2 hours, the 24 hours mentioned in the TLSv1 spec - * is way too long for http, the cache would over fill */ - return (60 * 60 * 2); -} - int tls1_new(SSL *s) { @@ -175,7 +151,7 @@ tls1_clear(SSL *s) s->version = s->method->internal->version; } -static int nid_list[] = { +static const int nid_list[] = { NID_sect163k1, /* sect163k1 (1) */ NID_sect163r1, /* sect163r1 (2) */ NID_sect163r2, /* sect163r2 (3) */ @@ -253,7 +229,14 @@ static const uint16_t eccurves_list[] = { }; #endif -static const uint16_t eccurves_default[] = { +static const uint16_t eccurves_client_default[] = { + 29, /* X25519 (29) */ + 23, /* secp256r1 (23) */ + 24, /* secp384r1 (24) */ + 25, /* secp521r1 (25) */ +}; + +static const uint16_t eccurves_server_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 24, /* secp384r1 (24) */ @@ -377,9 +360,15 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, *pgroups = s->internal->tlsext_supportedgroups; *pgroupslen = s->internal->tlsext_supportedgroups_length; - if (*pgroups == NULL) { - *pgroups = eccurves_default; - *pgroupslen = sizeof(eccurves_default) / 2; + if (*pgroups != NULL) + return; + + if (!s->server) { + *pgroups = eccurves_client_default; + *pgroupslen = sizeof(eccurves_client_default) / 2; + } else { + *pgroups = eccurves_server_default; + *pgroupslen = sizeof(eccurves_server_default) / 2; } } @@ -504,43 +493,38 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) { const EC_GROUP *grp; const EC_METHOD *meth; - int is_prime = 0; - int nid, id; + int prime_field; + int nid; if (ec == NULL) return (0); - /* Determine if it is a prime field. */ + /* Determine whether the curve is defined over a prime field. */ if ((grp = EC_KEY_get0_group(ec)) == NULL) return (0); if ((meth = EC_GROUP_method_of(grp)) == NULL) return (0); - if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) - is_prime = 1; + prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); - /* Determine curve ID. */ + /* Determine curve ID - NID_undef results in a curve ID of zero. */ nid = EC_GROUP_get_curve_name(grp); - id = tls1_ec_nid2curve_id(nid); - /* If we have an ID set it, otherwise set arbitrary explicit curve. */ - if (id != 0) - *curve_id = id; - else - *curve_id = is_prime ? 0xff01 : 0xff02; + if ((*curve_id = tls1_ec_nid2curve_id(nid)) == 0) + *curve_id = prime_field ? 0xff01 : 0xff02; - /* Specify the compression identifier. */ - if (comp_id != NULL) { - if (EC_KEY_get0_public_key(ec) == NULL) - return (0); + if (comp_id == NULL) + return (1); - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { - *comp_id = is_prime ? - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } else { - *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } + /* Specify the compression identifier. */ + if (EC_KEY_get0_public_key(ec) == NULL) + return (0); + *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; + if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { + *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; + if (prime_field) + *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; } + return (1); } @@ -632,7 +616,6 @@ ssl_check_clienthello_tlsext_early(SSL *s) ssl3_send_alert(s, SSL3_AL_WARNING, al); return 1; case SSL_TLSEXT_ERR_NOACK: - s->internal->servername_done = 0; default: return 1; } @@ -720,12 +703,11 @@ ssl_check_serverhello_tlsext(SSL *s) if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && s->ctx && s->ctx->internal->tlsext_status_cb) { int r; - /* Set resp to NULL, resplen to -1 so callback knows - * there is no response. - */ + free(s->internal->tlsext_ocsp_resp); s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resplen = -1; + s->internal->tlsext_ocsp_resp_len = 0; + r = s->ctx->internal->tlsext_status_cb(s, s->ctx->internal->tlsext_status_arg); if (r == 0) { @@ -741,14 +723,11 @@ ssl_check_serverhello_tlsext(SSL *s) switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; case SSL_TLSEXT_ERR_ALERT_WARNING: ssl3_send_alert(s, SSL3_AL_WARNING, al); - return 1; case SSL_TLSEXT_ERR_NOACK: - s->internal->servername_done = 0; default: return 1; } @@ -758,7 +737,6 @@ ssl_check_serverhello_tlsext(SSL *s) * ClientHello, and other operations depend on the result, we need to handle * any TLS session ticket extension at the same time. * - * session_id: a CBS containing the session ID. * ext_block: a CBS for the ClientHello extensions block. * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. @@ -768,13 +746,14 @@ ssl_check_serverhello_tlsext(SSL *s) * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. * * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 0: no ticket was found (or was ignored, based on settings). - * 1: a zero length extension was found, indicating that the client supports - * session tickets but doesn't currently have one to offer. - * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but - * couldn't be decrypted because of a non-fatal error. - * 3: a ticket was successfully decrypted and *ret was set. + * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. + * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings). + * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the + * client supports session tickets but doesn't currently have one to offer. + * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was + * set, or a ticket was offered but couldn't be decrypted because of a + * non-fatal error. + * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set. * * Side effects: * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue @@ -785,11 +764,10 @@ ssl_check_serverhello_tlsext(SSL *s) * Otherwise, s->internal->tlsext_ticket_expected is set to 0. */ int -tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, SSL_SESSION **ret) +tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) { CBS extensions, ext_data; uint16_t ext_type = 0; - int r; s->internal->tlsext_ticket_expected = 0; *ret = NULL; @@ -799,29 +777,33 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, SSL_SESSION **ret) * resumption. */ if (SSL_get_options(s) & SSL_OP_NO_TICKET) - return 0; + return TLS1_TICKET_NONE; /* * An empty extensions block is valid, but obviously does not contain * a session ticket. */ if (CBS_len(ext_block) == 0) - return 0; + return TLS1_TICKET_NONE; - if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) - return -1; + if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) { + *alert = SSL_AD_DECODE_ERROR; + return TLS1_TICKET_FATAL_ERROR; + } while (CBS_len(&extensions) > 0) { if (!CBS_get_u16(&extensions, &ext_type) || - !CBS_get_u16_length_prefixed(&extensions, &ext_data)) - return -1; + !CBS_get_u16_length_prefixed(&extensions, &ext_data)) { + *alert = SSL_AD_DECODE_ERROR; + return TLS1_TICKET_FATAL_ERROR; + } if (ext_type == TLSEXT_TYPE_session_ticket) break; } if (ext_type != TLSEXT_TYPE_session_ticket) - return 0; + return TLS1_TICKET_NONE; if (CBS_len(&ext_data) == 0) { /* @@ -829,7 +811,7 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, SSL_SESSION **ret) * have one. */ s->internal->tlsext_ticket_expected = 1; - return 1; + return TLS1_TICKET_EMPTY; } if (s->internal->tls_session_secret_cb != NULL) { @@ -839,53 +821,38 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, SSL_SESSION **ret) * handshake based on external mechanism to calculate the master * secret later. */ - return 2; + return TLS1_TICKET_NOT_DECRYPTED; } - r = tls_decrypt_ticket(s, session_id, &ext_data, ret); - switch (r) { - case 2: /* ticket couldn't be decrypted */ - s->internal->tlsext_ticket_expected = 1; - return 2; - case 3: /* ticket was decrypted */ - return r; - case 4: /* ticket decrypted but need to renew */ - s->internal->tlsext_ticket_expected = 1; - return 3; - default: /* fatal error */ - return -1; - } + return tls_decrypt_ticket(s, &ext_data, alert, ret); } /* tls_decrypt_ticket attempts to decrypt a session ticket. * - * session_id: a CBS containing the session ID. * ticket: a CBS containing the body of the session ticket extension. * psess: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 2: the ticket couldn't be decrypted. - * 3: a ticket was successfully decrypted and *psess was set. - * 4: same as 3, but the ticket needs to be renewed. + * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. + * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted. + * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set. */ static int -tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess) +tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) { CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac; SSL_SESSION *sess = NULL; unsigned char *sdec = NULL; size_t sdec_len = 0; - size_t session_id_len; const unsigned char *p; unsigned char hmac[EVP_MAX_MD_SIZE]; HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *cctx = NULL; SSL_CTX *tctx = s->initial_ctx; int slen, hlen; - int renew_ticket = 0; - int ret = -1; + int alert_desc = SSL_AD_INTERNAL_ERROR; + int ret = TLS1_TICKET_FATAL_ERROR; *psess = NULL; @@ -918,8 +885,10 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess) goto err; if (rv == 0) goto derr; - if (rv == 2) - renew_ticket = 1; + if (rv == 2) { + /* Renew ticket. */ + s->internal->tlsext_ticket_expected = 1; + } /* * Now that the cipher context is initialised, we can extract @@ -959,8 +928,10 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess) goto derr; if (!CBS_get_bytes(ticket, &ticket_hmac, hlen)) goto derr; - if (CBS_len(ticket) != 0) + if (CBS_len(ticket) != 0) { + alert_desc = SSL_AD_DECODE_ERROR; goto err; + } /* Check HMAC of encrypted ticket. */ if (HMAC_Update(hctx, CBS_data(&ticket_name), @@ -997,33 +968,21 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess) p = sdec; if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL) goto derr; - - /* - * The session ID, if non-empty, is used by some clients to detect that - * the ticket has been accepted. So we copy it to the session structure. - * If it is empty set length to zero as required by standard. - */ - if (!CBS_write_bytes(session_id, sess->session_id, - sizeof(sess->session_id), &session_id_len)) - goto err; - sess->session_id_length = (unsigned int)session_id_len; - *psess = sess; sess = NULL; - if (renew_ticket) - ret = 4; - else - ret = 3; - + ret = TLS1_TICKET_DECRYPTED; goto done; derr: - ret = 2; + ERR_clear_error(); + s->internal->tlsext_ticket_expected = 1; + ret = TLS1_TICKET_NOT_DECRYPTED; goto done; err: - ret = -1; + *alert = alert_desc; + ret = TLS1_TICKET_FATAL_ERROR; goto done; done: @@ -1032,8 +991,5 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess) HMAC_CTX_free(hctx); SSL_SESSION_free(sess); - if (ret == 2) - ERR_clear_error(); - return ret; } diff --git a/ssl/tls12_record_layer.c b/ssl/tls12_record_layer.c new file mode 100644 index 00000000..6cf8b31c --- /dev/null +++ b/ssl/tls12_record_layer.c @@ -0,0 +1,1323 @@ +/* $OpenBSD: tls12_record_layer.c,v 1.25 2021/03/29 16:19:15 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include + +#include "ssl_locl.h" + +#define TLS12_RECORD_SEQ_NUM_LEN 8 + +struct tls12_record_protection { + uint16_t epoch; + uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; + + SSL_AEAD_CTX *aead_ctx; + + EVP_CIPHER_CTX *cipher_ctx; + EVP_MD_CTX *hash_ctx; + + int stream_mac; + + uint8_t *mac_key; + size_t mac_key_len; +}; + +static struct tls12_record_protection * +tls12_record_protection_new(void) +{ + return calloc(1, sizeof(struct tls12_record_protection)); +} + +static void +tls12_record_protection_clear(struct tls12_record_protection *rp) +{ + memset(rp->seq_num, 0, sizeof(rp->seq_num)); + + if (rp->aead_ctx != NULL) { + EVP_AEAD_CTX_cleanup(&rp->aead_ctx->ctx); + freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); + rp->aead_ctx = NULL; + } + + EVP_CIPHER_CTX_free(rp->cipher_ctx); + rp->cipher_ctx = NULL; + + EVP_MD_CTX_free(rp->hash_ctx); + rp->hash_ctx = NULL; + + freezero(rp->mac_key, rp->mac_key_len); + rp->mac_key = NULL; + rp->mac_key_len = 0; +} + +static void +tls12_record_protection_free(struct tls12_record_protection *rp) +{ + if (rp == NULL) + return; + + tls12_record_protection_clear(rp); + + freezero(rp, sizeof(struct tls12_record_protection)); +} + +static int +tls12_record_protection_engaged(struct tls12_record_protection *rp) +{ + return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; +} + +static int +tls12_record_protection_unused(struct tls12_record_protection *rp) +{ + return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && + rp->hash_ctx == NULL && rp->mac_key == NULL; +} + +static int +tls12_record_protection_eiv_len(struct tls12_record_protection *rp, + size_t *out_eiv_len) +{ + int eiv_len; + + *out_eiv_len = 0; + + if (rp->cipher_ctx == NULL) + return 0; + + eiv_len = 0; + if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) + eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); + if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) + return 0; + + *out_eiv_len = eiv_len; + + return 1; +} + +static int +tls12_record_protection_block_size(struct tls12_record_protection *rp, + size_t *out_block_size) +{ + int block_size; + + *out_block_size = 0; + + if (rp->cipher_ctx == NULL) + return 0; + + block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); + if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) + return 0; + + *out_block_size = block_size; + + return 1; +} + +static int +tls12_record_protection_mac_len(struct tls12_record_protection *rp, + size_t *out_mac_len) +{ + int mac_len; + + *out_mac_len = 0; + + if (rp->hash_ctx == NULL) + return 0; + + mac_len = EVP_MD_CTX_size(rp->hash_ctx); + if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) + return 0; + + *out_mac_len = mac_len; + + return 1; +} + +struct tls12_record_layer { + uint16_t version; + int dtls; + + uint8_t alert_desc; + + const EVP_AEAD *aead; + const EVP_CIPHER *cipher; + const EVP_MD *handshake_hash; + const EVP_MD *mac_hash; + + /* Pointers to active record protection (memory is not owned). */ + struct tls12_record_protection *read; + struct tls12_record_protection *write; + + struct tls12_record_protection *read_current; + struct tls12_record_protection *write_current; + struct tls12_record_protection *write_previous; +}; + +struct tls12_record_layer * +tls12_record_layer_new(void) +{ + struct tls12_record_layer *rl; + + if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) + goto err; + if ((rl->read_current = tls12_record_protection_new()) == NULL) + goto err; + if ((rl->write_current = tls12_record_protection_new()) == NULL) + goto err; + + rl->read = rl->read_current; + rl->write = rl->write_current; + + return rl; + + err: + tls12_record_layer_free(rl); + + return NULL; +} + +void +tls12_record_layer_free(struct tls12_record_layer *rl) +{ + if (rl == NULL) + return; + + tls12_record_protection_free(rl->read_current); + tls12_record_protection_free(rl->write_current); + tls12_record_protection_free(rl->write_previous); + + freezero(rl, sizeof(struct tls12_record_layer)); +} + +void +tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) +{ + *alert_desc = rl->alert_desc; +} + +int +tls12_record_layer_write_overhead(struct tls12_record_layer *rl, + size_t *overhead) +{ + size_t block_size, eiv_len, mac_len; + + *overhead = 0; + + if (rl->write->aead_ctx != NULL) { + *overhead = rl->write->aead_ctx->tag_len; + } else if (rl->write->cipher_ctx != NULL) { + eiv_len = 0; + if (rl->version != TLS1_VERSION) { + if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) + return 0; + } + if (!tls12_record_protection_block_size(rl->write, &block_size)) + return 0; + if (!tls12_record_protection_mac_len(rl->write, &mac_len)) + return 0; + + *overhead = eiv_len + block_size + mac_len; + } + + return 1; +} + +int +tls12_record_layer_read_protected(struct tls12_record_layer *rl) +{ + return tls12_record_protection_engaged(rl->read); +} + +int +tls12_record_layer_write_protected(struct tls12_record_layer *rl) +{ + return tls12_record_protection_engaged(rl->write); +} + +void +tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) +{ + rl->aead = aead; +} + +void +tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, + const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, + const EVP_MD *mac_hash) +{ + rl->cipher = cipher; + rl->handshake_hash = handshake_hash; + rl->mac_hash = mac_hash; +} + +void +tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) +{ + rl->version = version; + rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); +} + +void +tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) +{ + rl->write->epoch = epoch; +} + +int +tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) +{ + if (rl->write->epoch == epoch) + return 1; + + if (rl->write_current->epoch == epoch) { + rl->write = rl->write_current; + return 1; + } + + if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { + rl->write = rl->write_previous; + return 1; + } + + return 0; +} + +void +tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) +{ + if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) + return; + + rl->write = rl->write_current; + + tls12_record_protection_free(rl->write_previous); + rl->write_previous = NULL; +} + +void +tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) +{ + tls12_record_protection_clear(rl->read); +} + +void +tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) +{ + tls12_record_protection_clear(rl->write); + + tls12_record_protection_free(rl->write_previous); + rl->write_previous = NULL; +} + +void +tls12_record_layer_read_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX **cipher, EVP_MD_CTX **hash) +{ + *cipher = rl->read->cipher_ctx; + *hash = rl->read->hash_ctx; +} + +void +tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) +{ + memcpy(rl->write->seq_num, rl->read->seq_num, + sizeof(rl->write->seq_num)); +} + +static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, +}; + +int +tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) +{ + CBS max_seq_num; + int i; + + /* + * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS + * sequence numbers must not wrap. Note that for DTLS the first two + * bytes are used as an "epoch" and not part of the sequence number. + */ + CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); + if (rl->dtls) { + if (!CBS_skip(&max_seq_num, 2)) + return 0; + } + if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, + CBS_len(&max_seq_num))) + return 0; + + for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { + if (++seq_num[i] != 0) + break; + } + + return 1; +} + +static int +tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, + const uint8_t *mac_key, size_t mac_key_len) +{ + freezero(rp->mac_key, rp->mac_key_len); + rp->mac_key = NULL; + rp->mac_key_len = 0; + + if (mac_key == NULL || mac_key_len == 0) + return 1; + + if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) + return 0; + + memcpy(rp->mac_key, mac_key, mac_key_len); + rp->mac_key_len = mac_key_len; + + return 1; +} + +static int +tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, + size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, + size_t iv_len) +{ + size_t aead_nonce_len; + + if (!tls12_record_protection_unused(rp)) + return 0; + + if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) + return 0; + + /* AES GCM cipher suites use variable nonce in record. */ + if (rl->aead == EVP_aead_aes_128_gcm() || + rl->aead == EVP_aead_aes_256_gcm()) + rp->aead_ctx->variable_nonce_in_record = 1; + + /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ + if (rl->aead == EVP_aead_chacha20_poly1305()) + rp->aead_ctx->xor_fixed_nonce = 1; + + if (iv_len > sizeof(rp->aead_ctx->fixed_nonce)) + return 0; + + memcpy(rp->aead_ctx->fixed_nonce, iv, iv_len); + rp->aead_ctx->fixed_nonce_len = iv_len; + rp->aead_ctx->tag_len = EVP_AEAD_max_overhead(rl->aead); + rp->aead_ctx->variable_nonce_len = 8; + + aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); + + if (rp->aead_ctx->xor_fixed_nonce) { + /* Fixed nonce length must match, variable must not exceed. */ + if (rp->aead_ctx->fixed_nonce_len != aead_nonce_len) + return 0; + if (rp->aead_ctx->variable_nonce_len > aead_nonce_len) + return 0; + } else { + /* Concatenated nonce length must equal AEAD nonce length. */ + if (rp->aead_ctx->fixed_nonce_len + + rp->aead_ctx->variable_nonce_len != aead_nonce_len) + return 0; + } + + if (!EVP_AEAD_CTX_init(&rp->aead_ctx->ctx, rl->aead, key, key_len, + EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) + return 0; + + return 1; +} + +static int +tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, + size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, + size_t iv_len) +{ + EVP_PKEY *mac_pkey = NULL; + int gost_param_nid; + int mac_type; + int ret = 0; + + if (!tls12_record_protection_unused(rp)) + goto err; + + mac_type = EVP_PKEY_HMAC; + rp->stream_mac = 0; + + if (iv_len > INT_MAX || key_len > INT_MAX) + goto err; + if (EVP_CIPHER_iv_length(rl->cipher) != iv_len) + goto err; + if (EVP_CIPHER_key_length(rl->cipher) != key_len) + goto err; + + /* Special handling for GOST... */ + if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { + if (mac_key_len != 32) + goto err; + mac_type = EVP_PKEY_GOSTIMIT; + rp->stream_mac = 1; + } else { + if (mac_key_len > INT_MAX) + goto err; + if (EVP_MD_size(rl->mac_hash) != mac_key_len) + goto err; + } + + if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + + if (!tls12_record_layer_set_mac_key(rp, mac_key, mac_key_len)) + goto err; + + if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, mac_key, + mac_key_len)) == NULL) + goto err; + + if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, key, iv, + is_write)) + goto err; + + if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, + mac_pkey) <= 0) + goto err; + + /* More special handling for GOST... */ + if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { + gost_param_nid = NID_id_tc26_gost_28147_param_Z; + if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) + gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; + + if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, + gost_param_nid, 0) <= 0) + goto err; + + if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { + if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, + gost_param_nid, 0) <= 0) + goto err; + } + } + + ret = 1; + + err: + EVP_PKEY_free(mac_pkey); + + return ret; +} + +static int +tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, const uint8_t *mac_key, + size_t mac_key_len, const uint8_t *key, size_t key_len, const uint8_t *iv, + size_t iv_len) +{ + if (rl->aead != NULL) + return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, + mac_key_len, key, key_len, iv, iv_len); + + return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, + mac_key_len, key, key_len, iv, iv_len); +} + +int +tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, + const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, + size_t key_len, const uint8_t *iv, size_t iv_len) +{ + struct tls12_record_protection *read_new = NULL; + int ret = 0; + + if ((read_new = tls12_record_protection_new()) == NULL) + goto err; + + /* Read sequence number gets reset to zero. */ + + if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, + mac_key, mac_key_len, key, key_len, iv, iv_len)) + goto err; + + tls12_record_protection_free(rl->read_current); + rl->read = rl->read_current = read_new; + read_new = NULL; + + ret = 1; + + err: + tls12_record_protection_free(read_new); + + return ret; +} + +int +tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, + const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key, + size_t key_len, const uint8_t *iv, size_t iv_len) +{ + struct tls12_record_protection *write_new; + int ret = 0; + + if ((write_new = tls12_record_protection_new()) == NULL) + goto err; + + /* Write sequence number gets reset to zero. */ + + if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, + mac_key, mac_key_len, key, key_len, iv, iv_len)) + goto err; + + if (rl->dtls) { + tls12_record_protection_free(rl->write_previous); + rl->write_previous = rl->write_current; + rl->write_current = NULL; + } + tls12_record_protection_free(rl->write_current); + rl->write = rl->write_current = write_new; + write_new = NULL; + + ret = 1; + + err: + tls12_record_protection_free(write_new); + + return ret; +} + +static int +tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, + uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) +{ + CBS seq; + + CBS_init(&seq, seq_num, seq_num_len); + + if (rl->dtls) { + if (!CBB_add_u16(cbb, epoch)) + return 0; + if (!CBS_skip(&seq, 2)) + return 0; + } + + return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); +} + +static int +tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, + uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, + size_t *out_len) +{ + CBB cbb; + + *out = NULL; + *out_len = 0; + + /* Build the pseudo-header used for MAC/AEAD. */ + if (!CBB_init(&cbb, 13)) + goto err; + + if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) + goto err; + if (!CBB_add_u8(&cbb, content_type)) + goto err; + if (!CBB_add_u16(&cbb, rl->version)) + goto err; + if (!CBB_add_u16(&cbb, record_len)) + goto err; + + if (!CBB_finish(&cbb, out, out_len)) + goto err; + + return 1; + + err: + CBB_cleanup(&cbb); + + return 0; +} + +static int +tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, + EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, + const uint8_t *content, size_t content_len, size_t *out_len) +{ + EVP_MD_CTX *mac_ctx = NULL; + uint8_t *header = NULL; + size_t header_len = 0; + size_t mac_len; + uint8_t *mac; + int ret = 0; + + if ((mac_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) + goto err; + + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, + seq_num, &header, &header_len)) + goto err; + + if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) + goto err; + if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) + goto err; + if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) + goto err; + if (!CBB_add_space(cbb, &mac, mac_len)) + goto err; + if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) + goto err; + if (mac_len == 0) + goto err; + + if (stream_mac) { + if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) + goto err; + } + + *out_len = mac_len; + ret = 1; + + err: + EVP_MD_CTX_free(mac_ctx); + freezero(header, header_len); + + return ret; +} + +static int +tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, size_t mac_len, size_t padding_len) +{ + uint8_t *header = NULL; + size_t header_len = 0; + uint8_t *mac = NULL; + size_t out_mac_len = 0; + int ret = 0; + + /* + * Must be constant time to avoid leaking details about CBC padding. + */ + + if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) + goto err; + + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, + seq_num, &header, &header_len)) + goto err; + + if (!CBB_add_space(cbb, &mac, mac_len)) + goto err; + if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, + content, content_len + mac_len, content_len + mac_len + padding_len, + rl->read->mac_key, rl->read->mac_key_len)) + goto err; + if (mac_len != out_mac_len) + goto err; + + ret = 1; + + err: + freezero(header, header_len); + + return ret; +} + +static int +tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len) +{ + EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; + size_t out_len; + + if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) + return 0; + + return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, + rl->read->stream_mac, seq_num, content_type, content, content_len, + &out_len); +} + +static int +tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, size_t *out_len) +{ + return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, + rl->write->stream_mac, seq_num, content_type, content, content_len, + out_len); +} + +static int +tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, + const SSL_AEAD_CTX *aead, const uint8_t *seq_num, + uint8_t **out, size_t *out_len) +{ + CBB cbb; + + if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) + return 0; + + /* Fixed nonce and variable nonce (sequence number) are concatenated. */ + if (!CBB_init(&cbb, 16)) + goto err; + if (!CBB_add_bytes(&cbb, aead->fixed_nonce, + aead->fixed_nonce_len)) + goto err; + if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) + goto err; + if (!CBB_finish(&cbb, out, out_len)) + goto err; + + return 1; + + err: + CBB_cleanup(&cbb); + + return 0; +} + +static int +tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, + const SSL_AEAD_CTX *aead, const uint8_t *seq_num, + uint8_t **out, size_t *out_len) +{ + uint8_t *nonce = NULL; + size_t nonce_len = 0; + uint8_t *pad; + CBB cbb; + int i; + + if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) + return 0; + if (aead->fixed_nonce_len < aead->variable_nonce_len) + return 0; + + /* + * Variable nonce (sequence number) is right padded, before the fixed + * nonce is XOR'd in. + */ + if (!CBB_init(&cbb, 16)) + goto err; + if (!CBB_add_space(&cbb, &pad, + aead->fixed_nonce_len - aead->variable_nonce_len)) + goto err; + if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) + goto err; + if (!CBB_finish(&cbb, &nonce, &nonce_len)) + goto err; + + for (i = 0; i < aead->fixed_nonce_len; i++) + nonce[i] ^= aead->fixed_nonce[i]; + + *out = nonce; + *out_len = nonce_len; + + return 1; + + err: + CBB_cleanup(&cbb); + freezero(nonce, nonce_len); + + return 0; +} + +static int +tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, + uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) +{ + if (tls12_record_protection_engaged(rl->read)) + return 0; + + /* XXX - decrypt/process in place for now. */ + *out = (uint8_t *)CBS_data(fragment); + *out_len = CBS_len(fragment); + + return 1; +} + +static int +tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, + uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, + size_t *out_len) +{ + const SSL_AEAD_CTX *aead = rl->read->aead_ctx; + uint8_t *header = NULL, *nonce = NULL; + size_t header_len = 0, nonce_len = 0; + uint8_t *plain; + size_t plain_len; + CBS var_nonce; + int ret = 0; + + /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ + if (aead->xor_fixed_nonce) { + if (!tls12_record_layer_aead_xored_nonce(rl, aead, + CBS_data(seq_num), &nonce, &nonce_len)) + goto err; + } else if (aead->variable_nonce_in_record) { + if (!CBS_get_bytes(fragment, &var_nonce, + aead->variable_nonce_len)) + goto err; + if (!tls12_record_layer_aead_concat_nonce(rl, aead, + CBS_data(&var_nonce), &nonce, &nonce_len)) + goto err; + } else { + if (!tls12_record_layer_aead_concat_nonce(rl, aead, + CBS_data(seq_num), &nonce, &nonce_len)) + goto err; + } + + /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ + if (CBS_len(fragment) < aead->tag_len) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + + /* XXX - decrypt/process in place for now. */ + plain = (uint8_t *)CBS_data(fragment); + plain_len = CBS_len(fragment) - aead->tag_len; + + if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, + seq_num, &header, &header_len)) + goto err; + + if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len, + nonce, nonce_len, CBS_data(fragment), CBS_len(fragment), + header, header_len)) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + + if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + + if (*out_len != plain_len) + goto err; + + *out = plain; + + ret = 1; + + err: + freezero(header, header_len); + freezero(nonce, nonce_len); + + return ret; +} + +static int +tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, + uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, + size_t *out_len) +{ + EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; + SSL3_RECORD_INTERNAL rrec; + size_t block_size, eiv_len; + uint8_t *mac = NULL; + size_t mac_len = 0; + uint8_t *out_mac = NULL; + size_t out_mac_len = 0; + uint8_t *plain; + size_t plain_len; + size_t min_len; + CBB cbb_mac; + int ret = 0; + + memset(&cbb_mac, 0, sizeof(cbb_mac)); + memset(&rrec, 0, sizeof(rrec)); + + if (!tls12_record_protection_block_size(rl->read, &block_size)) + goto err; + + /* Determine explicit IV length. */ + eiv_len = 0; + if (rl->version != TLS1_VERSION) { + if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) + goto err; + } + + mac_len = 0; + if (rl->read->hash_ctx != NULL) { + if (!tls12_record_protection_mac_len(rl->read, &mac_len)) + goto err; + } + + /* CBC has at least one padding byte. */ + min_len = eiv_len + mac_len; + if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) + min_len += 1; + + if (CBS_len(fragment) < min_len) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + if (CBS_len(fragment) % block_size != 0) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + + /* XXX - decrypt/process in place for now. */ + plain = (uint8_t *)CBS_data(fragment); + plain_len = CBS_len(fragment); + + if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) + goto err; + + rrec.data = plain; + rrec.input = plain; + rrec.length = plain_len; + + /* + * We now have to remove padding, extract MAC, calculate MAC + * and compare MAC in constant time. + */ + if (block_size > 1) + ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); + + if ((mac = calloc(1, mac_len)) == NULL) + goto err; + + if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) + goto err; + if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { + ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + + rrec.padding_length); + rrec.length -= mac_len; + if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, + seq_num, rrec.input, rrec.length, mac_len, + rrec.padding_length)) + goto err; + } else { + rrec.length -= mac_len; + memcpy(mac, rrec.data + rrec.length, mac_len); + if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, + seq_num, rrec.input, rrec.length)) + goto err; + } + if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) + goto err; + if (mac_len != out_mac_len) + goto err; + + if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + + if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + + *out = rrec.data; + *out_len = rrec.length; + + ret = 1; + + err: + CBB_cleanup(&cbb_mac); + freezero(mac, mac_len); + freezero(out_mac, out_mac_len); + + return ret; +} + +int +tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, + size_t buf_len, uint8_t **out, size_t *out_len) +{ + CBS cbs, fragment, seq_num; + uint16_t version; + uint8_t content_type; + + CBS_init(&cbs, buf, buf_len); + CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); + + if (!CBS_get_u8(&cbs, &content_type)) + return 0; + if (!CBS_get_u16(&cbs, &version)) + return 0; + if (rl->dtls) { + /* + * The DTLS sequence number is split into a 16 bit epoch and + * 48 bit sequence number, however for the purposes of record + * processing it is treated the same as a TLS 64 bit sequence + * number. DTLS also uses explicit read sequence numbers, which + * we need to extract from the DTLS record header. + */ + if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) + return 0; + if (!CBS_write_bytes(&seq_num, rl->read->seq_num, + sizeof(rl->read->seq_num), NULL)) + return 0; + } + if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) + return 0; + + if (rl->read->aead_ctx != NULL) { + if (!tls12_record_layer_open_record_protected_aead(rl, + content_type, &seq_num, &fragment, out, out_len)) + return 0; + } else if (rl->read->cipher_ctx != NULL) { + if (!tls12_record_layer_open_record_protected_cipher(rl, + content_type, &seq_num, &fragment, out, out_len)) + return 0; + } else { + if (!tls12_record_layer_open_record_plaintext(rl, + content_type, &fragment, out, out_len)) + return 0; + } + + if (!rl->dtls) { + if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) + return 0; + } + + return 1; +} + +static int +tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) +{ + if (tls12_record_protection_engaged(rl->write)) + return 0; + + return CBB_add_bytes(out, content, content_len); +} + +static int +tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, CBB *out) +{ + const SSL_AEAD_CTX *aead = rl->write->aead_ctx; + uint8_t *header = NULL, *nonce = NULL; + size_t header_len = 0, nonce_len = 0; + size_t enc_record_len, out_len; + uint8_t *enc_data; + int ret = 0; + + /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ + if (aead->xor_fixed_nonce) { + if (!tls12_record_layer_aead_xored_nonce(rl, aead, + CBS_data(seq_num), &nonce, &nonce_len)) + goto err; + } else { + if (!tls12_record_layer_aead_concat_nonce(rl, aead, + CBS_data(seq_num), &nonce, &nonce_len)) + goto err; + } + + if (aead->variable_nonce_in_record) { + /* XXX - length check? */ + if (!CBB_add_bytes(out, CBS_data(seq_num), + aead->variable_nonce_len)) + goto err; + } + + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, + seq_num, &header, &header_len)) + goto err; + + /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ + enc_record_len = content_len + aead->tag_len; + if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) + goto err; + if (!CBB_add_space(out, &enc_data, enc_record_len)) + goto err; + + if (!EVP_AEAD_CTX_seal(&aead->ctx, enc_data, &out_len, enc_record_len, + nonce, nonce_len, content, content_len, header, header_len)) + goto err; + + if (out_len != enc_record_len) + goto err; + + ret = 1; + + err: + freezero(header, header_len); + freezero(nonce, nonce_len); + + return ret; +} + +static int +tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, CBB *out) +{ + EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; + size_t block_size, eiv_len, mac_len, pad_len; + uint8_t *enc_data, *eiv, *pad, pad_val; + uint8_t *plain = NULL; + size_t plain_len = 0; + int ret = 0; + CBB cbb; + + if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) + goto err; + + /* Add explicit IV if necessary. */ + eiv_len = 0; + if (rl->version != TLS1_VERSION) { + if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) + goto err; + } + if (eiv_len > 0) { + if (!CBB_add_space(&cbb, &eiv, eiv_len)) + goto err; + arc4random_buf(eiv, eiv_len); + } + + if (!CBB_add_bytes(&cbb, content, content_len)) + goto err; + + mac_len = 0; + if (rl->write->hash_ctx != NULL) { + if (!tls12_record_layer_write_mac(rl, &cbb, content_type, + seq_num, content, content_len, &mac_len)) + goto err; + } + + plain_len = eiv_len + content_len + mac_len; + + /* Add padding to block size, if necessary. */ + if (!tls12_record_protection_block_size(rl->write, &block_size)) + goto err; + if (block_size > 1) { + pad_len = block_size - (plain_len % block_size); + pad_val = pad_len - 1; + + if (pad_len > 255) + goto err; + if (!CBB_add_space(&cbb, &pad, pad_len)) + goto err; + memset(pad, pad_val, pad_len); + } + + if (!CBB_finish(&cbb, &plain, &plain_len)) + goto err; + + if (plain_len % block_size != 0) + goto err; + if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) + goto err; + + if (!CBB_add_space(out, &enc_data, plain_len)) + goto err; + if (!EVP_Cipher(enc, enc_data, plain, plain_len)) + goto err; + + ret = 1; + + err: + CBB_cleanup(&cbb); + freezero(plain, plain_len); + + return ret; +} + +int +tls12_record_layer_seal_record(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) +{ + uint8_t *seq_num_data = NULL; + size_t seq_num_len = 0; + CBB fragment, seq_num_cbb; + CBS seq_num; + int ret = 0; + + /* + * Construct the effective sequence number - this is used in both + * the DTLS header and for MAC calculations. + */ + if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) + goto err; + if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, + rl->write->seq_num, sizeof(rl->write->seq_num))) + goto err; + if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) + goto err; + CBS_init(&seq_num, seq_num_data, seq_num_len); + + if (!CBB_add_u8(cbb, content_type)) + goto err; + if (!CBB_add_u16(cbb, rl->version)) + goto err; + if (rl->dtls) { + if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) + goto err; + } + if (!CBB_add_u16_length_prefixed(cbb, &fragment)) + goto err; + + if (rl->write->aead_ctx != NULL) { + if (!tls12_record_layer_seal_record_protected_aead(rl, + content_type, &seq_num, content, content_len, &fragment)) + goto err; + } else if (rl->write->cipher_ctx != NULL) { + if (!tls12_record_layer_seal_record_protected_cipher(rl, + content_type, &seq_num, content, content_len, &fragment)) + goto err; + } else { + if (!tls12_record_layer_seal_record_plaintext(rl, + content_type, content, content_len, &fragment)) + goto err; + } + + if (!CBB_flush(cbb)) + goto err; + + if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) + goto err; + + ret = 1; + + err: + CBB_cleanup(&seq_num_cbb); + free(seq_num_data); + + return ret; +} diff --git a/ssl/tls13_buffer.c b/ssl/tls13_buffer.c index 1b490c8b..bc10abde 100644 --- a/ssl/tls13_buffer.c +++ b/ssl/tls13_buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_buffer.c,v 1.1 2019/01/17 06:32:12 jsing Exp $ */ +/* $OpenBSD: tls13_buffer.c,v 1.3 2020/03/10 17:11:25 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -75,6 +75,15 @@ tls13_buffer_resize(struct tls13_buffer *buf, size_t capacity) return 1; } +int +tls13_buffer_set_data(struct tls13_buffer *buf, CBS *data) +{ + if (!tls13_buffer_resize(buf, CBS_len(data))) + return 0; + memcpy(buf->data, CBS_data(data), CBS_len(data)); + return 1; +} + ssize_t tls13_buffer_extend(struct tls13_buffer *buf, size_t len, tls13_read_cb read_cb, void *cb_arg) @@ -95,6 +104,9 @@ tls13_buffer_extend(struct tls13_buffer *buf, size_t len, buf->capacity - buf->len, cb_arg)) <= 0) return ret; + if (ret > buf->capacity - buf->len) + return TLS13_IO_FAILURE; + buf->len += ret; if (buf->len == buf->capacity) diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c index a9f1b6bb..e0febee9 100644 --- a/ssl/tls13_client.c +++ b/ssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.16 2019/04/05 20:23:38 tb Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.77 2021/03/29 16:46:09 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -17,7 +17,6 @@ #include "ssl_locl.h" -#include #include #include "bytestring.h" @@ -26,25 +25,21 @@ #include "tls13_internal.h" int -tls13_connect(struct tls13_ctx *ctx) -{ - if (ctx->mode != TLS13_HS_CLIENT) - return TLS13_IO_FAILURE; - - return tls13_handshake_perform(ctx); -} - -static int tls13_client_init(struct tls13_ctx *ctx) { + const uint16_t *groups; + size_t groups_len; SSL *s = ctx->ssl; - if (!ssl_supported_version_range(s, &ctx->hs->min_version, - &ctx->hs->max_version)) { + if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, + &ctx->hs->our_max_tls_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return 0; } - s->client_version = s->version = ctx->hs->max_version; + s->client_version = s->version = ctx->hs->our_max_tls_version; + + tls13_record_layer_set_retry_after_phh(ctx->rl, + (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); if (!ssl_get_new_session(s, 0)) /* XXX */ return 0; @@ -52,103 +47,65 @@ tls13_client_init(struct tls13_ctx *ctx) if (!tls1_transcript_init(s)) return 0; - arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); - - return 1; -} + /* Generate a key share using our preferred group. */ + tls1_get_group_list(s, 0, &groups, &groups_len); + if (groups_len < 1) + return 0; + if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL) + return 0; + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) + return 0; -int -tls13_legacy_connect(SSL *ssl) -{ - struct tls13_ctx *ctx = ssl->internal->tls13; - int ret; + arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); - if (ctx == NULL) { - if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { - SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ - return -1; - } - ssl->internal->tls13 = ctx; - ctx->ssl = ssl; - ctx->hs = &S3I(ssl)->hs_tls13; - - if (!tls13_client_init(ctx)) { - if (ERR_peek_error() == 0) - SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ - return -1; - } + /* + * The legacy session identifier should either be set to an + * unpredictable 32-byte value or zero length... a non-zero length + * legacy session identifier triggers compatibility mode (see RFC 8446 + * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. + */ + if (ctx->middlebox_compat && + ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { + arc4random_buf(ctx->hs->tls13.legacy_session_id, + sizeof(ctx->hs->tls13.legacy_session_id)); + ctx->hs->tls13.legacy_session_id_len = + sizeof(ctx->hs->tls13.legacy_session_id); } - S3I(ssl)->hs.state = SSL_ST_CONNECT; - - ret = tls13_connect(ctx); - if (ret == TLS13_IO_USE_LEGACY) - return ssl->method->internal->ssl_connect(ssl); - if (ret == TLS13_IO_SUCCESS) - S3I(ssl)->hs.state = SSL_ST_OK; - - return tls13_legacy_return_code(ssl, ret); + return 1; } int -tls13_use_legacy_client(struct tls13_ctx *ctx) +tls13_client_connect(struct tls13_ctx *ctx) { - SSL *s = ctx->ssl; - CBS cbs; - - s->method = tls_legacy_client_method(); - s->client_version = s->version = s->method->internal->max_version; - - if (!ssl3_setup_init_buffer(s)) - goto err; - if (!ssl3_setup_buffers(s)) - goto err; - if (!ssl_init_wbio_buffer(s, 0)) - goto err; - - if (s->bbio != s->wbio) - s->wbio = BIO_push(s->bbio, s->wbio); - - if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) - goto err; - - if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4)) - goto err; - - if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4, - s->internal->init_buf->length - 4, NULL)) - goto err; - - S3I(s)->tmp.reuse_message = 1; - S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); - S3I(s)->tmp.message_size = CBS_len(&cbs); - - S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; - - return 1; + if (ctx->mode != TLS13_HS_CLIENT) + return TLS13_IO_FAILURE; - err: - return 0; + return tls13_handshake_perform(ctx); } static int -tls13_client_hello_build(SSL *s, CBB *cbb) +tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) { CBB cipher_suites, compression_methods, session_id; - uint8_t *sid; + uint16_t client_version; + SSL *s = ctx->ssl; + + /* Legacy client version is capped at TLS 1.2. */ + client_version = ctx->hs->our_max_tls_version; + if (client_version > TLS1_2_VERSION) + client_version = TLS1_2_VERSION; - if (!CBB_add_u16(cbb, TLS1_2_VERSION)) + if (!CBB_add_u16(cbb, client_version)) goto err; if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) goto err; - /* Either 32-random bytes or zero length... */ - /* XXX - session resumption for TLSv1.2? */ if (!CBB_add_u8_length_prefixed(cbb, &session_id)) goto err; - if (!CBB_add_space(&session_id, &sid, 32)) + if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) goto err; - arc4random_buf(sid, 32); if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) goto err; @@ -162,7 +119,7 @@ tls13_client_hello_build(SSL *s, CBB *cbb) if (!CBB_add_u8(&compression_methods, 0)) goto err; - if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH)) + if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb)) goto err; if (!CBB_flush(cbb)) @@ -175,29 +132,32 @@ tls13_client_hello_build(SSL *s, CBB *cbb) } int -tls13_client_hello_send(struct tls13_ctx *ctx) +tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) { - CBB body; + if (ctx->hs->our_min_tls_version < TLS1_2_VERSION) + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); - if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO)) - return 0; - if (!tls13_client_hello_build(ctx->ssl, &body)) - return 0; - if (!tls13_handshake_msg_finish(ctx->hs_msg)) + /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ + tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); + + if (!tls13_client_hello_build(ctx, cbb)) return 0; return 1; } -/* - * HelloRetryRequest hash - RFC 8446 section 4.1.3. - */ -static const uint8_t tls13_hello_retry_request_hash[] = { - 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, - 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, - 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, - 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, -}; +int +tls13_client_hello_sent(struct tls13_ctx *ctx) +{ + tls13_record_layer_allow_ccs(ctx->rl, 1); + + tls1_transcript_freeze(ctx->ssl); + + if (ctx->middlebox_compat) + ctx->send_dummy_ccs = 1; + + return 1; +} static int tls13_server_hello_is_legacy(CBS *cbs) @@ -228,15 +188,34 @@ tls13_server_hello_is_legacy(CBS *cbs) return (selected_version < TLS1_3_VERSION); } +static int +tls13_server_hello_is_retry(CBS *cbs) +{ + CBS server_hello, server_random; + uint16_t legacy_version; + + CBS_dup(cbs, &server_hello); + + if (!CBS_get_u16(&server_hello, &legacy_version)) + return 0; + if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) + return 0; + + /* See if this is a HelloRetryRequest. */ + return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, + sizeof(tls13_hello_retry_request_hash)); +} + static int tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) { CBS server_random, session_id; + uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; uint16_t cipher_suite, legacy_version; uint8_t compression_method; const SSL_CIPHER *cipher; + int alert_desc; SSL *s = ctx->ssl; - int alert; if (!CBS_get_u16(cbs, &legacy_version)) goto err; @@ -249,122 +228,132 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_get_u8(cbs, &compression_method)) goto err; - if (tls13_server_hello_is_legacy(cbs)) - return tls13_use_legacy_client(ctx); + if (tls13_server_hello_is_legacy(cbs)) { + if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { + /* + * RFC 8446 section 4.1.3: we must not downgrade if + * the server random value contains the TLS 1.2 or 1.1 + * magical value. + */ + if (!CBS_skip(&server_random, CBS_len(&server_random) - + sizeof(tls13_downgrade_12))) + goto err; + if (CBS_mem_equal(&server_random, tls13_downgrade_12, + sizeof(tls13_downgrade_12)) || + CBS_mem_equal(&server_random, tls13_downgrade_11, + sizeof(tls13_downgrade_11))) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + } - if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH)) - goto err; + if (!CBS_skip(cbs, CBS_len(cbs))) + goto err; + + ctx->hs->tls13.use_legacy = 1; + return 1; + } + + /* From here on in we know we are doing TLSv1.3. */ + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); + tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); + + /* See if this is a HelloRetryRequest. */ + /* XXX - see if we can avoid doing this twice. */ + if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, + sizeof(tls13_hello_retry_request_hash))) { + tlsext_msg_type = SSL_TLSEXT_MSG_HRR; + ctx->hs->tls13.hrr = 1; + } - if (CBS_len(cbs) != 0) + if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { + ctx->alert = alert_desc; goto err; + } /* - * See if a supported versions extension was returned. If it was then - * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). - * Otherwise, fallback to the legacy version, ensuring that it is both - * within range and not TLS 1.3 or greater (which must use the - * supported version extension. + * The supported versions extension indicated 0x0304 or greater. + * Ensure that it was 0x0304 and that legacy version is set to 0x0303 + * (RFC 8446 section 4.2.1). */ - if (ctx->hs->server_version != 0) { - if (legacy_version != TLS1_2_VERSION) { - /* XXX - alert. */ - goto err; - } - } else { - if (legacy_version < ctx->hs->min_version || - legacy_version > ctx->hs->max_version || - legacy_version > TLS1_2_VERSION) { - /* XXX - alert. */ - goto err; - } - ctx->hs->server_version = legacy_version; + if (ctx->hs->tls13.server_version != TLS1_3_VERSION || + legacy_version != TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; } + ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version; - /* XXX - session_id must match. */ + /* The session_id must match. */ + if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } /* * Ensure that the cipher suite is one that we offered in the client - * hello and that it matches the TLS version selected. + * hello and that it is a TLSv1.3 cipher suite. */ cipher = ssl3_get_cipher_by_value(cipher_suite); - if (cipher == NULL || - sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) { - /* XXX - alert. */ + if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - if (ctx->hs->server_version == TLS1_3_VERSION && - cipher->algorithm_ssl != SSL_TLSV1_3) { - /* XXX - alert. */ + if (cipher->algorithm_ssl != SSL_TLSV1_3) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - /* XXX - move this to hs_tls13? */ - S3I(s)->hs.new_cipher = cipher; + /* XXX - move this to hs.tls13? */ + ctx->hs->cipher = cipher; if (compression_method != 0) { - /* XXX - alert. */ + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, - sizeof(tls13_hello_retry_request_hash))) - ctx->handshake_stage.hs_type |= WITH_HRR; - return 1; err: - /* XXX - send alert. */ + if (ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; return 0; } -int -tls13_server_hello_recv(struct tls13_ctx *ctx) +static int +tls13_client_engage_record_protection(struct tls13_ctx *ctx) { struct tls13_secrets *secrets; struct tls13_secret context; unsigned char buf[EVP_MAX_MD_SIZE]; uint8_t *shared_key = NULL; + size_t shared_key_len = 0; size_t hash_len; SSL *s = ctx->ssl; int ret = 0; - CBS cbs; - if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) - goto err; + /* Derive the shared key and engage record protection. */ - if (!tls13_server_hello_process(ctx, &cbs)) + if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key, + &shared_key_len)) goto err; - /* See if we switched back to the legacy client method. */ - if (s->method->internal->version < TLS1_3_VERSION) - return 1; + s->session->cipher = ctx->hs->cipher; + s->session->ssl_version = ctx->hs->tls13.server_version; - /* XXX - handle other key share types. */ - if (ctx->hs->x25519_peer_public == NULL) { - /* XXX - alert. */ - goto err; - } - if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL) + if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) goto err; - if (!X25519(shared_key, ctx->hs->x25519_private, - ctx->hs->x25519_peer_public)) - goto err; - - s->session->cipher = S3I(s)->hs.new_cipher; - s->session->ssl_version = ctx->hs->server_version; - - if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) - goto err; - if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) goto err; if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) goto err; - S3I(ctx->ssl)->hs_tls13.secrets = secrets; + ctx->hs->tls13.secrets = secrets; /* XXX - pass in hash. */ if (!tls1_transcript_hash_init(s)) goto err; + tls1_transcript_free(s); if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) goto err; context.data = buf; @@ -376,8 +365,8 @@ tls13_server_hello_recv(struct tls13_ctx *ctx) goto err; /* Handshake secrets. */ - if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, - X25519_KEY_LENGTH, &context)) + if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, + shared_key_len, &context)) goto err; tls13_record_layer_set_aead(ctx->rl, ctx->aead); @@ -390,40 +379,140 @@ tls13_server_hello_recv(struct tls13_ctx *ctx) &secrets->client_handshake_traffic)) goto err; - ctx->handshake_stage.hs_type |= NEGOTIATED; ret = 1; err: - freezero(shared_key, X25519_KEY_LENGTH); + freezero(shared_key, shared_key_len); + return ret; } int -tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx) +tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) { - int alert; - CBS cbs; + /* + * The state machine has no way of knowing if we're going to receive a + * HelloRetryRequest or a ServerHello. As such, we have to handle + * this case here and hand off to the appropriate function. + */ + if (!tls13_server_hello_is_retry(cbs)) { + ctx->handshake_stage.hs_type |= WITHOUT_HRR; + return tls13_server_hello_recv(ctx, cbs); + } - if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) - goto err; + if (!tls13_server_hello_process(ctx, cbs)) + return 0; - if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE)) - goto err; + /* + * This may have been a TLSv1.2 or earlier ServerHello that just happened + * to have matching server random... + */ + if (ctx->hs->tls13.use_legacy) + return tls13_use_legacy_client(ctx); + + if (!ctx->hs->tls13.hrr) + return 0; + + if (!tls13_synthetic_handshake_message(ctx)) + return 0; + if (!tls13_handshake_msg_record(ctx)) + return 0; + + ctx->hs->tls13.hrr = 0; + + return 1; +} + +int +tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) +{ + /* + * Ensure that the server supported group is one that we listed in our + * supported groups and is not the same as the key share we previously + * offered. + */ + if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group)) + return 0; /* XXX alert */ + if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share)) + return 0; /* XXX alert */ + + /* Switch to new key share. */ + tls13_key_share_free(ctx->hs->tls13.key_share); + if ((ctx->hs->tls13.key_share = + tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL) + return 0; + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) + return 0; + + if (!tls13_client_hello_build(ctx, cbb)) + return 0; + + return 1; +} + +int +tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + SSL *s = ctx->ssl; + + /* + * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 + * ServerHello. HelloRetryRequests have already been handled. + */ + if (!tls13_server_hello_process(ctx, cbs)) + return 0; + + if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { + tls1_transcript_unfreeze(s); + if (!tls13_handshake_msg_record(ctx)) + return 0; + } + + if (ctx->hs->tls13.use_legacy) { + if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) + return 0; + return tls13_use_legacy_client(ctx); + } + + if (ctx->hs->tls13.hrr) { + /* The server has sent two HelloRetryRequests. */ + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + return 0; + } + + if (!tls13_client_engage_record_protection(ctx)) + return 0; + + ctx->handshake_stage.hs_type |= NEGOTIATED; + + return 1; +} + +int +tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + int alert_desc; - if (CBS_len(&cbs) != 0) + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { + ctx->alert = alert_desc; goto err; + } return 1; err: - /* XXX - send alert. */ + if (ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; return 0; } int -tls13_server_certificate_request_recv(struct tls13_ctx *ctx) +tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) { + CBS cert_request_context; + int alert_desc; + /* * Thanks to poor state design in the RFC, this function can be called * when we actually have a certificate message instead of a certificate @@ -432,46 +521,59 @@ tls13_server_certificate_request_recv(struct tls13_ctx *ctx) */ if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { ctx->handshake_stage.hs_type |= WITHOUT_CR; - return tls13_server_certificate_recv(ctx); + return tls13_server_certificate_recv(ctx, cbs); } - /* XXX - unimplemented. */ + if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) + goto err; + if (CBS_len(&cert_request_context) != 0) + goto err; + + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + return 1; + + err: + if (ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; return 0; } int -tls13_server_certificate_recv(struct tls13_ctx *ctx) +tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) { - CBS cbs, cert_request_context, cert_list, cert_data, cert_exts; + CBS cert_request_context, cert_list, cert_data; struct stack_st_X509 *certs = NULL; SSL *s = ctx->ssl; X509 *cert = NULL; EVP_PKEY *pkey; const uint8_t *p; - int cert_idx; + int cert_idx, alert_desc; int ret = 0; if ((certs = sk_X509_new_null()) == NULL) goto err; - if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) - goto err; - - if (!CBS_get_u8_length_prefixed(&cbs, &cert_request_context)) + if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) goto err; if (CBS_len(&cert_request_context) != 0) goto err; - if (!CBS_get_u24_length_prefixed(&cbs, &cert_list)) - goto err; - if (CBS_len(&cbs) != 0) + if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) goto err; while (CBS_len(&cert_list) > 0) { if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) goto err; - if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) + + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT, + &cert_list, &alert_desc)) { + ctx->alert = alert_desc; goto err; + } p = CBS_data(&cert_data); if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) @@ -485,6 +587,14 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx) cert = NULL; } + /* A server must always provide a non-empty certificate list. */ + if (sk_X509_num(certs) < 1) { + ctx->alert = TLS13_ALERT_DECODE_ERROR; + tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, + "peer failed to provide a certificate", NULL); + goto err; + } + /* * At this stage we still have no proof of possession. As such, it would * be preferable to keep the chain and verify once we have successfully @@ -492,7 +602,9 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx) */ if (ssl_verify_cert_chain(s, certs) <= 0 && s->verify_mode != SSL_VERIFY_NONE) { - /* XXX send alert */ + ctx->alert = ssl_verify_alarm_type(s->verify_result); + tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, + "failed to verify peer certificate", NULL); goto err; } ERR_clear_error(); @@ -524,6 +636,10 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx) s->session->peer = cert; s->session->verify_result = s->verify_result; + if (ctx->ocsp_status_recv_cb != NULL && + !ctx->ocsp_status_recv_cb(ctx)) + goto err; + ret = 1; err: @@ -533,24 +649,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx) return ret; } -/* - * Certificate Verify padding - RFC 8446 section 4.4.3. - */ -static uint8_t cert_verify_pad[64] = { - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, -}; - -static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify"; - int -tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) +tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) { const struct ssl_sigalg *sigalg; uint16_t signature_scheme; @@ -560,20 +660,15 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) EVP_PKEY_CTX *pctx; EVP_PKEY *pkey; X509 *cert; - CBS cbs, signature; + CBS signature; CBB cbb; int ret = 0; memset(&cbb, 0, sizeof(cbb)); - if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) + if (!CBS_get_u16(cbs, &signature_scheme)) goto err; - - if (!CBS_get_u16(&cbs, &signature_scheme)) - goto err; - if (!CBS_get_u16_length_prefixed(&cbs, &signature)) - goto err; - if (CBS_len(&cbs) != 0) + if (!CBS_get_u16_length_prefixed(cbs, &signature)) goto err; if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, @@ -582,15 +677,16 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) if (!CBB_init(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad))) + if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) goto err; - if (!CBB_add_bytes(&cbb, server_cert_verify_context, - strlen(server_cert_verify_context))) + if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, + strlen(tls13_cert_server_verify_context))) goto err; if (!CBB_add_u8(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) goto err; @@ -615,17 +711,21 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) goto err; } - if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) + if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; goto err; + } if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), CBS_len(&signature)) <= 0) { - /* XXX - send alert. */ + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; goto err; } ret = 1; err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; CBB_cleanup(&cbb); EVP_MD_CTX_free(mdctx); free(sig_content); @@ -634,9 +734,9 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) } int -tls13_server_finished_recv(struct tls13_ctx *ctx) +tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; @@ -647,10 +747,6 @@ tls13_server_finished_recv(struct tls13_ctx *ctx) HMAC_CTX *hmac_ctx = NULL; unsigned int hlen; int ret = 0; - CBS cbs; - - if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) - goto err; /* * Verify server finished. @@ -668,8 +764,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx) if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, ctx->hash, NULL)) goto err; - if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; verify_data_len = HMAC_size(hmac_ctx); if ((verify_data = calloc(1, verify_data_len)) == NULL) @@ -679,11 +775,19 @@ tls13_server_finished_recv(struct tls13_ctx *ctx) if (hlen != verify_data_len) goto err; - if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) { - /* XXX - send alert. */ + if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; goto err; } + if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, + sizeof(ctx->hs->peer_finished), + &ctx->hs->peer_finished_len)) + goto err; + + if (!CBS_skip(cbs, verify_data_len)) + goto err; + /* * Derive application traffic keys. */ @@ -705,6 +809,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx) &secrets->server_application_traffic)) goto err; + tls13_record_layer_allow_ccs(ctx->rl, 0); + ret = 1; err: @@ -714,24 +820,221 @@ tls13_server_finished_recv(struct tls13_ctx *ctx) return ret; } +static int +tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, + int *ok, const struct ssl_sigalg **out_sigalg) +{ + const struct ssl_sigalg *sigalg; + SSL *s = ctx->ssl; + + *ok = 0; + *out_sigalg = NULL; + + if (cpk->x509 == NULL || cpk->privatekey == NULL) + goto done; + + if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) + goto done; + + *ok = 1; + *out_sigalg = sigalg; + + done: + return 1; +} + +static int +tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, + const struct ssl_sigalg **out_sigalg) +{ + SSL *s = ctx->ssl; + const struct ssl_sigalg *sigalg; + CERT_PKEY *cpk; + int cert_ok; + + *out_cpk = NULL; + *out_sigalg = NULL; + + /* + * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences + * with the certificate_authorities (4.2.4) and oid_filters (4.2.5) + * extensions. We should honor the former and must apply the latter. + */ + + cpk = &s->cert->pkeys[SSL_PKEY_ECC]; + if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = &s->cert->pkeys[SSL_PKEY_RSA]; + if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = NULL; + sigalg = NULL; + + done: + *out_cpk = cpk; + *out_sigalg = sigalg; + + return 1; +} + +int +tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) +{ + SSL *s = ctx->ssl; + CBB cert_request_context, cert_list; + const struct ssl_sigalg *sigalg; + STACK_OF(X509) *chain; + CERT_PKEY *cpk; + X509 *cert; + int i, ret = 0; + + if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) + goto err; + + ctx->hs->tls13.cpk = cpk; + ctx->hs->tls13.sigalg = sigalg; + + if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) + goto err; + if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) + goto err; + + /* No certificate selected. */ + if (cpk == NULL) + goto done; + + if ((chain = cpk->chain) == NULL) + chain = s->ctx->extra_certs; + + if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build)) + goto err; + + for (i = 0; i < sk_X509_num(chain); i++) { + cert = sk_X509_value(chain, i); + if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build)) + goto err; + } + + ctx->handshake_stage.hs_type |= WITH_CCV; + done: + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + return ret; +} + int -tls13_client_finished_send(struct tls13_ctx *ctx) +tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) { - struct tls13_secrets *secrets = ctx->hs->secrets; + const struct ssl_sigalg *sigalg; + uint8_t *sig = NULL, *sig_content = NULL; + size_t sig_len, sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + const CERT_PKEY *cpk; + CBB sig_cbb; + int ret = 0; + + memset(&sig_cbb, 0, sizeof(sig_cbb)); + + if ((cpk = ctx->hs->tls13.cpk) == NULL) + goto err; + if ((sigalg = ctx->hs->tls13.sigalg) == NULL) + goto err; + pkey = cpk->privatekey; + + if (!CBB_init(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, + strlen(tls13_cert_client_verify_context))) + goto err; + if (!CBB_add_u8(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) + goto err; + if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) + goto err; + if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) + goto err; + if ((sig = calloc(1, sig_len)) == NULL) + goto err; + if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) + goto err; + + if (!CBB_add_u16(cbb, sigalg->value)) + goto err; + if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) + goto err; + if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + + CBB_cleanup(&sig_cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + free(sig); + + return ret; +} + +int +tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) +{ + return 0; +} + +int +tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) +{ + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; - struct tls13_secret finished_key; + struct tls13_secret finished_key = { .data = NULL, .len = 0 }; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; size_t transcript_hash_len; - uint8_t key[EVP_MAX_MD_SIZE]; uint8_t *verify_data; - size_t hmac_len; + size_t verify_data_len; unsigned int hlen; HMAC_CTX *hmac_ctx = NULL; + CBS cbs; int ret = 0; - CBB body; - finished_key.data = key; - finished_key.len = EVP_MD_size(ctx->hash); + if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) + goto err; if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, &secrets->client_handshake_traffic, "finished", @@ -750,21 +1053,23 @@ tls13_client_finished_send(struct tls13_ctx *ctx) if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) goto err; - if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED)) - goto err; - hmac_len = HMAC_size(hmac_ctx); - if (!CBB_add_space(&body, &verify_data, hmac_len)) + verify_data_len = HMAC_size(hmac_ctx); + if (!CBB_add_space(cbb, &verify_data, verify_data_len)) goto err; if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) goto err; - if (hlen != hmac_len) + if (hlen != verify_data_len) goto err; - if (!tls13_handshake_msg_finish(ctx->hs_msg)) + + CBS_init(&cbs, verify_data, verify_data_len); + if (!CBS_write_bytes(&cbs, ctx->hs->finished, + sizeof(ctx->hs->finished), &ctx->hs->finished_len)) goto err; ret = 1; err: + tls13_secret_cleanup(&finished_key); HMAC_CTX_free(hmac_ctx); return ret; @@ -773,7 +1078,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx) int tls13_client_finished_sent(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; /* * Any records following the client finished message must be encrypted diff --git a/ssl/tls13_error.c b/ssl/tls13_error.c new file mode 100644 index 00000000..295b6c4f --- /dev/null +++ b/ssl/tls13_error.c @@ -0,0 +1,99 @@ +/* $OpenBSD: tls13_error.c,v 1.1 2020/01/20 13:10:37 jsing Exp $ */ +/* + * Copyright (c) 2014,2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "tls13_internal.h" + +void +tls13_error_clear(struct tls13_error *error) +{ + error->code = 0; + error->subcode = 0; + error->errnum = 0; + error->file = NULL; + error->line = 0; + free(error->msg); + error->msg = NULL; +} + +static int +tls13_error_vset(struct tls13_error *error, int code, int subcode, int errnum, + const char *file, int line, const char *fmt, va_list ap) +{ + char *errmsg = NULL; + int rv = -1; + + tls13_error_clear(error); + + error->code = code; + error->subcode = subcode; + error->errnum = errnum; + error->file = file; + error->line = line; + + if (vasprintf(&errmsg, fmt, ap) == -1) { + errmsg = NULL; + goto err; + } + + if (errnum == -1) { + error->msg = errmsg; + return 0; + } + + if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) { + error->msg = NULL; + goto err; + } + rv = 0; + + err: + free(errmsg); + + return rv; +} + +int +tls13_error_set(struct tls13_error *error, int code, int subcode, + const char *file, int line, const char *fmt, ...) +{ + va_list ap; + int errnum, rv; + + errnum = errno; + + va_start(ap, fmt); + rv = tls13_error_vset(error, code, subcode, errnum, file, line, fmt, ap); + va_end(ap); + + return (rv); +} + +int +tls13_error_setx(struct tls13_error *error, int code, int subcode, + const char *file, int line, const char *fmt, ...) +{ + va_list ap; + int rv; + + va_start(ap, fmt); + rv = tls13_error_vset(error, code, subcode, -1, file, line, fmt, ap); + va_end(ap); + + return (rv); +} diff --git a/ssl/tls13_handshake.c b/ssl/tls13_handshake.c index 542410bd..c18a2dfe 100644 --- a/ssl/tls13_handshake.c +++ b/ssl/tls13_handshake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake.c,v 1.35 2019/04/05 20:23:38 tb Exp $ */ +/* $OpenBSD: tls13_handshake.c,v 1.65 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018-2019 Theo Buehler * Copyright (c) 2019 Joel Sing @@ -25,34 +25,35 @@ /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ struct tls13_handshake_action { - uint8_t handshake_type; - uint8_t sender; - uint8_t handshake_complete; - uint8_t preserve_transcript_hash; + uint8_t handshake_type; + uint8_t sender; + uint8_t handshake_complete; + uint8_t send_preserve_transcript_hash; + uint8_t recv_preserve_transcript_hash; - int (*send)(struct tls13_ctx *ctx); + int (*send)(struct tls13_ctx *ctx, CBB *cbb); int (*sent)(struct tls13_ctx *ctx); - int (*recv)(struct tls13_ctx *ctx); + int (*recv)(struct tls13_ctx *ctx, CBS *cbs); }; -enum tls13_message_type tls13_handshake_active_state(struct tls13_ctx *ctx); +static enum tls13_message_type + tls13_handshake_active_state(struct tls13_ctx *ctx); -int tls13_accept(struct tls13_ctx *ctx); - -struct tls13_handshake_action * +static const struct tls13_handshake_action * tls13_handshake_active_action(struct tls13_ctx *ctx); -int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); +static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); -int tls13_handshake_send_action(struct tls13_ctx *ctx, - struct tls13_handshake_action *action); -int tls13_handshake_recv_action(struct tls13_ctx *ctx, - struct tls13_handshake_action *action); +static int tls13_handshake_send_action(struct tls13_ctx *ctx, + const struct tls13_handshake_action *action); +static int tls13_handshake_recv_action(struct tls13_ctx *ctx, + const struct tls13_handshake_action *action); -struct tls13_handshake_action state_machine[] = { +static const struct tls13_handshake_action state_machine[] = { [CLIENT_HELLO] = { .handshake_type = TLS13_MT_CLIENT_HELLO, .sender = TLS13_HS_CLIENT, .send = tls13_client_hello_send, + .sent = tls13_client_hello_sent, .recv = tls13_client_hello_recv, }, [CLIENT_HELLO_RETRY] = { @@ -70,39 +71,38 @@ struct tls13_handshake_action state_machine[] = { [CLIENT_CERTIFICATE] = { .handshake_type = TLS13_MT_CERTIFICATE, .sender = TLS13_HS_CLIENT, + .send_preserve_transcript_hash = 1, .send = tls13_client_certificate_send, .recv = tls13_client_certificate_recv, }, [CLIENT_CERTIFICATE_VERIFY] = { .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, .sender = TLS13_HS_CLIENT, + .recv_preserve_transcript_hash = 1, .send = tls13_client_certificate_verify_send, .recv = tls13_client_certificate_verify_recv, }, [CLIENT_FINISHED] = { .handshake_type = TLS13_MT_FINISHED, .sender = TLS13_HS_CLIENT, + .recv_preserve_transcript_hash = 1, .send = tls13_client_finished_send, .sent = tls13_client_finished_sent, .recv = tls13_client_finished_recv, }, - [CLIENT_KEY_UPDATE] = { - .handshake_type = TLS13_MT_KEY_UPDATE, - .sender = TLS13_HS_CLIENT, - .send = tls13_client_key_update_send, - .recv = tls13_client_key_update_recv, - }, [SERVER_HELLO] = { .handshake_type = TLS13_MT_SERVER_HELLO, .sender = TLS13_HS_SERVER, .send = tls13_server_hello_send, + .sent = tls13_server_hello_sent, .recv = tls13_server_hello_recv, }, - [SERVER_HELLO_RETRY] = { + [SERVER_HELLO_RETRY_REQUEST] = { .handshake_type = TLS13_MT_SERVER_HELLO, .sender = TLS13_HS_SERVER, - .send = tls13_server_hello_retry_send, - .recv = tls13_server_hello_retry_recv, + .send = tls13_server_hello_retry_request_send, + .recv = tls13_server_hello_retry_request_recv, + .sent = tls13_server_hello_retry_request_sent, }, [SERVER_ENCRYPTED_EXTENSIONS] = { .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, @@ -113,11 +113,12 @@ struct tls13_handshake_action state_machine[] = { [SERVER_CERTIFICATE] = { .handshake_type = TLS13_MT_CERTIFICATE, .sender = TLS13_HS_SERVER, + .send_preserve_transcript_hash = 1, .send = tls13_server_certificate_send, .recv = tls13_server_certificate_recv, }, [SERVER_CERTIFICATE_REQUEST] = { - .handshake_type = TLS13_MT_CERTIFICATE, + .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, .sender = TLS13_HS_SERVER, .send = tls13_server_certificate_request_send, .recv = tls13_server_certificate_request_recv, @@ -125,15 +126,17 @@ struct tls13_handshake_action state_machine[] = { [SERVER_CERTIFICATE_VERIFY] = { .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, .sender = TLS13_HS_SERVER, - .preserve_transcript_hash = 1, + .recv_preserve_transcript_hash = 1, .send = tls13_server_certificate_verify_send, .recv = tls13_server_certificate_verify_recv, }, [SERVER_FINISHED] = { .handshake_type = TLS13_MT_FINISHED, .sender = TLS13_HS_SERVER, - .preserve_transcript_hash = 1, + .recv_preserve_transcript_hash = 1, + .send_preserve_transcript_hash = 1, .send = tls13_server_finished_send, + .sent = tls13_server_finished_sent, .recv = tls13_server_finished_recv, }, [APPLICATION_DATA] = { @@ -141,13 +144,17 @@ struct tls13_handshake_action state_machine[] = { }, }; -enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { +const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { [INITIAL] = { CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, SERVER_HELLO, }, [NEGOTIATED] = { CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, SERVER_HELLO, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE_REQUEST, @@ -158,11 +165,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { CLIENT_FINISHED, APPLICATION_DATA, }, - [NEGOTIATED | WITH_HRR] = { + [NEGOTIATED | WITHOUT_HRR] = { CLIENT_HELLO, SERVER_HELLO, - CLIENT_HELLO_RETRY, - SERVER_HELLO_RETRY, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE_REQUEST, SERVER_CERTIFICATE, @@ -174,6 +179,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { }, [NEGOTIATED | WITHOUT_CR] = { CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, SERVER_HELLO, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE, @@ -182,11 +189,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { CLIENT_FINISHED, APPLICATION_DATA, }, - [NEGOTIATED | WITH_HRR | WITHOUT_CR] = { + [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { CLIENT_HELLO, SERVER_HELLO, - CLIENT_HELLO_RETRY, - SERVER_HELLO_RETRY, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE, SERVER_CERTIFICATE_VERIFY, @@ -196,17 +201,17 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { }, [NEGOTIATED | WITH_PSK] = { CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, SERVER_HELLO, SERVER_ENCRYPTED_EXTENSIONS, SERVER_FINISHED, CLIENT_FINISHED, APPLICATION_DATA, }, - [NEGOTIATED | WITH_HRR | WITH_PSK] = { + [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { CLIENT_HELLO, SERVER_HELLO, - CLIENT_HELLO_RETRY, - SERVER_HELLO_RETRY, SERVER_ENCRYPTED_EXTENSIONS, SERVER_FINISHED, CLIENT_FINISHED, @@ -214,6 +219,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { }, [NEGOTIATED | WITH_CCV] = { CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, SERVER_HELLO, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE_REQUEST, @@ -225,11 +232,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { CLIENT_FINISHED, APPLICATION_DATA, }, - [NEGOTIATED | WITH_HRR | WITH_CCV] = { + [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { CLIENT_HELLO, SERVER_HELLO, - CLIENT_HELLO_RETRY, - SERVER_HELLO_RETRY, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE_REQUEST, SERVER_CERTIFICATE, @@ -244,7 +249,53 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); -enum tls13_message_type +#ifndef TLS13_DEBUG +#define DEBUGF(...) +#else +#define DEBUGF(...) fprintf(stderr, __VA_ARGS__) + +static const char * +tls13_handshake_mode_name(uint8_t mode) +{ + switch (mode) { + case TLS13_HS_CLIENT: + return "Client"; + case TLS13_HS_SERVER: + return "Server"; + } + return "Unknown"; +} + +static const char * +tls13_handshake_message_name(uint8_t msg_type) +{ + switch (msg_type) { + case TLS13_MT_CLIENT_HELLO: + return "ClientHello"; + case TLS13_MT_SERVER_HELLO: + return "ServerHello"; + case TLS13_MT_NEW_SESSION_TICKET: + return "NewSessionTicket"; + case TLS13_MT_END_OF_EARLY_DATA: + return "EndOfEarlyData"; + case TLS13_MT_ENCRYPTED_EXTENSIONS: + return "EncryptedExtensions"; + case TLS13_MT_CERTIFICATE: + return "Certificate"; + case TLS13_MT_CERTIFICATE_REQUEST: + return "CertificateRequest"; + case TLS13_MT_CERTIFICATE_VERIFY: + return "CertificateVerify"; + case TLS13_MT_FINISHED: + return "Finished"; + case TLS13_MT_KEY_UPDATE: + return "KeyUpdate"; + } + return "Unknown"; +} +#endif + +static enum tls13_message_type tls13_handshake_active_state(struct tls13_ctx *ctx) { struct tls13_handshake_stage hs = ctx->handshake_stage; @@ -257,7 +308,7 @@ tls13_handshake_active_state(struct tls13_ctx *ctx) return handshakes[hs.hs_type][hs.message_number]; } -struct tls13_handshake_action * +static const struct tls13_handshake_action * tls13_handshake_active_action(struct tls13_ctx *ctx) { enum tls13_message_type mt = tls13_handshake_active_state(ctx); @@ -268,7 +319,7 @@ tls13_handshake_active_action(struct tls13_ctx *ctx) return &state_machine[mt]; } -int +static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) { if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) @@ -277,12 +328,27 @@ tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) return 1; } +int +tls13_handshake_msg_record(struct tls13_ctx *ctx) +{ + CBS cbs; + + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); +} + int tls13_handshake_perform(struct tls13_ctx *ctx) { - struct tls13_handshake_action *action; + const struct tls13_handshake_action *action; int ret; + if (!ctx->handshake_started) { + ctx->handshake_started = 1; + if (ctx->info_cb != NULL) + ctx->info_cb(ctx, TLS13_INFO_HANDSHAKE_STARTED, 1); + } + for (;;) { if ((action = tls13_handshake_active_action(ctx)) == NULL) return TLS13_IO_FAILURE; @@ -290,15 +356,33 @@ tls13_handshake_perform(struct tls13_ctx *ctx) if (action->handshake_complete) { ctx->handshake_completed = 1; tls13_record_layer_handshake_completed(ctx->rl); + if (ctx->info_cb != NULL) + ctx->info_cb(ctx, + TLS13_INFO_HANDSHAKE_COMPLETED, 1); return TLS13_IO_SUCCESS; } - if (action->sender == ctx->mode) { - if ((ret = tls13_handshake_send_action(ctx, action)) <= 0) - return ret; - } else { - if ((ret = tls13_handshake_recv_action(ctx, action)) <= 0) - return ret; + DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), + (action->sender == ctx->mode) ? "sending" : "receiving", + tls13_handshake_message_name(action->handshake_type)); + + if (ctx->alert) + return tls13_send_alert(ctx->rl, ctx->alert); + + if (action->sender == ctx->mode) + ret = tls13_handshake_send_action(ctx, action); + else + ret = tls13_handshake_recv_action(ctx, action); + + if (ctx->alert) + return tls13_send_alert(ctx->rl, ctx->alert); + + if (ret <= 0) { + DEBUGF("%s %s returned %d\n", + tls13_handshake_mode_name(ctx->mode), + (action->sender == ctx->mode) ? "send" : "recv", + ret); + return ret; } if (!tls13_handshake_advance_state_machine(ctx)) @@ -306,50 +390,73 @@ tls13_handshake_perform(struct tls13_ctx *ctx) } } -int -tls13_accept(struct tls13_ctx *ctx) -{ - ctx->mode = TLS13_HS_SERVER; - - return tls13_handshake_perform(ctx); -} - -int +static int tls13_handshake_send_action(struct tls13_ctx *ctx, - struct tls13_handshake_action *action) + const struct tls13_handshake_action *action) { ssize_t ret; - CBS cbs; + CBB cbb; + + if (ctx->send_dummy_ccs) { + if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) + return ret; + ctx->send_dummy_ccs = 0; + if (ctx->send_dummy_ccs_after) { + ctx->send_dummy_ccs_after = 0; + return TLS13_IO_SUCCESS; + } + } /* If we have no handshake message, we need to build one. */ if (ctx->hs_msg == NULL) { if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) return TLS13_IO_FAILURE; - - /* XXX - provide CBB. */ - if (!action->send(ctx)) + if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, + action->handshake_type)) + return TLS13_IO_FAILURE; + if (!action->send(ctx, &cbb)) + return TLS13_IO_FAILURE; + if (!tls13_handshake_msg_finish(ctx->hs_msg)) return TLS13_IO_FAILURE; } if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) return ret; - tls13_handshake_msg_data(ctx->hs_msg, &cbs); - if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) + if (!tls13_handshake_msg_record(ctx)) return TLS13_IO_FAILURE; + if (action->send_preserve_transcript_hash) { + if (!tls1_transcript_hash_value(ctx->ssl, + ctx->hs->tls13.transcript_hash, + sizeof(ctx->hs->tls13.transcript_hash), + &ctx->hs->tls13.transcript_hash_len)) + return TLS13_IO_FAILURE; + } + + if (ctx->handshake_message_sent_cb != NULL) + ctx->handshake_message_sent_cb(ctx); + tls13_handshake_msg_free(ctx->hs_msg); ctx->hs_msg = NULL; if (action->sent != NULL && !action->sent(ctx)) return TLS13_IO_FAILURE; + if (ctx->send_dummy_ccs_after) { + ctx->send_dummy_ccs = 1; + if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) + return ret; + ctx->send_dummy_ccs = 0; + ctx->send_dummy_ccs_after = 0; + } + return TLS13_IO_SUCCESS; } -int +static int tls13_handshake_recv_action(struct tls13_ctx *ctx, - struct tls13_handshake_action *action) + const struct tls13_handshake_action *action) { uint8_t msg_type; ssize_t ret; @@ -363,17 +470,20 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) return ret; - if (action->preserve_transcript_hash) { + if (action->recv_preserve_transcript_hash) { if (!tls1_transcript_hash_value(ctx->ssl, - ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), - &ctx->hs->transcript_hash_len)) + ctx->hs->tls13.transcript_hash, + sizeof(ctx->hs->tls13.transcript_hash), + &ctx->hs->tls13.transcript_hash_len)) return TLS13_IO_FAILURE; } - tls13_handshake_msg_data(ctx->hs_msg, &cbs); - if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) + if (!tls13_handshake_msg_record(ctx)) return TLS13_IO_FAILURE; + if (ctx->handshake_message_recv_cb != NULL) + ctx->handshake_message_recv_cb(ctx); + /* * In TLSv1.3 there is no way to know if you're going to receive a * certificate request message or not, hence we have to special case it @@ -382,15 +492,22 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, msg_type = tls13_handshake_msg_type(ctx->hs_msg); if (msg_type != action->handshake_type && (msg_type != TLS13_MT_CERTIFICATE || - action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) { - /* XXX send unexpected message alert */ + action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) + return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) return TLS13_IO_FAILURE; - } - /* XXX provide CBS and check all consumed. */ ret = TLS13_IO_FAILURE; - if (action->recv(ctx)) - ret = TLS13_IO_SUCCESS; + if (action->recv(ctx, &cbs)) { + if (CBS_len(&cbs) != 0) { + tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, + "trailing data in handshake message", NULL); + ctx->alert = TLS13_ALERT_DECODE_ERROR; + } else { + ret = TLS13_IO_SUCCESS; + } + } tls13_handshake_msg_free(ctx->hs_msg); ctx->hs_msg = NULL; @@ -400,126 +517,3 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, return ret; } - -int -tls13_client_hello_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_hello_retry_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_hello_retry_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_hello_retry_recv(struct tls13_ctx *ctx) -{ - return 0; -} - - -int -tls13_client_end_of_early_data_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_certificate_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_certificate_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_certificate_verify_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_certificate_verify_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_finished_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_key_update_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_client_key_update_recv(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_hello_send(struct tls13_ctx *ctx) -{ - ctx->handshake_stage.hs_type |= NEGOTIATED; - - return 0; -} - -int -tls13_server_hello_retry_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_certificate_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_certificate_request_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_certificate_verify_send(struct tls13_ctx *ctx) -{ - return 0; -} - -int -tls13_server_finished_send(struct tls13_ctx *ctx) -{ - return 0; -} diff --git a/ssl/tls13_handshake.h b/ssl/tls13_handshake.h index 9910dab1..8a08b9fd 100644 --- a/ssl/tls13_handshake.h +++ b/ssl/tls13_handshake.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake.h,v 1.3 2019/04/05 20:23:38 tb Exp $ */ +/* $OpenBSD: tls13_handshake.h,v 1.5 2020/04/22 17:05:07 jsing Exp $ */ /* * Copyright (c) 2019 Theo Buehler * @@ -24,7 +24,7 @@ __BEGIN_HIDDEN_DECLS #define INITIAL 0x00 #define NEGOTIATED 0x01 -#define WITH_HRR 0x02 +#define WITHOUT_HRR 0x02 #define WITHOUT_CR 0x04 #define WITH_PSK 0x08 #define WITH_CCV 0x10 @@ -33,9 +33,9 @@ __BEGIN_HIDDEN_DECLS enum tls13_message_type { INVALID, CLIENT_HELLO, - SERVER_HELLO, + SERVER_HELLO_RETRY_REQUEST, CLIENT_HELLO_RETRY, - SERVER_HELLO_RETRY, + SERVER_HELLO, SERVER_ENCRYPTED_EXTENSIONS, SERVER_CERTIFICATE_REQUEST, SERVER_CERTIFICATE, @@ -45,8 +45,6 @@ enum tls13_message_type { CLIENT_CERTIFICATE, CLIENT_CERTIFICATE_VERIFY, CLIENT_FINISHED, - CLIENT_KEY_UPDATE, - SERVER_NEW_SESSION_TICKET, APPLICATION_DATA, TLS13_NUM_MESSAGE_TYPES, }; diff --git a/ssl/tls13_handshake_msg.c b/ssl/tls13_handshake_msg.c index f85271a5..21932fc4 100644 --- a/ssl/tls13_handshake_msg.c +++ b/ssl/tls13_handshake_msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake_msg.c,v 1.1 2019/01/20 12:27:34 jsing Exp $ */ +/* $OpenBSD: tls13_handshake_msg.c,v 1.2 2019/11/20 16:21:20 beck Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -72,6 +72,12 @@ tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs) CBS_init(cbs, msg->data, msg->data_len); } +int +tls13_handshake_msg_set_buffer(struct tls13_handshake_msg *msg, CBS *cbs) +{ + return tls13_buffer_set_data(msg->buf, cbs); +} + uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg) { diff --git a/ssl/tls13_internal.h b/ssl/tls13_internal.h index 1d7a7eb6..973661ac 100644 --- a/ssl/tls13_internal.h +++ b/ssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.28 2019/04/05 20:23:38 tb Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.89 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck * Copyright (c) 2018 Theo Buehler @@ -27,25 +27,78 @@ __BEGIN_HIDDEN_DECLS -#define TLS13_HS_CLIENT 1 -#define TLS13_HS_SERVER 2 - -#define TLS13_IO_SUCCESS 1 -#define TLS13_IO_EOF 0 -#define TLS13_IO_FAILURE -1 -#define TLS13_IO_WANT_POLLIN -2 -#define TLS13_IO_WANT_POLLOUT -3 -#define TLS13_IO_USE_LEGACY -4 +#define TLS13_HS_CLIENT 1 +#define TLS13_HS_SERVER 2 + +#define TLS13_IO_SUCCESS 1 +#define TLS13_IO_EOF 0 +#define TLS13_IO_FAILURE -1 +#define TLS13_IO_ALERT -2 +#define TLS13_IO_WANT_POLLIN -3 +#define TLS13_IO_WANT_POLLOUT -4 +#define TLS13_IO_WANT_RETRY -5 /* Retry the previous call immediately. */ +#define TLS13_IO_USE_LEGACY -6 +#define TLS13_IO_RECORD_VERSION -7 +#define TLS13_IO_RECORD_OVERFLOW -8 + +#define TLS13_ERR_VERIFY_FAILED 16 +#define TLS13_ERR_HRR_FAILED 17 +#define TLS13_ERR_TRAILING_DATA 18 +#define TLS13_ERR_NO_SHARED_CIPHER 19 +#define TLS13_ERR_NO_CERTIFICATE 20 +#define TLS13_ERR_NO_PEER_CERTIFICATE 21 + +#define TLS13_ALERT_LEVEL_WARNING 1 +#define TLS13_ALERT_LEVEL_FATAL 2 + +#define TLS13_ALERT_CLOSE_NOTIFY 0 +#define TLS13_ALERT_UNEXPECTED_MESSAGE 10 +#define TLS13_ALERT_BAD_RECORD_MAC 20 +#define TLS13_ALERT_RECORD_OVERFLOW 22 +#define TLS13_ALERT_HANDSHAKE_FAILURE 40 +#define TLS13_ALERT_BAD_CERTIFICATE 42 +#define TLS13_ALERT_UNSUPPORTED_CERTIFICATE 43 +#define TLS13_ALERT_CERTIFICATE_REVOKED 44 +#define TLS13_ALERT_CERTIFICATE_EXPIRED 45 +#define TLS13_ALERT_CERTIFICATE_UNKNOWN 46 +#define TLS13_ALERT_ILLEGAL_PARAMETER 47 +#define TLS13_ALERT_UNKNOWN_CA 48 +#define TLS13_ALERT_ACCESS_DENIED 49 +#define TLS13_ALERT_DECODE_ERROR 50 +#define TLS13_ALERT_DECRYPT_ERROR 51 +#define TLS13_ALERT_PROTOCOL_VERSION 70 +#define TLS13_ALERT_INSUFFICIENT_SECURITY 71 +#define TLS13_ALERT_INTERNAL_ERROR 80 +#define TLS13_ALERT_INAPPROPRIATE_FALLBACK 86 +#define TLS13_ALERT_USER_CANCELED 90 +#define TLS13_ALERT_MISSING_EXTENSION 109 +#define TLS13_ALERT_UNSUPPORTED_EXTENSION 110 +#define TLS13_ALERT_UNRECOGNIZED_NAME 112 +#define TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 +#define TLS13_ALERT_UNKNOWN_PSK_IDENTITY 115 +#define TLS13_ALERT_CERTIFICATE_REQUIRED 116 +#define TLS13_ALERT_NO_APPLICATION_PROTOCOL 120 + +#define TLS13_INFO_HANDSHAKE_STARTED SSL_CB_HANDSHAKE_START +#define TLS13_INFO_HANDSHAKE_COMPLETED SSL_CB_HANDSHAKE_DONE typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg); -typedef int (*tls13_post_handshake_cb)(void *_cb_arg); +typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *_cbs); +typedef void (*tls13_phh_sent_cb)(void *_cb_arg); typedef ssize_t (*tls13_read_cb)(void *_buf, size_t _buflen, void *_cb_arg); typedef ssize_t (*tls13_write_cb)(const void *_buf, size_t _buflen, void *_cb_arg); +typedef void (*tls13_handshake_message_cb)(void *_cb_arg); +typedef void (*tls13_info_cb)(void *_cb_arg, int _state, int _ret); +typedef int (*tls13_ocsp_status_cb)(void *_cb_arg); +/* + * Buffers. + */ struct tls13_buffer; struct tls13_buffer *tls13_buffer_new(size_t init_size); +int tls13_buffer_set_data(struct tls13_buffer *buf, CBS *data); void tls13_buffer_free(struct tls13_buffer *buf); ssize_t tls13_buffer_extend(struct tls13_buffer *buf, size_t len, tls13_read_cb read_cb, void *cb_arg); @@ -53,6 +106,9 @@ void tls13_buffer_cbs(struct tls13_buffer *buf, CBS *cbs); int tls13_buffer_finish(struct tls13_buffer *buf, uint8_t **out, size_t *out_len); +/* + * Secrets. + */ struct tls13_secret { uint8_t *data; size_t len; @@ -85,6 +141,8 @@ struct tls13_secrets { struct tls13_secret resumption_master; }; +int tls13_secret_init(struct tls13_secret *secret, size_t len); +void tls13_secret_cleanup(struct tls13_secret *secret); struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest, int resumption); void tls13_secrets_destroy(struct tls13_secrets *secrets); @@ -92,6 +150,16 @@ void tls13_secrets_destroy(struct tls13_secrets *secrets); int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context); +int tls13_hkdf_expand_label_with_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context); + +int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, + const struct tls13_secret *secret, const char *label, + const struct tls13_secret *context); +int tls13_derive_secret_with_label_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context); int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, size_t psk_len, const struct tls13_secret *context); @@ -99,33 +167,74 @@ int tls13_derive_handshake_secrets(struct tls13_secrets *secrets, const uint8_t *ecdhe, size_t ecdhe_len, const struct tls13_secret *context); int tls13_derive_application_secrets(struct tls13_secrets *secrets, const struct tls13_secret *context); +int tls13_update_client_traffic_secret(struct tls13_secrets *secrets); +int tls13_update_server_traffic_secret(struct tls13_secrets *secrets); + +/* + * Key shares. + */ +struct tls13_key_share; + +struct tls13_key_share *tls13_key_share_new(uint16_t group_id); +struct tls13_key_share *tls13_key_share_new_nid(int nid); +void tls13_key_share_free(struct tls13_key_share *ks); + +uint16_t tls13_key_share_group(struct tls13_key_share *ks); +int tls13_key_share_peer_pkey(struct tls13_key_share *ks, EVP_PKEY *pkey); +int tls13_key_share_generate(struct tls13_key_share *ks); +int tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb); +int tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group, + CBS *cbs); +int tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key, + size_t *shared_key_len); /* * Record Layer. */ struct tls13_record_layer; -struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read, - tls13_write_cb wire_write, tls13_alert_cb alert_cb, - tls13_post_handshake_cb post_handshake_cb, void *cb_arg); +struct tls13_record_layer_callbacks { + tls13_read_cb wire_read; + tls13_write_cb wire_write; + tls13_alert_cb alert_recv; + tls13_alert_cb alert_sent; + tls13_phh_recv_cb phh_recv; + tls13_phh_sent_cb phh_sent; +}; + +struct tls13_record_layer *tls13_record_layer_new( + const struct tls13_record_layer_callbacks *callbacks, void *cb_arg); void tls13_record_layer_free(struct tls13_record_layer *rl); +void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow); +void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow); +void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs); void tls13_record_layer_set_aead(struct tls13_record_layer *rl, const EVP_AEAD *aead); void tls13_record_layer_set_hash(struct tls13_record_layer *rl, const EVP_MD *hash); +void tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, + uint16_t version); +void tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry); void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *read_key); int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *write_key); +ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); +ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, size_t n); +ssize_t tls13_pending_application_data(struct tls13_record_layer *rl); +ssize_t tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); ssize_t tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); ssize_t tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, size_t n); +ssize_t tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc); +ssize_t tls13_send_dummy_ccs(struct tls13_record_layer *rl); + /* * Handshake Messages. */ @@ -134,6 +243,7 @@ struct tls13_handshake_msg; struct tls13_handshake_msg *tls13_handshake_msg_new(void); void tls13_handshake_msg_free(struct tls13_handshake_msg *msg); void tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs); +int tls13_handshake_msg_set_buffer(struct tls13_handshake_msg *msg, CBS *cbs); uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg); int tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs); int tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body, @@ -151,19 +261,52 @@ struct tls13_handshake_stage { struct ssl_handshake_tls13_st; +struct tls13_error { + int code; + int subcode; + int errnum; + const char *file; + int line; + char *msg; +}; + struct tls13_ctx { + struct tls13_error error; + SSL *ssl; - struct ssl_handshake_tls13_st *hs; + struct ssl_handshake_st *hs; uint8_t mode; struct tls13_handshake_stage handshake_stage; + int handshake_started; int handshake_completed; + int middlebox_compat; + int send_dummy_ccs; + int send_dummy_ccs_after; + + int close_notify_sent; + int close_notify_recv; const EVP_AEAD *aead; const EVP_MD *hash; struct tls13_record_layer *rl; struct tls13_handshake_msg *hs_msg; + uint8_t key_update_request; + uint8_t alert; + int phh_count; + time_t phh_last_seen; + + tls13_handshake_message_cb handshake_message_sent_cb; + tls13_handshake_message_cb handshake_message_recv_cb; + tls13_info_cb info_cb; + tls13_ocsp_status_cb ocsp_status_recv_cb; }; +#ifndef TLS13_PHH_LIMIT_TIME +#define TLS13_PHH_LIMIT_TIME 3600 +#endif +#ifndef TLS13_PHH_LIMIT +#define TLS13_PHH_LIMIT 100 +#endif struct tls13_ctx *tls13_ctx_new(int mode); void tls13_ctx_free(struct tls13_ctx *ctx); @@ -174,13 +317,19 @@ const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher); /* * Legacy interfaces. */ +int tls13_use_legacy_client(struct tls13_ctx *ctx); +int tls13_use_legacy_server(struct tls13_ctx *ctx); +int tls13_legacy_accept(SSL *ssl); int tls13_legacy_connect(SSL *ssl); int tls13_legacy_return_code(SSL *ssl, ssize_t ret); ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg); ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg); +int tls13_legacy_pending(const SSL *ssl); int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek); int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); +int tls13_legacy_shutdown(SSL *ssl); +int tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert); /* * Message Types - RFC 8446, Section B.3. @@ -210,37 +359,81 @@ int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); #define TLS13_MT_KEY_UPDATE 24 #define TLS13_MT_MESSAGE_HASH 254 +int tls13_handshake_msg_record(struct tls13_ctx *ctx); int tls13_handshake_perform(struct tls13_ctx *ctx); -int tls13_client_hello_send(struct tls13_ctx *ctx); -int tls13_client_hello_recv(struct tls13_ctx *ctx); -int tls13_client_hello_retry_send(struct tls13_ctx *ctx); -int tls13_client_hello_retry_recv(struct tls13_ctx *ctx); -int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx); -int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx); -int tls13_client_certificate_send(struct tls13_ctx *ctx); -int tls13_client_certificate_recv(struct tls13_ctx *ctx); -int tls13_client_certificate_verify_send(struct tls13_ctx *ctx); -int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx); -int tls13_client_finished_recv(struct tls13_ctx *ctx); -int tls13_client_finished_send(struct tls13_ctx *ctx); +int tls13_client_init(struct tls13_ctx *ctx); +int tls13_server_init(struct tls13_ctx *ctx); +int tls13_client_connect(struct tls13_ctx *ctx); +int tls13_server_accept(struct tls13_ctx *ctx); + +int tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_hello_sent(struct tls13_ctx *ctx); +int tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb); int tls13_client_finished_sent(struct tls13_ctx *ctx); -int tls13_client_key_update_send(struct tls13_ctx *ctx); -int tls13_client_key_update_recv(struct tls13_ctx *ctx); -int tls13_server_hello_recv(struct tls13_ctx *ctx); -int tls13_server_hello_send(struct tls13_ctx *ctx); -int tls13_server_hello_retry_recv(struct tls13_ctx *ctx); -int tls13_server_hello_retry_send(struct tls13_ctx *ctx); -int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx); -int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx); -int tls13_server_certificate_recv(struct tls13_ctx *ctx); -int tls13_server_certificate_send(struct tls13_ctx *ctx); -int tls13_server_certificate_request_recv(struct tls13_ctx *ctx); -int tls13_server_certificate_request_send(struct tls13_ctx *ctx); -int tls13_server_certificate_verify_send(struct tls13_ctx *ctx); -int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx); -int tls13_server_finished_recv(struct tls13_ctx *ctx); -int tls13_server_finished_send(struct tls13_ctx *ctx); +int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_hello_sent(struct tls13_ctx *ctx); +int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx); +int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_finished_sent(struct tls13_ctx *ctx); + +void tls13_error_clear(struct tls13_error *error); +int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, + int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)); + +int tls13_synthetic_handshake_message(struct tls13_ctx *ctx); +int tls13_clienthello_hash_init(struct tls13_ctx *ctx); +void tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs); +int tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, + size_t len); +int tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs); +int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx); +int tls13_clienthello_hash_validate(struct tls13_ctx *ctx); + +int tls13_error_set(struct tls13_error *error, int code, int subcode, + const char *file, int line, const char *fmt, ...); +int tls13_error_setx(struct tls13_error *error, int code, int subcode, + const char *file, int line, const char *fmt, ...); + +#define tls13_set_error(ctx, code, subcode, fmt, ...) \ + tls13_error_set(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ + (fmt), __VA_ARGS__) +#define tls13_set_errorx(ctx, code, subcode, fmt, ...) \ + tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ + (fmt), __VA_ARGS__) + +int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len); + +extern const uint8_t tls13_downgrade_12[8]; +extern const uint8_t tls13_downgrade_11[8]; +extern const uint8_t tls13_hello_retry_request_hash[32]; +extern const uint8_t tls13_cert_verify_pad[64]; +extern const uint8_t tls13_cert_client_verify_context[]; +extern const uint8_t tls13_cert_server_verify_context[]; __END_HIDDEN_DECLS diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c index 8a0b3e8a..bb96cf3d 100644 --- a/ssl/tls13_key_schedule.c +++ b/ssl/tls13_key_schedule.c @@ -1,5 +1,6 @@ -/* $OpenBSD: tls13_key_schedule.c,v 1.7 2018/11/13 01:25:13 beck Exp $ */ -/* Copyright (c) 2018, Bob Beck +/* $OpenBSD: tls13_key_schedule.c,v 1.14 2021/01/05 18:36:22 tb Exp $ */ +/* + * Copyright (c) 2018, Bob Beck * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -22,46 +23,25 @@ #include "bytestring.h" #include "tls13_internal.h" -void -tls13_secrets_destroy(struct tls13_secrets *secrets) +int +tls13_secret_init(struct tls13_secret *secret, size_t len) { - if (secrets == NULL) - return; + if (secret->data != NULL) + return 0; - /* you can never be too sure :) */ - freezero(secrets->zeros.data, secrets->zeros.len); - freezero(secrets->empty_hash.data, secrets->empty_hash.len); - - freezero(secrets->extracted_early.data, - secrets->extracted_early.len); - freezero(secrets->binder_key.data, - secrets->binder_key.len); - freezero(secrets->client_early_traffic.data, - secrets->client_early_traffic.len); - freezero(secrets->early_exporter_master.data, - secrets->early_exporter_master.len); - freezero(secrets->derived_early.data, - secrets->derived_early.len); - freezero(secrets->extracted_handshake.data, - secrets->extracted_handshake.len); - freezero(secrets->client_handshake_traffic.data, - secrets->client_handshake_traffic.len); - freezero(secrets->server_handshake_traffic.data, - secrets->server_handshake_traffic.len); - freezero(secrets->derived_handshake.data, - secrets->derived_handshake.len); - freezero(secrets->extracted_master.data, - secrets->extracted_master.len); - freezero(secrets->client_application_traffic.data, - secrets->client_application_traffic.len); - freezero(secrets->server_application_traffic.data, - secrets->server_application_traffic.len); - freezero(secrets->exporter_master.data, - secrets->exporter_master.len); - freezero(secrets->resumption_master.data, - secrets->resumption_master.len); + if ((secret->data = calloc(1, len)) == NULL) + return 0; + secret->len = len; - freezero(secrets, sizeof(struct tls13_secrets)); + return 1; +} + +void +tls13_secret_cleanup(struct tls13_secret *secret) +{ + freezero(secret->data, secret->len); + secret->data = NULL; + secret->len = 0; } /* @@ -81,62 +61,39 @@ tls13_secrets_create(const EVP_MD *digest, int resumption) if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL) goto err; - if ((secrets->zeros.data = calloc(hash_length, sizeof(uint8_t))) == - NULL) + if (!tls13_secret_init(&secrets->zeros, hash_length)) goto err; - secrets->zeros.len = hash_length; - - if ((secrets->empty_hash.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->empty_hash, hash_length)) goto err; - secrets->empty_hash.len = hash_length; - if ((secrets->extracted_early.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->extracted_early, hash_length)) goto err; - secrets->extracted_early.len = hash_length; - if ((secrets->binder_key.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->binder_key, hash_length)) goto err; - secrets->binder_key.len = hash_length; - if ((secrets->client_early_traffic.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->client_early_traffic, hash_length)) goto err; - secrets->client_early_traffic.len = hash_length; - if ((secrets->early_exporter_master.data = malloc(hash_length)) == - NULL) + if (!tls13_secret_init(&secrets->early_exporter_master, hash_length)) goto err; - secrets->early_exporter_master.len = hash_length; - if ((secrets->derived_early.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->derived_early, hash_length)) goto err; - secrets->derived_early.len = hash_length; - if ((secrets->extracted_handshake.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->extracted_handshake, hash_length)) goto err; - secrets->extracted_handshake.len = hash_length; - if ((secrets->client_handshake_traffic.data = malloc(hash_length)) - == NULL) + if (!tls13_secret_init(&secrets->client_handshake_traffic, hash_length)) goto err; - secrets->client_handshake_traffic.len = hash_length; - if ((secrets->server_handshake_traffic.data = malloc(hash_length)) - == NULL) + if (!tls13_secret_init(&secrets->server_handshake_traffic, hash_length)) goto err; - secrets->server_handshake_traffic.len = hash_length; - if ((secrets->derived_handshake.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->derived_handshake, hash_length)) goto err; - secrets->derived_handshake.len = hash_length; - if ((secrets->extracted_master.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->extracted_master, hash_length)) goto err; - secrets->extracted_master.len = hash_length; - if ((secrets->client_application_traffic.data = malloc(hash_length)) == - NULL) + if (!tls13_secret_init(&secrets->client_application_traffic, hash_length)) goto err; - secrets->client_application_traffic.len = hash_length; - if ((secrets->server_application_traffic.data = malloc(hash_length)) == - NULL) + if (!tls13_secret_init(&secrets->server_application_traffic, hash_length)) goto err; - secrets->server_application_traffic.len = hash_length; - if ((secrets->exporter_master.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->exporter_master, hash_length)) goto err; - secrets->exporter_master.len = hash_length; - if ((secrets->resumption_master.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->resumption_master, hash_length)) goto err; - secrets->resumption_master.len = hash_length; /* * Calculate the hash of a zero-length string - this is needed during @@ -169,10 +126,47 @@ tls13_secrets_create(const EVP_MD *digest, int resumption) return NULL; } +void +tls13_secrets_destroy(struct tls13_secrets *secrets) +{ + if (secrets == NULL) + return; + + /* you can never be too sure :) */ + tls13_secret_cleanup(&secrets->zeros); + tls13_secret_cleanup(&secrets->empty_hash); + + tls13_secret_cleanup(&secrets->extracted_early); + tls13_secret_cleanup(&secrets->binder_key); + tls13_secret_cleanup(&secrets->client_early_traffic); + tls13_secret_cleanup(&secrets->early_exporter_master); + tls13_secret_cleanup(&secrets->derived_early); + tls13_secret_cleanup(&secrets->extracted_handshake); + tls13_secret_cleanup(&secrets->client_handshake_traffic); + tls13_secret_cleanup(&secrets->server_handshake_traffic); + tls13_secret_cleanup(&secrets->derived_handshake); + tls13_secret_cleanup(&secrets->extracted_master); + tls13_secret_cleanup(&secrets->client_application_traffic); + tls13_secret_cleanup(&secrets->server_application_traffic); + tls13_secret_cleanup(&secrets->exporter_master); + tls13_secret_cleanup(&secrets->resumption_master); + + freezero(secrets, sizeof(struct tls13_secrets)); +} + int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context) +{ + return tls13_hkdf_expand_label_with_length(out, digest, secret, label, + strlen(label), context); +} + +int +tls13_hkdf_expand_label_with_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context) { const char tls13_plabel[] = "tls13 "; uint8_t *hkdf_label; @@ -188,7 +182,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, goto err; if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel))) goto err; - if (!CBB_add_bytes(&child, label, strlen(label))) + if (!CBB_add_bytes(&child, label, label_len)) goto err; if (!CBB_add_u8_length_prefixed(&cbb, &child)) goto err; @@ -207,7 +201,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, return(0); } -static int +int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context) @@ -215,6 +209,15 @@ tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, return tls13_hkdf_expand_label(out, digest, secret, label, context); } +int +tls13_derive_secret_with_label_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label, + size_t label_len, const struct tls13_secret *context) +{ + return tls13_hkdf_expand_label_with_length(out, digest, secret, label, + label_len, context); +} + int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, size_t psk_len, const struct tls13_secret *context) @@ -354,23 +357,27 @@ tls13_derive_application_secrets(struct tls13_secrets *secrets, int tls13_update_client_traffic_secret(struct tls13_secrets *secrets) { + struct tls13_secret context = { .data = "", .len = 0 }; + if (!secrets->init_done || !secrets->early_done || !secrets->handshake_done || !secrets->schedule_done) return 0; return tls13_hkdf_expand_label(&secrets->client_application_traffic, secrets->digest, &secrets->client_application_traffic, - "traffic upd", &secrets->empty_hash); + "traffic upd", &context); } int tls13_update_server_traffic_secret(struct tls13_secrets *secrets) { + struct tls13_secret context = { .data = "", .len = 0 }; + if (!secrets->init_done || !secrets->early_done || !secrets->handshake_done || !secrets->schedule_done) return 0; return tls13_hkdf_expand_label(&secrets->server_application_traffic, secrets->digest, &secrets->server_application_traffic, - "traffic upd", &secrets->empty_hash); + "traffic upd", &context); } diff --git a/ssl/tls13_key_share.c b/ssl/tls13_key_share.c new file mode 100644 index 00000000..0d1c0914 --- /dev/null +++ b/ssl/tls13_key_share.c @@ -0,0 +1,324 @@ +/* $OpenBSD: tls13_key_share.c,v 1.6 2020/04/18 14:07:56 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +#include "bytestring.h" +#include "ssl_locl.h" +#include "tls13_internal.h" + +struct tls13_key_share { + int nid; + uint16_t group_id; + + EC_KEY *ecdhe; + EC_KEY *ecdhe_peer; + + uint8_t *x25519_public; + uint8_t *x25519_private; + uint8_t *x25519_peer_public; +}; + +struct tls13_key_share * +tls13_key_share_new(uint16_t group_id) +{ + struct tls13_key_share *ks; + int nid; + + if ((nid = tls1_ec_curve_id2nid(group_id)) == 0) + return NULL; + + if ((ks = calloc(1, sizeof(struct tls13_key_share))) == NULL) + return NULL; + + ks->group_id = group_id; + ks->nid = nid; + + return ks; +} + +struct tls13_key_share * +tls13_key_share_new_nid(int nid) +{ + uint16_t group_id; + + if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) + return NULL; + + return tls13_key_share_new(group_id); +} + +void +tls13_key_share_free(struct tls13_key_share *ks) +{ + if (ks == NULL) + return; + + EC_KEY_free(ks->ecdhe); + EC_KEY_free(ks->ecdhe_peer); + + freezero(ks->x25519_public, X25519_KEY_LENGTH); + freezero(ks->x25519_private, X25519_KEY_LENGTH); + freezero(ks->x25519_peer_public, X25519_KEY_LENGTH); + + freezero(ks, sizeof(*ks)); +} + +uint16_t +tls13_key_share_group(struct tls13_key_share *ks) +{ + return ks->group_id; +} + +int +tls13_key_share_peer_pkey(struct tls13_key_share *ks, EVP_PKEY *pkey) +{ + if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) { + if (!ssl_kex_dummy_ecdhe_x25519(pkey)) + return 0; + } else if (ks->ecdhe_peer != NULL) { + if (!EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer)) + return 0; + } else { + return 0; + } + + return 1; +} + +static int +tls13_key_share_generate_ecdhe_ecp(struct tls13_key_share *ks) +{ + EC_KEY *ecdhe = NULL; + int ret = 0; + + if (ks->ecdhe != NULL) + goto err; + + if ((ecdhe = EC_KEY_new()) == NULL) + goto err; + if (!ssl_kex_generate_ecdhe_ecp(ecdhe, ks->nid)) + goto err; + + ks->ecdhe = ecdhe; + ecdhe = NULL; + + ret = 1; + + err: + EC_KEY_free(ecdhe); + + return ret; +} + +static int +tls13_key_share_generate_x25519(struct tls13_key_share *ks) +{ + uint8_t *public = NULL, *private = NULL; + int ret = 0; + + if (ks->x25519_public != NULL || ks->x25519_private != NULL) + goto err; + + if ((public = calloc(1, X25519_KEY_LENGTH)) == NULL) + goto err; + if ((private = calloc(1, X25519_KEY_LENGTH)) == NULL) + goto err; + + X25519_keypair(public, private); + + ks->x25519_public = public; + ks->x25519_private = private; + public = NULL; + private = NULL; + + ret = 1; + + err: + freezero(public, X25519_KEY_LENGTH); + freezero(private, X25519_KEY_LENGTH); + + return ret; +} + +int +tls13_key_share_generate(struct tls13_key_share *ks) +{ + if (ks->nid == NID_X25519) + return tls13_key_share_generate_x25519(ks); + + return tls13_key_share_generate_ecdhe_ecp(ks); +} + +static int +tls13_key_share_public_ecdhe_ecp(struct tls13_key_share *ks, CBB *cbb) +{ + if (ks->ecdhe == NULL) + return 0; + + return ssl_kex_public_ecdhe_ecp(ks->ecdhe, cbb); +} + +static int +tls13_key_share_public_x25519(struct tls13_key_share *ks, CBB *cbb) +{ + if (ks->x25519_public == NULL) + return 0; + + return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH); +} + +int +tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb) +{ + CBB key_exchange; + + if (!CBB_add_u16(cbb, ks->group_id)) + goto err; + if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) + goto err; + + if (ks->nid == NID_X25519) { + if (!tls13_key_share_public_x25519(ks, &key_exchange)) + goto err; + } else { + if (!tls13_key_share_public_ecdhe_ecp(ks, &key_exchange)) + goto err; + } + + if (!CBB_flush(cbb)) + goto err; + + return 1; + + err: + return 0; +} + +static int +tls13_key_share_peer_public_ecdhe_ecp(struct tls13_key_share *ks, CBS *cbs) +{ + EC_KEY *ecdhe = NULL; + int ret = 0; + + if (ks->ecdhe_peer != NULL) + goto err; + + if ((ecdhe = EC_KEY_new()) == NULL) + goto err; + if (!ssl_kex_peer_public_ecdhe_ecp(ecdhe, ks->nid, cbs)) + goto err; + + ks->ecdhe_peer = ecdhe; + ecdhe = NULL; + + ret = 1; + + err: + EC_KEY_free(ecdhe); + + return ret; +} + +static int +tls13_key_share_peer_public_x25519(struct tls13_key_share *ks, CBS *cbs) +{ + size_t out_len; + + if (ks->x25519_peer_public != NULL) + return 0; + + if (CBS_len(cbs) != X25519_KEY_LENGTH) + return 0; + + return CBS_stow(cbs, &ks->x25519_peer_public, &out_len); +} + +int +tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group, + CBS *cbs) +{ + if (ks->group_id != group) + return 0; + + if (ks->nid == NID_X25519) { + if (!tls13_key_share_peer_public_x25519(ks, cbs)) + return 0; + } else { + if (!tls13_key_share_peer_public_ecdhe_ecp(ks, cbs)) + return 0; + } + + return 1; +} + +static int +tls13_key_share_derive_ecdhe_ecp(struct tls13_key_share *ks, + uint8_t **shared_key, size_t *shared_key_len) +{ + if (ks->ecdhe == NULL || ks->ecdhe_peer == NULL) + return 0; + + return ssl_kex_derive_ecdhe_ecp(ks->ecdhe, ks->ecdhe_peer, + shared_key, shared_key_len); +} + +static int +tls13_key_share_derive_x25519(struct tls13_key_share *ks, + uint8_t **shared_key, size_t *shared_key_len) +{ + uint8_t *sk = NULL; + int ret = 0; + + if (ks->x25519_private == NULL || ks->x25519_peer_public == NULL) + goto err; + + if ((sk = calloc(1, X25519_KEY_LENGTH)) == NULL) + goto err; + if (!X25519(sk, ks->x25519_private, ks->x25519_peer_public)) + goto err; + + *shared_key = sk; + *shared_key_len = X25519_KEY_LENGTH; + sk = NULL; + + ret = 1; + + err: + freezero(sk, X25519_KEY_LENGTH); + + return ret; +} + +int +tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key, + size_t *shared_key_len) +{ + if (*shared_key != NULL) + return 0; + + *shared_key_len = 0; + + if (ks->nid == NID_X25519) + return tls13_key_share_derive_x25519(ks, shared_key, + shared_key_len); + + return tls13_key_share_derive_ecdhe_ecp(ks, shared_key, + shared_key_len); +} diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c new file mode 100644 index 00000000..19271ef7 --- /dev/null +++ b/ssl/tls13_legacy.c @@ -0,0 +1,536 @@ +/* $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "ssl_locl.h" +#include "tls13_internal.h" + +static ssize_t +tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) +{ + int n; + + if (ssl->rbio == NULL) { + SSLerror(ssl, SSL_R_BIO_NOT_SET); + return TLS13_IO_FAILURE; + } + + ssl->internal->rwstate = SSL_READING; + errno = 0; + + if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { + if (BIO_should_read(ssl->rbio)) + return TLS13_IO_WANT_POLLIN; + if (n == 0) + return TLS13_IO_EOF; + + if (ERR_peek_error() == 0 && errno != 0) + SYSerror(errno); + + return TLS13_IO_FAILURE; + } + + if (n == len) + ssl->internal->rwstate = SSL_NOTHING; + + return n; +} + +ssize_t +tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + + return tls13_legacy_wire_read(ctx->ssl, buf, n); +} + +static ssize_t +tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) +{ + int n; + + if (ssl->wbio == NULL) { + SSLerror(ssl, SSL_R_BIO_NOT_SET); + return TLS13_IO_FAILURE; + } + + ssl->internal->rwstate = SSL_WRITING; + errno = 0; + + if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { + if (BIO_should_write(ssl->wbio)) + return TLS13_IO_WANT_POLLOUT; + + if (ERR_peek_error() == 0 && errno != 0) + SYSerror(errno); + + return TLS13_IO_FAILURE; + } + + if (n == len) + ssl->internal->rwstate = SSL_NOTHING; + + return n; +} + +ssize_t +tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + + return tls13_legacy_wire_write(ctx->ssl, buf, n); +} + +static void +tls13_legacy_error(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + int reason = SSL_R_UNKNOWN; + + /* If we received a fatal alert we already put an error on the stack. */ + if (S3I(ssl)->fatal_alert != 0) + return; + + switch (ctx->error.code) { + case TLS13_ERR_VERIFY_FAILED: + reason = SSL_R_CERTIFICATE_VERIFY_FAILED; + break; + case TLS13_ERR_HRR_FAILED: + reason = SSL_R_NO_CIPHERS_AVAILABLE; + break; + case TLS13_ERR_TRAILING_DATA: + reason = SSL_R_EXTRA_DATA_IN_MESSAGE; + break; + case TLS13_ERR_NO_SHARED_CIPHER: + reason = SSL_R_NO_SHARED_CIPHER; + break; + case TLS13_ERR_NO_CERTIFICATE: + reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ + break; + case TLS13_ERR_NO_PEER_CERTIFICATE: + reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; + break; + } + + /* Something (probably libcrypto) already pushed an error on the stack. */ + if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) + return; + + ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, + ctx->error.line); +} + +int +tls13_legacy_return_code(SSL *ssl, ssize_t ret) +{ + if (ret > INT_MAX) { + SSLerror(ssl, ERR_R_INTERNAL_ERROR); + return -1; + } + + /* A successful read, write or other operation. */ + if (ret > 0) + return ret; + + ssl->internal->rwstate = SSL_NOTHING; + + switch (ret) { + case TLS13_IO_EOF: + return 0; + + case TLS13_IO_FAILURE: + tls13_legacy_error(ssl); + return -1; + + case TLS13_IO_ALERT: + tls13_legacy_error(ssl); + return -1; + + case TLS13_IO_WANT_POLLIN: + BIO_set_retry_read(ssl->rbio); + ssl->internal->rwstate = SSL_READING; + return -1; + + case TLS13_IO_WANT_POLLOUT: + BIO_set_retry_write(ssl->wbio); + ssl->internal->rwstate = SSL_WRITING; + return -1; + + case TLS13_IO_WANT_RETRY: + SSLerror(ssl, ERR_R_INTERNAL_ERROR); + return -1; + } + + SSLerror(ssl, ERR_R_INTERNAL_ERROR); + return -1; +} + +int +tls13_legacy_pending(const SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + ssize_t ret; + + if (ctx == NULL) + return 0; + + ret = tls13_pending_application_data(ctx->rl); + if (ret < 0 || ret > INT_MAX) + return 0; + + return ret; +} + +int +tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + ssize_t ret; + + if (ctx == NULL || !ctx->handshake_completed) { + if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + return ret; + return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); + } + + tls13_record_layer_set_retry_after_phh(ctx->rl, + (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + + if (type != SSL3_RT_APPLICATION_DATA) { + SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + if (len < 0) { + SSLerror(ssl, SSL_R_BAD_LENGTH); + return -1; + } + + if (peek) + ret = tls13_peek_application_data(ctx->rl, buf, len); + else + ret = tls13_read_application_data(ctx->rl, buf, len); + + return tls13_legacy_return_code(ssl, ret); +} + +int +tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + const uint8_t *buf = vbuf; + size_t n, sent; + ssize_t ret; + + if (ctx == NULL || !ctx->handshake_completed) { + if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + return ret; + return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); + } + + if (type != SSL3_RT_APPLICATION_DATA) { + SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + if (len < 0) { + SSLerror(ssl, SSL_R_BAD_LENGTH); + return -1; + } + + /* + * The TLSv1.3 record layer write behaviour is the same as + * SSL_MODE_ENABLE_PARTIAL_WRITE. + */ + if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { + ret = tls13_write_application_data(ctx->rl, buf, len); + return tls13_legacy_return_code(ssl, ret); + } + + /* + * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until + * we have written out all of the requested data. + */ + sent = S3I(ssl)->wnum; + if (len < sent) { + SSLerror(ssl, SSL_R_BAD_LENGTH); + return -1; + } + n = len - sent; + for (;;) { + if (n == 0) { + S3I(ssl)->wnum = 0; + return sent; + } + if ((ret = tls13_write_application_data(ctx->rl, + &buf[sent], n)) <= 0) { + S3I(ssl)->wnum = sent; + return tls13_legacy_return_code(ssl, ret); + } + sent += ret; + n -= ret; + } +} + +static int +tls13_use_legacy_stack(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + CBB cbb, fragment; + CBS cbs; + + memset(&cbb, 0, sizeof(cbb)); + + s->method = tls_legacy_method(); + + if (!ssl3_setup_init_buffer(s)) + goto err; + if (!ssl3_setup_buffers(s)) + goto err; + if (!ssl_init_wbio_buffer(s, 1)) + goto err; + + /* Stash any unprocessed data from the last record. */ + tls13_record_layer_rbuf(ctx->rl, &cbs); + if (CBS_len(&cbs) > 0) { + if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf, + S3I(s)->rbuf.len)) + goto err; + if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE)) + goto err; + if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) + goto err; + if (!CBB_add_u16_length_prefixed(&cbb, &fragment)) + goto err; + if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs))) + goto err; + if (!CBB_finish(&cbb, NULL, NULL)) + goto err; + + S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; + S3I(s)->rbuf.left = CBS_len(&cbs); + S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; + S3I(s)->rrec.length = CBS_len(&cbs); + s->internal->rstate = SSL_ST_READ_BODY; + s->internal->packet = S3I(s)->rbuf.buf; + s->internal->packet_length = SSL3_RT_HEADER_LENGTH; + s->internal->mac_packet = 1; + } + + /* Stash the current handshake message. */ + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) + goto err; + if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, + s->internal->init_buf->length, NULL)) + goto err; + + S3I(s)->tmp.reuse_message = 1; + S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); + S3I(s)->tmp.message_size = CBS_len(&cbs); + + return 1; + + err: + CBB_cleanup(&cbb); + + return 0; +} + +int +tls13_use_legacy_client(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + if (!tls13_use_legacy_stack(ctx)) + return 0; + + s->internal->handshake_func = s->method->internal->ssl_connect; + s->client_version = s->version = s->method->internal->max_tls_version; + + ctx->hs->state = SSL3_ST_CR_SRVR_HELLO_A; + + return 1; +} + +int +tls13_use_legacy_server(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + if (!tls13_use_legacy_stack(ctx)) + return 0; + + s->internal->handshake_func = s->method->internal->ssl_accept; + s->client_version = s->version = s->method->internal->max_tls_version; + s->server = 1; + + ctx->hs->state = SSL3_ST_SR_CLNT_HELLO_A; + + return 1; +} + +int +tls13_legacy_accept(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + int ret; + + if (ctx == NULL) { + if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + ssl->internal->tls13 = ctx; + ctx->ssl = ssl; + ctx->hs = &S3I(ssl)->hs; + + if (!tls13_server_init(ctx)) { + if (ERR_peek_error() == 0) + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + } + + ERR_clear_error(); + ctx->hs->state = SSL_ST_ACCEPT; + + ret = tls13_server_accept(ctx); + if (ret == TLS13_IO_USE_LEGACY) + return ssl->method->internal->ssl_accept(ssl); + if (ret == TLS13_IO_SUCCESS) + ctx->hs->state = SSL_ST_OK; + + return tls13_legacy_return_code(ssl, ret); +} + +int +tls13_legacy_connect(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + int ret; + +#ifdef TLS13_USE_LEGACY_CLIENT_AUTH + /* XXX drop back to legacy for client auth for now */ + if (ssl->cert->key->privatekey != NULL) { + ssl->method = tls_legacy_client_method(); + return ssl->method->internal->ssl_connect(ssl); + } +#endif + + if (ctx == NULL) { + if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + ssl->internal->tls13 = ctx; + ctx->ssl = ssl; + ctx->hs = &S3I(ssl)->hs; + + if (!tls13_client_init(ctx)) { + if (ERR_peek_error() == 0) + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + } + + ERR_clear_error(); + ctx->hs->state = SSL_ST_CONNECT; + + ret = tls13_client_connect(ctx); + if (ret == TLS13_IO_USE_LEGACY) + return ssl->method->internal->ssl_connect(ssl); + if (ret == TLS13_IO_SUCCESS) + ctx->hs->state = SSL_ST_OK; + + return tls13_legacy_return_code(ssl, ret); +} + +int +tls13_legacy_shutdown(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + uint8_t buf[512]; /* XXX */ + ssize_t ret; + + /* + * We need to return 0 when we have sent a close-notify but have not + * yet received one. We return 1 only once we have sent and received + * close-notify alerts. All other cases return -1 and set internal + * state appropriately. + */ + if (ctx == NULL || ssl->internal->quiet_shutdown) { + ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; + return 1; + } + + if (!ctx->close_notify_sent) { + /* Enqueue and send close notify. */ + if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { + ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; + if ((ret = tls13_send_alert(ctx->rl, + TLS13_ALERT_CLOSE_NOTIFY)) < 0) + return tls13_legacy_return_code(ssl, ret); + } + if ((ret = tls13_record_layer_send_pending(ctx->rl)) != + TLS13_IO_SUCCESS) + return tls13_legacy_return_code(ssl, ret); + } else if (!ctx->close_notify_recv) { + /* + * If there is no application data pending, attempt to read more + * data in order to receive a close notify. This should trigger + * a record to be read from the wire, which may be application + * handshake or alert data. Only one attempt is made to match + * previous semantics. + */ + if (tls13_pending_application_data(ctx->rl) == 0) { + if ((ret = tls13_read_application_data(ctx->rl, buf, + sizeof(buf))) < 0) + return tls13_legacy_return_code(ssl, ret); + } + } + + if (ctx->close_notify_recv) + return 1; + + return 0; +} + +int +tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) +{ + int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; + int ret = SSL_TLSEXT_ERR_NOACK; + SSL_CTX *ssl_ctx = ctx->ssl->ctx; + SSL *s = ctx->ssl; + + if (ssl_ctx->internal->tlsext_servername_callback == NULL) + ssl_ctx = s->initial_ctx; + if (ssl_ctx->internal->tlsext_servername_callback == NULL) + return 1; + + ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert, + ssl_ctx->internal->tlsext_servername_arg); + + if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || + ret == SSL_TLSEXT_ERR_ALERT_WARNING) { + if (legacy_alert >= 0 && legacy_alert <= 255) + *alert = legacy_alert; + return 0; + } + + return 1; +} diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c index 81325cd8..f064521c 100644 --- a/ssl/tls13_lib.c +++ b/ssl/tls13_lib.c @@ -1,6 +1,7 @@ -/* $OpenBSD: tls13_lib.c,v 1.11 2019/03/17 15:13:23 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing + * Copyright (c) 2019 Bob Beck * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -15,14 +16,55 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include #include #include #include "ssl_locl.h" +#include "ssl_tlsext.h" #include "tls13_internal.h" +/* + * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set + * by the server in server random if it is willing to downgrade but supports + * TLSv1.3 + */ +const uint8_t tls13_downgrade_12[8] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01, +}; +const uint8_t tls13_downgrade_11[8] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00, +}; + +/* + * HelloRetryRequest hash - RFC 8446 section 4.1.3. + */ +const uint8_t tls13_hello_retry_request_hash[32] = { + 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, + 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, + 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, + 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, +}; + +/* + * Certificate Verify padding - RFC 8446 section 4.4.3. + */ +const uint8_t tls13_cert_verify_pad[64] = { + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, +}; + +const uint8_t tls13_cert_client_verify_context[] = + "TLS 1.3, client CertificateVerify"; +const uint8_t tls13_cert_server_verify_context[] = + "TLS 1.3, server CertificateVerify"; + const EVP_AEAD * tls13_cipher_aead(const SSL_CIPHER *cipher) { @@ -65,15 +107,15 @@ static void tls13_alert_received_cb(uint8_t alert_desc, void *arg) { struct tls13_ctx *ctx = arg; - SSL *s = ctx->ssl; - if (alert_desc == SSL_AD_CLOSE_NOTIFY) { + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + ctx->close_notify_recv = 1; ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; S3I(ctx->ssl)->warn_alert = alert_desc; return; } - if (alert_desc == SSL_AD_USER_CANCELLED) { + if (alert_desc == TLS13_ALERT_USER_CANCELED) { /* * We treat this as advisory, since a close_notify alert * SHOULD follow this alert (RFC 8446 section 6.1). @@ -87,9 +129,264 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg) SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); ERR_asprintf_error_data("SSL alert number %d", alert_desc); - SSL_CTX_remove_session(s->ctx, s->session); + SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session); +} + +static void +tls13_alert_sent_cb(uint8_t alert_desc, void *arg) +{ + struct tls13_ctx *ctx = arg; + + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + ctx->close_notify_sent = 1; + return; + } + + if (alert_desc == TLS13_ALERT_USER_CANCELED) { + return; + } + + /* All other alerts are treated as fatal in TLSv1.3. */ + if (ctx->error.code == 0) + SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); +} + +static void +tls13_legacy_handshake_message_recv_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + CBS cbs; + + if (s->internal->msg_callback == NULL) + return; + + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, + CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); +} + +static void +tls13_legacy_handshake_message_sent_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + CBS cbs; + + if (s->internal->msg_callback == NULL) + return; + + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, + CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); +} + +static void +tls13_legacy_info_cb(void *arg, int state, int ret) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + void (*cb)(const SSL *, int, int); + + if ((cb = s->internal->info_callback) == NULL) + cb = s->ctx->internal->info_callback; + if (cb != NULL) + cb(s, state, ret); +} + +static int +tls13_legacy_ocsp_status_recv_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + int ret; + + if (s->ctx->internal->tlsext_status_cb == NULL || + s->internal->tlsext_ocsp_resp == NULL) + return 1; + + ret = s->ctx->internal->tlsext_status_cb(s, + s->ctx->internal->tlsext_status_arg); + if (ret < 0) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + SSLerror(s, ERR_R_MALLOC_FAILURE); + return 0; + } + if (ret == 0) { + ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE; + SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); + return 0; + } + + return 1; +} + +static int +tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + + if (ctx->mode == TLS13_HS_CLIENT) + return (tls13_update_client_traffic_secret(secrets) && + tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->client_application_traffic)); + return (tls13_update_server_traffic_secret(secrets) && + tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->server_application_traffic)); +} + +static int +tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + + if (ctx->mode == TLS13_HS_CLIENT) + return (tls13_update_server_traffic_secret(secrets) && + tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->server_application_traffic)); + return (tls13_update_client_traffic_secret(secrets) && + tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->client_application_traffic)); +} + +/* + * XXX arbitrarily chosen limit of 100 post handshake handshake + * messages in an hour - to avoid a hostile peer from constantly + * requesting certificates or key renegotiaitons, etc. + */ +static int +tls13_phh_limit_check(struct tls13_ctx *ctx) +{ + time_t now = time(NULL); + + if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { + if (ctx->phh_count > TLS13_PHH_LIMIT) + return 0; + } else + ctx->phh_count = 0; + ctx->phh_count++; + ctx->phh_last_seen = now; + return 1; } +static ssize_t +tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + struct tls13_handshake_msg *hs_msg = NULL; + CBB cbb_hs; + CBS cbs_hs; + uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; + uint8_t key_update_request; + ssize_t ret; + + if (!CBS_get_u8(cbs, &key_update_request)) { + alert = TLS13_ALERT_DECODE_ERROR; + goto err; + } + if (CBS_len(cbs) != 0) { + alert = TLS13_ALERT_DECODE_ERROR; + goto err; + } + if (key_update_request > 1) { + alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + if (!tls13_phh_update_peer_traffic_secret(ctx)) + goto err; + + if (key_update_request == 0) + return TLS13_IO_SUCCESS; + + /* key_update_request == 1 */ + if ((hs_msg = tls13_handshake_msg_new()) == NULL) + goto err; + if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE)) + goto err; + if (!CBB_add_u8(&cbb_hs, 0)) + goto err; + if (!tls13_handshake_msg_finish(hs_msg)) + goto err; + + ctx->key_update_request = 1; + tls13_handshake_msg_data(hs_msg, &cbs_hs); + ret = tls13_record_layer_phh(ctx->rl, &cbs_hs); + + tls13_handshake_msg_free(hs_msg); + hs_msg = NULL; + + return ret; + + err: + tls13_handshake_msg_free(hs_msg); + + return tls13_send_alert(ctx->rl, alert); +} + +static void +tls13_phh_done_cb(void *cb_arg) +{ + struct tls13_ctx *ctx = cb_arg; + + if (ctx->key_update_request) { + tls13_phh_update_local_traffic_secret(ctx); + ctx->key_update_request = 0; + } +} + +static ssize_t +tls13_phh_received_cb(void *cb_arg, CBS *cbs) +{ + ssize_t ret = TLS13_IO_FAILURE; + struct tls13_ctx *ctx = cb_arg; + CBS phh_cbs; + + if (!tls13_phh_limit_check(ctx)) + return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + if ((ctx->hs_msg == NULL) && + ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) + return TLS13_IO_FAILURE; + + if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs)) + return TLS13_IO_FAILURE; + + if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) + != TLS13_IO_SUCCESS) + return ret; + + if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs)) + return TLS13_IO_FAILURE; + + switch(tls13_handshake_msg_type(ctx->hs_msg)) { + case TLS13_MT_KEY_UPDATE: + ret = tls13_key_update_recv(ctx, &phh_cbs); + break; + case TLS13_MT_NEW_SESSION_TICKET: + /* XXX do nothing for now and ignore this */ + break; + case TLS13_MT_CERTIFICATE_REQUEST: + /* XXX add support if we choose to advertise this */ + /* FALLTHROUGH */ + default: + ret = TLS13_IO_FAILURE; /* XXX send alert */ + break; + } + + tls13_handshake_msg_free(ctx->hs_msg); + ctx->hs_msg = NULL; + return ret; +} + +static const struct tls13_record_layer_callbacks rl_callbacks = { + .wire_read = tls13_legacy_wire_read_cb, + .wire_write = tls13_legacy_wire_write_cb, + .alert_recv = tls13_alert_received_cb, + .alert_sent = tls13_alert_sent_cb, + .phh_recv = tls13_phh_received_cb, + .phh_sent = tls13_phh_done_cb, +}; + struct tls13_ctx * tls13_ctx_new(int mode) { @@ -100,11 +397,16 @@ tls13_ctx_new(int mode) ctx->mode = mode; - if ((ctx->rl = tls13_record_layer_new(tls13_legacy_wire_read_cb, - tls13_legacy_wire_write_cb, tls13_alert_received_cb, NULL, - ctx)) == NULL) + if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL) goto err; + ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; + ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; + ctx->info_cb = tls13_legacy_info_cb; + ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb; + + ctx->middlebox_compat = 1; + return ctx; err: @@ -119,206 +421,230 @@ tls13_ctx_free(struct tls13_ctx *ctx) if (ctx == NULL) return; + tls13_error_clear(&ctx->error); tls13_record_layer_free(ctx->rl); + tls13_handshake_msg_free(ctx->hs_msg); freezero(ctx, sizeof(struct tls13_ctx)); } -static ssize_t -tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) +int +tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, + int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) { - int n; + CBB cert_data, cert_exts; + uint8_t *data; + int cert_len; - if (ssl->rbio == NULL) { - SSLerror(ssl, SSL_R_BIO_NOT_SET); - return TLS13_IO_FAILURE; - } - - ssl->internal->rwstate = SSL_READING; - - if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { - if (BIO_should_read(ssl->rbio)) - return TLS13_IO_WANT_POLLIN; - if (BIO_should_write(ssl->rbio)) - return TLS13_IO_WANT_POLLOUT; - if (n == 0) - return TLS13_IO_EOF; + if ((cert_len = i2d_X509(cert, NULL)) < 0) + return 0; - return TLS13_IO_FAILURE; + if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) + return 0; + if (!CBB_add_space(&cert_data, &data, cert_len)) + return 0; + if (i2d_X509(cert, &data) != cert_len) + return 0; + if (build_extensions != NULL) { + if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb)) + return 0; + } else { + if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) + return 0; } + if (!CBB_flush(cbb)) + return 0; - if (n == len) - ssl->internal->rwstate = SSL_NOTHING; - - return n; + return 1; } -ssize_t -tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) +int +tls13_synthetic_handshake_message(struct tls13_ctx *ctx) { - struct tls13_ctx *ctx = arg; + struct tls13_handshake_msg *hm = NULL; + unsigned char buf[EVP_MAX_MD_SIZE]; + size_t hash_len; + CBB cbb; + CBS cbs; + SSL *s = ctx->ssl; + int ret = 0; - return tls13_legacy_wire_read(ctx->ssl, buf, n); -} + /* + * Replace ClientHello with synthetic handshake message - see + * RFC 8446 section 4.4.1. + */ + if (!tls1_transcript_hash_init(s)) + goto err; + if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) + goto err; -static ssize_t -tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) -{ - int n; + if ((hm = tls13_handshake_msg_new()) == NULL) + goto err; + if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) + goto err; + if (!CBB_add_bytes(&cbb, buf, hash_len)) + goto err; + if (!tls13_handshake_msg_finish(hm)) + goto err; - if (ssl->wbio == NULL) { - SSLerror(ssl, SSL_R_BIO_NOT_SET); - return TLS13_IO_FAILURE; - } + tls13_handshake_msg_data(hm, &cbs); - ssl->internal->rwstate = SSL_WRITING; + tls1_transcript_reset(ctx->ssl); + if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) + goto err; - if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { - if (BIO_should_read(ssl->wbio)) - return TLS13_IO_WANT_POLLIN; - if (BIO_should_write(ssl->wbio)) - return TLS13_IO_WANT_POLLOUT; + ret = 1; - return TLS13_IO_FAILURE; - } + err: + tls13_handshake_msg_free(hm); - if (n == len) - ssl->internal->rwstate = SSL_NOTHING; + return ret; +} - return n; +int +tls13_clienthello_hash_init(struct tls13_ctx *ctx) +{ + if (ctx->hs->tls13.clienthello_md_ctx != NULL) + return 0; + if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) + return 0; + if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx, + EVP_sha256(), NULL)) + return 0; + + if ((ctx->hs->tls13.clienthello_hash == NULL) && + (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == + NULL) + return 0; + + return 1; } -ssize_t -tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) +void +tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */ { - struct tls13_ctx *ctx = arg; + EVP_MD_CTX_free(hs->clienthello_md_ctx); + hs->clienthello_md_ctx = NULL; + freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE); + hs->clienthello_hash = NULL; +} - return tls13_legacy_wire_write(ctx->ssl, buf, n); +int +tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, + size_t len) +{ + return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len); } int -tls13_legacy_return_code(SSL *ssl, ssize_t ret) +tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) { - if (ret > INT_MAX) { - SSLerror(ssl, ERR_R_INTERNAL_ERROR); - return -1; - } + return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs), + CBS_len(cbs)); +} - /* A successful read, write or other operation. */ - if (ret > 0) - return ret; +int +tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) +{ + if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, + ctx->hs->tls13.clienthello_hash, + &ctx->hs->tls13.clienthello_hash_len)) + return 0; + EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); + ctx->hs->tls13.clienthello_md_ctx = NULL; + return 1; +} - ssl->internal->rwstate = SSL_NOTHING; +int +tls13_clienthello_hash_validate(struct tls13_ctx *ctx) +{ + unsigned char new_ch_hash[EVP_MAX_MD_SIZE]; + unsigned int new_ch_hash_len; - switch (ret) { - case TLS13_IO_EOF: + if (ctx->hs->tls13.clienthello_hash == NULL) return 0; - case TLS13_IO_FAILURE: - /* XXX - we need to record/map internal errors. */ - if (ERR_peek_error() == 0) - SSLerror(ssl, ERR_R_INTERNAL_ERROR); - return -1; - - case TLS13_IO_WANT_POLLIN: - BIO_set_retry_read(ssl->rbio); - ssl->internal->rwstate = SSL_READING; - return -1; - - case TLS13_IO_WANT_POLLOUT: - BIO_set_retry_write(ssl->wbio); - ssl->internal->rwstate = SSL_WRITING; - return -1; - } + if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, + new_ch_hash, &new_ch_hash_len)) + return 0; + EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); + ctx->hs->tls13.clienthello_md_ctx = NULL; + + if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len) + return 0; + if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash, + new_ch_hash_len) != 0) + return 0; - SSLerror(ssl, ERR_R_INTERNAL_ERROR); - return -1; + return 1; } int -tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) +tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len) { - struct tls13_ctx *ctx = ssl->internal->tls13; - ssize_t ret; + struct tls13_secret context, export_out, export_secret; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + EVP_MD_CTX *md_ctx = NULL; + unsigned int md_out_len; + int md_len; + int ret = 0; - if (ctx == NULL || !ctx->handshake_completed) { - if ((ret = ssl->internal->handshake_func(ssl)) <= 0) - return ret; - return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); - } + /* + * RFC 8446 Section 7.5. + */ - if (peek) { - /* XXX - support peek... */ - SSLerror(ssl, ERR_R_INTERNAL_ERROR); - return -1; - } + memset(&context, 0, sizeof(context)); + memset(&export_secret, 0, sizeof(export_secret)); - if (type != SSL3_RT_APPLICATION_DATA) { - SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; - } - if (len < 0) { - SSLerror(ssl, SSL_R_BAD_LENGTH); - return -1; - } + export_out.data = out; + export_out.len = out_len; - ret = tls13_read_application_data(ctx->rl, buf, len); - return tls13_legacy_return_code(ssl, ret); -} + if (!ctx->handshake_completed) + return 0; -int -tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) -{ - struct tls13_ctx *ctx = ssl->internal->tls13; - const uint8_t *buf = vbuf; - size_t n, sent; - ssize_t ret; + md_len = EVP_MD_size(secrets->digest); + if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) + goto err; - if (ctx == NULL || !ctx->handshake_completed) { - if ((ret = ssl->internal->handshake_func(ssl)) <= 0) - return ret; - return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); - } + if (!tls13_secret_init(&export_secret, md_len)) + goto err; + if (!tls13_secret_init(&context, md_len)) + goto err; - if (type != SSL3_RT_APPLICATION_DATA) { - SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; - } - if (len <= 0) { - SSLerror(ssl, SSL_R_BAD_LENGTH); - return -1; + /* In TLSv1.3 no context is equivalent to an empty context. */ + if (context_value == NULL) { + context_value = ""; + context_value_len = 0; } - /* - * The TLSv1.3 record layer write behaviour is the same as - * SSL_MODE_ENABLE_PARTIAL_WRITE. - */ - if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { - ret = tls13_write_application_data(ctx->rl, buf, len); - return tls13_legacy_return_code(ssl, ret); - } + if ((md_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) + goto err; + if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) + goto err; + if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) + goto err; + if (md_len != md_out_len) + goto err; - /* - * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until - * we have written out all of the requested data. - */ - sent = S3I(ssl)->wnum; - if (len < sent) { - SSLerror(ssl, SSL_R_BAD_LENGTH); - return -1; - } - n = len - sent; - for (;;) { - if (n == 0) { - S3I(ssl)->wnum = 0; - return sent; - } - if ((ret = tls13_write_application_data(ctx->rl, - &buf[sent], n)) <= 0) { - S3I(ssl)->wnum = sent; - return tls13_legacy_return_code(ssl, ret); - } - sent += ret; - n -= ret; - } + if (!tls13_derive_secret_with_label_length(&export_secret, + secrets->digest, &secrets->exporter_master, label, label_len, + &secrets->empty_hash)) + goto err; + + if (!tls13_hkdf_expand_label(&export_out, secrets->digest, + &export_secret, "exporter", &context)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(md_ctx); + tls13_secret_cleanup(&context); + tls13_secret_cleanup(&export_secret); + + return ret; } diff --git a/ssl/tls13_record.c b/ssl/tls13_record.c index e0631dff..c856932b 100644 --- a/ssl/tls13_record.c +++ b/ssl/tls13_record.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record.c,v 1.3 2019/01/21 00:24:19 jsing Exp $ */ +/* $OpenBSD: tls13_record.c,v 1.6 2020/05/11 18:08:11 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -17,8 +17,6 @@ #include "ssl_locl.h" -#include - #include "tls13_internal.h" #include "tls13_record.h" @@ -147,9 +145,10 @@ tls13_record_recv(struct tls13_record *rec, tls13_read_cb wire_read, if (!CBS_get_u16(&cbs, &rec_len)) return TLS13_IO_FAILURE; - /* XXX - record overflow alert. */ + if ((rec_version >> 8) != SSL3_VERSION_MAJOR) + return TLS13_IO_RECORD_VERSION; if (rec_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) - return TLS13_IO_FAILURE; + return TLS13_IO_RECORD_OVERFLOW; rec->content_type = content_type; rec->version = rec_version; diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c index 66e201fc..4be4bad8 100644 --- a/ssl/tls13_record_layer.c +++ b/ssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.9 2019/03/17 15:13:23 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.59 2021/03/21 17:25:17 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -17,14 +17,59 @@ #include "ssl_locl.h" -#include - #include "tls13_internal.h" #include "tls13_record.h" +static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *buf, size_t n); +static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len); + +struct tls13_record_protection { + EVP_AEAD_CTX aead_ctx; + struct tls13_secret iv; + struct tls13_secret nonce; + uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; +}; + +struct tls13_record_protection * +tls13_record_protection_new(void) +{ + return calloc(1, sizeof(struct tls13_record_protection)); +} + +void +tls13_record_protection_clear(struct tls13_record_protection *rp) +{ + EVP_AEAD_CTX_cleanup(&rp->aead_ctx); + + tls13_secret_cleanup(&rp->iv); + tls13_secret_cleanup(&rp->nonce); + + memset(rp->seq_num, 0, sizeof(rp->seq_num)); +} + +void +tls13_record_protection_free(struct tls13_record_protection *rp) +{ + if (rp == NULL) + return; + + tls13_record_protection_clear(rp); + + freezero(rp, sizeof(struct tls13_record_protection)); +} + struct tls13_record_layer { - int change_cipher_spec_seen; + uint16_t legacy_version; + + int ccs_allowed; + int ccs_seen; + int ccs_sent; int handshake_completed; + int legacy_alerts_allowed; + int phh; + int phh_retry; /* * Read and/or write channels are closed due to an alert being @@ -36,7 +81,25 @@ struct tls13_record_layer { int write_closed; struct tls13_record *rrec; + struct tls13_record *wrec; + uint8_t wrec_content_type; + size_t wrec_appdata_len; + size_t wrec_content_len; + + /* Alert to be sent on return from current read handler. */ + uint8_t alert; + + /* Pending alert messages. */ + uint8_t *alert_data; + size_t alert_len; + uint8_t alert_level; + uint8_t alert_desc; + + /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ + CBS phh_cbs; + uint8_t *phh_data; + size_t phh_len; /* Buffer containing plaintext from opened records. */ uint8_t rbuf_content_type; @@ -47,22 +110,11 @@ struct tls13_record_layer { /* Record protection. */ const EVP_MD *hash; const EVP_AEAD *aead; - EVP_AEAD_CTX read_aead_ctx; - EVP_AEAD_CTX write_aead_ctx; - struct tls13_secret read_iv; - struct tls13_secret write_iv; - struct tls13_secret read_nonce; - struct tls13_secret write_nonce; - uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; - uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; - - /* Record callbacks. */ - tls13_alert_cb alert_cb; - tls13_post_handshake_cb post_handshake_cb; - - /* Wire read/write callbacks. */ - tls13_read_cb wire_read; - tls13_write_cb wire_write; + struct tls13_record_protection *read; + struct tls13_record_protection *write; + + /* Callbacks. */ + struct tls13_record_layer_callbacks cb; void *cb_arg; }; @@ -91,22 +143,29 @@ tls13_record_layer_wrec_free(struct tls13_record_layer *rl) } struct tls13_record_layer * -tls13_record_layer_new(tls13_read_cb wire_read, tls13_write_cb wire_write, - tls13_alert_cb alert_cb, tls13_post_handshake_cb post_handshake_cb, +tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, void *cb_arg) { struct tls13_record_layer *rl; if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) - return NULL; + goto err; - rl->wire_read = wire_read; - rl->wire_write = wire_write; - rl->alert_cb = alert_cb; - rl->post_handshake_cb = post_handshake_cb; + if ((rl->read = tls13_record_protection_new()) == NULL) + goto err; + if ((rl->write = tls13_record_protection_new()) == NULL) + goto err; + + rl->legacy_version = TLS1_2_VERSION; + rl->cb = *callbacks; rl->cb_arg = cb_arg; return rl; + + err: + tls13_record_layer_free(rl); + + return NULL; } void @@ -115,34 +174,45 @@ tls13_record_layer_free(struct tls13_record_layer *rl) if (rl == NULL) return; - tls13_record_layer_rbuf_free(rl); - tls13_record_layer_rrec_free(rl); tls13_record_layer_wrec_free(rl); - EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); - EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); + freezero(rl->alert_data, rl->alert_len); + freezero(rl->phh_data, rl->phh_len); + + tls13_record_layer_rbuf_free(rl); - freezero(rl->read_iv.data, rl->read_iv.len); - freezero(rl->write_iv.data, rl->write_iv.len); - freezero(rl->read_nonce.data, rl->read_nonce.len); - freezero(rl->write_nonce.data, rl->write_nonce.len); + tls13_record_protection_free(rl->read); + tls13_record_protection_free(rl->write); freezero(rl, sizeof(struct tls13_record_layer)); } -static int +void +tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) +{ + CBS_dup(&rl->rbuf_cbs, cbs); +} + +static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, +}; + +int tls13_record_layer_inc_seq_num(uint8_t *seq_num) { - size_t i; + int i; + + /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ + if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) + return 0; - for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i > 0; i--) { + for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { if (++seq_num[i] != 0) break; } - /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ - return (i != 0 || seq_num[0] != 0); + return 1; } static int @@ -165,6 +235,18 @@ tls13_record_layer_update_nonce(struct tls13_secret *nonce, return 1; } +void +tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) +{ + rl->ccs_allowed = allow; +} + +void +tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) +{ + rl->legacy_alerts_allowed = allow; +} + void tls13_record_layer_set_aead(struct tls13_record_layer *rl, const EVP_AEAD *aead) @@ -179,12 +261,25 @@ tls13_record_layer_set_hash(struct tls13_record_layer *rl, rl->hash = hash; } +void +tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, + uint16_t version) +{ + rl->legacy_version = version; +} + void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) { rl->handshake_completed = 1; } +void +tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) +{ + rl->phh_retry = retry; +} + static ssize_t tls13_record_layer_process_alert(struct tls13_record_layer *rl) { @@ -200,17 +295,19 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl) * read channel closure (close_notify) or termination (all others). */ if (rl->rbuf == NULL) - goto err; + return TLS13_IO_FAILURE; + if (rl->rbuf_content_type != SSL3_RT_ALERT) - goto err; + return TLS13_IO_FAILURE; if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) - goto err; /* XXX - decode error alert. */ + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) - goto err; /* XXX - decode error alert. */ + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); if (CBS_len(&rl->rbuf_cbs) != 0) - goto err; /* XXX - decode error alert. */ + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); tls13_record_layer_rbuf_free(rl); @@ -219,77 +316,183 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl) * however for error alerts (RFC 8446 section 6.2), the alert level * must be specified as fatal. */ - if (alert_desc == SSL_AD_CLOSE_NOTIFY) { + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { rl->read_closed = 1; ret = TLS13_IO_EOF; - } else if (alert_desc == SSL_AD_USER_CANCELLED) { + } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { /* Ignored at the record layer. */ - ret = TLS13_IO_WANT_POLLIN; - } else if (alert_level == SSL3_AL_FATAL) { + ret = TLS13_IO_WANT_RETRY; + } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { rl->read_closed = 1; rl->write_closed = 1; - ret = TLS13_IO_EOF; + ret = TLS13_IO_ALERT; + } else if (rl->legacy_alerts_allowed && + alert_level == TLS13_ALERT_LEVEL_WARNING) { + /* Ignored and not passed to the callback. */ + return TLS13_IO_WANT_RETRY; } else { - /* XXX - decode error alert. */ - return TLS13_IO_FAILURE; + return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); } - rl->alert_cb(alert_desc, rl->cb_arg); + rl->cb.alert_recv(alert_desc, rl->cb_arg); - err: return ret; } -int -tls13_record_layer_send_alert(struct tls13_record_layer *rl, +static ssize_t +tls13_record_layer_send_alert(struct tls13_record_layer *rl) +{ + ssize_t ret; + + /* This has to fit into a single record, per RFC 8446 section 5.1. */ + if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, + rl->alert_data, rl->alert_len)) != rl->alert_len) { + if (ret == TLS13_IO_EOF) + ret = TLS13_IO_ALERT; + return ret; + } + + freezero(rl->alert_data, rl->alert_len); + rl->alert_data = NULL; + rl->alert_len = 0; + + if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + rl->write_closed = 1; + ret = TLS13_IO_SUCCESS; + } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { + /* Ignored at the record layer. */ + ret = TLS13_IO_SUCCESS; + } else { + rl->read_closed = 1; + rl->write_closed = 1; + ret = TLS13_IO_ALERT; + } + + rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); + + return ret; +} + +static ssize_t +tls13_record_layer_send_phh(struct tls13_record_layer *rl) +{ + ssize_t ret; + + /* Push out pending post-handshake handshake messages. */ + if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, + CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) + return ret; + if (!CBS_skip(&rl->phh_cbs, ret)) + return TLS13_IO_FAILURE; + if (CBS_len(&rl->phh_cbs) != 0) + return TLS13_IO_WANT_RETRY; + + freezero(rl->phh_data, rl->phh_len); + rl->phh_data = NULL; + rl->phh_len = 0; + + CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); + + rl->cb.phh_sent(rl->cb_arg); + + return TLS13_IO_SUCCESS; +} + +ssize_t +tls13_record_layer_send_pending(struct tls13_record_layer *rl) +{ + /* + * If an alert is pending, then it needs to be sent. However, + * if we're already part of the way through sending post-handshake + * handshake messages, then we need to finish that first... + */ + + if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) + return tls13_record_layer_send_phh(rl); + + if (rl->alert_data != NULL) + return tls13_record_layer_send_alert(rl); + + if (rl->phh_data != NULL) + return tls13_record_layer_send_phh(rl); + + return TLS13_IO_SUCCESS; +} + +static ssize_t +tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, uint8_t alert_level, uint8_t alert_desc) { - /* XXX - implement. */ - return -1; + CBB cbb; + + if (rl->alert_data != NULL) + return TLS13_IO_FAILURE; + + if (!CBB_init(&cbb, 0)) + goto err; + + if (!CBB_add_u8(&cbb, alert_level)) + goto err; + if (!CBB_add_u8(&cbb, alert_desc)) + goto err; + if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) + goto err; + + rl->alert_level = alert_level; + rl->alert_desc = alert_desc; + + return tls13_record_layer_send_pending(rl); + + err: + CBB_cleanup(&cbb); + + return TLS13_IO_FAILURE; +} + +ssize_t +tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) +{ + if (rl->phh_data != NULL) + return TLS13_IO_FAILURE; + + if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) + return TLS13_IO_FAILURE; + + CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); + + return tls13_record_layer_send_pending(rl); } static int -tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, - const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, - struct tls13_secret *traffic_key) +tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, + struct tls13_record_protection *rp, struct tls13_secret *traffic_key) { struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret key = { .data = NULL, .len = 0 }; int ret = 0; - freezero(iv->data, iv->len); - iv->data = NULL; - iv->len = 0; - - freezero(nonce->data, nonce->len); - nonce->data = NULL; - nonce->len = 0; + tls13_record_protection_clear(rp); - if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) + if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) goto err; - iv->len = EVP_AEAD_nonce_length(aead); - - if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) + if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) goto err; - nonce->len = EVP_AEAD_nonce_length(aead); - - if ((key.data = calloc(1, EVP_AEAD_key_length(aead))) == NULL) + if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) goto err; - key.len = EVP_AEAD_key_length(aead); - if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) + if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) goto err; if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) goto err; - if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, + if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len, EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) goto err; ret = 1; err: - freezero(key.data, key.len); + tls13_secret_cleanup(&key); return ret; } @@ -298,20 +501,16 @@ int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *read_key) { - memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); - - return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, - rl->hash, &rl->read_iv, &rl->read_nonce, read_key); + return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, + rl->read, read_key); } int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *write_key) { - memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); - - return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, - rl->hash, &rl->write_iv, &rl->write_nonce, write_key); + return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, + rl->write, write_key); } static int @@ -329,6 +528,11 @@ tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) if (!tls13_record_content(rl->rrec, &cbs)) return 0; + if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { + rl->alert = TLS13_ALERT_RECORD_OVERFLOW; + return 0; + } + tls13_record_layer_rbuf_free(rl); if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) @@ -345,8 +549,9 @@ static int tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) { CBS header, enc_record; + ssize_t inner_len; uint8_t *content = NULL; - ssize_t content_len = 0; + size_t content_len = 0; uint8_t content_type; size_t out_len; @@ -362,18 +567,23 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) goto err; content_len = CBS_len(&enc_record); - if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, - rl->read_seq_num)) + if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, + rl->read->seq_num)) goto err; - if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, + if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx, content, &out_len, content_len, - rl->read_nonce.data, rl->read_nonce.len, + rl->read->nonce.data, rl->read->nonce.len, CBS_data(&enc_record), CBS_len(&enc_record), CBS_data(&header), CBS_len(&header))) goto err; - if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) + if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { + rl->alert = TLS13_ALERT_RECORD_OVERFLOW; + goto err; + } + + if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) goto err; /* @@ -382,18 +592,25 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) * Time to hunt for that elusive content type! */ /* XXX - CBS from end? CBS_get_end_u8()? */ - content_len = out_len - 1; - while (content_len >= 0 && content[content_len] == 0) - content_len--; - if (content_len < 0) + inner_len = out_len - 1; + while (inner_len >= 0 && content[inner_len] == 0) + inner_len--; + if (inner_len < 0) { + /* Unexpected message per RFC 8446 section 5.4. */ + rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; goto err; - content_type = content[content_len]; + } + if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { + rl->alert = TLS13_ALERT_RECORD_OVERFLOW; + goto err; + } + content_type = content[inner_len]; tls13_record_layer_rbuf_free(rl); rl->rbuf_content_type = content_type; rl->rbuf = content; - rl->rbuf_len = content_len; + rl->rbuf_len = inner_len; CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); @@ -408,6 +625,9 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) static int tls13_record_layer_open_record(struct tls13_record_layer *rl) { + if (rl->handshake_completed && rl->aead == NULL) + return 0; + if (rl->aead == NULL) return tls13_record_layer_open_record_plaintext(rl); @@ -420,14 +640,17 @@ tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, { uint8_t *data = NULL; size_t data_len = 0; - uint16_t version; CBB cbb, body; - if (rl->aead != NULL) + /* + * Allow dummy CCS messages to be sent in plaintext even when + * record protection has been engaged, as long as the handshake + * has not yet completed. + */ + if (rl->handshake_completed) + return 0; + if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) return 0; - - /* XXX - TLS1_VERSION for first client hello... */ - version = TLS1_2_VERSION; /* * We're still operating in plaintext mode, so just copy the @@ -438,7 +661,7 @@ tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, if (!CBB_add_u8(&cbb, content_type)) goto err; - if (!CBB_add_u16(&cbb, version)) + if (!CBB_add_u16(&cbb, rl->legacy_version)) goto err; if (!CBB_add_u16_length_prefixed(&cbb, &body)) goto err; @@ -451,6 +674,9 @@ tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, if (!tls13_record_set_data(rl->wrec, data, data_len)) goto err; + rl->wrec_content_len = content_len; + rl->wrec_content_type = content_type; + return 1; err: @@ -518,8 +744,8 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, if (!CBB_finish(&cbb, &data, &data_len)) goto err; - if (!tls13_record_layer_update_nonce(&rl->write_nonce, - &rl->write_iv, rl->write_seq_num)) + if (!tls13_record_layer_update_nonce(&rl->write->nonce, + &rl->write->iv, rl->write->seq_num)) goto err; /* @@ -527,21 +753,24 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, * this would avoid a copy since the inner would be passed as two * separate pieces. */ - if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, + if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx, enc_record, &out_len, enc_record_len, - rl->write_nonce.data, rl->write_nonce.len, + rl->write->nonce.data, rl->write->nonce.len, inner, inner_len, header, header_len)) goto err; if (out_len != enc_record_len) goto err; - if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) + if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) goto err; if (!tls13_record_set_data(rl->wrec, data, data_len)) goto err; + rl->wrec_content_len = content_len; + rl->wrec_content_type = content_type; + data = NULL; data_len = 0; @@ -561,12 +790,15 @@ static int tls13_record_layer_seal_record(struct tls13_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len) { + if (rl->handshake_completed && rl->aead == NULL) + return 0; + tls13_record_layer_wrec_free(rl); if ((rl->wrec = tls13_record_new()) == NULL) return 0; - if (rl->aead == NULL) + if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) return tls13_record_layer_seal_record_plaintext(rl, content_type, content, content_len); @@ -586,10 +818,19 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) goto err; } - if ((ret = tls13_record_recv(rl->rrec, rl->wire_read, rl->cb_arg)) <= 0) + if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { + switch (ret) { + case TLS13_IO_RECORD_VERSION: + return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); + case TLS13_IO_RECORD_OVERFLOW: + return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); + } return ret; + } - /* XXX - record version checks. */ + if (rl->legacy_version == TLS1_2_VERSION && + tls13_record_version(rl->rrec) != TLS1_2_VERSION) + return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); content_type = tls13_record_content_type(rl->rrec); @@ -601,26 +842,17 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) * ignored. */ if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { - /* XXX - need to check after ClientHello, before Finished. */ - if (rl->handshake_completed || rl->change_cipher_spec_seen) { - /* XXX - unexpected message alert. */ - goto err; - } - if (!tls13_record_content(rl->rrec, &cbs)) { - /* XXX - decode error alert. */ - goto err; - } - if (!CBS_get_u8(&cbs, &ccs)) { - /* XXX - decode error alert. */ - goto err; - } - if (ccs != 1) { - /* XXX - something alert. */ - goto err; - } - rl->change_cipher_spec_seen = 1; + if (!rl->ccs_allowed || rl->ccs_seen >= 2) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + if (!tls13_record_content(rl->rrec, &cbs)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + if (!CBS_get_u8(&cbs, &ccs)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + if (ccs != 1) + return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); + rl->ccs_seen++; tls13_record_layer_rrec_free(rl); - return TLS13_IO_WANT_POLLIN; + return TLS13_IO_WANT_RETRY; } /* @@ -628,16 +860,24 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) * protected application data messages (aside from the * dummy ChangeCipherSpec messages, handled above). */ - if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) { - /* XXX - unexpected message alert. */ - goto err; - } + if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); if (!tls13_record_layer_open_record(rl)) goto err; tls13_record_layer_rrec_free(rl); + /* + * On receiving a handshake or alert record with empty inner plaintext, + * we must terminate the connection with an unexpected_message alert. + * See RFC 8446 section 5.4. + */ + if (CBS_len(&rl->rbuf_cbs) == 0 && + (rl->rbuf_content_type == SSL3_RT_ALERT || + rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + switch (rl->rbuf_content_type) { case SSL3_RT_ALERT: return tls13_record_layer_process_alert(rl); @@ -646,15 +886,12 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) break; case SSL3_RT_APPLICATION_DATA: - if (!rl->handshake_completed) { - /* XXX - unexpected message alert. */ - goto err; - } + if (!rl->handshake_completed) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); break; default: - /* XXX - unexpected message alert. */ - goto err; + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); } return TLS13_IO_SUCCESS; @@ -663,42 +900,95 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) return TLS13_IO_FAILURE; } -ssize_t -tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, - uint8_t *buf, size_t n) +static ssize_t +tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) +{ + if (rl->rbuf_content_type != content_type) + return 0; + + return CBS_len(&rl->rbuf_cbs); +} + +static ssize_t +tls13_record_layer_recv_phh(struct tls13_record_layer *rl) +{ + ssize_t ret = TLS13_IO_FAILURE; + + rl->phh = 1; + + /* + * The post handshake handshake receive callback is allowed to return: + * + * TLS13_IO_WANT_POLLIN need more handshake data. + * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. + * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. + * TLS13_IO_FAILURE something broke. + */ + if (rl->cb.phh_recv != NULL) + ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); + + tls13_record_layer_rbuf_free(rl); + + /* Leave post handshake handshake mode unless we need more data. */ + if (ret != TLS13_IO_WANT_POLLIN) + rl->phh = 0; + + if (ret == TLS13_IO_SUCCESS) { + if (rl->phh_retry) + return TLS13_IO_WANT_RETRY; + + return TLS13_IO_WANT_POLLIN; + } + + return ret; +} + +static ssize_t +tls13_record_layer_read_internal(struct tls13_record_layer *rl, + uint8_t content_type, uint8_t *buf, size_t n, int peek) { ssize_t ret; + if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) + return ret; + if (rl->read_closed) return TLS13_IO_EOF; - /* XXX - loop here with record and byte limits. */ - /* XXX - send alert... */ - /* If necessary, pull up the next record. */ if (CBS_len(&rl->rbuf_cbs) == 0) { if ((ret = tls13_record_layer_read_record(rl)) <= 0) return ret; - /* XXX - need to check record version. */ - } - if (rl->rbuf_content_type != content_type) { /* - * Handshake content can appear as post-handshake messages (yup, - * the RFC reused the same content type...), which means we can - * be trying to read application data and need to handle a - * post-handshake handshake message instead... + * We may have read a valid 0-byte application data record, + * in which case we need to read the next record. */ - if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { - if (rl->handshake_completed) { - /* XXX - call callback, drop for now... */ - tls13_record_layer_rbuf_free(rl); - return TLS13_IO_WANT_POLLIN; - } + if (CBS_len(&rl->rbuf_cbs) == 0) { + tls13_record_layer_rbuf_free(rl); + return TLS13_IO_WANT_POLLIN; } + } - /* XXX - unexpected message alert. */ - goto err; + /* + * If we are in post handshake handshake mode, we must not see + * any record type that isn't a handshake until we are done. + */ + if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + /* + * Handshake content can appear as post-handshake messages (yup, + * the RFC reused the same content type...), which means we can + * be trying to read application data and need to handle a + * post-handshake handshake message instead... + */ + if (rl->rbuf_content_type != content_type) { + if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { + if (rl->handshake_completed) + return tls13_record_layer_recv_phh(rl); + } + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); } if (n > CBS_len(&rl->rbuf_cbs)) @@ -706,8 +996,11 @@ tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, /* XXX - CBS_memcpy? CBS_copy_bytes? */ memcpy(buf, CBS_data(&rl->rbuf_cbs), n); - if (!CBS_skip(&rl->rbuf_cbs, n)) - goto err; + + if (!peek) { + if (!CBS_skip(&rl->rbuf_cbs, n)) + goto err; + } if (CBS_len(&rl->rbuf_cbs) == 0) tls13_record_layer_rbuf_free(rl); @@ -718,6 +1011,38 @@ tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, return TLS13_IO_FAILURE; } +static ssize_t +tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, + uint8_t *buf, size_t n) +{ + ssize_t ret; + + do { + ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); + } while (ret == TLS13_IO_WANT_RETRY); + + if (rl->alert != 0) + return tls13_send_alert(rl, rl->alert); + + return ret; +} + +static ssize_t +tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, + uint8_t *buf, size_t n) +{ + ssize_t ret; + + do { + ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); + } while (ret == TLS13_IO_WANT_RETRY); + + if (rl->alert != 0) + return tls13_send_alert(rl, rl->alert); + + return ret; +} + static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len) @@ -727,16 +1052,38 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl, if (rl->write_closed) return TLS13_IO_EOF; + /* + * If we pushed out application data while handling other messages, + * we need to return content length on the next call. + */ + if (content_type == SSL3_RT_APPLICATION_DATA && + rl->wrec_appdata_len != 0) { + ret = rl->wrec_appdata_len; + rl->wrec_appdata_len = 0; + return ret; + } + /* See if there is an existing record and attempt to push it out... */ if (rl->wrec != NULL) { - if ((ret = tls13_record_send(rl->wrec, rl->wire_write, + if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) return ret; - tls13_record_layer_wrec_free(rl); - /* XXX - could be pushing out different data... */ - return content_len; + if (rl->wrec_content_type == content_type) { + ret = rl->wrec_content_len; + rl->wrec_content_len = 0; + rl->wrec_content_type = 0; + return ret; + } + + /* + * The only partial record type should be application data. + * All other cases are handled to completion. + */ + if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) + return TLS13_IO_FAILURE; + rl->wrec_appdata_len = rl->wrec_content_len; } if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) @@ -745,7 +1092,7 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl, if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) goto err; - if ((ret = tls13_record_send(rl->wrec, rl->wire_write, rl->cb_arg)) <= 0) + if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) return ret; tls13_record_layer_wrec_free(rl); @@ -757,8 +1104,8 @@ tls13_record_layer_write_record(struct tls13_record_layer *rl, } static ssize_t -tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, - const uint8_t *buf, size_t n) +tls13_record_layer_write_chunk(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *buf, size_t n) { if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) n = TLS13_RECORD_MAX_PLAINTEXT_LEN; @@ -766,6 +1113,44 @@ tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, return tls13_record_layer_write_record(rl, content_type, buf, n); } +static ssize_t +tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, + const uint8_t *buf, size_t n) +{ + ssize_t ret; + + do { + ret = tls13_record_layer_send_pending(rl); + } while (ret == TLS13_IO_WANT_RETRY); + if (ret != TLS13_IO_SUCCESS) + return ret; + + do { + ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); + } while (ret == TLS13_IO_WANT_RETRY); + + return ret; +} + +static const uint8_t tls13_dummy_ccs[] = { 0x01 }; + +ssize_t +tls13_send_dummy_ccs(struct tls13_record_layer *rl) +{ + ssize_t ret; + + if (rl->ccs_sent) + return TLS13_IO_FAILURE; + + if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, + tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) + return ret; + + rl->ccs_sent = 1; + + return TLS13_IO_SUCCESS; +} + ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) { @@ -779,6 +1164,24 @@ tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); } +ssize_t +tls13_pending_application_data(struct tls13_record_layer *rl) +{ + if (!rl->handshake_completed) + return 0; + + return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); +} + +ssize_t +tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) +{ + if (!rl->handshake_completed) + return TLS13_IO_FAILURE; + + return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); +} + ssize_t tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) { @@ -797,3 +1200,21 @@ tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); } + +ssize_t +tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) +{ + uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; + ssize_t ret; + + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || + alert_desc == TLS13_ALERT_USER_CANCELED) + alert_level = TLS13_ALERT_LEVEL_WARNING; + + do { + ret = tls13_record_layer_enqueue_alert(rl, alert_level, + alert_desc); + } while (ret == TLS13_IO_WANT_RETRY); + + return ret; +} diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c new file mode 100644 index 00000000..4fed1a43 --- /dev/null +++ b/ssl/tls13_server.c @@ -0,0 +1,1111 @@ +/* $OpenBSD: tls13_server.c,v 1.74 2021/03/29 16:46:09 jsing Exp $ */ +/* + * Copyright (c) 2019, 2020 Joel Sing + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "ssl_locl.h" +#include "ssl_tlsext.h" + +#include "tls13_handshake.h" +#include "tls13_internal.h" + +int +tls13_server_init(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, + &ctx->hs->our_max_tls_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + return 0; + } + s->version = ctx->hs->our_max_tls_version; + + tls13_record_layer_set_retry_after_phh(ctx->rl, + (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + + if (!ssl_get_new_session(s, 0)) /* XXX */ + return 0; + + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); + + if (!tls1_transcript_init(s)) + return 0; + + arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); + + return 1; +} + +int +tls13_server_accept(struct tls13_ctx *ctx) +{ + if (ctx->mode != TLS13_HS_SERVER) + return TLS13_IO_FAILURE; + + return tls13_handshake_perform(ctx); +} + +static int +tls13_client_hello_is_legacy(CBS *cbs) +{ + CBS extensions_block, extensions, extension_data, versions; + uint16_t version, max_version = 0; + uint16_t type; + + CBS_dup(cbs, &extensions_block); + + if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) + return 1; + + while (CBS_len(&extensions) > 0) { + if (!CBS_get_u16(&extensions, &type)) + return 1; + if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) + return 1; + + if (type != TLSEXT_TYPE_supported_versions) + continue; + if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) + return 1; + while (CBS_len(&versions) > 0) { + if (!CBS_get_u16(&versions, &version)) + return 1; + if (version >= max_version) + max_version = version; + } + if (CBS_len(&extension_data) != 0) + return 1; + } + + return (max_version < TLS1_3_VERSION); +} + +int +tls13_client_hello_required_extensions(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + /* + * RFC 8446, section 9.2. If the ClientHello has supported_versions + * containing TLSv1.3, presence or absence of some extensions requires + * presence or absence of others. + */ + + /* + * If we got no pre_shared_key, then signature_algorithms and + * supported_groups must both be present. + */ + if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { + if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) + return 0; + if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) + return 0; + } + + /* + * supported_groups and key_share must either both be present or + * both be absent. + */ + if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != + tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) + return 0; + + /* + * XXX - Require server_name from client? If so, we SHOULD enforce + * this here - RFC 8446, 9.2. + */ + + return 1; +} + +static const uint8_t tls13_compression_null_only[] = { 0 }; + +static int +tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS cipher_suites, client_random, compression_methods, session_id; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + const SSL_CIPHER *cipher; + uint16_t legacy_version; + int alert_desc; + SSL *s = ctx->ssl; + int ret = 0; + + if (!CBS_get_u16(cbs, &legacy_version)) + goto err; + if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) + goto err; + if (!CBS_get_u8_length_prefixed(cbs, &session_id)) + goto err; + if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) + goto err; + if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) + goto err; + + if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { + if (!CBS_skip(cbs, CBS_len(cbs))) + goto err; + return tls13_use_legacy_server(ctx); + } + ctx->hs->negotiated_tls_version = TLS1_3_VERSION; + + /* Add decoded values to the current ClientHello hash */ + if (!tls13_clienthello_hash_init(ctx)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, + sizeof(legacy_version))) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &client_random)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &session_id)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + + if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + /* Finalize first ClientHello hash, or validate against it */ + if (!ctx->hs->tls13.hrr) { + if (!tls13_clienthello_hash_finalize(ctx)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + } else { + if (!tls13_clienthello_hash_validate(ctx)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + tls13_clienthello_hash_clear(&ctx->hs->tls13); + } + + if (!tls13_client_hello_required_extensions(ctx)) { + ctx->alert = TLS13_ALERT_MISSING_EXTENSION; + goto err; + } + + /* + * If we got this far we have a supported versions extension that offers + * TLS 1.3 or later. This requires the legacy version be set to 0x0303. + */ + if (legacy_version != TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; + } + + /* Store legacy session identifier so we can echo it. */ + if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + sizeof(ctx->hs->tls13.legacy_session_id), + &ctx->hs->tls13.legacy_session_id_len)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + + /* Parse cipher suites list and select preferred cipher. */ + if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); + if (cipher == NULL) { + tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, + "no shared cipher found", NULL); + ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; + goto err; + } + ctx->hs->cipher = cipher; + + sk_SSL_CIPHER_free(s->session->ciphers); + s->session->ciphers = ciphers; + ciphers = NULL; + + /* Ensure only the NULL compression method is advertised. */ + if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, + sizeof(tls13_compression_null_only))) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + ret = 1; + + err: + sk_SSL_CIPHER_free(ciphers); + + return ret; +} + +int +tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + SSL *s = ctx->ssl; + + if (!tls13_client_hello_process(ctx, cbs)) + goto err; + + /* See if we switched back to the legacy client method. */ + if (s->method->internal->version < TLS1_3_VERSION) + return 1; + + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); + + /* + * If a matching key share was provided, we do not need to send a + * HelloRetryRequest. + */ + /* + * XXX - ideally NEGOTIATED would only be added after record protection + * has been enabled. This would probably mean using either an + * INITIAL | WITHOUT_HRR state, or another intermediate state. + */ + if (ctx->hs->tls13.key_share != NULL) + ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; + + /* XXX - check this is the correct point */ + tls13_record_layer_allow_ccs(ctx->rl, 1); + + return 1; + + err: + return 0; +} + +static int +tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) +{ + uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; + const uint8_t *server_random; + CBB session_id; + SSL *s = ctx->ssl; + uint16_t cipher; + + cipher = SSL_CIPHER_get_value(ctx->hs->cipher); + server_random = s->s3->server_random; + + if (hrr) { + server_random = tls13_hello_retry_request_hash; + tlsext_msg_type = SSL_TLSEXT_MSG_HRR; + } + + if (!CBB_add_u16(cbb, TLS1_2_VERSION)) + goto err; + if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) + goto err; + if (!CBB_add_u8_length_prefixed(cbb, &session_id)) + goto err; + if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) + goto err; + if (!CBB_add_u16(cbb, cipher)) + goto err; + if (!CBB_add_u8(cbb, 0)) + goto err; + if (!tlsext_server_build(s, tlsext_msg_type, cbb)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + return 1; +err: + return 0; +} + +static int +tls13_server_engage_record_protection(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets; + struct tls13_secret context; + unsigned char buf[EVP_MAX_MD_SIZE]; + uint8_t *shared_key = NULL; + size_t shared_key_len = 0; + size_t hash_len; + SSL *s = ctx->ssl; + int ret = 0; + + if (!tls13_key_share_derive(ctx->hs->tls13.key_share, + &shared_key, &shared_key_len)) + goto err; + + s->session->cipher = ctx->hs->cipher; + + if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) + goto err; + if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) + goto err; + + if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) + goto err; + ctx->hs->tls13.secrets = secrets; + + /* XXX - pass in hash. */ + if (!tls1_transcript_hash_init(s)) + goto err; + tls1_transcript_free(s); + if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) + goto err; + context.data = buf; + context.len = hash_len; + + /* Early secrets. */ + if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, + secrets->zeros.len, &context)) + goto err; + + /* Handshake secrets. */ + if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, + shared_key_len, &context)) + goto err; + + tls13_record_layer_set_aead(ctx->rl, ctx->aead); + tls13_record_layer_set_hash(ctx->rl, ctx->hash); + + if (!tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->client_handshake_traffic)) + goto err; + if (!tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->server_handshake_traffic)) + goto err; + + ctx->handshake_stage.hs_type |= NEGOTIATED; + if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) + ctx->handshake_stage.hs_type |= WITHOUT_CR; + + ret = 1; + + err: + freezero(shared_key, shared_key_len); + return ret; +} + +int +tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) +{ + int nid; + + ctx->hs->tls13.hrr = 1; + + if (!tls13_synthetic_handshake_message(ctx)) + return 0; + + if (ctx->hs->tls13.key_share != NULL) + return 0; + if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) + return 0; + if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) + return 0; + + if (!tls13_server_hello_build(ctx, cbb, 1)) + return 0; + + return 1; +} + +int +tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) +{ + /* + * If the client has requested middlebox compatibility mode, + * we MUST send a dummy CCS following our first handshake message. + * See RFC 8446 Appendix D.4. + */ + if (ctx->hs->tls13.legacy_session_id_len > 0) + ctx->send_dummy_ccs_after = 1; + + return 1; +} + +int +tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + SSL *s = ctx->ssl; + + if (!tls13_client_hello_process(ctx, cbs)) + return 0; + + /* XXX - need further checks. */ + if (s->method->internal->version < TLS1_3_VERSION) + return 0; + + ctx->hs->tls13.hrr = 0; + + return 1; +} + +static int +tls13_servername_process(struct tls13_ctx *ctx) +{ + uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; + + if (!tls13_legacy_servername_process(ctx, &alert)) { + ctx->alert = alert; + return 0; + } + + return 1; +} + +int +tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) +{ + if (ctx->hs->tls13.key_share == NULL) + return 0; + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) + return 0; + if (!tls13_servername_process(ctx)) + return 0; + + ctx->hs->tls13.server_group = 0; + + if (!tls13_server_hello_build(ctx, cbb, 0)) + return 0; + + return 1; +} + +int +tls13_server_hello_sent(struct tls13_ctx *ctx) +{ + /* + * If the client has requested middlebox compatibility mode, + * we MUST send a dummy CCS following our first handshake message. + * See RFC 8446 Appendix D.4. + */ + if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && + ctx->hs->tls13.legacy_session_id_len > 0) + ctx->send_dummy_ccs_after = 1; + + return tls13_server_engage_record_protection(ctx); +} + +int +tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) +{ + if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) + goto err; + + return 1; + err: + return 0; +} + +int +tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) +{ + CBB certificate_request_context; + + if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) + goto err; + if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + return 1; + err: + return 0; +} + +static int +tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, + int *ok, const struct ssl_sigalg **out_sigalg) +{ + const struct ssl_sigalg *sigalg; + SSL *s = ctx->ssl; + + *ok = 0; + *out_sigalg = NULL; + + if (cpk->x509 == NULL || cpk->privatekey == NULL) + goto done; + + if (!X509_check_purpose(cpk->x509, -1, 0)) + return 0; + + /* + * The digitalSignature bit MUST be set if the Key Usage extension is + * present as per RFC 8446 section 4.4.2.2. + */ + if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && + !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) + goto done; + + if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) + goto done; + + *ok = 1; + *out_sigalg = sigalg; + + done: + return 1; +} + +static int +tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, + const struct ssl_sigalg **out_sigalg) +{ + SSL *s = ctx->ssl; + const struct ssl_sigalg *sigalg; + CERT_PKEY *cpk; + int cert_ok; + + *out_cpk = NULL; + *out_sigalg = NULL; + + cpk = &s->cert->pkeys[SSL_PKEY_ECC]; + if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = &s->cert->pkeys[SSL_PKEY_RSA]; + if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = NULL; + sigalg = NULL; + + done: + *out_cpk = cpk; + *out_sigalg = sigalg; + + return 1; +} + +int +tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) +{ + SSL *s = ctx->ssl; + CBB cert_request_context, cert_list; + const struct ssl_sigalg *sigalg; + X509_STORE_CTX *xsc = NULL; + STACK_OF(X509) *chain; + CERT_PKEY *cpk; + X509 *cert; + int i, ret = 0; + + if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) + goto err; + + if (cpk == NULL) { + /* A server must always provide a certificate. */ + ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; + tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, + "no server certificate", NULL); + goto err; + } + + ctx->hs->tls13.cpk = cpk; + ctx->hs->tls13.sigalg = sigalg; + + if ((chain = cpk->chain) == NULL) + chain = s->ctx->extra_certs; + + if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if ((xsc = X509_STORE_CTX_new()) == NULL) + goto err; + if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) + goto err; + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), + X509_V_FLAG_LEGACY_VERIFY); + X509_verify_cert(xsc); + ERR_clear_error(); + chain = xsc->chain; + } + + if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) + goto err; + if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) + goto err; + + if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) + goto err; + + for (i = 0; i < sk_X509_num(chain); i++) { + cert = sk_X509_value(chain, i); + + /* + * In the case of auto chain, the leaf certificate will be at + * the top of the chain - skip over it as we've already added + * it earlier. + */ + if (i == 0 && cert == cpk->x509) + continue; + + /* + * XXX we don't send extensions with chain certs to avoid sending + * a leaf ocsp staple with the chain certs. This needs to get + * fixed. + */ + if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) + goto err; + } + + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + X509_STORE_CTX_free(xsc); + + return ret; +} + +int +tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) +{ + const struct ssl_sigalg *sigalg; + uint8_t *sig = NULL, *sig_content = NULL; + size_t sig_len, sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + const CERT_PKEY *cpk; + CBB sig_cbb; + int ret = 0; + + memset(&sig_cbb, 0, sizeof(sig_cbb)); + + if ((cpk = ctx->hs->tls13.cpk) == NULL) + goto err; + if ((sigalg = ctx->hs->tls13.sigalg) == NULL) + goto err; + pkey = cpk->privatekey; + + if (!CBB_init(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, + strlen(tls13_cert_server_verify_context))) + goto err; + if (!CBB_add_u8(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) + goto err; + if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) + goto err; + if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) + goto err; + if ((sig = calloc(1, sig_len)) == NULL) + goto err; + if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) + goto err; + + if (!CBB_add_u16(cbb, sigalg->value)) + goto err; + if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) + goto err; + if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + + CBB_cleanup(&sig_cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + free(sig); + + return ret; +} + +int +tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) +{ + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + uint8_t *verify_data; + size_t verify_data_len; + unsigned int hlen; + HMAC_CTX *hmac_ctx = NULL; + CBS cbs; + int ret = 0; + + if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) + goto err; + + if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, + &secrets->server_handshake_traffic, "finished", + &context)) + goto err; + + if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, + sizeof(transcript_hash), &transcript_hash_len)) + goto err; + + if ((hmac_ctx = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, + ctx->hash, NULL)) + goto err; + if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) + goto err; + + verify_data_len = HMAC_size(hmac_ctx); + if (!CBB_add_space(cbb, &verify_data, verify_data_len)) + goto err; + if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) + goto err; + if (hlen != verify_data_len) + goto err; + + CBS_init(&cbs, verify_data, verify_data_len); + if (!CBS_write_bytes(&cbs, ctx->hs->finished, + sizeof(ctx->hs->finished), &ctx->hs->finished_len)) + goto err; + + ret = 1; + + err: + tls13_secret_cleanup(&finished_key); + HMAC_CTX_free(hmac_ctx); + + return ret; +} + +int +tls13_server_finished_sent(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + + /* + * Derive application traffic keys. + */ + context.data = ctx->hs->tls13.transcript_hash; + context.len = ctx->hs->tls13.transcript_hash_len; + + if (!tls13_derive_application_secrets(secrets, &context)) + return 0; + + /* + * Any records following the server finished message must be encrypted + * using the server application traffic keys. + */ + return tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->server_application_traffic); +} + +int +tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS cert_request_context, cert_list, cert_data, cert_exts; + struct stack_st_X509 *certs = NULL; + SSL *s = ctx->ssl; + X509 *cert = NULL; + EVP_PKEY *pkey; + const uint8_t *p; + int cert_idx; + int ret = 0; + + if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) + goto err; + if (CBS_len(&cert_request_context) != 0) + goto err; + if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) + goto err; + if (CBS_len(&cert_list) == 0) { + if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) + return 1; + ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; + tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, + "peer did not provide a certificate", NULL); + goto err; + } + + if ((certs = sk_X509_new_null()) == NULL) + goto err; + while (CBS_len(&cert_list) > 0) { + if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) + goto err; + if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) + goto err; + + p = CBS_data(&cert_data); + if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) + goto err; + if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) + goto err; + + if (!sk_X509_push(certs, cert)) + goto err; + + cert = NULL; + } + + /* + * At this stage we still have no proof of possession. As such, it would + * be preferable to keep the chain and verify once we have successfully + * processed the CertificateVerify message. + */ + if (ssl_verify_cert_chain(s, certs) <= 0) { + ctx->alert = ssl_verify_alarm_type(s->verify_result); + tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, + "failed to verify peer certificate", NULL); + goto err; + } + ERR_clear_error(); + + cert = sk_X509_value(certs, 0); + X509_up_ref(cert); + + if ((pkey = X509_get0_pubkey(cert)) == NULL) + goto err; + if (EVP_PKEY_missing_parameters(pkey)) + goto err; + if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) + goto err; + + ssl_sess_cert_free(SSI(s)->sess_cert); + if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) + goto err; + + SSI(s)->sess_cert->cert_chain = certs; + certs = NULL; + + X509_up_ref(cert); + SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; + SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); + + X509_free(s->session->peer); + + X509_up_ref(cert); + s->session->peer = cert; + s->session->verify_result = s->verify_result; + + ctx->handshake_stage.hs_type |= WITH_CCV; + ret = 1; + + err: + sk_X509_pop_free(certs, X509_free); + X509_free(cert); + + return ret; +} + +int +tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + const struct ssl_sigalg *sigalg; + uint16_t signature_scheme; + uint8_t *sig_content = NULL; + size_t sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + X509 *cert; + CBS signature; + CBB cbb; + int ret = 0; + + memset(&cbb, 0, sizeof(cbb)); + + if (!CBS_get_u16(cbs, &signature_scheme)) + goto err; + if (!CBS_get_u16_length_prefixed(cbs, &signature)) + goto err; + + if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, + tls13_sigalgs_len)) == NULL) + goto err; + + if (!CBB_init(&cbb, 0)) + goto err; + if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) + goto err; + if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, + strlen(tls13_cert_client_verify_context))) + goto err; + if (!CBB_add_u8(&cbb, 0)) + goto err; + if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) + goto err; + if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) + goto err; + + if ((cert = ctx->ssl->session->peer) == NULL) + goto err; + if ((pkey = X509_get0_pubkey(cert)) == NULL) + goto err; + if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) + goto err; + + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), + CBS_len(&signature)) <= 0) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; + + CBB_cleanup(&cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + + return ret; +} + +int +tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + return 0; +} + +int +tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret finished_key; + uint8_t *verify_data = NULL; + size_t verify_data_len; + uint8_t key[EVP_MAX_MD_SIZE]; + HMAC_CTX *hmac_ctx = NULL; + unsigned int hlen; + int ret = 0; + + /* + * Verify client finished. + */ + finished_key.data = key; + finished_key.len = EVP_MD_size(ctx->hash); + + if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, + &secrets->client_handshake_traffic, "finished", + &context)) + goto err; + + if ((hmac_ctx = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, + ctx->hash, NULL)) + goto err; + if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) + goto err; + verify_data_len = HMAC_size(hmac_ctx); + if ((verify_data = calloc(1, verify_data_len)) == NULL) + goto err; + if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) + goto err; + if (hlen != verify_data_len) + goto err; + + if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + + if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, + sizeof(ctx->hs->peer_finished), + &ctx->hs->peer_finished_len)) + goto err; + + if (!CBS_skip(cbs, verify_data_len)) + goto err; + + /* + * Any records following the client finished message must be encrypted + * using the client application traffic keys. + */ + if (!tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->client_application_traffic)) + goto err; + + tls13_record_layer_allow_ccs(ctx->rl, 0); + + ret = 1; + + err: + HMAC_CTX_free(hmac_ctx); + free(verify_data); + + return ret; +} diff --git a/tap-driver.sh b/tap-driver.sh index 2516e9c3..0ca49037 100644 --- a/tap-driver.sh +++ b/tap-driver.sh @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (C) 2011-2018 Free Software Foundation, Inc. +# Copyright (C) 2011-2020 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -369,7 +369,7 @@ function setup_result_obj(line) sub("^(not )?ok[ \t]*", "", line) # If the result has an explicit number, get it and strip it; otherwise, - # automatically assing the next progresive number to it. + # automatically assign the next test number to it. if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/) { match(line, "^[0-9]+") diff --git a/test-driver b/test-driver index b8521a48..9759384a 100644 --- a/test-driver +++ b/test-driver @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2018 Free Software Foundation, Inc. +# Copyright (C) 2011-2020 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -42,11 +42,13 @@ print_usage () { cat <) +if(NOT BUILD_SHARED_LIBS) + add_executable(servertest servertest.c) + target_link_libraries(servertest ${OPENSSL_LIBS}) + if(NOT MSVC) + add_test(NAME servertest COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/servertest.sh) + else() + add_test(NAME servertest COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/servertest.bat $) + endif() + set_tests_properties(servertest PROPERTIES ENVIRONMENT "srcdir=${TEST_SOURCE_DIR}") endif() -set_tests_properties(servertest PROPERTIES ENVIRONMENT "srcdir=${TEST_SOURCE_DIR}") # sha1test add_executable(sha1test sha1test.c) @@ -511,6 +543,16 @@ add_executable(x25519test x25519test.c) target_link_libraries(x25519test ${OPENSSL_LIBS}) add_test(x25519test x25519test) +# x509attribute +add_executable(x509attribute x509attribute.c) +target_link_libraries(x509attribute ${OPENSSL_LIBS}) +add_test(x509attribute x509attribute) + +# x509_info +add_executable(x509_info x509_info.c) +target_link_libraries(x509_info ${OPENSSL_LIBS}) +add_test(x509_info x509_info) + # x509name add_executable(x509name x509name.c) target_link_libraries(x509name ${OPENSSL_LIBS}) diff --git a/tests/Makefile.am b/tests/Makefile.am index e14257b3..dbff1dcf 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -2,6 +2,7 @@ include $(top_srcdir)/Makefile.am.common AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1 +AM_CPPFLAGS += -I $(top_srcdir)/crypto/x509 AM_CPPFLAGS += -I $(top_srcdir)/ssl AM_CPPFLAGS += -I $(top_srcdir)/tls AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl @@ -131,15 +132,26 @@ check_PROGRAMS += cipherstest cipherstest_SOURCES = cipherstest.c # clienttest -TESTS += clienttest -check_PROGRAMS += clienttest -clienttest_SOURCES = clienttest.c +# disabled +#TESTS += clienttest +#check_PROGRAMS += clienttest +#clienttest_SOURCES = clienttest.c + +# cmstest +TESTS += cmstest +check_PROGRAMS += cmstest +cmstest_SOURCES = cmstest.c # configtest TESTS += configtest check_PROGRAMS += configtest configtest_SOURCES = configtest.c +# constraints +TESTS += constraints +check_PROGRAMS += constraints +constraints_SOURCES = constraints.c + # cts128test TESTS += cts128test check_PROGRAMS += cts128test @@ -222,7 +234,8 @@ check_PROGRAMS += gost2814789t gost2814789t_SOURCES = gost2814789t.c # handshake_table -noinst_PROGRAMS = handshake_table +TESTS += handshake_table +check_PROGRAMS += handshake_table handshake_table_SOURCES = handshake_table.c # hkdf_test @@ -336,6 +349,11 @@ TESTS += recordtest check_PROGRAMS += recordtest recordtest_SOURCES = recordtest.c +# record_layer_test +TESTS += record_layer_test +check_PROGRAMS += record_layer_test +record_layer_test_SOURCES = record_layer_test.c + # rfc5280time check_PROGRAMS += rfc5280time rfc5280time_SOURCES = rfc5280time.c @@ -387,6 +405,11 @@ TESTS += sm4test check_PROGRAMS += sm4test sm4test_SOURCES = sm4test.c +# ssl_methods +TESTS += ssl_methods +check_PROGRAMS += ssl_methods +ssl_methods_SOURCES = ssl_methods.c + # ssl_versions TESTS += ssl_versions check_PROGRAMS += ssl_versions @@ -461,6 +484,16 @@ TESTS += x25519test check_PROGRAMS += x25519test x25519test_SOURCES = x25519test.c +# x509attribute +TESTS += x509attribute +check_PROGRAMS += x509attribute +x509attribute_SOURCES = x509attribute.c + +# x509_info +TESTS += x509_info +check_PROGRAMS += x509_info +x509_info_SOURCES = x509_info.c + # x509name TESTS += x509name check_PROGRAMS += x509name diff --git a/tests/Makefile.in b/tests/Makefile.in index ee53e7bc..baee43dd 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,6 @@ @SET_MAKE@ - VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ @@ -96,53 +95,60 @@ TESTS = aeadtest.sh aes_wrap$(EXEEXT) $(am__append_2) asn1evp$(EXEEXT) \ bn_rand_interval$(EXEEXT) bntest$(EXEEXT) \ bn_to_string$(EXEEXT) buffertest$(EXEEXT) \ bytestringtest$(EXEEXT) casttest$(EXEEXT) chachatest$(EXEEXT) \ - cipher_list$(EXEEXT) cipherstest$(EXEEXT) clienttest$(EXEEXT) \ - configtest$(EXEEXT) cts128test$(EXEEXT) destest$(EXEEXT) \ - dhtest$(EXEEXT) dsatest$(EXEEXT) ecdhtest$(EXEEXT) \ - ecdsatest$(EXEEXT) ectest$(EXEEXT) enginetest$(EXEEXT) \ - evptest.sh $(am__EXEEXT_3) exptest$(EXEEXT) freenull$(EXEEXT) \ - gcm128test$(EXEEXT) gost2814789t$(EXEEXT) hkdftest$(EXEEXT) \ - hmactest$(EXEEXT) ideatest$(EXEEXT) igetest$(EXEEXT) \ - keypairtest.sh key_schedule$(EXEEXT) md4test$(EXEEXT) \ - md5test$(EXEEXT) mont$(EXEEXT) $(am__append_9) \ - optionstest$(EXEEXT) pbkdf2$(EXEEXT) $(am__append_11) \ - pkcs7test$(EXEEXT) poly1305test$(EXEEXT) pq_test.sh \ - randtest$(EXEEXT) rc2test$(EXEEXT) rc4test$(EXEEXT) \ - recordtest$(EXEEXT) $(am__append_13) $(am__EXEEXT_6) \ - rmdtest$(EXEEXT) rsa_test$(EXEEXT) servertest.sh \ - sha1test$(EXEEXT) sha256test$(EXEEXT) sha512test$(EXEEXT) \ - sm3test$(EXEEXT) sm4test$(EXEEXT) ssl_versions$(EXEEXT) \ + cipher_list$(EXEEXT) cipherstest$(EXEEXT) cmstest$(EXEEXT) \ + configtest$(EXEEXT) constraints$(EXEEXT) cts128test$(EXEEXT) \ + destest$(EXEEXT) dhtest$(EXEEXT) dsatest$(EXEEXT) \ + ecdhtest$(EXEEXT) ecdsatest$(EXEEXT) ectest$(EXEEXT) \ + enginetest$(EXEEXT) evptest.sh $(am__EXEEXT_3) \ + exptest$(EXEEXT) freenull$(EXEEXT) gcm128test$(EXEEXT) \ + gost2814789t$(EXEEXT) handshake_table$(EXEEXT) \ + hkdftest$(EXEEXT) hmactest$(EXEEXT) ideatest$(EXEEXT) \ + igetest$(EXEEXT) keypairtest.sh key_schedule$(EXEEXT) \ + md4test$(EXEEXT) md5test$(EXEEXT) mont$(EXEEXT) \ + $(am__append_9) optionstest$(EXEEXT) pbkdf2$(EXEEXT) \ + $(am__append_11) pkcs7test$(EXEEXT) poly1305test$(EXEEXT) \ + pq_test.sh randtest$(EXEEXT) rc2test$(EXEEXT) rc4test$(EXEEXT) \ + recordtest$(EXEEXT) record_layer_test$(EXEEXT) \ + $(am__append_13) $(am__EXEEXT_6) rmdtest$(EXEEXT) \ + rsa_test$(EXEEXT) servertest.sh sha1test$(EXEEXT) \ + sha256test$(EXEEXT) sha512test$(EXEEXT) sm3test$(EXEEXT) \ + sm4test$(EXEEXT) ssl_methods$(EXEEXT) ssl_versions$(EXEEXT) \ ssltest.sh testdsa.sh testenc.sh testrsa.sh \ timingsafe$(EXEEXT) tlsexttest$(EXEEXT) tlstest.sh \ tls_ext_alpn$(EXEEXT) tls_prf$(EXEEXT) utf8test$(EXEEXT) \ valid_handshakes_terminate$(EXEEXT) verifytest$(EXEEXT) \ - x25519test$(EXEEXT) x509name$(EXEEXT) + x25519test$(EXEEXT) x509attribute$(EXEEXT) x509_info$(EXEEXT) \ + x509name$(EXEEXT) check_PROGRAMS = aeadtest$(EXEEXT) aes_wrap$(EXEEXT) $(am__EXEEXT_1) \ asn1evp$(EXEEXT) asn1test$(EXEEXT) asn1time$(EXEEXT) \ base64test$(EXEEXT) bftest$(EXEEXT) $(am__EXEEXT_2) \ bnaddsub$(EXEEXT) bn_rand_interval$(EXEEXT) bntest$(EXEEXT) \ bn_to_string$(EXEEXT) buffertest$(EXEEXT) \ bytestringtest$(EXEEXT) casttest$(EXEEXT) chachatest$(EXEEXT) \ - cipher_list$(EXEEXT) cipherstest$(EXEEXT) clienttest$(EXEEXT) \ - configtest$(EXEEXT) cts128test$(EXEEXT) destest$(EXEEXT) \ - dhtest$(EXEEXT) dsatest$(EXEEXT) ecdhtest$(EXEEXT) \ - ecdsatest$(EXEEXT) ectest$(EXEEXT) enginetest$(EXEEXT) \ - evptest$(EXEEXT) $(am__EXEEXT_3) exptest$(EXEEXT) \ - freenull$(EXEEXT) gcm128test$(EXEEXT) gost2814789t$(EXEEXT) \ + cipher_list$(EXEEXT) cipherstest$(EXEEXT) cmstest$(EXEEXT) \ + configtest$(EXEEXT) constraints$(EXEEXT) cts128test$(EXEEXT) \ + destest$(EXEEXT) dhtest$(EXEEXT) dsatest$(EXEEXT) \ + ecdhtest$(EXEEXT) ecdsatest$(EXEEXT) ectest$(EXEEXT) \ + enginetest$(EXEEXT) evptest$(EXEEXT) $(am__EXEEXT_3) \ + exptest$(EXEEXT) freenull$(EXEEXT) gcm128test$(EXEEXT) \ + gost2814789t$(EXEEXT) handshake_table$(EXEEXT) \ hkdftest$(EXEEXT) hmactest$(EXEEXT) ideatest$(EXEEXT) \ igetest$(EXEEXT) keypairtest$(EXEEXT) key_schedule$(EXEEXT) \ md4test$(EXEEXT) md5test$(EXEEXT) mont$(EXEEXT) \ $(am__EXEEXT_4) optionstest$(EXEEXT) pbkdf2$(EXEEXT) \ $(am__EXEEXT_5) pkcs7test$(EXEEXT) poly1305test$(EXEEXT) \ pq_test$(EXEEXT) randtest$(EXEEXT) rc2test$(EXEEXT) \ - rc4test$(EXEEXT) recordtest$(EXEEXT) rfc5280time$(EXEEXT) \ + rc4test$(EXEEXT) recordtest$(EXEEXT) \ + record_layer_test$(EXEEXT) rfc5280time$(EXEEXT) \ rmdtest$(EXEEXT) rsa_test$(EXEEXT) servertest$(EXEEXT) \ sha1test$(EXEEXT) sha256test$(EXEEXT) sha512test$(EXEEXT) \ - sm3test$(EXEEXT) sm4test$(EXEEXT) ssl_versions$(EXEEXT) \ - ssltest$(EXEEXT) timingsafe$(EXEEXT) tlsexttest$(EXEEXT) \ - tlstest$(EXEEXT) tls_ext_alpn$(EXEEXT) tls_prf$(EXEEXT) \ - utf8test$(EXEEXT) valid_handshakes_terminate$(EXEEXT) \ - verifytest$(EXEEXT) x25519test$(EXEEXT) x509name$(EXEEXT) + sm3test$(EXEEXT) sm4test$(EXEEXT) ssl_methods$(EXEEXT) \ + ssl_versions$(EXEEXT) ssltest$(EXEEXT) timingsafe$(EXEEXT) \ + tlsexttest$(EXEEXT) tlstest$(EXEEXT) tls_ext_alpn$(EXEEXT) \ + tls_prf$(EXEEXT) utf8test$(EXEEXT) \ + valid_handshakes_terminate$(EXEEXT) verifytest$(EXEEXT) \ + x25519test$(EXEEXT) x509attribute$(EXEEXT) x509_info$(EXEEXT) \ + x509name$(EXEEXT) # arc4randomforktest # Windows/mingw does not have fork, but Cygwin does. @@ -159,7 +165,6 @@ check_PROGRAMS = aeadtest$(EXEEXT) aes_wrap$(EXEEXT) $(am__EXEEXT_1) \ @HOST_CYGWIN_FALSE@@HOST_WIN_FALSE@am__append_6 = explicit_bzero @HOST_CYGWIN_FALSE@@HOST_WIN_FALSE@am__append_7 = explicit_bzero @HAVE_MEMMEM_FALSE@@HOST_CYGWIN_FALSE@@HOST_WIN_FALSE@am__append_8 = compat/memmem.c -noinst_PROGRAMS = handshake_table$(EXEEXT) # ocsp_test @ENABLE_EXTRATESTS_TRUE@am__append_9 = ocsptest.sh @@ -175,7 +180,9 @@ noinst_PROGRAMS = handshake_table$(EXEEXT) @HAVE_PIPE2_FALSE@am__append_15 = compat/pipe2.c subdir = tests ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -195,7 +202,6 @@ CONFIG_CLEAN_VPATH_FILES = @HOST_CYGWIN_FALSE@@HOST_WIN_FALSE@ explicit_bzero$(EXEEXT) @ENABLE_EXTRATESTS_TRUE@am__EXEEXT_4 = ocsp_test$(EXEEXT) @ENABLE_EXTRATESTS_TRUE@am__EXEEXT_5 = pidwraptest$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) am_aeadtest_OBJECTS = aeadtest.$(OBJEXT) aeadtest_OBJECTS = $(am_aeadtest_OBJECTS) aeadtest_LDADD = $(LDADD) @@ -339,10 +345,10 @@ cipherstest_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ $(abs_top_builddir)/ssl/.libs/libssl.a \ $(abs_top_builddir)/crypto/.libs/libcrypto.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) -am_clienttest_OBJECTS = clienttest.$(OBJEXT) -clienttest_OBJECTS = $(am_clienttest_OBJECTS) -clienttest_LDADD = $(LDADD) -clienttest_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ +am_cmstest_OBJECTS = cmstest.$(OBJEXT) +cmstest_OBJECTS = $(am_cmstest_OBJECTS) +cmstest_LDADD = $(LDADD) +cmstest_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ $(abs_top_builddir)/ssl/.libs/libssl.a \ $(abs_top_builddir)/crypto/.libs/libcrypto.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) @@ -353,6 +359,13 @@ configtest_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ $(abs_top_builddir)/ssl/.libs/libssl.a \ $(abs_top_builddir)/crypto/.libs/libcrypto.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) +am_constraints_OBJECTS = constraints.$(OBJEXT) +constraints_OBJECTS = $(am_constraints_OBJECTS) +constraints_LDADD = $(LDADD) +constraints_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ + $(abs_top_builddir)/ssl/.libs/libssl.a \ + $(abs_top_builddir)/crypto/.libs/libcrypto.a \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) am_cts128test_OBJECTS = cts128test.$(OBJEXT) cts128test_OBJECTS = $(am_cts128test_OBJECTS) cts128test_LDADD = $(LDADD) @@ -599,6 +612,14 @@ rc4test_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ $(abs_top_builddir)/ssl/.libs/libssl.a \ $(abs_top_builddir)/crypto/.libs/libcrypto.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) +am_record_layer_test_OBJECTS = record_layer_test.$(OBJEXT) +record_layer_test_OBJECTS = $(am_record_layer_test_OBJECTS) +record_layer_test_LDADD = $(LDADD) +record_layer_test_DEPENDENCIES = \ + $(abs_top_builddir)/tls/.libs/libtls.a \ + $(abs_top_builddir)/ssl/.libs/libssl.a \ + $(abs_top_builddir)/crypto/.libs/libcrypto.a \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) am_recordtest_OBJECTS = recordtest.$(OBJEXT) recordtest_OBJECTS = $(am_recordtest_OBJECTS) recordtest_LDADD = $(LDADD) @@ -669,6 +690,13 @@ sm4test_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ $(abs_top_builddir)/ssl/.libs/libssl.a \ $(abs_top_builddir)/crypto/.libs/libcrypto.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) +am_ssl_methods_OBJECTS = ssl_methods.$(OBJEXT) +ssl_methods_OBJECTS = $(am_ssl_methods_OBJECTS) +ssl_methods_LDADD = $(LDADD) +ssl_methods_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ + $(abs_top_builddir)/ssl/.libs/libssl.a \ + $(abs_top_builddir)/crypto/.libs/libcrypto.a \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) am_ssl_versions_OBJECTS = ssl_versions.$(OBJEXT) ssl_versions_OBJECTS = $(am_ssl_versions_OBJECTS) ssl_versions_LDADD = $(LDADD) @@ -751,6 +779,20 @@ x25519test_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ $(abs_top_builddir)/ssl/.libs/libssl.a \ $(abs_top_builddir)/crypto/.libs/libcrypto.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) +am_x509_info_OBJECTS = x509_info.$(OBJEXT) +x509_info_OBJECTS = $(am_x509_info_OBJECTS) +x509_info_LDADD = $(LDADD) +x509_info_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ + $(abs_top_builddir)/ssl/.libs/libssl.a \ + $(abs_top_builddir)/crypto/.libs/libcrypto.a \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) +am_x509attribute_OBJECTS = x509attribute.$(OBJEXT) +x509attribute_OBJECTS = $(am_x509attribute_OBJECTS) +x509attribute_LDADD = $(LDADD) +x509attribute_DEPENDENCIES = $(abs_top_builddir)/tls/.libs/libtls.a \ + $(abs_top_builddir)/ssl/.libs/libssl.a \ + $(abs_top_builddir)/crypto/.libs/libcrypto.a \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_1) am_x509name_OBJECTS = x509name.$(OBJEXT) x509name_OBJECTS = $(am_x509name_OBJECTS) x509name_LDADD = $(LDADD) @@ -783,36 +825,38 @@ am__depfiles_remade = ./$(DEPDIR)/aeadtest.Po ./$(DEPDIR)/aes_wrap.Po \ ./$(DEPDIR)/buffertest-buffertest.Po \ ./$(DEPDIR)/bytestringtest.Po ./$(DEPDIR)/casttest.Po \ ./$(DEPDIR)/chachatest.Po ./$(DEPDIR)/cipher_list.Po \ - ./$(DEPDIR)/cipherstest.Po ./$(DEPDIR)/clienttest.Po \ - ./$(DEPDIR)/configtest.Po ./$(DEPDIR)/cts128test.Po \ - ./$(DEPDIR)/destest.Po ./$(DEPDIR)/dhtest.Po \ - ./$(DEPDIR)/dsatest.Po ./$(DEPDIR)/ecdhtest.Po \ - ./$(DEPDIR)/ecdsatest.Po ./$(DEPDIR)/ectest.Po \ - ./$(DEPDIR)/enginetest.Po ./$(DEPDIR)/evptest.Po \ - ./$(DEPDIR)/explicit_bzero.Po ./$(DEPDIR)/exptest-exptest.Po \ - ./$(DEPDIR)/freenull.Po ./$(DEPDIR)/gcm128test.Po \ - ./$(DEPDIR)/gost2814789t.Po ./$(DEPDIR)/handshake_table.Po \ - ./$(DEPDIR)/hkdf_test.Po ./$(DEPDIR)/hmactest.Po \ - ./$(DEPDIR)/ideatest.Po ./$(DEPDIR)/igetest.Po \ - ./$(DEPDIR)/key_schedule.Po ./$(DEPDIR)/keypairtest.Po \ - ./$(DEPDIR)/md4test.Po ./$(DEPDIR)/md5test.Po \ - ./$(DEPDIR)/mont.Po ./$(DEPDIR)/ocsp_test.Po \ - ./$(DEPDIR)/optionstest.Po ./$(DEPDIR)/pbkdf2.Po \ - ./$(DEPDIR)/pidwraptest.Po ./$(DEPDIR)/pkcs7test.Po \ - ./$(DEPDIR)/poly1305test.Po ./$(DEPDIR)/pq_test.Po \ - ./$(DEPDIR)/randtest.Po ./$(DEPDIR)/rc2test.Po \ - ./$(DEPDIR)/rc4test.Po ./$(DEPDIR)/recordtest.Po \ + ./$(DEPDIR)/cipherstest.Po ./$(DEPDIR)/cmstest.Po \ + ./$(DEPDIR)/configtest.Po ./$(DEPDIR)/constraints.Po \ + ./$(DEPDIR)/cts128test.Po ./$(DEPDIR)/destest.Po \ + ./$(DEPDIR)/dhtest.Po ./$(DEPDIR)/dsatest.Po \ + ./$(DEPDIR)/ecdhtest.Po ./$(DEPDIR)/ecdsatest.Po \ + ./$(DEPDIR)/ectest.Po ./$(DEPDIR)/enginetest.Po \ + ./$(DEPDIR)/evptest.Po ./$(DEPDIR)/explicit_bzero.Po \ + ./$(DEPDIR)/exptest-exptest.Po ./$(DEPDIR)/freenull.Po \ + ./$(DEPDIR)/gcm128test.Po ./$(DEPDIR)/gost2814789t.Po \ + ./$(DEPDIR)/handshake_table.Po ./$(DEPDIR)/hkdf_test.Po \ + ./$(DEPDIR)/hmactest.Po ./$(DEPDIR)/ideatest.Po \ + ./$(DEPDIR)/igetest.Po ./$(DEPDIR)/key_schedule.Po \ + ./$(DEPDIR)/keypairtest.Po ./$(DEPDIR)/md4test.Po \ + ./$(DEPDIR)/md5test.Po ./$(DEPDIR)/mont.Po \ + ./$(DEPDIR)/ocsp_test.Po ./$(DEPDIR)/optionstest.Po \ + ./$(DEPDIR)/pbkdf2.Po ./$(DEPDIR)/pidwraptest.Po \ + ./$(DEPDIR)/pkcs7test.Po ./$(DEPDIR)/poly1305test.Po \ + ./$(DEPDIR)/pq_test.Po ./$(DEPDIR)/randtest.Po \ + ./$(DEPDIR)/rc2test.Po ./$(DEPDIR)/rc4test.Po \ + ./$(DEPDIR)/record_layer_test.Po ./$(DEPDIR)/recordtest.Po \ ./$(DEPDIR)/rfc5280time.Po ./$(DEPDIR)/rmdtest.Po \ ./$(DEPDIR)/rsa_test.Po ./$(DEPDIR)/servertest.Po \ ./$(DEPDIR)/sha1test.Po ./$(DEPDIR)/sha256test.Po \ ./$(DEPDIR)/sha512test.Po ./$(DEPDIR)/sm3test.Po \ - ./$(DEPDIR)/sm4test.Po ./$(DEPDIR)/ssl_versions.Po \ - ./$(DEPDIR)/ssltest.Po ./$(DEPDIR)/timingsafe.Po \ - ./$(DEPDIR)/tls_ext_alpn.Po ./$(DEPDIR)/tls_prf.Po \ - ./$(DEPDIR)/tlsexttest.Po ./$(DEPDIR)/tlstest.Po \ - ./$(DEPDIR)/utf8test.Po \ + ./$(DEPDIR)/sm4test.Po ./$(DEPDIR)/ssl_methods.Po \ + ./$(DEPDIR)/ssl_versions.Po ./$(DEPDIR)/ssltest.Po \ + ./$(DEPDIR)/timingsafe.Po ./$(DEPDIR)/tls_ext_alpn.Po \ + ./$(DEPDIR)/tls_prf.Po ./$(DEPDIR)/tlsexttest.Po \ + ./$(DEPDIR)/tlstest.Po ./$(DEPDIR)/utf8test.Po \ ./$(DEPDIR)/valid_handshakes_terminate.Po \ ./$(DEPDIR)/verifytest.Po ./$(DEPDIR)/x25519test.Po \ + ./$(DEPDIR)/x509_info.Po ./$(DEPDIR)/x509attribute.Po \ ./$(DEPDIR)/x509name.Po compat/$(DEPDIR)/memmem.Po \ compat/$(DEPDIR)/pipe2.Po am__mv = mv -f @@ -842,12 +886,13 @@ SOURCES = $(aeadtest_SOURCES) $(aes_wrap_SOURCES) \ $(bnaddsub_SOURCES) $(bntest_SOURCES) $(buffertest_SOURCES) \ $(bytestringtest_SOURCES) $(casttest_SOURCES) \ $(chachatest_SOURCES) $(cipher_list_SOURCES) \ - $(cipherstest_SOURCES) $(clienttest_SOURCES) \ - $(configtest_SOURCES) $(cts128test_SOURCES) $(destest_SOURCES) \ - $(dhtest_SOURCES) $(dsatest_SOURCES) $(ecdhtest_SOURCES) \ - $(ecdsatest_SOURCES) $(ectest_SOURCES) $(enginetest_SOURCES) \ - $(evptest_SOURCES) $(explicit_bzero_SOURCES) \ - $(exptest_SOURCES) $(freenull_SOURCES) $(gcm128test_SOURCES) \ + $(cipherstest_SOURCES) $(cmstest_SOURCES) \ + $(configtest_SOURCES) $(constraints_SOURCES) \ + $(cts128test_SOURCES) $(destest_SOURCES) $(dhtest_SOURCES) \ + $(dsatest_SOURCES) $(ecdhtest_SOURCES) $(ecdsatest_SOURCES) \ + $(ectest_SOURCES) $(enginetest_SOURCES) $(evptest_SOURCES) \ + $(explicit_bzero_SOURCES) $(exptest_SOURCES) \ + $(freenull_SOURCES) $(gcm128test_SOURCES) \ $(gost2814789t_SOURCES) $(handshake_table_SOURCES) \ $(hkdftest_SOURCES) $(hmactest_SOURCES) $(ideatest_SOURCES) \ $(igetest_SOURCES) $(key_schedule_SOURCES) \ @@ -855,15 +900,18 @@ SOURCES = $(aeadtest_SOURCES) $(aes_wrap_SOURCES) \ $(mont_SOURCES) $(ocsp_test_SOURCES) $(optionstest_SOURCES) \ $(pbkdf2_SOURCES) $(pidwraptest_SOURCES) $(pkcs7test_SOURCES) \ $(poly1305test_SOURCES) $(pq_test_SOURCES) $(randtest_SOURCES) \ - $(rc2test_SOURCES) $(rc4test_SOURCES) $(recordtest_SOURCES) \ + $(rc2test_SOURCES) $(rc4test_SOURCES) \ + $(record_layer_test_SOURCES) $(recordtest_SOURCES) \ $(rfc5280time_SOURCES) $(rmdtest_SOURCES) $(rsa_test_SOURCES) \ $(servertest_SOURCES) $(sha1test_SOURCES) \ $(sha256test_SOURCES) $(sha512test_SOURCES) $(sm3test_SOURCES) \ - $(sm4test_SOURCES) $(ssl_versions_SOURCES) $(ssltest_SOURCES) \ + $(sm4test_SOURCES) $(ssl_methods_SOURCES) \ + $(ssl_versions_SOURCES) $(ssltest_SOURCES) \ $(timingsafe_SOURCES) $(tls_ext_alpn_SOURCES) \ $(tls_prf_SOURCES) $(tlsexttest_SOURCES) $(tlstest_SOURCES) \ $(utf8test_SOURCES) $(valid_handshakes_terminate_SOURCES) \ $(verifytest_SOURCES) $(x25519test_SOURCES) \ + $(x509_info_SOURCES) $(x509attribute_SOURCES) \ $(x509name_SOURCES) DIST_SOURCES = $(aeadtest_SOURCES) $(aes_wrap_SOURCES) \ $(am__arc4randomforktest_SOURCES_DIST) $(asn1evp_SOURCES) \ @@ -873,12 +921,13 @@ DIST_SOURCES = $(aeadtest_SOURCES) $(aes_wrap_SOURCES) \ $(bnaddsub_SOURCES) $(bntest_SOURCES) $(buffertest_SOURCES) \ $(bytestringtest_SOURCES) $(casttest_SOURCES) \ $(chachatest_SOURCES) $(cipher_list_SOURCES) \ - $(cipherstest_SOURCES) $(clienttest_SOURCES) \ - $(configtest_SOURCES) $(cts128test_SOURCES) $(destest_SOURCES) \ - $(dhtest_SOURCES) $(dsatest_SOURCES) $(ecdhtest_SOURCES) \ - $(ecdsatest_SOURCES) $(ectest_SOURCES) $(enginetest_SOURCES) \ - $(evptest_SOURCES) $(am__explicit_bzero_SOURCES_DIST) \ - $(exptest_SOURCES) $(freenull_SOURCES) $(gcm128test_SOURCES) \ + $(cipherstest_SOURCES) $(cmstest_SOURCES) \ + $(configtest_SOURCES) $(constraints_SOURCES) \ + $(cts128test_SOURCES) $(destest_SOURCES) $(dhtest_SOURCES) \ + $(dsatest_SOURCES) $(ecdhtest_SOURCES) $(ecdsatest_SOURCES) \ + $(ectest_SOURCES) $(enginetest_SOURCES) $(evptest_SOURCES) \ + $(am__explicit_bzero_SOURCES_DIST) $(exptest_SOURCES) \ + $(freenull_SOURCES) $(gcm128test_SOURCES) \ $(gost2814789t_SOURCES) $(handshake_table_SOURCES) \ $(hkdftest_SOURCES) $(hmactest_SOURCES) $(ideatest_SOURCES) \ $(igetest_SOURCES) $(key_schedule_SOURCES) \ @@ -887,16 +936,19 @@ DIST_SOURCES = $(aeadtest_SOURCES) $(aes_wrap_SOURCES) \ $(optionstest_SOURCES) $(pbkdf2_SOURCES) \ $(am__pidwraptest_SOURCES_DIST) $(pkcs7test_SOURCES) \ $(poly1305test_SOURCES) $(pq_test_SOURCES) $(randtest_SOURCES) \ - $(rc2test_SOURCES) $(rc4test_SOURCES) $(recordtest_SOURCES) \ + $(rc2test_SOURCES) $(rc4test_SOURCES) \ + $(record_layer_test_SOURCES) $(recordtest_SOURCES) \ $(rfc5280time_SOURCES) $(rmdtest_SOURCES) $(rsa_test_SOURCES) \ $(servertest_SOURCES) $(sha1test_SOURCES) \ $(sha256test_SOURCES) $(sha512test_SOURCES) $(sm3test_SOURCES) \ - $(sm4test_SOURCES) $(ssl_versions_SOURCES) $(ssltest_SOURCES) \ + $(sm4test_SOURCES) $(ssl_methods_SOURCES) \ + $(ssl_versions_SOURCES) $(ssltest_SOURCES) \ $(timingsafe_SOURCES) $(tls_ext_alpn_SOURCES) \ $(tls_prf_SOURCES) $(tlsexttest_SOURCES) \ $(am__tlstest_SOURCES_DIST) $(utf8test_SOURCES) \ $(valid_handshakes_terminate_SOURCES) $(verifytest_SOURCES) \ - $(x25519test_SOURCES) $(x509name_SOURCES) + $(x25519test_SOURCES) $(x509_info_SOURCES) \ + $(x509attribute_SOURCES) $(x509name_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -1104,6 +1156,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck @SMALL_TIME_T_FALSE@am__EXEEXT_6 = rfc5280time$(EXEEXT) @@ -1245,6 +1298,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1257,8 +1311,9 @@ AM_CFLAGS = AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \ -D__END_HIDDEN_DECLS= -I $(top_srcdir)/crypto/modes -I \ - $(top_srcdir)/crypto/asn1 -I $(top_srcdir)/ssl -I \ - $(top_srcdir)/tls -I $(top_srcdir)/apps/openssl -I \ + $(top_srcdir)/crypto/asn1 -I $(top_srcdir)/crypto/x509 -I \ + $(top_srcdir)/ssl -I $(top_srcdir)/tls -I \ + $(top_srcdir)/apps/openssl -I \ $(top_srcdir)/apps/openssl/compat \ -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\" LDADD = $(abs_top_builddir)/tls/.libs/libtls.a \ @@ -1297,8 +1352,9 @@ chachatest_SOURCES = chachatest.c cipher_list_SOURCES = cipher_list.c noinst_HEADERS = tests.h cipherstest_SOURCES = cipherstest.c -clienttest_SOURCES = clienttest.c +cmstest_SOURCES = cmstest.c configtest_SOURCES = configtest.c +constraints_SOURCES = constraints.c cts128test_SOURCES = cts128test.c destest_SOURCES = destest.c dhtest_SOURCES = dhtest.c @@ -1337,6 +1393,7 @@ randtest_SOURCES = randtest.c rc2test_SOURCES = rc2test.c rc4test_SOURCES = rc4test.c recordtest_SOURCES = recordtest.c +record_layer_test_SOURCES = record_layer_test.c rfc5280time_SOURCES = rfc5280time.c rmdtest_SOURCES = rmdtest.c rsa_test_SOURCES = rsa_test.c @@ -1346,6 +1403,7 @@ sha256test_SOURCES = sha256test.c sha512test_SOURCES = sha512test.c sm3test_SOURCES = sm3test.c sm4test_SOURCES = sm4test.c +ssl_methods_SOURCES = ssl_methods.c ssl_versions_SOURCES = ssl_versions.c ssltest_SOURCES = ssltest.c timingsafe_SOURCES = timingsafe.c @@ -1357,6 +1415,8 @@ utf8test_SOURCES = utf8test.c valid_handshakes_terminate_SOURCES = valid_handshakes_terminate.c verifytest_SOURCES = verifytest.c x25519test_SOURCES = x25519test.c +x509attribute_SOURCES = x509attribute.c +x509_info_SOURCES = x509_info.c x509name_SOURCES = x509name.c all: all-am @@ -1402,15 +1462,6 @@ clean-checkPROGRAMS: echo " rm -f" $$list; \ rm -f $$list -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list - aeadtest$(EXEEXT): $(aeadtest_OBJECTS) $(aeadtest_DEPENDENCIES) $(EXTRA_aeadtest_DEPENDENCIES) @rm -f aeadtest$(EXEEXT) $(AM_V_CCLD)$(LINK) $(aeadtest_OBJECTS) $(aeadtest_LDADD) $(LIBS) @@ -1487,14 +1538,18 @@ cipherstest$(EXEEXT): $(cipherstest_OBJECTS) $(cipherstest_DEPENDENCIES) $(EXTRA @rm -f cipherstest$(EXEEXT) $(AM_V_CCLD)$(LINK) $(cipherstest_OBJECTS) $(cipherstest_LDADD) $(LIBS) -clienttest$(EXEEXT): $(clienttest_OBJECTS) $(clienttest_DEPENDENCIES) $(EXTRA_clienttest_DEPENDENCIES) - @rm -f clienttest$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(clienttest_OBJECTS) $(clienttest_LDADD) $(LIBS) +cmstest$(EXEEXT): $(cmstest_OBJECTS) $(cmstest_DEPENDENCIES) $(EXTRA_cmstest_DEPENDENCIES) + @rm -f cmstest$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(cmstest_OBJECTS) $(cmstest_LDADD) $(LIBS) configtest$(EXEEXT): $(configtest_OBJECTS) $(configtest_DEPENDENCIES) $(EXTRA_configtest_DEPENDENCIES) @rm -f configtest$(EXEEXT) $(AM_V_CCLD)$(LINK) $(configtest_OBJECTS) $(configtest_LDADD) $(LIBS) +constraints$(EXEEXT): $(constraints_OBJECTS) $(constraints_DEPENDENCIES) $(EXTRA_constraints_DEPENDENCIES) + @rm -f constraints$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(constraints_OBJECTS) $(constraints_LDADD) $(LIBS) + cts128test$(EXEEXT): $(cts128test_OBJECTS) $(cts128test_DEPENDENCIES) $(EXTRA_cts128test_DEPENDENCIES) @rm -f cts128test$(EXEEXT) $(AM_V_CCLD)$(LINK) $(cts128test_OBJECTS) $(cts128test_LDADD) $(LIBS) @@ -1639,6 +1694,10 @@ rc4test$(EXEEXT): $(rc4test_OBJECTS) $(rc4test_DEPENDENCIES) $(EXTRA_rc4test_DEP @rm -f rc4test$(EXEEXT) $(AM_V_CCLD)$(LINK) $(rc4test_OBJECTS) $(rc4test_LDADD) $(LIBS) +record_layer_test$(EXEEXT): $(record_layer_test_OBJECTS) $(record_layer_test_DEPENDENCIES) $(EXTRA_record_layer_test_DEPENDENCIES) + @rm -f record_layer_test$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(record_layer_test_OBJECTS) $(record_layer_test_LDADD) $(LIBS) + recordtest$(EXEEXT): $(recordtest_OBJECTS) $(recordtest_DEPENDENCIES) $(EXTRA_recordtest_DEPENDENCIES) @rm -f recordtest$(EXEEXT) $(AM_V_CCLD)$(LINK) $(recordtest_OBJECTS) $(recordtest_LDADD) $(LIBS) @@ -1679,6 +1738,10 @@ sm4test$(EXEEXT): $(sm4test_OBJECTS) $(sm4test_DEPENDENCIES) $(EXTRA_sm4test_DEP @rm -f sm4test$(EXEEXT) $(AM_V_CCLD)$(LINK) $(sm4test_OBJECTS) $(sm4test_LDADD) $(LIBS) +ssl_methods$(EXEEXT): $(ssl_methods_OBJECTS) $(ssl_methods_DEPENDENCIES) $(EXTRA_ssl_methods_DEPENDENCIES) + @rm -f ssl_methods$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(ssl_methods_OBJECTS) $(ssl_methods_LDADD) $(LIBS) + ssl_versions$(EXEEXT): $(ssl_versions_OBJECTS) $(ssl_versions_DEPENDENCIES) $(EXTRA_ssl_versions_DEPENDENCIES) @rm -f ssl_versions$(EXEEXT) $(AM_V_CCLD)$(LINK) $(ssl_versions_OBJECTS) $(ssl_versions_LDADD) $(LIBS) @@ -1725,6 +1788,14 @@ x25519test$(EXEEXT): $(x25519test_OBJECTS) $(x25519test_DEPENDENCIES) $(EXTRA_x2 @rm -f x25519test$(EXEEXT) $(AM_V_CCLD)$(LINK) $(x25519test_OBJECTS) $(x25519test_LDADD) $(LIBS) +x509_info$(EXEEXT): $(x509_info_OBJECTS) $(x509_info_DEPENDENCIES) $(EXTRA_x509_info_DEPENDENCIES) + @rm -f x509_info$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(x509_info_OBJECTS) $(x509_info_LDADD) $(LIBS) + +x509attribute$(EXEEXT): $(x509attribute_OBJECTS) $(x509attribute_DEPENDENCIES) $(EXTRA_x509attribute_DEPENDENCIES) + @rm -f x509attribute$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(x509attribute_OBJECTS) $(x509attribute_LDADD) $(LIBS) + x509name$(EXEEXT): $(x509name_OBJECTS) $(x509name_DEPENDENCIES) $(EXTRA_x509name_DEPENDENCIES) @rm -f x509name$(EXEEXT) $(AM_V_CCLD)$(LINK) $(x509name_OBJECTS) $(x509name_LDADD) $(LIBS) @@ -1755,8 +1826,9 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chachatest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipher_list.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cipherstest.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/clienttest.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmstest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configtest.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cts128test.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/destest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhtest.Po@am__quote@ # am--include-marker @@ -1791,6 +1863,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/randtest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2test.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc4test.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/record_layer_test.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/recordtest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rfc5280time.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rmdtest.Po@am__quote@ # am--include-marker @@ -1801,6 +1874,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha512test.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm3test.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm4test.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_methods.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_versions.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssltest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timingsafe.Po@am__quote@ # am--include-marker @@ -1812,6 +1886,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/valid_handshakes_terminate.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verifytest.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x25519test.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_info.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509attribute.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509name.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@compat/$(DEPDIR)/memmem.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@compat/$(DEPDIR)/pipe2.Po@am__quote@ # am--include-marker @@ -2053,7 +2129,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -2220,9 +2296,9 @@ cipherstest.log: cipherstest$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -clienttest.log: clienttest$(EXEEXT) - @p='clienttest$(EXEEXT)'; \ - b='clienttest'; \ +cmstest.log: cmstest$(EXEEXT) + @p='cmstest$(EXEEXT)'; \ + b='cmstest'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -2234,6 +2310,13 @@ configtest.log: configtest$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +constraints.log: constraints$(EXEEXT) + @p='constraints$(EXEEXT)'; \ + b='constraints'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) cts128test.log: cts128test$(EXEEXT) @p='cts128test$(EXEEXT)'; \ b='cts128test'; \ @@ -2332,6 +2415,13 @@ gost2814789t.log: gost2814789t$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +handshake_table.log: handshake_table$(EXEEXT) + @p='handshake_table$(EXEEXT)'; \ + b='handshake_table'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) hkdftest.log: hkdftest$(EXEEXT) @p='hkdftest$(EXEEXT)'; \ b='hkdftest'; \ @@ -2472,6 +2562,13 @@ recordtest.log: recordtest$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +record_layer_test.log: record_layer_test$(EXEEXT) + @p='record_layer_test$(EXEEXT)'; \ + b='record_layer_test'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) rfc5280time.log: rfc5280time$(EXEEXT) @p='rfc5280time$(EXEEXT)'; \ b='rfc5280time'; \ @@ -2535,6 +2632,13 @@ sm4test.log: sm4test$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +ssl_methods.log: ssl_methods$(EXEEXT) + @p='ssl_methods$(EXEEXT)'; \ + b='ssl_methods'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) ssl_versions.log: ssl_versions$(EXEEXT) @p='ssl_versions$(EXEEXT)'; \ b='ssl_versions'; \ @@ -2633,6 +2737,20 @@ x25519test.log: x25519test$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +x509attribute.log: x509attribute$(EXEEXT) + @p='x509attribute$(EXEEXT)'; \ + b='x509attribute'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +x509_info.log: x509_info$(EXEEXT) + @p='x509_info$(EXEEXT)'; \ + b='x509_info'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) x509name.log: x509name$(EXEEXT) @p='x509name$(EXEEXT)'; \ b='x509name'; \ @@ -2692,7 +2810,7 @@ check-am: all-am $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(PROGRAMS) $(HEADERS) +all-am: Makefile $(HEADERS) installdirs: install: install-am install-exec: install-exec-am @@ -2733,7 +2851,7 @@ maintainer-clean-generic: clean: clean-am clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am + mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/aeadtest.Po @@ -2755,8 +2873,9 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/chachatest.Po -rm -f ./$(DEPDIR)/cipher_list.Po -rm -f ./$(DEPDIR)/cipherstest.Po - -rm -f ./$(DEPDIR)/clienttest.Po + -rm -f ./$(DEPDIR)/cmstest.Po -rm -f ./$(DEPDIR)/configtest.Po + -rm -f ./$(DEPDIR)/constraints.Po -rm -f ./$(DEPDIR)/cts128test.Po -rm -f ./$(DEPDIR)/destest.Po -rm -f ./$(DEPDIR)/dhtest.Po @@ -2791,6 +2910,7 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/randtest.Po -rm -f ./$(DEPDIR)/rc2test.Po -rm -f ./$(DEPDIR)/rc4test.Po + -rm -f ./$(DEPDIR)/record_layer_test.Po -rm -f ./$(DEPDIR)/recordtest.Po -rm -f ./$(DEPDIR)/rfc5280time.Po -rm -f ./$(DEPDIR)/rmdtest.Po @@ -2801,6 +2921,7 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/sha512test.Po -rm -f ./$(DEPDIR)/sm3test.Po -rm -f ./$(DEPDIR)/sm4test.Po + -rm -f ./$(DEPDIR)/ssl_methods.Po -rm -f ./$(DEPDIR)/ssl_versions.Po -rm -f ./$(DEPDIR)/ssltest.Po -rm -f ./$(DEPDIR)/timingsafe.Po @@ -2812,6 +2933,8 @@ distclean: distclean-am -rm -f ./$(DEPDIR)/valid_handshakes_terminate.Po -rm -f ./$(DEPDIR)/verifytest.Po -rm -f ./$(DEPDIR)/x25519test.Po + -rm -f ./$(DEPDIR)/x509_info.Po + -rm -f ./$(DEPDIR)/x509attribute.Po -rm -f ./$(DEPDIR)/x509name.Po -rm -f compat/$(DEPDIR)/memmem.Po -rm -f compat/$(DEPDIR)/pipe2.Po @@ -2879,8 +3002,9 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/chachatest.Po -rm -f ./$(DEPDIR)/cipher_list.Po -rm -f ./$(DEPDIR)/cipherstest.Po - -rm -f ./$(DEPDIR)/clienttest.Po + -rm -f ./$(DEPDIR)/cmstest.Po -rm -f ./$(DEPDIR)/configtest.Po + -rm -f ./$(DEPDIR)/constraints.Po -rm -f ./$(DEPDIR)/cts128test.Po -rm -f ./$(DEPDIR)/destest.Po -rm -f ./$(DEPDIR)/dhtest.Po @@ -2915,6 +3039,7 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/randtest.Po -rm -f ./$(DEPDIR)/rc2test.Po -rm -f ./$(DEPDIR)/rc4test.Po + -rm -f ./$(DEPDIR)/record_layer_test.Po -rm -f ./$(DEPDIR)/recordtest.Po -rm -f ./$(DEPDIR)/rfc5280time.Po -rm -f ./$(DEPDIR)/rmdtest.Po @@ -2925,6 +3050,7 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/sha512test.Po -rm -f ./$(DEPDIR)/sm3test.Po -rm -f ./$(DEPDIR)/sm4test.Po + -rm -f ./$(DEPDIR)/ssl_methods.Po -rm -f ./$(DEPDIR)/ssl_versions.Po -rm -f ./$(DEPDIR)/ssltest.Po -rm -f ./$(DEPDIR)/timingsafe.Po @@ -2936,6 +3062,8 @@ maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/valid_handshakes_terminate.Po -rm -f ./$(DEPDIR)/verifytest.Po -rm -f ./$(DEPDIR)/x25519test.Po + -rm -f ./$(DEPDIR)/x509_info.Po + -rm -f ./$(DEPDIR)/x509attribute.Po -rm -f ./$(DEPDIR)/x509name.Po -rm -f compat/$(DEPDIR)/memmem.Po -rm -f compat/$(DEPDIR)/pipe2.Po @@ -2961,18 +3089,17 @@ uninstall-am: .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ - clean-noinstPROGRAMS cscopelist-am ctags ctags-am distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am recheck tags tags-am uninstall \ - uninstall-am + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + recheck tags tags-am uninstall uninstall-am .PRECIOUS: Makefile diff --git a/tests/aes_wrap.c b/tests/aes_wrap.c index b48c7ae6..2b61ae37 100644 --- a/tests/aes_wrap.c +++ b/tests/aes_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aes_wrap.c,v 1.4 2018/07/17 17:06:49 tb Exp $ */ +/* $OpenBSD: aes_wrap.c,v 1.5 2021/04/04 20:40:48 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -85,6 +85,8 @@ AES_wrap_unwrap_test(const unsigned char *kek, int keybits, if (AES_set_decrypt_key(kek, keybits, &wctx)) goto err; r = AES_unwrap_key(&wctx, iv, ptmp, otmp, r); + if (r <= 0) + goto err; if (memcmp(key, ptmp, keylen)) goto err; diff --git a/tests/asn1evp.c b/tests/asn1evp.c index 64a3becc..7e290d5d 100644 --- a/tests/asn1evp.c +++ b/tests/asn1evp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1evp.c,v 1.3 2018/11/08 21:37:21 jsing Exp $ */ +/* $OpenBSD: asn1evp.c,v 1.4 2021/04/06 16:30:27 tb Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -36,12 +36,12 @@ unsigned char test_octetstring[] = { static void hexdump(const unsigned char *buf, size_t len) { - size_t i; + size_t i; - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); + for (i = 1; i <= len; i++) + fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); - fprintf(stderr, "\n"); + fprintf(stderr, "\n"); } static int diff --git a/tests/asn1test.c b/tests/asn1test.c index 69be0867..13f3d106 100644 --- a/tests/asn1test.c +++ b/tests/asn1test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1test.c,v 1.6 2016/12/26 15:31:38 jsing Exp $ */ +/* $OpenBSD: asn1test.c,v 1.7 2021/03/22 20:05:21 tb Exp $ */ /* * Copyright (c) 2014, 2016 Joel Sing * @@ -334,7 +334,7 @@ session_cmp(SSL_SESSION *s1, SSL_SESSION *s2) fprintf(stderr, "peer differs\n"); return (1); } - + if (s1->verify_result != s2->verify_result) { fprintf(stderr, "verify_result differs: %li != %li\n", s1->verify_result, s2->verify_result); @@ -369,7 +369,7 @@ session_cmp(SSL_SESSION *s1, SSL_SESSION *s2) static int do_ssl_asn1_test(int test_no, struct ssl_asn1_test *sat) { - SSL_SESSION session, *sp = NULL; + SSL_SESSION *sp = NULL; unsigned char *ap, *asn1 = NULL; const unsigned char *pp; int i, len, rv = 1; @@ -426,11 +426,9 @@ do_ssl_asn1_test(int test_no, struct ssl_asn1_test *sat) goto failed; } - sp = &session; - memset(sp, 0, sizeof(*sp)); pp = sat->asn1; - if ((sp = d2i_SSL_SESSION(&sp, &pp, sat->asn1_len)) == NULL) { + if ((sp = d2i_SSL_SESSION(NULL, &pp, sat->asn1_len)) == NULL) { fprintf(stderr, "FAIL: test %i - decoding failed\n", test_no); goto failed; } @@ -442,9 +440,9 @@ do_ssl_asn1_test(int test_no, struct ssl_asn1_test *sat) rv = 0; -failed: - ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); - + failed: + ERR_print_errors_fp(stderr); + SSL_SESSION_free(sp); free(asn1); return (rv); diff --git a/tests/base64test.c b/tests/base64test.c index 1ff3b930..a05bc107 100644 --- a/tests/base64test.c +++ b/tests/base64test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: base64test.c,v 1.6 2019/06/27 04:29:35 deraadt Exp $ */ +/* $OpenBSD: base64test.c,v 1.9 2021/03/21 14:06:29 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -119,6 +119,102 @@ struct base64_test base64_nl_tests[] = { 74, 0, }, + + /* OpenSSL-1.1.1d test */ + /* canonical */ + { "", 0, "", 0, 0, }, + /* canonical */ + { "h", 1, "aA==\n", 5, 1, }, + /* canonical */ + { "hello", 5, "aGVsbG8=\n", 9, 5, }, + /* canonical */ + { "hello world!", 12, "aGVsbG8gd29ybGQh\n", 17, 12, }, + /* canonical */ + { "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\xa0\xb0\xc0\xd0\xe0\xf0\x00", 17, "AAECAwQFBgcICaCwwNDg8AA=\n", 25, 17, }, + /* invalid # Missing padding */ + { "", -1, "aGVsbG8", 7, 0, }, + /* invalid */ + { "", -1, "aGVsbG8\n", 8, 0, }, + /* valid # Tolerate missing newline */ + { "hello", -1, "aGVsbG8=", 8, 5, }, + /* invalid # Don't tolerate extra trailing '=' */ + { "", -1, "aGVsbG8==\n", 10, 0, }, + /* invalid */ + { "", -1, "aGVsbG8===\n", 11, 0, }, + /* invalid # Don't tolerate data after '=' */ + { "", -1, "aGV=sbG8=\n", 10, 0, }, + /* valid # Newlines are ignored */ + { "hello", -1, "aGV\nsbG8=\n", 10, 5, }, + /* canonical */ + { "hello", 5, "\x61\x47\x56\x73\x62\x47\x38\x3d\x0a", 9, 5, }, + /* invalid # Invalid characters */ + { "", -1, "\x61\x47\x56\x73\x62\x47\x38\x3d\x0a\x00", 10, 0, }, + /* invalid */ + { "", -1, "\x61\x47\x56\x00\x73\x62\x47\x38\x3d\x0a", 10, 0, }, + /* invalid */ + { "", -1, "\x61\x47\x56\x01\x73\x62\x47\x38\x3d\x0a", 10, 0, }, + /* invalid */ + { "", -1, "\x61\x47\x56\x80\x73\x62\x47\x38\x3d\x0a", 10, 0, }, + /* invalid */ + { "", -1, "\xe1\x47\x56\x73\x62\x47\x38\x3d\x0a", 9, 0, }, + /* canonical */ + { "OpenSSLOpenSSL\n", 15, "T3BlblNTTE9wZW5TU0wK\n", 21, 15, }, + /* valid */ + { "OpenSSLOpenSSL\n", -1, "T3BlblNTTE9wZW5TU0wK", 20, 15, }, + /* invalid # Truncate 1-3 chars */ + { "", -1, "T3BlblNTTE9wZW5TU0w", 19, 0, }, + /* invalid */ + { "", -1, "T3BlblNTTE9wZW5TU0", 18, 0, }, + /* invalid */ + { "", -1, "T3BlblNTTE9wZW5TU", 17, 0, }, + /* invalid */ + { "", -1, "T3BlblNTTE9wZW5TU0wK====", 24, 0, }, + /* invalid */ + { "", -1, "T3BlblNTTE9wZW5TU0wK============================================\n", 65, 0, }, + /* invalid */ + { "", -1, "YQ==YQ==YQ==\n", 13, 0, }, + /* invalid */ + { "", -1, "A", 1, 0, }, + /* invalid */ + { "", -1, "A\n", 2, 0, }, + /* invalid */ + { "", -1, "A=", 2, 0, }, + /* invalid */ + { "", -1, "A==\n", 4, 0, }, + /* invalid */ + { "", -1, "A===\n", 5, 0, }, + /* invalid */ + { "", -1, "A====\n", 6, 0, }, + /* valid */ + { "OpenSSLOpenSSL\n", -1, "T3BlblNTTE9wZW5TU0wK\n\n", 22, 15, }, + /* valid */ + { "OpenSSLOpenSSL\n", -1, "T3BlblNTTE\n9wZW5TU0wK", 21, 15, }, + /* invalid # CVE 2015-0292 */ + { "", -1, "ZW5jb2RlIG1lCg==================================================================\n", 81, 0, }, + /* canonical */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 46, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA==\n", 65, 46, }, + /* valid */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA\n==\n", 66, 46, }, + /* valid */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA=\n=\n", 66, 46, }, + /* invalid */ + { "", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA====\n", 67, 0, }, + /* canonical # Multiline output without padding */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 60, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4\neHh4eHh4eHh4eHh4\n", 82, 60, }, + /* canonical # Multiline output with padding */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 64, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4\neHh4eHh4eHh4eHh4eHh4eA==\n", 90, 64, }, + /* valid # Multiline output with line break in the middle of a b64 block is accepted */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh\n4eHh4eHh4eHh4eHh4eHh4eA==\n", 90, 64, }, + /* valid # Long lines are accepted */ + { "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA==\n", 89, 64, }, + /* invalid # Multiline input with data after '='. */ + { "", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA==\neHh4eHh4eHh4eHh4eHh4eHh4\n", 90, 0, }, + /* invalid */ + { "", -1, "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4\neA==eHh4eHh4eHh4eHh4eHh4\n", 90, 0, }, + /* valid # B64_EOF ('-') terminates input and trailing bytes are ignored */ + { "OpenSSLOpenSSL\n", -1, "T3BlblNTTE9wZW5TU0wK\n-abcd", 26, 15, }, + /* valid */ + { "OpenSSLOpenSSL\n", -1, "T3BlblNTTE9wZW5TU0wK-abcd", 25, 15, }, }; #define N_NL_TESTS (sizeof(base64_nl_tests) / sizeof(*base64_nl_tests)) @@ -221,7 +317,9 @@ base64_encoding_test(int test_no, struct base64_test *bt, int test_nl) b64len = 0; for (i = 0; i < bt->out_len; i++) { - if (bt->out[i] == '\r' || bt->out[i] == '\n') + if ((!test_nl || + (test_nl && (i % 64 != 0 || i == bt->out_len - 1))) && + (bt->out[i] == '\r' || bt->out[i] == '\n')) continue; buf[b64len++] = bt->out[i]; } @@ -273,14 +371,15 @@ base64_decoding_test(int test_no, struct base64_test *bt, int test_nl) if (buf == NULL) errx(1, "malloc"); - input = (char *)bt->out; - inlen = bt->out_len; - - if (test_nl) - inlen = asprintf(&input, "%s\r\n", bt->out); + if ((input = malloc(BUF_SIZE)) == NULL) + errx(1, "malloc"); - if (inlen == -1) - errx(1, "asprintf"); + memcpy(input, bt->out, bt->out_len); + inlen = bt->out_len; + if (test_nl) { + memcpy(&input[bt->out_len], "\r\n", 2); + inlen += 2; + } bio_mem = BIO_new_mem_buf(input, inlen); if (bio_mem == NULL) @@ -326,8 +425,8 @@ base64_decoding_test(int test_no, struct base64_test *bt, int test_nl) fprintf(stderr, "0x%x ", buf[i]); fprintf(stderr, "\n"); fprintf(stderr, " test data: "); - for (i = 0; i < inlen; i++) - fprintf(stderr, "0x%x ", input[i]); + for (i = 0; i < bt->in_len; i++) + fprintf(stderr, "0x%x ", bt->in[i]); fprintf(stderr, "\n"); failure = 1; } @@ -335,8 +434,7 @@ base64_decoding_test(int test_no, struct base64_test *bt, int test_nl) done: BIO_free_all(bio_mem); free(buf); - if (test_nl) - free(input); + free(input); return failure; } diff --git a/tests/bn_rand_interval.c b/tests/bn_rand_interval.c index b8b84bd8..5d2f5478 100644 --- a/tests/bn_rand_interval.c +++ b/tests/bn_rand_interval.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand_interval.c,v 1.3 2018/11/10 01:39:35 tb Exp $ */ +/* $OpenBSD: bn_rand_interval.c,v 1.4 2021/04/06 16:40:34 tb Exp $ */ /* * Copyright (c) 2018 Theo Buehler * @@ -54,15 +54,15 @@ main(int argc, char *argv[]) int i, success = 1; if ((a = BN_new()) == NULL) - err(1, "BN_new(a)"); + errx(1, "BN_new(a)"); if ((b = BN_new()) == NULL) - err(1, "BN_new(b)"); + errx(1, "BN_new(b)"); if ((x = BN_new()) == NULL) - err(1, "BN_new(c)"); - + errx(1, "BN_new(c)"); + for (i = 0; i < NUM_TESTS; i++) { if (!BN_rand(a, 256, 0, 0)) - err(1, "BN_rand(a)"); + errx(1, "BN_rand(a)"); if (bn_rand_interval(x, a, a) != 0) { success = 0; @@ -72,7 +72,7 @@ main(int argc, char *argv[]) } if (!BN_rand(b, 256, 0, 0)) - err(1, "BN_rand(b)"); + errx(1, "BN_rand(b)"); switch(BN_cmp(a, b)) { case 0: /* a == b */ @@ -87,7 +87,7 @@ main(int argc, char *argv[]) } if (!bn_rand_interval(x, a, b)) - err(1, "bn_rand_interval() failed"); + errx(1, "bn_rand_interval() failed"); if (BN_cmp(x, a) < 0 || BN_cmp(x, b) >= 0) { success = 0; diff --git a/tests/bytestringtest.c b/tests/bytestringtest.c index 0e9f5f47..040667ed 100644 --- a/tests/bytestringtest.c +++ b/tests/bytestringtest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bytestringtest.c,v 1.12 2018/08/16 18:40:19 jsing Exp $ */ +/* $OpenBSD: bytestringtest.c,v 1.14 2021/04/04 19:55:46 tb Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -297,6 +297,45 @@ test_cbb_basic(void) return ret; } +static int +test_cbb_add_space(void) +{ + static const uint8_t kExpected[] = {1, 2, 0, 0, 0, 0, 7, 8}; + uint8_t *buf = NULL; + size_t buf_len; + uint8_t *data; + int ret = 0; + CBB cbb; + + CHECK(CBB_init(&cbb, 100)); + + CHECK_GOTO(CBB_add_u16(&cbb, 0x102)); + CHECK_GOTO(CBB_add_space(&cbb, &data, 4)); + CHECK_GOTO(CBB_add_u16(&cbb, 0x708)); + CHECK_GOTO(CBB_finish(&cbb, &buf, &buf_len)); + + ret |= (buf_len == sizeof(kExpected) + && memcmp(buf, kExpected, buf_len) == 0); + + memset(buf, 0xa5, buf_len); + CHECK(CBB_init_fixed(&cbb, buf, buf_len)); + + CHECK_GOTO(CBB_add_u16(&cbb, 0x102)); + CHECK_GOTO(CBB_add_space(&cbb, &data, 4)); + CHECK_GOTO(CBB_add_u16(&cbb, 0x708)); + CHECK_GOTO(CBB_finish(&cbb, NULL, NULL)); + + ret |= (buf_len == sizeof(kExpected) + && memcmp(buf, kExpected, buf_len) == 0); + + if (0) { +err: + CBB_cleanup(&cbb); + } + free(buf); + return ret; +} + static int test_cbb_fixed(void) { @@ -787,7 +826,7 @@ test_write_bytes(void) size_t len; static const uint8_t input[] = {'f', 'o', 'o', 'b', 'a', 'r'}; CBS data; - char *tmp = NULL; + uint8_t *tmp = NULL; CHECK_GOTO((tmp = malloc(sizeof(input))) != NULL); memset(tmp, 100, sizeof(input)); @@ -857,6 +896,7 @@ main(void) failed |= !test_get_prefixed_bad(); failed |= !test_get_asn1(); failed |= !test_cbb_basic(); + failed |= !test_cbb_add_space(); failed |= !test_cbb_fixed(); failed |= !test_cbb_finish_child(); failed |= !test_cbb_discard_child(); diff --git a/tests/cipher_list.c b/tests/cipher_list.c index 70f547ab..9a5d9781 100644 --- a/tests/cipher_list.c +++ b/tests/cipher_list.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher_list.c,v 1.9 2018/06/02 16:35:02 jsing Exp $ */ +/* $OpenBSD: cipher_list.c,v 1.10 2021/01/09 12:39:22 tb Exp $ */ /* * Copyright (c) 2015 Doug Hogan * Copyright (c) 2015 Joel Sing @@ -199,6 +199,6 @@ main(void) if (!rv) printf("PASS %s\n", __FILE__); - + return rv; } diff --git a/tests/cipherstest.c b/tests/cipherstest.c index d76fbfc8..4d0260e2 100644 --- a/tests/cipherstest.c +++ b/tests/cipherstest.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Joel Sing + * Copyright (c) 2015, 2020 Joel Sing * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -20,6 +20,18 @@ #include #include +int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); + +static inline int +ssl_aes_is_accelerated(void) +{ +#if defined(__i386__) || defined(__x86_64__) + return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0); +#else + return (0); +#endif +} + static int get_put_test(const char *name, const SSL_METHOD *method) { @@ -71,7 +83,7 @@ get_put_test(const char *name, const SSL_METHOD *method) ret = 0; -failure: + failure: SSL_CTX_free(ssl_ctx); SSL_free(ssl); @@ -154,22 +166,353 @@ cipher_get_by_value_tests(void) ret = 0; -failure: + failure: SSL_CTX_free(ssl_ctx); SSL_free(ssl); return (ret); } +struct parse_ciphersuites_test { + const char *str; + const int want; + const unsigned long cids[32]; +}; + +struct parse_ciphersuites_test parse_ciphersuites_tests[] = { + { + /* LibreSSL names. */ + .str = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:AEAD-AES128-GCM-SHA256", + .want = 1, + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + }, + }, + { + /* OpenSSL names. */ + .str = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", + .want = 1, + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + }, + }, + { + /* Different priority order. */ + .str = "AEAD-AES128-GCM-SHA256:AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .want = 1, + .cids = { + TLS1_3_CK_AES_128_GCM_SHA256, + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + }, + }, + { + /* Known but unsupported names. */ + .str = "AEAD-AES256-GCM-SHA384:AEAD-AES128-CCM-SHA256:AEAD-AES128-CCM-8-SHA256", + .want = 1, + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + }, + }, + { + /* Empty string means no TLSv1.3 ciphersuites. */ + .str = "", + .want = 1, + .cids = { 0 }, + }, + { + .str = "TLS_CHACHA20_POLY1305_SHA256:TLS_NOT_A_CIPHERSUITE", + .want = 0, + }, + { + .str = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256", + .want = 0, + }, +}; + +#define N_PARSE_CIPHERSUITES_TESTS \ + (sizeof(parse_ciphersuites_tests) / sizeof(*parse_ciphersuites_tests)) + +static int +parse_ciphersuites_test(void) +{ + struct parse_ciphersuites_test *pct; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + SSL_CIPHER *cipher; + int failed = 1; + int j, ret; + size_t i; + + for (i = 0; i < N_PARSE_CIPHERSUITES_TESTS; i++) { + pct = &parse_ciphersuites_tests[i]; + + ret = ssl_parse_ciphersuites(&ciphers, pct->str); + if (ret != pct->want) { + fprintf(stderr, "FAIL: test %zu - " + "ssl_parse_ciphersuites returned %d, want %d\n", + i, ret, pct->want); + goto failed; + } + if (ret == 0) + continue; + + for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) { + cipher = sk_SSL_CIPHER_value(ciphers, j); + if (SSL_CIPHER_get_id(cipher) == pct->cids[j]) + continue; + fprintf(stderr, "FAIL: test %zu - got cipher %d with " + "id %lx, want %lx\n", i, j, + SSL_CIPHER_get_id(cipher), pct->cids[j]); + goto failed; + } + if (pct->cids[j] != 0) { + fprintf(stderr, "FAIL: test %zu - got %d ciphers, " + "expected more", i, sk_SSL_CIPHER_num(ciphers)); + goto failed; + } + } + + failed = 0; + + failed: + sk_SSL_CIPHER_free(ciphers); + + return failed; +} + +struct cipher_set_test { + int ctx_ciphersuites_first; + const char *ctx_ciphersuites; + const char *ctx_rulestr; + int ssl_ciphersuites_first; + const char *ssl_ciphersuites; + const char *ssl_rulestr; + int cids_aes_accel_fixup; + unsigned long cids[32]; +}; + +struct cipher_set_test cipher_set_tests[] = { + { + .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids_aes_accel_fixup = 1, + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids_aes_accel_fixup = 1, + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ctx_ciphersuites_first = 1, + .ctx_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ssl_ciphersuites_first = 1, + .ssl_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ctx_ciphersuites_first = 0, + .ctx_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ssl_ciphersuites_first = 0, + .ssl_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ssl_ciphersuites_first = 1, + .ssl_ciphersuites = "", + .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ssl_ciphersuites_first = 0, + .ssl_ciphersuites = "", + .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ctx_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .ssl_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, + { + .ctx_rulestr = "TLSv1.2+ECDHE+AEAD+AES", + .ssl_ciphersuites = "AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256", + .cids = { + TLS1_3_CK_AES_256_GCM_SHA384, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + }, + }, +}; + +#define N_CIPHER_SET_TESTS \ + (sizeof(cipher_set_tests) / sizeof(*cipher_set_tests)) + +static int +cipher_set_test(void) +{ + struct cipher_set_test *cst; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + SSL_CIPHER *cipher; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + int failed = 0; + size_t i; + int j; + + for (i = 0; i < N_CIPHER_SET_TESTS; i++) { + cst = &cipher_set_tests[i]; + + if (!ssl_aes_is_accelerated() && cst->cids_aes_accel_fixup) { + cst->cids[0] = TLS1_3_CK_CHACHA20_POLY1305_SHA256; + cst->cids[1] = TLS1_3_CK_AES_256_GCM_SHA384; + } + + if ((ctx = SSL_CTX_new(TLS_method())) == NULL) + errx(1, "SSL_CTX_new"); + + if (cst->ctx_ciphersuites_first && cst->ctx_ciphersuites != NULL) { + if (!SSL_CTX_set_ciphersuites(ctx, cst->ctx_ciphersuites)) + errx(1, "SSL_CTX_set_ciphersuites"); + } + if (cst->ctx_rulestr != NULL) { + if (!SSL_CTX_set_cipher_list(ctx, cst->ctx_rulestr)) + errx(1, "SSL_CTX_set_cipher_list"); + } + if (!cst->ctx_ciphersuites_first && cst->ctx_ciphersuites != NULL) { + if (!SSL_CTX_set_ciphersuites(ctx, cst->ctx_ciphersuites)) + errx(1, "SSL_CTX_set_ciphersuites"); + } + + /* XXX - check SSL_CTX_get_ciphers(ctx) */ + + if ((ssl = SSL_new(ctx)) == NULL) + errx(1, "SSL_new"); + + if (cst->ssl_ciphersuites_first && cst->ssl_ciphersuites != NULL) { + if (!SSL_set_ciphersuites(ssl, cst->ssl_ciphersuites)) + errx(1, "SSL_set_ciphersuites"); + } + if (cst->ssl_rulestr != NULL) { + if (!SSL_set_cipher_list(ssl, cst->ssl_rulestr)) + errx(1, "SSL_set_cipher_list"); + } + if (!cst->ssl_ciphersuites_first && cst->ssl_ciphersuites != NULL) { + if (!SSL_set_ciphersuites(ssl, cst->ssl_ciphersuites)) + errx(1, "SSL_set_ciphersuites"); + } + + ciphers = SSL_get_ciphers(ssl); + + for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) { + cipher = sk_SSL_CIPHER_value(ciphers, j); + if (SSL_CIPHER_get_id(cipher) == cst->cids[j]) + continue; + fprintf(stderr, "FAIL: test %zu - got cipher %d with " + "id %lx, want %lx\n", i, j, + SSL_CIPHER_get_id(cipher), cst->cids[j]); + failed |= 1; + } + if (cst->cids[j] != 0) { + fprintf(stderr, "FAIL: test %zu - got %d ciphers, " + "expected more", i, sk_SSL_CIPHER_num(ciphers)); + failed |= 1; + } + + SSL_CTX_free(ctx); + SSL_free(ssl); + } + + return failed; +} + int main(int argc, char **argv) { int failed = 0; - SSL_library_init(); - failed |= cipher_get_put_tests(); failed |= cipher_get_by_value_tests(); + failed |= parse_ciphersuites_test(); + failed |= cipher_set_test(); + return (failed); } diff --git a/tests/clienttest.c b/tests/clienttest.c deleted file mode 100644 index 6b8ea7d8..00000000 --- a/tests/clienttest.c +++ /dev/null @@ -1,446 +0,0 @@ -/* - * Copyright (c) 2015 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include -#include - -#include -#include -#include - -#define DTLS_HM_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) -#define DTLS_RANDOM_OFFSET (DTLS_HM_OFFSET + 2) -#define DTLS_CIPHER_OFFSET (DTLS_HM_OFFSET + 38) - -#define SSL3_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) -#define SSL3_RANDOM_OFFSET (SSL3_HM_OFFSET + 2) -#define SSL3_CIPHER_OFFSET (SSL3_HM_OFFSET + 37) - -static unsigned char cipher_list_dtls1[] = { - 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, - 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, - 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, - 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, - 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, -}; - -static unsigned char client_hello_dtls1[] = { - 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x01, 0x00, 0x00, - 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x54, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0xc0, - 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, - 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, - 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, - 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, - 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, - 0x04, 0x00, 0x23, 0x00, 0x00, -}; - -static unsigned char cipher_list_tls10[] = { - 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, - 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, - 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, - 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, - 0x00, 0x05, 0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, - 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, -}; - -static unsigned char client_hello_tls10[] = { - 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, - 0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0xc0, 0x14, - 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, - 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, - 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, - 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, - 0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, - 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x16, - 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, - 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, - 0x00, 0x18, 0x00, 0x23, 0x00, 0x00, -}; - -static unsigned char cipher_list_tls11[] = { - 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, - 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, - 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, - 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, - 0x00, 0x05, 0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, - 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, -}; - -static unsigned char client_hello_tls11[] = { - 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, - 0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0xc0, 0x14, - 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, - 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, - 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, - 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, - 0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, - 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x16, - 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, - 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, - 0x00, 0x18, 0x00, 0x23, 0x00, 0x00, -}; - -static unsigned char cipher_list_tls12_aes[] = { - 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, - 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, - 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, - 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, - 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, - 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, - 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, - 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, - 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, - 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, - 0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, - 0x00, 0x0a, 0x00, 0xff, -}; - -static unsigned char cipher_list_tls12_chacha[] = { - 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, - 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, - 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, - 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, - 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, - 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, - 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, - 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, - 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, - 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, - 0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, - 0x00, 0x0a, 0x00, 0xff, -}; - -static unsigned char client_hello_tls12[] = { - 0x16, 0x03, 0x01, 0x00, 0xbb, 0x01, 0x00, 0x00, - 0xb7, 0x03, 0x03, 0x2b, 0x39, 0xcc, 0x56, 0xfc, - 0xc4, 0x98, 0x8e, 0xfc, 0x22, 0x89, 0xc5, 0x1e, - 0xa9, 0x88, 0xbd, 0x6e, 0xd8, 0xd1, 0xd6, 0xc1, - 0xc3, 0x12, 0xe8, 0xe0, 0x1e, 0xfa, 0xa8, 0x21, - 0xd9, 0x2d, 0x4d, 0x00, 0x00, 0x5c, 0xc0, 0x30, - 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, - 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, - 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85, - 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, - 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, - 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, - 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, - 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, - 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, - 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04, - 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, - 0x00, 0xff, 0x01, 0x00, 0x00, 0x32, 0x00, 0x0b, - 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, - 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, - 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, - 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, - 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, - 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, -}; - -struct client_hello_test { - const unsigned char *desc; - const int protocol; - const size_t random_start; - const SSL_METHOD *(*ssl_method)(void); - const long ssl_options; -}; - -static struct client_hello_test client_hello_tests[] = { - { - .desc = "DTLSv1 client", - .protocol = DTLS1_VERSION, - .random_start = DTLS_RANDOM_OFFSET, - .ssl_method = DTLSv1_client_method, - }, - { - .desc = "TLSv1 client", - .protocol = TLS1_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLSv1_client_method, - }, - { - .desc = "TLSv1_1 client", - .protocol = TLS1_1_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLSv1_1_client_method, - }, - { - .desc = "TLSv1_2 client", - .protocol = TLS1_2_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLSv1_2_client_method, - }, - { - .desc = "SSLv23 default", - .protocol = TLS1_2_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = SSLv23_client_method, - .ssl_options = 0, - }, - { - .desc = "SSLv23 (no TLSv1.2)", - .protocol = TLS1_1_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = SSLv23_client_method, - .ssl_options = SSL_OP_NO_TLSv1_2, - }, - { - .desc = "SSLv23 (no TLSv1.1)", - .protocol = TLS1_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = SSLv23_client_method, - .ssl_options = SSL_OP_NO_TLSv1_1, - }, - { - .desc = "TLS default", - .protocol = TLS1_2_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLS_client_method, - .ssl_options = 0, - }, - { - .desc = "TLS (no TLSv1.2)", - .protocol = TLS1_1_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLS_client_method, - .ssl_options = SSL_OP_NO_TLSv1_2, - }, - { - .desc = "TLS (no TLSv1.1)", - .protocol = TLS1_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLS_client_method, - .ssl_options = SSL_OP_NO_TLSv1_1, - }, - { - .desc = "TLS (no TLSv1.0, no TLSv1.1)", - .protocol = TLS1_2_VERSION, - .random_start = SSL3_RANDOM_OFFSET, - .ssl_method = TLS_client_method, - .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, - }, -}; - -#define N_CLIENT_HELLO_TESTS \ - (sizeof(client_hello_tests) / sizeof(*client_hello_tests)) - -static void -hexdump(const unsigned char *buf, size_t len) -{ - size_t i; - - for (i = 1; i <= len; i++) - fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); - - fprintf(stderr, "\n"); -} - -static inline int -ssl_aes_is_accelerated(void) -{ -#if defined(__i386__) || defined(__x86_64__) - return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0); -#else - return (0); -#endif -} - -static int -make_client_hello(int protocol, char **out, size_t *outlen) -{ - size_t client_hello_len, cipher_list_len, cipher_list_offset; - const char *client_hello, *cipher_list; - char *p; - - *out = NULL; - *outlen = 0; - - switch (protocol) { - case DTLS1_VERSION: - client_hello = client_hello_dtls1; - client_hello_len = sizeof(client_hello_dtls1); - cipher_list = cipher_list_dtls1; - cipher_list_len = sizeof(cipher_list_dtls1); - cipher_list_offset = DTLS_CIPHER_OFFSET; - break; - - case TLS1_VERSION: - client_hello = client_hello_tls10; - client_hello_len = sizeof(client_hello_tls10); - cipher_list = cipher_list_tls10; - cipher_list_len = sizeof(cipher_list_tls10); - cipher_list_offset = SSL3_CIPHER_OFFSET; - break; - - case TLS1_1_VERSION: - client_hello = client_hello_tls11; - client_hello_len = sizeof(client_hello_tls11); - cipher_list = cipher_list_tls11; - cipher_list_len = sizeof(cipher_list_tls11); - cipher_list_offset = SSL3_CIPHER_OFFSET; - break; - - case TLS1_2_VERSION: - client_hello = client_hello_tls12; - client_hello_len = sizeof(client_hello_tls12); - if (ssl_aes_is_accelerated() == 1) - cipher_list = cipher_list_tls12_aes; - else - cipher_list = cipher_list_tls12_chacha; - cipher_list_len = sizeof(cipher_list_tls12_chacha); - cipher_list_offset = SSL3_CIPHER_OFFSET; - break; - - default: - return (-1); - } - - if ((p = malloc(client_hello_len)) == NULL) - return (-1); - - memcpy(p, client_hello, client_hello_len); - memcpy(p + cipher_list_offset, cipher_list, cipher_list_len); - - *out = p; - *outlen = client_hello_len; - - return (0); -} - -static int -client_hello_test(int testno, struct client_hello_test *cht) -{ - BIO *rbio = NULL, *wbio = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - char *client_hello = NULL; - size_t client_hello_len; - char *wbuf, rbuf[1]; - int ret = 1; - size_t i; - long len; - - fprintf(stderr, "Test %i - %s\n", testno, cht->desc); - - /* Providing a small buf causes *_get_server_hello() to return. */ - if ((rbio = BIO_new_mem_buf(rbuf, sizeof(rbuf))) == NULL) { - fprintf(stderr, "Failed to setup rbio\n"); - goto failure; - } - if ((wbio = BIO_new(BIO_s_mem())) == NULL) { - fprintf(stderr, "Failed to setup wbio\n"); - goto failure; - } - - if ((ssl_ctx = SSL_CTX_new(cht->ssl_method())) == NULL) { - fprintf(stderr, "SSL_CTX_new() returned NULL\n"); - goto failure; - } - - SSL_CTX_set_options(ssl_ctx, cht->ssl_options); - - if ((ssl = SSL_new(ssl_ctx)) == NULL) { - fprintf(stderr, "SSL_new() returned NULL\n"); - goto failure; - } - - rbio->references = 2; - wbio->references = 2; - - SSL_set_bio(ssl, rbio, wbio); - - if (SSL_connect(ssl) != 0) { - fprintf(stderr, "SSL_connect() returned non-zero\n"); - goto failure; - } - - len = BIO_get_mem_data(wbio, &wbuf); - - if (make_client_hello(cht->protocol, &client_hello, - &client_hello_len) != 0) - goto failure; - - if ((size_t)len != client_hello_len) { - fprintf(stderr, "FAIL: test returned ClientHello length %li, " - "want %zu\n", len, client_hello_len); - fprintf(stderr, "received:\n"); - hexdump(wbuf, len); - goto failure; - } - - /* We expect the client random to differ. */ - i = cht->random_start + SSL3_RANDOM_SIZE; - if (memcmp(client_hello, wbuf, cht->random_start) != 0 || - memcmp(&client_hello[cht->random_start], - &wbuf[cht->random_start], SSL3_RANDOM_SIZE) == 0 || - memcmp(&client_hello[i], &wbuf[i], len - i) != 0) { - fprintf(stderr, "FAIL: ClientHello differs:\n"); - fprintf(stderr, "received:\n"); - memset(&wbuf[cht->random_start], 0, SSL3_RANDOM_SIZE); - hexdump(wbuf, len); - fprintf(stderr, "test data:\n"); - hexdump(client_hello, client_hello_len); - fprintf(stderr, "\n"); - goto failure; - } - - ret = 0; - -failure: - SSL_CTX_free(ssl_ctx); - SSL_free(ssl); - - rbio->references = 1; - wbio->references = 1; - - BIO_free(rbio); - BIO_free(wbio); - - free(client_hello); - - return (ret); -} - -int -main(int argc, char **argv) -{ - int failed = 0; - size_t i; - - SSL_library_init(); - - for (i = 0; i < N_CLIENT_HELLO_TESTS; i++) - failed |= client_hello_test(i, &client_hello_tests[i]); - - return (failed); -} diff --git a/tests/cmstest.c b/tests/cmstest.c new file mode 100644 index 00000000..185d8831 --- /dev/null +++ b/tests/cmstest.c @@ -0,0 +1,314 @@ +/* $OpenBSD: cmstest.c,v 1.4 2021/03/22 20:31:34 tb Exp $ */ +/* + * Copyright (c) 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include +#include +#include + +#include + +static int verbose = 0; + +static const char cms_msg[] = "Hello CMS!\r\n"; + +static const char cms_ca_1[] = \ + "-----BEGIN CERTIFICATE-----\n" + "MIICqDCCAZACCQD8ebR8e4kdvjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtU\n" + "ZXN0IENNUyBDQTAeFw0xOTA1MTExNTUzNTNaFw0yOTA1MDgxNTUzNTNaMBYxFDAS\n" + "BgNVBAMMC1Rlc3QgQ01TIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\n" + "AQEAoIiW3POGYfhY0BEgG8mIwouOI917M72jsuUE57ccjEXLWseItLb7r9vkiwW/\n" + "FYbz0UYkJW1JgpZmWaTGOgZGxj+WTzxh1aq7OHyJb6Pxwp9wGrGJu+BEqOZN/bi/\n" + "aQ1l8x7DxVJkFeI1+4QKDfmGYfWoVzQLgamO3u0vxz3Vi/XzX01ZomcZUYYx0lIq\n" + "hxAO665HoPUmecqYdLPquJNxdfiy37ieLJOmIsKZJtMcCZAxqhcCwE7I0196Ng3P\n" + "fK9Sl7BCyTBszb2YC2qOleuI2Wjg/7o1+hugopUkjxz0RGFu5s3K9PhCLwpqylXg\n" + "IXe9Vwi38gKawD3yjtDBRDNmIwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAvsvtc\n" + "cO0Eo0F6MvB0bjBIMHBkKyWcmD2c5gVFhbHyRD+XBVXNdn5CcBba2amm0VgShBpM\n" + "4e1rOtIH/Hf6nB3c/EjZvd16ryoTCTvzayac7sD2Y8IxF1JIAKvjFbu+LmzM/F5f\n" + "x3/WdY1qs5W7lO46i8xmSUAP88gohWP4cyVUAITNrh/RSOFaWUd5i1/vZ+iEexLI\n" + "rQWsweJleOxvA8SrXm2gAkqRWEncsxOrsX/MsPl7iJoebLhWbS3cOHhutWrfhdlC\n" + "2uT6K7SA9rn6qqmvI6mLkHJQpqq++Py2UTDo1u8VKa3ieYNUN070kgxpYiVBGs3L\n" + "aaACIcEs48gnTRWc\n" + "-----END CERTIFICATE-----\n"; + +static const char cms_cert_1[] = \ + "-----BEGIN CERTIFICATE-----\n" + "MIICpDCCAYwCAQMwDQYJKoZIhvcNAQEFBQAwFjEUMBIGA1UEAwwLVGVzdCBDTVMg\n" + "Q0EwHhcNMTkwNTExMTU1MzU0WhcNMjkwNTA4MTU1MzU0WjAaMRgwFgYDVQQDDA9U\n" + "ZXN0IENNUyBDZXJ0IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD\n" + "MLSuy+tc0AwfrlszgHJ3z7UEpJSn5mcKxquFnEC5DtchgQJ+cj5VFvB9A9G98ykQ\n" + "0IrHXNUTbS2yvf8ac1PlocuA8ggeDK4gPHCe097j0nUphhT0VzhwwFfP6Uo6VaR8\n" + "B7Qb3zFTz64bN66V89etZ5NQJKMdrh4oOh5nfxLKvCcTK+9U4ZrgeGVdVXmL6HJp\n" + "3m9CPobCBsC8DgI+zF/tg4GjDoVCJd6Tv5MRAmKiBrzTGglVeknkgiyIZ9C7gXU/\n" + "7NMUihmLlt+80zr+nL0P+MA924WV4fZJi1wtf6Eioalq6n/9i93nBRCeu8bEOBrT\n" + "pAre2oBEoULIJu7Ubx79AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBADnLc6ZzApHq\n" + "Z8l4zrFKAG/O/oULPMRTA8/zXNQ60BMV10hVtTCxVNq59d48wEljuUOGLfM91rhj\n" + "gId8AOlsQbfRZE94DxlcaaAXaEjbkVSke56yfdLd4NqkIWrXGrFlbepj4b4ORAHh\n" + "85kPwDEDnpMgQ63LqNX3gru3xf2AGIa1Fck2ISkVafqW5TH0Y6dCeGGFTtnH/QUT\n" + "ofTm8uQ2vG9ERn+C1ooqJ2dyAckXFdmCcpor26vO/ZssMEKSee38ZNWR/01LEkOG\n" + "G0+AL7E1mJdlVOtp3DDFN0hoNY7PbVuuzT+mrAwGLhCp2jnf68iNdrIuDdIE6yvi\n" + "6WWvmmz+rC0=\n" + "-----END CERTIFICATE-----\n"; + +static const char cms_key_1[] = \ + "-----BEGIN PRIVATE KEY-----\n" + "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDMLSuy+tc0Awf\n" + "rlszgHJ3z7UEpJSn5mcKxquFnEC5DtchgQJ+cj5VFvB9A9G98ykQ0IrHXNUTbS2y\n" + "vf8ac1PlocuA8ggeDK4gPHCe097j0nUphhT0VzhwwFfP6Uo6VaR8B7Qb3zFTz64b\n" + "N66V89etZ5NQJKMdrh4oOh5nfxLKvCcTK+9U4ZrgeGVdVXmL6HJp3m9CPobCBsC8\n" + "DgI+zF/tg4GjDoVCJd6Tv5MRAmKiBrzTGglVeknkgiyIZ9C7gXU/7NMUihmLlt+8\n" + "0zr+nL0P+MA924WV4fZJi1wtf6Eioalq6n/9i93nBRCeu8bEOBrTpAre2oBEoULI\n" + "Ju7Ubx79AgMBAAECggEAD4XkGLKm+S6iiDJ5llL0x4qBPulH2UJ9l2HNakbO7ui7\n" + "OzLjW+MCCgpU/dw75ftcnLW5E7nSSEU6iSiLDTN2zKBdatfUxW8EuhOUcU0wQLYQ\n" + "E0lSiUwWdQEW+rX27US6XBLQxBav+ZZeplN7UvmdgXDnSkxfnJCoXVKh8GEuwWip\n" + "sM/Lwg8MSZK0o5qFVXtPp7kreB8CWlVyPYW5rDYy3k02R1t9k6WSdO2foPXe9rdZ\n" + "iiThkALcHdBcFF0NHrIkAgMdtcAxkDIwO2kOnGJQKDXu+txbzPYodMU0Z6eVnlIu\n" + "jh9ZjnZKBJgX6YVLVPRBwQXHXeGAnvMNm2WXH7SCAQKBgQDmMxvspc3K6HOqMoik\n" + "59Rq1gXIuaGH0uSMSiUMTkr4laJbh9WgZ6JTAfIPuhj1xKGfDK7LF9VjPQ104SgL\n" + "dCA1pV6nsuGS3j3vBnaMfmO7yr3yON+p/WDpKOgqC51Z3/pT8reJtMnyowQuDeYe\n" + "UVRVyeXA11nve0SSc97US4AtXQKBgQDZERtgs6ejiUJQXuflu9HDczEZ/pHfPI1y\n" + "+RU0tvI4860OTjerVJA2YBeOBLa9Y3hblvNpOU0SoVeMAGQLblEznJAl1nbaWqVY\n" + "kPgvtQcTOL/awEB90JklvSRqR82WJchMOHMG5SeqrpUx3Dg+cPH6nId0e8UCt3/U\n" + "W/u/5hP+IQKBgQDfReEmxaZ10MIm6P6p24Wm3dEcYBfxEjbEb0HBzspek1u3JWep\n" + "PfsuQavTXy/IaKBOENIUgBhjOZssqxnZChgXkD7frtulRNOTW5RuLkRzp3BWWJ1v\n" + "VifB3gBYj41d16UH+VnVQbnCEiUCuk5hR4bh8oJaaUV8xvW6ipItHNHErQKBgGoe\n" + "2uuj6UkiSbFRNL4z3JFZN6AlvNsOl3imHZ/v8Ou29dwQkVbJuNdckydzVoOwpZ7h\n" + "ZY8D3JJHHq3rYv3TqQ86c56MAv8tYbiy5yMrtZHIJMOlSeI4oSa6GZt8Dx5gylO5\n" + "JUMxtPrU70u5BiZAwYxsCi0AdYimfXAsqB9hNFUBAoGBAJPT7Xsr7NIkrbv+aYXj\n" + "rVVJ1qokUEKT6H1GmFXO3Fkw3kjPKS8VZloKOB7OiBC+AwMEQIflArCZ+PJdnVNO\n" + "48ntHnaeaZk8rKXsYdJsqMKgIxZYZuCIazZz9WHeYxn5vkH76Q3DrfqrneJ3HSU/\n" + "pFtLoXoGoVXRjAtpNvX7fh/G\n" + "-----END PRIVATE KEY-----\n"; + +static void +hexdump(const unsigned char *buf, size_t len) +{ + size_t i; + + for (i = 1; i <= len; i++) + fprintf(stderr, " 0x%02x,%s", buf[i - 1], i % 8 ? "" : "\n"); + if (len % 8 != 0) + fprintf(stderr, "\n"); +} + +static int +test_cms_encrypt_decrypt(void) +{ + STACK_OF(X509) *certs = NULL; + CMS_ContentInfo *ci = NULL; + EVP_PKEY *pkey = NULL; + BIO *bio_mem = NULL; + BIO *bio_out = NULL; + X509 *cert = NULL; + size_t len; + char *p; + int failed = 1; + + if ((bio_out = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) + errx(1, "failed to create BIO"); + + if ((certs = sk_X509_new_null()) == NULL) + errx(1, "failed to create certs"); + if ((bio_mem = BIO_new_mem_buf(cms_cert_1, -1)) == NULL) + errx(1, "failed to create BIO for cert"); + if ((cert = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL)) == NULL) + errx(1, "failed to read cert"); + if (!sk_X509_push(certs, cert)) + errx(1, "failed to push cert"); + + BIO_free(bio_mem); + if ((bio_mem = BIO_new_mem_buf(cms_key_1, -1)) == NULL) + errx(1, "failed to create BIO for key"); + if ((pkey = PEM_read_bio_PrivateKey(bio_mem, NULL, NULL, NULL)) == NULL) + errx(1, "failed to read key"); + + BIO_free(bio_mem); + if ((bio_mem = BIO_new_mem_buf(cms_msg, -1)) == NULL) + errx(1, "failed to create BIO for message"); + + if ((ci = CMS_encrypt(certs, bio_mem, EVP_aes_256_cbc(), 0)) == NULL) { + fprintf(stderr, "FAIL: CMS_encrypt returned NULL\n"); + ERR_print_errors_fp(stderr); + goto failure; + } + + if (verbose) { + if (!CMS_ContentInfo_print_ctx(bio_out, ci, 0, NULL)) + errx(1, "failed to print CMS ContentInfo"); + if (!PEM_write_bio_CMS(bio_out, ci)) + errx(1, "failed to print CMS PEM"); + } + + BIO_free(bio_mem); + if ((bio_mem = BIO_new(BIO_s_mem())) == NULL) + errx(1, "failed to create BIO for message"); + + if (!CMS_decrypt(ci, pkey, cert, NULL, bio_mem, 0)) { + fprintf(stderr, "FAIL: CMS_decrypt failed\n"); + ERR_print_errors_fp(stderr); + goto failure; + } + + if ((len = BIO_get_mem_data(bio_mem, &p)) != strlen(cms_msg)) { + fprintf(stderr, "FAIL: CMS decrypt returned %li bytes, " + "want %zi bytes\n", len, strlen(cms_msg)); + fprintf(stderr, "Got CMS data:\n"); + hexdump(p, len); + fprintf(stderr, "Want CMS data:\n"); + hexdump(cms_msg, strlen(cms_msg)); + goto failure; + } + if (memcmp(p, cms_msg, len) != 0) { + fprintf(stderr, "FAIL: CMS decrypt message differs"); + fprintf(stderr, "Got CMS data:\n"); + hexdump(p, len); + fprintf(stderr, "Want CMS data:\n"); + hexdump(cms_msg, strlen(cms_msg)); + goto failure; + } + + failed = 0; + + failure: + BIO_free(bio_mem); + BIO_free(bio_out); + CMS_ContentInfo_free(ci); + EVP_PKEY_free(pkey); + sk_X509_free(certs); + X509_free(cert); + + return failed; +} + +static int +test_cms_sign_verify(void) +{ + STACK_OF(X509) *certs = NULL; + CMS_ContentInfo *ci = NULL; + X509_STORE *store = NULL; + EVP_PKEY *pkey = NULL; + BIO *bio_mem = NULL; + BIO *bio_out = NULL; + X509 *cert = NULL; + X509 *ca = NULL; + size_t len; + char *p; + int failed = 1; + + if ((bio_out = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) + errx(1, "failed to create BIO"); + + if ((certs = sk_X509_new_null()) == NULL) + errx(1, "failed to create certs"); + if ((bio_mem = BIO_new_mem_buf(cms_cert_1, -1)) == NULL) + errx(1, "failed to create BIO for cert"); + if ((cert = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL)) == NULL) + errx(1, "failed to read cert"); + if (!sk_X509_push(certs, cert)) + errx(1, "failed to push cert"); + + BIO_free(bio_mem); + if ((bio_mem = BIO_new_mem_buf(cms_ca_1, -1)) == NULL) + errx(1, "failed to create BIO for cert"); + if ((ca = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL)) == NULL) + errx(1, "failed to read cert"); + if ((store = X509_STORE_new()) == NULL) + errx(1, "failed to create X509 store"); + if (!X509_STORE_add_cert(store, ca)) + errx(1, "failed to add cert to store"); + + BIO_free(bio_mem); + if ((bio_mem = BIO_new_mem_buf(cms_key_1, -1)) == NULL) + errx(1, "failed to create BIO for key"); + if ((pkey = PEM_read_bio_PrivateKey(bio_mem, NULL, NULL, NULL)) == NULL) + errx(1, "failed to read key"); + + BIO_free(bio_mem); + if ((bio_mem = BIO_new_mem_buf(cms_msg, -1)) == NULL) + errx(1, "failed to create BIO for message"); + + if ((ci = CMS_sign(cert, pkey, NULL, bio_mem, 0)) == NULL) { + fprintf(stderr, "FAIL: CMS sign failed\n"); + ERR_print_errors_fp(stderr); + goto failure; + } + + if (verbose) { + if (!CMS_ContentInfo_print_ctx(bio_out, ci, 0, NULL)) + errx(1, "failed to print CMS ContentInfo"); + if (!PEM_write_bio_CMS(bio_out, ci)) + errx(1, "failed to print CMS PEM"); + } + + BIO_free(bio_mem); + if ((bio_mem = BIO_new(BIO_s_mem())) == NULL) + errx(1, "failed to create BIO for message"); + + if (!CMS_verify(ci, certs, store, NULL, bio_mem, 0)) { + fprintf(stderr, "FAIL: CMS_verify failed\n"); + ERR_print_errors_fp(stderr); + goto failure; + } + + if ((len = BIO_get_mem_data(bio_mem, &p)) != strlen(cms_msg)) { + fprintf(stderr, "FAIL: CMS verify returned %li bytes, " + "want %zi bytes\n", len, strlen(cms_msg)); + fprintf(stderr, "Got CMS data:\n"); + hexdump(p, len); + fprintf(stderr, "Want CMS data:\n"); + hexdump(cms_msg, strlen(cms_msg)); + goto failure; + } + if (memcmp(p, cms_msg, len) != 0) { + fprintf(stderr, "FAIL: CMS verify message differs"); + fprintf(stderr, "Got CMS data:\n"); + hexdump(p, len); + fprintf(stderr, "Want CMS data:\n"); + hexdump(cms_msg, strlen(cms_msg)); + goto failure; + } + + failed = 0; + + failure: + BIO_free(bio_mem); + BIO_free(bio_out); + CMS_ContentInfo_free(ci); + EVP_PKEY_free(pkey); + sk_X509_free(certs); + X509_free(cert); + X509_STORE_free(store); + X509_free(ca); + + return failed; +} + +int +main(int argc, char **argv) +{ + int failed = 0; + + ERR_load_crypto_strings(); + + failed |= test_cms_encrypt_decrypt(); + failed |= test_cms_sign_verify(); + + return failed; +} diff --git a/tests/compat/memmem.c b/tests/compat/memmem.c index 384857df..9b11960d 100644 --- a/tests/compat/memmem.c +++ b/tests/compat/memmem.c @@ -1,63 +1,183 @@ -/* $OpenBSD: memmem.c,v 1.4 2015/08/31 02:53:57 guenther Exp $ */ -/*- - * Copyright (c) 2005 Pascal Gloor +/* $OpenBSD: memmem.c,v 1.5 2020/04/16 12:39:28 claudio Exp $ */ + +/* + * Copyright (c) 2005-2020 Rich Felker, et al. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #include +#include + +static char * +twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) +{ + uint16_t nw = n[0]<<8 | n[1], hw = h[0]<<8 | h[1]; + for (h+=2, k-=2; k; k--, hw = hw<<8 | *h++) + if (hw == nw) return (char *)h-2; + return hw == nw ? (char *)h-2 : 0; +} + +static char * +threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) +{ + uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8; + uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8; + for (h+=3, k-=3; k; k--, hw = (hw|*h++)<<8) + if (hw == nw) return (char *)h-3; + return hw == nw ? (char *)h-3 : 0; +} + +static char * +fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) +{ + uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3]; + uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3]; + for (h+=4, k-=4; k; k--, hw = hw<<8 | *h++) + if (hw == nw) return (char *)h-4; + return hw == nw ? (char *)h-4 : 0; +} + +#define MAX(a,b) ((a)>(b)?(a):(b)) +#define MIN(a,b) ((a)<(b)?(a):(b)) + +#define BITOP(a,b,op) \ + ((a)[(size_t)(b)/(8*sizeof *(a))] op (size_t)1<<((size_t)(b)%(8*sizeof *(a)))) /* - * Find the first occurrence of the byte string s in byte string l. + * Maxime Crochemore and Dominique Perrin, Two-way string-matching, + * Journal of the ACM, 38(3):651-675, July 1991. */ - -void * -memmem(const void *l, size_t l_len, const void *s, size_t s_len) +static char * +twoway_memmem(const unsigned char *h, const unsigned char *z, + const unsigned char *n, size_t l) { - const char *cur, *last; - const char *cl = l; - const char *cs = s; + size_t i, ip, jp, k, p, ms, p0, mem, mem0; + size_t byteset[32 / sizeof(size_t)] = { 0 }; + size_t shift[256]; + + /* Computing length of needle and fill shift table */ + for (i=0; i n[jp+k]) { + jp += k; + k = 1; + p = jp - ip; + } else { + ip = jp++; + k = p = 1; + } + } + ms = ip; + p0 = p; + + /* And with the opposite comparison */ + ip = -1; jp = 0; k = p = 1; + while (jp+k ms+1) ms = ip; + else p = p0; - /* a zero length needle should just return the haystack */ - if (s_len == 0) - return (void *)cl; + /* Periodic needle? */ + if (memcmp(n, n+p, ms+1)) { + mem0 = 0; + p = MAX(ms, l-ms-1) + 1; + } else mem0 = l-p; + mem = 0; - /* "s" must be smaller or equal to "l" */ - if (l_len < s_len) - return NULL; + /* Search loop */ + for (;;) { + /* If remainder of haystack is shorter than needle, done */ + if (z-h < l) return 0; + + /* Check last byte first; advance by shift on mismatch */ + if (BITOP(byteset, h[l-1], &)) { + k = l-shift[h[l-1]]; + if (k) { + if (k < mem) k = mem; + h += k; + mem = 0; + continue; + } + } else { + h += l; + mem = 0; + continue; + } + + /* Compare right half */ + for (k=MAX(ms+1,mem); kmem && n[k-1] == h[k-1]; k--); + if (k <= mem) return (char *)h; + h += p; + mem = mem0; + } +} + +void * +memmem(const void *h0, size_t k, const void *n0, size_t l) +{ + const unsigned char *h = h0, *n = n0; - /* special case where s_len == 1 */ - if (s_len == 1) - return memchr(l, *cs, l_len); + /* Return immediately on empty needle */ + if (!l) return (void *)h; - /* the last position where its possible to find "s" in "l" */ - last = cl + l_len - s_len; + /* Return immediately when needle is longer than haystack */ + if (k * @@ -58,22 +58,27 @@ struct parse_protocols_test parse_protocols_tests[] = { .want_return = 0, .want_protocols = TLS_PROTOCOL_TLSv1_2, }, + { + .protostr = "tlsv1.3", + .want_return = 0, + .want_protocols = TLS_PROTOCOL_TLSv1_3, + }, { .protostr = "", .want_return = -1, .want_protocols = 0, }, { - .protostr = "tlsv1.0:tlsv1.1:tlsv1.2", + .protostr = "tlsv1.0:tlsv1.1:tlsv1.2:tlsv1.3", .want_return = 0, .want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | - TLS_PROTOCOL_TLSv1_2, + TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3, }, { - .protostr = "tlsv1.0,tlsv1.1,tlsv1.2", + .protostr = "tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3", .want_return = 0, .want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | - TLS_PROTOCOL_TLSv1_2, + TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3, }, { .protostr = "tlsv1.1,tlsv1.2,tlsv1.0", @@ -109,20 +114,22 @@ struct parse_protocols_test parse_protocols_tests[] = { { .protostr = "all,!tlsv1.0", .want_return = 0, - .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2, + .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | \ + TLS_PROTOCOL_TLSv1_3, }, { .protostr = "!tlsv1.0", .want_return = 0, - .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2, + .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | \ + TLS_PROTOCOL_TLSv1_3, }, { - .protostr = "!tlsv1.0,!tlsv1.1", + .protostr = "!tlsv1.0,!tlsv1.1,!tlsv1.3", .want_return = 0, .want_protocols = TLS_PROTOCOL_TLSv1_2, }, { - .protostr = "!tlsv1.0,!tlsv1.1,tlsv1.2", + .protostr = "!tlsv1.0,!tlsv1.1,tlsv1.2,!tlsv1.3", .want_return = 0, .want_protocols = TLS_PROTOCOL_TLSv1_2, }, diff --git a/tests/constraints.c b/tests/constraints.c new file mode 100644 index 00000000..7eef55d5 --- /dev/null +++ b/tests/constraints.c @@ -0,0 +1,492 @@ +/* $OpenBSD: constraints.c */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include +#include +#include "x509_internal.h" + + +#define FAIL(msg, ...) \ +do { \ + fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \ + fprintf(stderr, msg, ##__VA_ARGS__); \ +} while(0) + +unsigned char *valid_hostnames[] = { + "openbsd.org", + "op3nbsd.org", + "org", + "3openbsd.com", + "3-0penb-d.c-m", + "a", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "open_bsd.org", /* because this is liberal */ + NULL, +}; + +unsigned char *valid_sandns_names[] = { + "*.ca", + "*.op3nbsd.org", + NULL, +}; + +unsigned char *valid_domain_constraints[] = { + "", + ".ca", + ".op3nbsd.org", + ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "www.openbsd.org", + NULL, +}; + +unsigned char *valid_mbox_names[] = { + "\"!#$%&\\\"*+-/=?\002^_`{|}~.\"@openbsd.org", + "beck@openbsd.org", + "beck@openbsd.org", + "beck@op3nbsd.org", + "beck@org", + "beck@3openbsd.com", + "beck@3-0penb-d.c-m", + "bec@a", + "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "beck@open_bsd.org", /* because this is liberal */ + NULL, +}; + +unsigned char *invalid_hostnames[] = { + "openbsd.org.", + "openbsd..org", + "openbsd.org-", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", + "-p3nbsd.org", + "openbs-.org", + "openbsd\n.org", + "open\178bsd.org", + "open\255bsd.org", + NULL, +}; + +unsigned char *invalid_sandns_names[] = { + "", + ".", + "*.a", + "*.", + "*.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", + "*.-p3nbsd.org", + "a*.openbsd.org", + "*.*..openbsd.org", + "*..openbsd.org", + ".openbsd.org", + NULL, +}; + +unsigned char *invalid_mbox_names[] = { + "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", + "beck@.-openbsd.org", + "beck@.openbsd.org.", + "beck@.a", + "beck@.", + "beck@", + "beck@.ca", + "@openbsd.org", + NULL, +}; + +unsigned char *invalid_domain_constraints[] = { + ".", + ".a", + "..", + ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", + ".-p3nbsd.org", + "..openbsd.org", + NULL, +}; + +unsigned char *invaliduri[] = { + "https://-www.openbsd.org", + "https://.www.openbsd.org/", + "https://www.ope|nbsd.org%", + "https://www.openbsd.org.#", + "///", + "//", + "/", + "", + NULL, +}; + +static int +test_valid_hostnames(void) +{ + int i, failure = 0; + + for (i = 0; valid_hostnames[i] != NULL; i++) { + if (!x509_constraints_valid_host(valid_hostnames[i], + strlen(valid_hostnames[i]))) { + FAIL("Valid hostname '%s' rejected\n", + valid_hostnames[i]); + failure = 1; + goto done; + } + if (!x509_constraints_valid_sandns(valid_hostnames[i], + strlen(valid_hostnames[i]))) { + FAIL("Valid sandns '%s' rejected\n", + valid_hostnames[i]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +static int +test_valid_sandns_names(void) +{ + int i, failure = 0; + for (i = 0; valid_sandns_names[i] != NULL; i++) { + if (!x509_constraints_valid_sandns(valid_sandns_names[i], + strlen(valid_sandns_names[i]))) { + FAIL("Valid dnsname '%s' rejected\n", + valid_sandns_names[i]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +static int +test_valid_domain_constraints(void) +{ + int i, failure = 0; + for (i = 0; valid_domain_constraints[i] != NULL; i++) { + if (!x509_constraints_valid_domain_constraint(valid_domain_constraints[i], + strlen(valid_domain_constraints[i]))) { + FAIL("Valid dnsname '%s' rejected\n", + valid_domain_constraints[i]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +static int +test_valid_mbox_names(void) +{ + struct x509_constraints_name name = {0}; + int i, failure = 0; + for (i = 0; valid_mbox_names[i] != NULL; i++) { + if (!x509_constraints_parse_mailbox(valid_mbox_names[i], + strlen(valid_mbox_names[i]), &name)) { + FAIL("Valid mailbox name '%s' rejected\n", + valid_mbox_names[i]); + failure = 1; + goto done; + } + free(name.name); + name.name = NULL; + free(name.local); + name.local = NULL; + } + done: + return failure; +} + +static int +test_invalid_hostnames(void) +{ + int i, failure = 0; + char *nulhost = "www.openbsd.org\0"; + + for (i = 0; invalid_hostnames[i] != NULL; i++) { + if (x509_constraints_valid_host(invalid_hostnames[i], + strlen(invalid_hostnames[i]))) { + FAIL("Invalid hostname '%s' accepted\n", + invalid_hostnames[i]); + failure = 1; + goto done; + } + if (x509_constraints_valid_sandns(invalid_hostnames[i], + strlen(invalid_hostnames[i]))) { + FAIL("Invalid sandns '%s' accepted\n", + invalid_hostnames[i]); + failure = 1; + goto done; + } + } + if (x509_constraints_valid_host(nulhost, + strlen(nulhost) + 1)) { + FAIL("hostname with NUL byte accepted\n"); + failure = 1; + goto done; + } + if (x509_constraints_valid_sandns(nulhost, + strlen(nulhost) + 1)) { + FAIL("sandns with NUL byte accepted\n"); + failure = 1; + goto done; + } + done: + return failure; +} + +static int +test_invalid_sandns_names(void) +{ + int i, failure = 0; + for (i = 0; invalid_sandns_names[i] != NULL; i++) { + if (x509_constraints_valid_sandns(invalid_sandns_names[i], + strlen(invalid_sandns_names[i]))) { + FAIL("Valid dnsname '%s' rejected\n", + invalid_sandns_names[i]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +static int +test_invalid_mbox_names(void) +{ + int i, failure = 0; + struct x509_constraints_name name = {0}; + for (i = 0; invalid_mbox_names[i] != NULL; i++) { + if (x509_constraints_parse_mailbox(invalid_mbox_names[i], + strlen(invalid_mbox_names[i]), &name)) { + FAIL("invalid mailbox name '%s' accepted\n", + invalid_mbox_names[i]); + failure = 1; + goto done; + } + free(name.name); + name.name = NULL; + free(name.local); + name.local = NULL; + } + done: + return failure; +} + +static int +test_invalid_domain_constraints(void) +{ + int i, failure = 0; + for (i = 0; invalid_domain_constraints[i] != NULL; i++) { + if (x509_constraints_valid_domain_constraint(invalid_domain_constraints[i], + strlen(invalid_domain_constraints[i]))) { + FAIL("invalid dnsname '%s' accepted\n", + invalid_domain_constraints[i]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +static int +test_invalid_uri(void) { + int j, failure=0; + char *hostpart; + for (j = 0; invaliduri[j] != NULL; j++) { + if (x509_constraints_uri_host(invaliduri[j], + strlen(invaliduri[j]), &hostpart) != 0) { + FAIL("invalid URI '%s' accepted\n", + invaliduri[j]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +static int +test_constraints1(void) +{ + char *c; size_t cl; + char *d; size_t dl; + int failure = 0; + int error = 0; + int i, j; + unsigned char *constraints[] = { + ".org", + ".openbsd.org", + "www.openbsd.org", + NULL, + }; + unsigned char *failing[] = { + ".ca", + "openbsd.ca", + "org", + NULL, + }; + unsigned char *matching[] = { + "www.openbsd.org", + NULL, + }; + unsigned char *matchinguri[] = { + "https://www.openbsd.org", + "https://www.openbsd.org/", + "https://www.openbsd.org?", + "https://www.openbsd.org#", + "herp://beck@www.openbsd.org:", + "spiffe://beck@www.openbsd.org/this/is/so/spiffe/", + NULL, + }; + unsigned char *failinguri[] = { + "https://www.openbsd.ca", + "https://www.freebsd.com/", + "https://www.openbsd.net?", + "https://org#", + "herp://beck@org:", + "///", + "//", + "/", + "", + NULL, + }; + for (i = 0; constraints[i] != NULL; i++) { + char *constraint = constraints[i]; + size_t clen = strlen(constraints[i]); + for (j = 0; matching[j] != NULL; j++) { + if (!x509_constraints_domain(matching[j], + strlen(matching[j]), constraint, clen)) { + FAIL("constraint '%s' should have matched" + " '%s'\n", + constraint, matching[j]); + failure = 1; + goto done; + } + } + for (j = 0; matchinguri[j] != NULL; j++) { + error = 0; + if (!x509_constraints_uri(matchinguri[j], + strlen(matchinguri[j]), constraint, clen, &error)) { + FAIL("constraint '%s' should have matched URI" + " '%s' (error %d)\n", + constraint, matchinguri[j], error); + failure = 1; + goto done; + } + } + for (j = 0; failing[j] != NULL; j++) { + if (x509_constraints_domain(failing[j], + strlen(failing[j]), constraint, clen)) { + FAIL("constraint '%s' should not have matched" + " '%s'\n", + constraint, failing[j]); + failure = 1; + goto done; + } + } + for (j = 0; failinguri[j] != NULL; j++) { + error = 0; + if (x509_constraints_uri(failinguri[j], + strlen(failinguri[j]), constraint, clen, &error)) { + FAIL("constraint '%s' should not have matched URI" + " '%s' (error %d)\n", + constraint, failinguri[j], error); + failure = 1; + goto done; + } + } + } + c = ".openbsd.org"; + cl = strlen(".openbsd.org"); + d = "*.openbsd.org"; + dl = strlen("*.openbsd.org"); + if (!x509_constraints_domain(d, dl, c, cl)) { + FAIL("constraint '%s' should have matched '%s'\n", + c, d); + failure = 1; + goto done; + } + c = "www.openbsd.org"; + cl = strlen("www.openbsd.org"); + if (x509_constraints_domain(d, dl, c, cl)) { + FAIL("constraint '%s' should not have matched '%s'\n", + c, d); + failure = 1; + goto done; + } + c = ""; + cl = 0; + if (!x509_constraints_domain(d, dl, c, cl)) { + FAIL("constraint '%s' should have matched '%s'\n", + c, d); + failure = 1; + goto done; + } + done: + return failure; +} + +int +main(int argc, char **argv) +{ + int failed = 0; + + failed |= test_valid_hostnames(); + failed |= test_invalid_hostnames(); + failed |= test_valid_sandns_names(); + failed |= test_invalid_sandns_names(); + failed |= test_valid_mbox_names(); + failed |= test_invalid_mbox_names(); + failed |= test_valid_domain_constraints(); + failed |= test_invalid_domain_constraints(); + failed |= test_invalid_uri(); + failed |= test_constraints1(); + + return (failed); +} diff --git a/tests/evptest.c b/tests/evptest.c index ac15a55a..8dc9fc0b 100644 --- a/tests/evptest.c +++ b/tests/evptest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evptest.c,v 1.8 2019/03/17 18:33:01 tb Exp $ */ +/* $OpenBSD: evptest.c,v 1.9 2020/01/26 02:46:26 tb Exp $ */ /* Written by Ben Laurie, 2001 */ /* * Copyright (c) 2001 The OpenSSL Project. All rights reserved. @@ -350,7 +350,7 @@ main(int argc, char **argv) #endif for (;;) { - char line[4096]; + char line[8 * 1024]; char *p; char *cipher; unsigned char *iv, *key, *plaintext, *ciphertext; diff --git a/tests/evptests.txt b/tests/evptests.txt index ef144095..2a580652 100644 --- a/tests/evptests.txt +++ b/tests/evptests.txt @@ -1,4 +1,4 @@ -# $OpenBSD: evptests.txt,v 1.7 2019/05/09 23:01:09 tb Exp $ +# $OpenBSD: evptests.txt,v 1.9 2020/01/26 03:31:40 tb Exp $ #cipher:key:iv:plaintext:ciphertext:0/1(decrypt/encrypt) #digest:::input:output @@ -355,11 +355,30 @@ SEED-ECB:4706480851E61BE85D74BFB3FD956185::83A2F8A288641FB9A4E9A5CC2F131C7D:EE54 SEED-ECB:28DBC3BC49FFD87DCFA509B11D422BE7::B41E6BE2EBA84A148E2EED84593C5EC7:9B9B7BFCD1813CB95D0B3618F40F5122:1 # ChaCha test vectors -ChaCha:0000000000000000000000000000000000000000000000000000000000000000:0000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586:1 -ChaCha:0100000000000000000000000000000000000000000000000000000000000000:0000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:c5d30a7ce1ec119378c84f487d775a8542f13ece238a9455e8229e888de85bbd29eb63d0a17a5b999b52da22be4023eb07620a54f6fa6ad8737b71eb0464dac0:1 -ChaCha:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff:ffffffffffffffff:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:d9bf3f6bce6ed0b54254557767fb57443dd4778911b606055c39cc25e674b8363feabc57fde54f790c52c8ae43240b79d49042b777bfd6cb80e931270b7f50eb:1 -ChaCha:5555555555555555555555555555555555555555555555555555555555555555:aaaaaaaaaaaaaaaa:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:aff7418293f3a553894b1e7484bd1e8ede196eced5a1d6814de37091e07e076e34bbba8107a686c982850f0a7353940d40db1ab0b5765b78b4cf473d9485a3dd:1 -ChaCha:5555555555555555555555555555555555555555555555555555555555555555:5555555555555555:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:bea9411aa453c5434a5ae8c92862f564396855a9ea6e22d6d3b50ae1b3663311a4a3606c671d605ce16c3aece8e61ea145c59775017bee2fa6f88afc758069f7:1 -ChaCha:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaa:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:9aa2a9f656efde5aa7591c5fed4b35aea2895dec7cb4543b9e9f21f5e7bcbcf3c43c748a970888f8248393a09d43e0b7e164bc4d0b0fb240a2d72115c4808906:1 -ChaCha:00112233445566778899aabbccddeeffffeeddccbbaa99887766554433221100:0f1e2d3c4b5a6978:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:9fadf409c00811d00431d67efbd88fba59218d5d6708b1d685863fabbb0e961eea480fd6fb532bfd494b2151015057423ab60a63fe4f55f7a212e2167ccab931:1 -ChaCha:c46ec1b18ce8a878725a37e780dfb7351f68ed2e194c79fbc6aebee1a667975d:1ada31d5cf688221:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f63a89b75c2271f9368816542ba52f06ed49241792302b00b5e8f80ae9a473afc25b218f519af0fdd406362e8d69de7f54c604a6e00f353f110f771bdca8ab92:1 +ChaCha:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586:1 +ChaCha:0000000000000000000000000000000000000000000000000000000000000000:01000000000000000000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f:1 +ChaCha:0000000000000000000000000000000000000000000000000000000000000001:01000000000000000000000000000002:416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f:a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221:1 +ChaCha:1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0:2a000000000000000000000000000002:2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e:62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1:1 +ChaCha:0000000000000000000000000000000000000000000000000000000000000001:00000000000000000000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea817e9ad275ae546963:1 +ChaCha:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000001:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df137821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e445f41e31afab757:1 +ChaCha:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000100000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd138e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d6bbdb0041b2f586b:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c730:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444a:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE5D493C19E38A77939E7A058D713E9CCCCA58045F436B434B1C80D365472406E392951987DB6905C80D431DA18451135BE7E82BCAB358CB3971E61405B2FF1798:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE5D493C19E38A77939E7A058D713E9CCCCA58045F436B434B1C80D365472406E392951987DB6905C80D431DA18451135BE7E82BCAB358CB3971E61405B2FF17980D6E7E67E861E28201C1EE30B441040FD06878D65042C95582A4318207BFC700BE0CE32889AEC2FFE5085E8967910D879FA0E8C0FF85FDC510B9FF2FBF87CFCB:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE5D493C19E38A77939E7A058D713E9CCCCA58045F436B434B1C80D365472406E392951987DB6905C80D431DA18451135BE7E82BCAB358CB3971E61405B2FF17980D6E7E67E861E28201C1EE30B441040FD06878D65042C95582A4318207BFC700BE0CE32889AEC2FFE5085E8967910D879FA0E8C0FF85FDC510B9FF2FBF87CFCB29577D68099E04FFA05F752A73D377C70D3A8BC2DA80E6E780EC057182C33AD1DE387252258A1E18E6FAD910327CE7F42FD1E1E0515F9586E2F2EFCB9F472B1D:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE5D493C19E38A77939E7A058D713E9CCCCA58045F436B434B1C80D365472406E392951987DB6905C80D431DA18451135BE7E82BCAB358CB3971E61405B2FF17980D6E7E67E861E28201C1EE30B441040FD06878D65042C95582A4318207BFC700BE0CE32889AEC2FFE5085E8967910D879FA0E8C0FF85FDC510B9FF2FBF87CFCB29577D68099E04FFA05F752A73D377C70D3A8BC2DA80E6E780EC057182C33AD1DE387252258A1E18E6FAD910327CE7F42FD1E1E0515F9586E2F2EFCB9F472B1DBDBAC354A4162151E9D92C79FB08BB4DDC56F19448C0175A46E2E6C491FEC71419AA43A349BEA768A92C75DE68FD9591E68067F3197094D3FB87ED81785EA075:1 +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE5D493C19E38A77939E7A058D713E9CCCCA58045F436B434B1C80D365472406E392951987DB6905C80D431DA18451135BE7E82BCAB358CB3971E61405B2FF17980D6E7E67E861E28201C1EE30B441040FD06878D65042C95582A4318207BFC700BE0CE32889AEC2FFE5085E8967910D879FA0E8C0FF85FDC510B9FF2FBF87CFCB29577D68099E04FFA05F752A73D377C70D3A8BC2DA80E6E780EC057182C33AD1DE387252258A1E18E6FAD910327CE7F42FD1E1E0515F9586E2F2EFCB9F472B1DBDBAC354A4162151E9D92C79FB08BB4DDC56F19448C0175A46E2E6C491FEC71419AA43A349BEA768A92C75DE68FD9591E68067F3197094D3FB87ED81785EA075E4B65E3E4C78F81DA9B751C5EFE024152301C48E63245B556C4C67AFF857E5EA15A908D83A1D9704F8E55E7352B20B694BF9970298E6B5AAD33EA2155D105D4E:1 + +ChaCha:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:00000000000000000001020304050607:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c94213668bbbd394c5de93b853178addd6b97f9fa1ec3e56c00c9ddff0a44a204241175a4cab0f961ba53ede9bdf960b94f9829b1f3414726429b362c5b538e391520f489b7ed8d20ae3fd49e9e259e44397514d618c96c4846be3c680bdc11c71dcbbe29ccf80d62a0938fa549391e6ea57ecbe2606790ec15d2224ae307c144226b7c4e8c2f97d2a1d67852d29beba110edd445197012062a393a9c92803ad3b4f31d7bc6033ccf7932cfed3f019044d25905916777286f82f9a4cc1ffe430ffd1dcfc27deed327b9f9630d2fa969fb6f0603cd19dd9a9519e673bcfcd9014125291a44669ef7285e74ed3729b677f801c3cdf058c50963168b496043716c7307cd9e0cdd137fccb0f05b47cdbb95c5f54831622c3652a32b2531fe326bcd6e2bbf56a194fa196fbd1a54952110f51c73433865f7664b836685e3664b3d8444aF89A242805E18C975F1146324996FDE17007CF3E6E8F4E764022533EDBFE07D4733E48BB372D75B0EF48EC983EB78532161CC529E5ABB89837DFCCA6261DBB37C7C5E6A87478BF41EE85A518C0F4EFA9BDE828C5A71B8E46597B634AFD204D3C501334239C3414285ED72D3A9169EABBD4DC25D52BB7516D3BA712D75AD8C0AE5D493C19E38A77939E7A058D713E9CCCCA58045F436B434B1C80D365472406E392951987DB6905C80D431DA18451135BE7E82BCAB358CB3971E61405B2FF17980D6E7E67E861E28201C1EE30B441040FD06878D65042C95582A4318207BFC700BE0CE32889AEC2FFE5085E8967910D879FA0E8C0FF85FDC510B9FF2FBF87CFCB29577D68099E04FFA05F752A73D377C70D3A8BC2DA80E6E780EC057182C33AD1DE387252258A1E18E6FAD910327CE7F42FD1E1E0515F9586E2F2EFCB9F472B1DBDBAC354A4162151E9D92C79FB08BB4DDC56F19448C0175A46E2E6C491FEC71419AA43A349BEA768A92C75DE68FD9591E68067F3197094D3FB87ED81785EA075E4B65E3E4C78F81DA9B751C5EFE024152301C48E63245B556C4C67AFF857E5EA15A908D83A1D9704F8E55E7352B20B694BF9970298E6B5AAD33EA2155D105D4E637D1E87C40A8E5F4E8C5A16A4B8F3DC27B31721D77A65FD1ED6F86BE25FB95DB29B1988493770A7C60E451FF97DD241A236851FC425691979FE30226559AD95:1 +ChaCha:0100000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:c5d30a7ce1ec119378c84f487d775a8542f13ece238a9455e8229e888de85bbd29eb63d0a17a5b999b52da22be4023eb07620a54f6fa6ad8737b71eb0464dac0:1 +ChaCha:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff:0000000000000000ffffffffffffffff0000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:d9bf3f6bce6ed0b54254557767fb57443dd4778911b606055c39cc25e674b8363feabc57fde54f790c52c8ae43240b79d49042b777bfd6cb80e931270b7f50eb:1 +ChaCha:5555555555555555555555555555555555555555555555555555555555555555:0000000000000000aaaaaaaaaaaaaaaa0000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:aff7418293f3a553894b1e7484bd1e8ede196eced5a1d6814de37091e07e076e34bbba8107a686c982850f0a7353940d40db1ab0b5765b78b4cf473d9485a3dd:1 +ChaCha:5555555555555555555555555555555555555555555555555555555555555555:000000000000000055555555555555550000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:bea9411aa453c5434a5ae8c92862f564396855a9ea6e22d6d3b50ae1b3663311a4a3606c671d605ce16c3aece8e61ea145c59775017bee2fa6f88afc758069f7:1 +ChaCha:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0000000000000000aaaaaaaaaaaaaaaa0000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:9aa2a9f656efde5aa7591c5fed4b35aea2895dec7cb4543b9e9f21f5e7bcbcf3c43c748a970888f8248393a09d43e0b7e164bc4d0b0fb240a2d72115c4808906:1 +ChaCha:00112233445566778899aabbccddeeffffeeddccbbaa99887766554433221100:00000000000000000f1e2d3c4b5a69780000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:9fadf409c00811d00431d67efbd88fba59218d5d6708b1d685863fabbb0e961eea480fd6fb532bfd494b2151015057423ab60a63fe4f55f7a212e2167ccab931:1 +ChaCha:c46ec1b18ce8a878725a37e780dfb7351f68ed2e194c79fbc6aebee1a667975d:00000000000000001ada31d5cf6882210000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:f63a89b75c2271f9368816542ba52f06ed49241792302b00b5e8f80ae9a473afc25b218f519af0fdd406362e8d69de7f54c604a6e00f353f110f771bdca8ab92:1 diff --git a/tests/explicit_bzero.c b/tests/explicit_bzero.c index 34c60baa..9c0e9178 100644 --- a/tests/explicit_bzero.c +++ b/tests/explicit_bzero.c @@ -1,4 +1,4 @@ -/* $OpenBSD: explicit_bzero.c,v 1.6 2014/07/11 01:10:35 matthew Exp $ */ +/* $OpenBSD: explicit_bzero.c,v 1.7 2021/03/27 11:17:58 bcook Exp $ */ /* * Copyright (c) 2014 Google Inc. * @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -36,19 +37,33 @@ enum { SECRETBYTES = SECRETCOUNT * sizeof(secret) }; -static char altstack[SIGSTKSZ + SECRETBYTES]; +/* + * As of glibc 2.34, when _GNU_SOURCE is defined, SIGSTKSZ is no longer + * constant on Linux. SIGSTKSZ is redefined to sysconf (_SC_SIGSTKSZ). + */ +static char *altstack; +#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES) static void setup_stack(void) { + altstack = calloc(1, ALTSTACK_SIZE); + ASSERT_NE(NULL, altstack); + const stack_t sigstk = { .ss_sp = altstack, - .ss_size = sizeof(altstack), + .ss_size = ALTSTACK_SIZE }; ASSERT_EQ(0, sigaltstack(&sigstk, NULL)); } +static void +cleanup_stack(void) +{ + free(altstack); +} + static void assert_on_stack(void) { @@ -129,7 +144,7 @@ test_without_bzero() char buf[SECRETBYTES]; assert_on_stack(); populate_secret(buf, sizeof(buf)); - char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf)); + char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf)); ASSERT_NE(NULL, res); return (res); } @@ -140,7 +155,7 @@ test_with_bzero() char buf[SECRETBYTES]; assert_on_stack(); populate_secret(buf, sizeof(buf)); - char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf)); + char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf)); ASSERT_NE(NULL, res); explicit_bzero(buf, sizeof(buf)); return (res); @@ -183,15 +198,17 @@ main() * on the stack. This sanity checks that call_on_stack() and * populate_secret() work as intended. */ - memset(altstack, 0, sizeof(altstack)); + memset(altstack, 0, ALTSTACK_SIZE); call_on_stack(do_test_without_bzero); /* * Now test with a call to explicit_bzero() and check that we * *don't* find any instances of the secret data. */ - memset(altstack, 0, sizeof(altstack)); + memset(altstack, 0, ALTSTACK_SIZE); call_on_stack(do_test_with_bzero); + cleanup_stack(); + return (0); } diff --git a/tests/freenull.c b/tests/freenull.c index fbecf783..18bd3a58 100644 --- a/tests/freenull.c +++ b/tests/freenull.c @@ -1,7 +1,8 @@ -/* $OpenBSD: freenull.c.head,v 1.2 2018/07/10 20:55:57 tb Exp $ */ +/* $OpenBSD: freenull.c.head,v 1.3 2019/11/02 15:38:46 jsing Exp $ */ #include #include +#include #include #include #include @@ -62,6 +63,8 @@ main(int argc, char **argv) BUF_MEM_free(NULL); CERTIFICATEPOLICIES_free(NULL); CMAC_CTX_free(NULL); + CMS_ContentInfo_free(NULL); + CMS_ReceiptRequest_free(NULL); COMP_CTX_free(NULL); CONF_free(NULL); CRL_DIST_POINTS_free(NULL); @@ -152,6 +155,7 @@ main(int argc, char **argv) POLICY_MAPPING_free(NULL); PROXY_CERT_INFO_EXTENSION_free(NULL); PROXY_POLICY_free(NULL); + RSA_OAEP_PARAMS_free(NULL); RSA_PSS_PARAMS_free(NULL); RSA_free(NULL); RSA_meth_free(NULL); diff --git a/tests/handshake_table.c b/tests/handshake_table.c index 494f72fd..de59ca19 100644 --- a/tests/handshake_table.c +++ b/tests/handshake_table.c @@ -1,4 +1,4 @@ -/* $OpenBSD: handshake_table.c,v 1.11 2019/04/05 20:25:25 tb Exp $ */ +/* $OpenBSD: handshake_table.c,v 1.15 2020/05/14 18:04:19 tb Exp $ */ /* * Copyright (c) 2019 Theo Buehler * @@ -23,6 +23,8 @@ #include "tls13_handshake.h" +#define MAX_FLAGS (UINT8_MAX + 1) + /* * From RFC 8446: * @@ -86,16 +88,16 @@ struct child { static struct child stateinfo[][TLS13_NUM_MESSAGE_TYPES] = { [CLIENT_HELLO] = { - {SERVER_HELLO, DEFAULT, 0, 0}, + {SERVER_HELLO_RETRY_REQUEST, DEFAULT, 0, 0}, + {SERVER_HELLO, WITHOUT_HRR, 0, 0}, }, - [SERVER_HELLO] = { - {SERVER_ENCRYPTED_EXTENSIONS, DEFAULT, 0, 0}, - {CLIENT_HELLO_RETRY, WITH_HRR, 0, 0}, + [SERVER_HELLO_RETRY_REQUEST] = { + {CLIENT_HELLO_RETRY, DEFAULT, 0, 0}, }, [CLIENT_HELLO_RETRY] = { - {SERVER_HELLO_RETRY, DEFAULT, 0, 0}, + {SERVER_HELLO, DEFAULT, 0, 0}, }, - [SERVER_HELLO_RETRY] = { + [SERVER_HELLO] = { {SERVER_ENCRYPTED_EXTENSIONS, DEFAULT, 0, 0}, }, [SERVER_ENCRYPTED_EXTENSIONS] = { @@ -134,7 +136,7 @@ static struct child stateinfo[][TLS13_NUM_MESSAGE_TYPES] = { const size_t stateinfo_count = sizeof(stateinfo) / sizeof(stateinfo[0]); void build_table(enum tls13_message_type - table[UINT8_MAX][TLS13_NUM_MESSAGE_TYPES], + table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], struct child current, struct child end, struct child path[], uint8_t flags, unsigned int depth); size_t count_handshakes(void); @@ -152,7 +154,7 @@ void fprint_flags(FILE *stream, uint8_t flags); const char *mt2str(enum tls13_message_type mt); __dead void usage(void); int verify_table(enum tls13_message_type - table[UINT8_MAX][TLS13_NUM_MESSAGE_TYPES], int print); + table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], int print); const char * flag2str(uint8_t flag) @@ -172,8 +174,8 @@ flag2str(uint8_t flag) case WITHOUT_CR: ret = "WITHOUT_CR"; break; - case WITH_HRR: - ret = "WITH_HRR"; + case WITHOUT_HRR: + ret = "WITHOUT_HRR"; break; case WITH_PSK: ret = "WITH_PSK"; @@ -218,17 +220,11 @@ mt2str(enum tls13_message_type mt) case CLIENT_FINISHED: ret = "CLIENT_FINISHED"; break; - case CLIENT_KEY_UPDATE: - ret = "CLIENT_KEY_UPDATE"; - break; case SERVER_HELLO: ret = "SERVER_HELLO"; break; - case SERVER_HELLO_RETRY: - ret = "SERVER_HELLO_RETRY"; - break; - case SERVER_NEW_SESSION_TICKET: - ret = "SERVER_NEW_SESSION_TICKET"; + case SERVER_HELLO_RETRY_REQUEST: + ret = "SERVER_HELLO_RETRY_REQUEST"; break; case SERVER_ENCRYPTED_EXTENSIONS: ret = "SERVER_ENCRYPTED_EXTENSIONS"; @@ -376,7 +372,7 @@ count_handshakes(void) } void -build_table(enum tls13_message_type table[UINT8_MAX][TLS13_NUM_MESSAGE_TYPES], +build_table(enum tls13_message_type table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], struct child current, struct child end, struct child path[], uint8_t flags, unsigned int depth) { @@ -415,7 +411,7 @@ build_table(enum tls13_message_type table[UINT8_MAX][TLS13_NUM_MESSAGE_TYPES], } int -verify_table(enum tls13_message_type table[UINT8_MAX][TLS13_NUM_MESSAGE_TYPES], +verify_table(enum tls13_message_type table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES], int print) { int success = 1, i; @@ -464,9 +460,11 @@ int main(int argc, char *argv[]) { static enum tls13_message_type - hs_table[UINT8_MAX][TLS13_NUM_MESSAGE_TYPES] = { + hs_table[MAX_FLAGS][TLS13_NUM_MESSAGE_TYPES] = { [INITIAL] = { CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, SERVER_HELLO, }, }; @@ -481,6 +479,7 @@ main(int argc, char *argv[]) unsigned int depth = 0; int ch, graphviz = 0, print = 0; +#ifndef _MSC_VER while ((ch = getopt(argc, argv, "Cg")) != -1) { switch (ch) { case 'C': @@ -498,6 +497,7 @@ main(int argc, char *argv[]) if (argc != 0) usage(); +#endif if (graphviz && print) usage(); diff --git a/tests/key_schedule.c b/tests/key_schedule.c index 2b03b9a4..2746bb59 100644 --- a/tests/key_schedule.c +++ b/tests/key_schedule.c @@ -1,6 +1,6 @@ -/* $OpenBSD: key_schedule.c,v 1.7 2019/05/09 05:47:27 claudio Exp $ */ +/* $OpenBSD: key_schedule.c,v 1.9 2019/11/18 02:09:58 beck Exp $ */ /* - * Copyright (c) 2018 Bob Beck + * Copyright (c) 2018-2019 Bob Beck * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -154,6 +154,27 @@ uint8_t expected_server_application_traffic[] = { 0x4b, 0x4f, 0x1f, 0x3f, 0xcb, 0x63, 0x16, 0x43 }; +uint8_t expected_server_application_traffic_updated[] = { + 0x51, 0x92, 0x1b, 0x8a, 0xa3, 0x00, 0x19, 0x76, + 0xeb, 0x40, 0x1d, 0x0a, 0x43, 0x19, 0xa8, 0x51, + 0x64, 0x16, 0xa6, 0xc5, 0x60, 0x01, 0xa3, 0x57, + 0xe5, 0xd1, 0x62, 0x03, 0x1e, 0x84, 0xf9, 0x16, +}; + +uint8_t expected_client_application_traffic[] = { + 0x9e, 0x40, 0x64, 0x6c, 0xe7, 0x9a, 0x7f, 0x9d, + 0xc0, 0x5a, 0xf8, 0x88, 0x9b, 0xce, 0x65, 0x52, + 0x87, 0x5a, 0xfa, 0x0b, 0x06, 0xdf, 0x00, 0x87, + 0xf7, 0x92, 0xeb, 0xb7, 0xc1, 0x75, 0x04, 0xa5, +}; + +uint8_t expected_client_application_traffic_updated[] = { + 0xfc, 0xdf, 0xcc, 0x72, 0x72, 0x5a, 0xae, 0xe4, + 0x8b, 0xf6, 0x4e, 0x4f, 0xd8, 0xb7, 0x49, 0xcd, + 0xbd, 0xba, 0xb3, 0x9d, 0x90, 0xda, 0x0b, 0x26, + 0xe2, 0x24, 0x5c, 0xa6, 0xea, 0x16, 0x72, 0x07, +}; + uint8_t expected_exporter_master[] = { 0xfe, 0x22, 0xf8, 0x81, 0x17, 0x6e, 0xda, 0x18, 0xeb, 0x8f, 0x44, 0x52, 0x9e, 0x67, 0x92, 0xc5, @@ -259,6 +280,13 @@ main (int argc, char **argv) expected_server_application_traffic, 32) != 0) FAIL("server_application_traffic does not match\n"); + fprintf(stderr, "client_application_traffic:\n"); + compare_data(secrets->client_application_traffic.data, 32, + expected_client_application_traffic, 32); + if (memcmp(secrets->client_application_traffic.data, + expected_client_application_traffic, 32) != 0) + FAIL("server_application_traffic does not match\n"); + fprintf(stderr, "exporter_master:\n"); compare_data(secrets->exporter_master.data, 32, expected_exporter_master, 32); @@ -266,6 +294,23 @@ main (int argc, char **argv) expected_exporter_master, 32) != 0) FAIL("exporter_master does not match\n"); + tls13_update_server_traffic_secret(secrets); + fprintf(stderr, "server_application_traffic after update:\n"); + compare_data(secrets->server_application_traffic.data, 32, + expected_server_application_traffic_updated, 32); + if (memcmp(secrets->server_application_traffic.data, + expected_server_application_traffic_updated, 32) != 0) + FAIL("server_application_traffic does not match after update\n"); + + + tls13_update_client_traffic_secret(secrets); + fprintf(stderr, "client_application_traffic after update:\n"); + compare_data(secrets->client_application_traffic.data, 32, + expected_client_application_traffic_updated, 32); + if (memcmp(secrets->client_application_traffic.data, + expected_client_application_traffic_updated, 32) != 0) + FAIL("client_application_traffic does not match after update\n"); + tls13_secrets_destroy(secrets); return failures; diff --git a/tests/mont.c b/tests/mont.c index 30d5317b..54626b5c 100644 --- a/tests/mont.c +++ b/tests/mont.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mont.c,v 1.2 2014/10/22 13:23:05 jsing Exp $ */ +/* $OpenBSD: mont.c,v 1.4 2021/04/04 19:36:09 tb Exp $ */ /* * Copyright (c) 2014 Miodrag Vallat. @@ -34,8 +34,9 @@ int main(int argc, char *argv[]) { - DH *dh; - unsigned char *key, r[32 + 16 * 8]; + DH *dh = NULL; + unsigned char *key = NULL; + unsigned char r[32 + 16 * 8]; size_t privsz; arc4random_buf(r, sizeof(r)); @@ -62,12 +63,16 @@ main(int argc, char *argv[]) goto err; free(key); + key = NULL; DH_free(dh); + dh = NULL; } return 0; -err: + err: ERR_print_errors_fp(stderr); + free(key); + DH_free(dh); return 1; } diff --git a/tests/pkcs7test.c b/tests/pkcs7test.c index 5a72586c..28e0f67a 100644 --- a/tests/pkcs7test.c +++ b/tests/pkcs7test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7test.c,v 1.4 2018/11/10 02:23:28 jsing Exp $ */ +/* $OpenBSD: pkcs7test.c,v 1.5 2021/04/07 17:21:40 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -103,7 +103,7 @@ static void fatal(const char *msg) { warnx("%s", msg); - ERR_print_errors(BIO_new_fd(STDERR_FILENO, 0)); + ERR_print_errors_fp(stderr); exit(1); } diff --git a/tests/record_layer_test.c b/tests/record_layer_test.c new file mode 100644 index 00000000..4e75ba4a --- /dev/null +++ b/tests/record_layer_test.c @@ -0,0 +1,306 @@ +/* $OpenBSD: record_layer_test.c,v 1.4 2021/03/29 16:22:02 jsing Exp $ */ +/* + * Copyright (c) 2019, 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include "ssl_locl.h" +#include "tls13_internal.h" +#include "tls13_record.h" + +int tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, + uint8_t *seq_num); +int tls13_record_layer_inc_seq_num(uint8_t *seq_num); + +static void +hexdump(const unsigned char *buf, size_t len) +{ + size_t i; + + for (i = 1; i <= len; i++) + fprintf(stderr, " 0x%02x,%s", buf[i - 1], i % 8 ? "" : "\n"); + if (len % 8 != 0) + fprintf(stderr, "\n"); +} + +struct seq_num_test { + uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; + uint8_t want_num[TLS13_RECORD_SEQ_NUM_LEN]; + int want; +}; + +struct seq_num_test seq_num_dtls_tests[] = { + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xff}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00}, + .want = 1, + }, + { + .seq_num = {0xab, 0xcd, 0xef, 0x00, 0xfe, 0xff, 0xff, 0xff}, + .want_num = {0xab, 0xcd, 0xef, 0x00, 0xff, 0x00, 0x00, 0x00}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 0, + }, + { + .seq_num = {0x01, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0x01, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want = 1, + }, + { + .seq_num = {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + .want_num = {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 1, + }, + { + .seq_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .want = 1, + }, + { + .seq_num = {0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 0, + }, + { + .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 1, + }, + { + .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 0, + }, +}; + +#define N_SEQ_NUM_DTLS_TESTS \ + (sizeof(seq_num_dtls_tests) / sizeof(seq_num_dtls_tests[0])) + +struct seq_num_test seq_num_tls_tests[] = { + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xff}, + .want_num = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00}, + .want = 1, + }, + { + .seq_num = {0xab, 0xcd, 0xef, 0x00, 0xfe, 0xff, 0xff, 0xff}, + .want_num = {0xab, 0xcd, 0xef, 0x00, 0xff, 0x00, 0x00, 0x00}, + .want = 1, + }, + { + .seq_num = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want = 1, + }, + { + .seq_num = {0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want = 1, + }, + { + .seq_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want_num = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .want = 1, + }, + { + .seq_num = {0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .want = 1, + }, + { + .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 1, + }, + { + .seq_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want_num = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + .want = 0, + }, +}; + +#define N_SEQ_NUM_TLS_TESTS \ + (sizeof(seq_num_tls_tests) / sizeof(seq_num_tls_tests[0])) + +#ifndef TLS12_RECORD_SEQ_NUM_LEN +#define TLS12_RECORD_SEQ_NUM_LEN 8 +#endif + +static int +do_seq_num_test_tls12(size_t test_no, int dtls, struct seq_num_test *snt) +{ + uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; + struct tls12_record_layer *rl; + int failed = 1; + int ret; + + if ((rl = tls12_record_layer_new()) == NULL) + errx(1, "tls12_record_layer_new"); + + if (dtls) + tls12_record_layer_set_version(rl, DTLS1_2_VERSION); + + memcpy(seq_num, snt->seq_num, sizeof(seq_num)); + + if ((ret = tls12_record_layer_inc_seq_num(rl, seq_num)) != snt->want) { + fprintf(stderr, "FAIL: Test %zu - got return %i, want %i\n", + test_no, ret, snt->want); + goto failure; + } + + if (memcmp(seq_num, snt->want_num, sizeof(seq_num)) != 0) { + fprintf(stderr, "FAIL: Test %zu - got sequence number:\n", + test_no); + hexdump(seq_num, sizeof(seq_num)); + fprintf(stderr, "want:\n"); + hexdump(snt->want_num, sizeof(snt->want_num)); + goto failure; + } + + failed = 0; + + failure: + tls12_record_layer_free(rl); + + return failed; +} + +static int +test_seq_num_tls12(void) +{ + int failed = 0; + size_t i; + + fprintf(stderr, "Running TLSv1.2 sequence number tests...\n"); + for (i = 0; i < N_SEQ_NUM_TLS_TESTS; i++) + failed |= do_seq_num_test_tls12(i, 0, &seq_num_tls_tests[i]); + + fprintf(stderr, "Running DTLSv1.2 sequence number tests...\n"); + for (i = 0; i < N_SEQ_NUM_DTLS_TESTS; i++) + failed |= do_seq_num_test_tls12(i, 1, &seq_num_dtls_tests[i]); + + return failed; +} + +static int +do_seq_num_test_tls13(size_t test_no, struct seq_num_test *snt) +{ + uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; + int failed = 1; + int ret; + + memcpy(seq_num, snt->seq_num, sizeof(seq_num)); + + if ((ret = tls13_record_layer_inc_seq_num(seq_num)) != snt->want) { + fprintf(stderr, "FAIL: Test %zu - got return %i, want %i\n", + test_no, ret, snt->want); + goto failure; + } + + if (memcmp(seq_num, snt->want_num, sizeof(seq_num)) != 0) { + fprintf(stderr, "FAIL: Test %zu - got sequence number:\n", + test_no); + hexdump(seq_num, sizeof(seq_num)); + fprintf(stderr, "want:\n"); + hexdump(snt->want_num, sizeof(snt->want_num)); + goto failure; + } + + failed = 0; + + failure: + return failed; +} + +static int +test_seq_num_tls13(void) +{ + int failed = 0; + size_t i; + + fprintf(stderr, "Running TLSv1.3 sequence number tests...\n"); + + for (i = 0; i < N_SEQ_NUM_TLS_TESTS; i++) + failed |= do_seq_num_test_tls13(i, &seq_num_tls_tests[i]); + + return failed; +} + +int +main(int argc, char **argv) +{ + int failed = 0; + + failed |= test_seq_num_tls12(); + failed |= test_seq_num_tls13(); + + return failed; +} diff --git a/tests/recordtest.c b/tests/recordtest.c index 42bba88c..c345a68c 100644 --- a/tests/recordtest.c +++ b/tests/recordtest.c @@ -1,3 +1,4 @@ +/* $OpenBSD: recordtest.c,v 1.4 2020/05/11 18:08:37 jsing Exp $ */ /* * Copyright (c) 2019 Joel Sing * @@ -240,7 +241,7 @@ struct record_recv_test record_recv_tests[] = { .rt = { { .rw_len = sizeof(test_record_3), - .want_ret = TLS13_IO_FAILURE, + .want_ret = TLS13_IO_RECORD_OVERFLOW, }, }, }, diff --git a/tests/servertest.c b/tests/servertest.c index 32578599..a71c5f8c 100644 --- a/tests/servertest.c +++ b/tests/servertest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servertest.c,v 1.1 2017/03/05 14:15:53 jsing Exp $ */ +/* $OpenBSD: servertest.c,v 1.5 2021/01/22 15:56:17 tb Exp $ */ /* * Copyright (c) 2015, 2016, 2017 Joel Sing * @@ -25,6 +25,8 @@ #include #include +const SSL_METHOD *tls_legacy_method(void); + char *server_ca_file; char *server_cert_file; char *server_key_file; @@ -80,7 +82,8 @@ struct server_hello_test { unsigned char *client_hello; const size_t client_hello_len; const SSL_METHOD *(*ssl_method)(void); - const long ssl_options; + const long ssl_clear_options; + const long ssl_set_options; }; static struct server_hello_test server_hello_tests[] = { @@ -88,15 +91,17 @@ static struct server_hello_test server_hello_tests[] = { .desc = "TLSv1.0 in SSLv2 record", .client_hello = sslv2_client_hello_tls10, .client_hello_len = sizeof(sslv2_client_hello_tls10), - .ssl_method = TLS_server_method, - .ssl_options = 0, + .ssl_method = tls_legacy_method, + .ssl_clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, + .ssl_set_options = 0, }, { .desc = "TLSv1.2 in SSLv2 record", .client_hello = sslv2_client_hello_tls12, .client_hello_len = sizeof(sslv2_client_hello_tls12), - .ssl_method = TLS_server_method, - .ssl_options = 0, + .ssl_method = tls_legacy_method, + .ssl_clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, + .ssl_set_options = 0, }, }; @@ -141,7 +146,9 @@ server_hello_test(int testno, struct server_hello_test *sht) SSL_CTX_set_dh_auto(ssl_ctx, 1); SSL_CTX_set_ecdh_auto(ssl_ctx, 1); - SSL_CTX_set_options(ssl_ctx, sht->ssl_options); + + SSL_CTX_clear_options(ssl_ctx, sht->ssl_clear_options); + SSL_CTX_set_options(ssl_ctx, sht->ssl_set_options); if ((ssl = SSL_new(ssl_ctx)) == NULL) { fprintf(stderr, "SSL_new() returned NULL\n"); @@ -152,7 +159,7 @@ server_hello_test(int testno, struct server_hello_test *sht) wbio->references = 2; SSL_set_bio(ssl, rbio, wbio); - + if (SSL_accept(ssl) != 0) { fprintf(stderr, "SSL_accept() returned non-zero\n"); ERR_print_errors_fp(stderr); @@ -165,8 +172,10 @@ server_hello_test(int testno, struct server_hello_test *sht) SSL_CTX_free(ssl_ctx); SSL_free(ssl); - rbio->references = 1; - wbio->references = 1; + if (rbio != NULL) + rbio->references = 1; + if (wbio != NULL) + wbio->references = 1; BIO_free(rbio); BIO_free(wbio); diff --git a/tests/sm3test.c b/tests/sm3test.c index 66113728..f02ce3a6 100644 --- a/tests/sm3test.c +++ b/tests/sm3test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sm3test.c,v 1.2 2018/11/12 15:55:59 tb Exp $ */ +/* $OpenBSD: sm3test.c,v 1.3 2021/04/06 15:00:19 tb Exp $ */ /* * Copyright (c) 2018 Ribose Inc * @@ -68,12 +68,13 @@ main(int argc, char *argv[]) { EVP_MD_CTX *ctx; uint8_t digest[32]; - int numerrors = 0, i; - + int i; + int numerrors = 0; + if ((ctx = EVP_MD_CTX_new()) == NULL) err(1, NULL); - - for (i = 0; i != SM3_TESTS; ++i) { + + for (i = 0; i < SM3_TESTS; i++) { if (!EVP_DigestInit(ctx, EVP_sm3())) errx(1, "EVP_DigestInit() failed"); if (!EVP_DigestUpdate(ctx, sm3_input[i], strlen(sm3_input[i]))) diff --git a/tests/ssl_methods.c b/tests/ssl_methods.c new file mode 100644 index 00000000..0fc33a40 --- /dev/null +++ b/tests/ssl_methods.c @@ -0,0 +1,267 @@ +/* $OpenBSD: ssl_methods.c,v 1.4 2021/04/04 20:21:43 tb Exp $ */ +/* + * Copyright (c) 2020 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +struct ssl_method_test_data { + const SSL_METHOD *(*method)(void); + const char *name; + int server; + int dtls; +}; + +struct ssl_method_test_data ssl_method_tests[] = { + { + .method = SSLv23_method, + .name = "SSLv23_method", + .server = 1, + .dtls = 0, + }, + { + .method = SSLv23_server_method, + .name = "SSLv23_server_method", + .server = 1, + .dtls = 0, + }, + { + .method = SSLv23_client_method, + .name = "SSLv23_client_method", + .server = 0, + .dtls = 0, + }, + + { + .method = TLSv1_method, + .name = "TLSv1_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLSv1_server_method, + .name = "TLSv1_server_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLSv1_client_method, + .name = "TLSv1_client_method", + .server = 0, + .dtls = 0, + }, + + { + .method = TLSv1_1_method, + .name = "TLSv1_1_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLSv1_1_server_method, + .name = "TLSv1_1_server_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLSv1_1_client_method, + .name = "TLSv1_1_client_method", + .server = 0, + .dtls = 0, + }, + + { + .method = TLSv1_2_method, + .name = "TLSv1_2_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLSv1_2_server_method, + .name = "TLSv1_2_server_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLSv1_2_client_method, + .name = "TLSv1_2_client_method", + .server = 0, + .dtls = 0, + }, + + { + .method = TLS_method, + .name = "TLS_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLS_server_method, + .name = "TLS_server_method", + .server = 1, + .dtls = 0, + }, + { + .method = TLS_client_method, + .name = "TLS_client_method", + .server = 0, + .dtls = 0, + }, + + { + .method = DTLSv1_method, + .name = "DTLSv1_method", + .server = 1, + .dtls = 1, + }, + { + .method = DTLSv1_server_method, + .name = "DTLSv1_server_method", + .server = 1, + .dtls = 1, + }, + { + .method = DTLSv1_client_method, + .name = "DTLSv1_client_method", + .server = 0, + .dtls = 1, + }, + + { + .method = DTLSv1_2_method, + .name = "DTLSv1_2_method", + .server = 1, + .dtls = 1, + }, + { + .method = DTLSv1_2_server_method, + .name = "DTLSv1_2_server_method", + .server = 1, + .dtls = 1, + }, + { + .method = DTLSv1_2_client_method, + .name = "DTLSv1_2_client_method", + .server = 0, + .dtls = 1, + }, + + { + .method = DTLS_method, + .name = "DTLS_method", + .server = 1, + .dtls = 1, + }, + { + .method = DTLS_server_method, + .name = "DTLS_server_method", + .server = 1, + .dtls = 1, + }, + { + .method = DTLS_client_method, + .name = "DTLS_client_method", + .server = 0, + .dtls = 1, + }, +}; + +#define N_METHOD_TESTS (sizeof(ssl_method_tests) / sizeof(ssl_method_tests[0])) + +int test_client_or_server_method(struct ssl_method_test_data *); +int test_dtls_method(struct ssl_method_test_data *); + +int +test_client_or_server_method(struct ssl_method_test_data *testcase) +{ + SSL_CTX *ssl_ctx; + SSL *ssl = NULL; + int failed = 1; + + if ((ssl_ctx = SSL_CTX_new(testcase->method())) == NULL) { + fprintf(stderr, "SSL_CTX_new returned NULL\n"); + goto err; + } + + if ((ssl = SSL_new(ssl_ctx)) == NULL) { + fprintf(stderr, "SSL_new returned NULL\n"); + goto err; + } + + if (SSL_is_server(ssl) != testcase->server) { + fprintf(stderr, "%s: SSL_is_server: want %d, got %d\n", + testcase->name, testcase->server, SSL_is_server(ssl)); + goto err; + } + + failed = 0; + + err: + SSL_free(ssl); + SSL_CTX_free(ssl_ctx); + + return failed; +} + +int +test_dtls_method(struct ssl_method_test_data *testcase) +{ + SSL_CTX *ssl_ctx; + SSL *ssl = NULL; + int failed = 1; + + if ((ssl_ctx = SSL_CTX_new(testcase->method())) == NULL) { + fprintf(stderr, "SSL_CTX_new returned NULL\n"); + goto err; + } + + if ((ssl = SSL_new(ssl_ctx)) == NULL) { + fprintf(stderr, "SSL_new returned NULL\n"); + goto err; + } + + if (SSL_is_dtls(ssl) != testcase->dtls) { + fprintf(stderr, "%s: SSL_is_dtls: want %d, got %d\n", + testcase->name, testcase->dtls, SSL_is_dtls(ssl)); + goto err; + } + + failed = 0; + + err: + SSL_free(ssl); + SSL_CTX_free(ssl_ctx); + + return failed; +} + +int +main(int argc, char **argv) +{ + size_t i; + int failed = 0; + + for (i = 0; i < N_METHOD_TESTS; i++) { + failed |= test_client_or_server_method(&ssl_method_tests[i]); + failed |= test_dtls_method(&ssl_method_tests[i]); + } + + if (failed == 0) + printf("PASS %s\n", __FILE__); + + return failed; +} diff --git a/tests/ssl_versions.c b/tests/ssl_versions.c index ec16576e..7ddc0e4a 100644 --- a/tests/ssl_versions.c +++ b/tests/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.7 2019/04/04 15:47:15 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.14 2021/03/17 17:43:31 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -193,7 +193,9 @@ test_ssl_enabled_version_range(void) int failed = 1; size_t i; - if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { + fprintf(stderr, "INFO: starting enabled version range tests...\n"); + + if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) { fprintf(stderr, "SSL_CTX_new() returned NULL\n"); goto failure; } @@ -212,10 +214,10 @@ test_ssl_enabled_version_range(void) SSL_set_options(ssl, vrt->options); minver = maxver = 0xffff; - ssl->internal->min_version = vrt->minver; - ssl->internal->max_version = vrt->maxver; + ssl->internal->min_tls_version = vrt->minver; + ssl->internal->max_tls_version = vrt->maxver; - if (ssl_enabled_version_range(ssl, &minver, &maxver) != 1) { + if (ssl_enabled_tls_version_range(ssl, &minver, &maxver) != 1) { if (vrt->want_minver != 0 || vrt->want_maxver != 0) { fprintf(stderr, "FAIL: test %zu - failed but " "wanted non-zero versions\n", i); @@ -405,21 +407,69 @@ static struct shared_version_test shared_version_tests[] = { .want_maxver = TLS1_1_VERSION, }, { - .ssl_method = DTLSv1_method, + .ssl_method = DTLS_method, .options = 0, - .minver = TLS1_VERSION, + .minver = TLS1_1_VERSION, .maxver = TLS1_2_VERSION, .peerver = DTLS1_VERSION, .want_maxver = DTLS1_VERSION, }, + { + .ssl_method = DTLS_method, + .options = 0, + .minver = TLS1_1_VERSION, + .maxver = TLS1_2_VERSION, + .peerver = DTLS1_2_VERSION, + .want_maxver = DTLS1_2_VERSION, + }, + { + .ssl_method = DTLS_method, + .options = 0, + .minver = TLS1_1_VERSION, + .maxver = TLS1_2_VERSION, + .peerver = 0xfefc, /* DTLSv1.3, probably. */ + .want_maxver = DTLS1_2_VERSION, + }, { .ssl_method = DTLSv1_method, .options = 0, - .minver = TLS1_VERSION, + .minver = TLS1_1_VERSION, + .maxver = TLS1_1_VERSION, + .peerver = DTLS1_2_VERSION, + .want_maxver = DTLS1_VERSION, + }, + { + .ssl_method = DTLSv1_2_method, + .options = 0, + .minver = TLS1_2_VERSION, .maxver = TLS1_2_VERSION, + .peerver = DTLS1_2_VERSION, + .want_maxver = DTLS1_2_VERSION, + }, + { + .ssl_method = DTLSv1_method, + .options = 0, + .minver = TLS1_1_VERSION, + .maxver = TLS1_1_VERSION, .peerver = TLS1_2_VERSION, .want_maxver = 0, }, + { + .ssl_method = DTLS_method, + .options = SSL_OP_NO_DTLSv1, + .minver = TLS1_1_VERSION, + .maxver = TLS1_2_VERSION, + .peerver = DTLS1_VERSION, + .want_maxver = 0, + }, + { + .ssl_method = DTLS_method, + .options = SSL_OP_NO_DTLSv1_2, + .minver = TLS1_1_VERSION, + .maxver = TLS1_2_VERSION, + .peerver = DTLS1_2_VERSION, + .want_maxver = DTLS1_VERSION, + }, }; #define N_SHARED_VERSION_TESTS \ @@ -437,10 +487,12 @@ test_ssl_max_shared_version(void) failed = 0; + fprintf(stderr, "INFO: starting max shared version tests...\n"); + for (i = 0; i < N_SHARED_VERSION_TESTS; i++) { svt = &shared_version_tests[i]; - if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) { + if ((ssl_ctx = SSL_CTX_new(svt->ssl_method())) == NULL) { fprintf(stderr, "SSL_CTX_new() returned NULL\n"); return 1; } @@ -454,13 +506,14 @@ test_ssl_max_shared_version(void) SSL_set_options(ssl, svt->options); maxver = 0; - ssl->internal->min_version = svt->minver; - ssl->internal->max_version = svt->maxver; + ssl->internal->min_tls_version = svt->minver; + ssl->internal->max_tls_version = svt->maxver; - if (ssl_max_shared_version(ssl, svt->peerver, &maxver) != 1) { + if (!ssl_max_shared_version(ssl, svt->peerver, &maxver)) { if (svt->want_maxver != 0) { fprintf(stderr, "FAIL: test %zu - failed but " - "wanted non-zero shared version\n", i); + "wanted non-zero shared version (peer %x)\n", + i, svt->peerver); failed++; } continue; @@ -485,6 +538,8 @@ struct min_max_version_test { const uint16_t maxver; const uint16_t want_minver; const uint16_t want_maxver; + const int want_min_fail; + const int want_max_fail; }; static struct min_max_version_test min_max_version_tests[] = { @@ -492,29 +547,29 @@ static struct min_max_version_test min_max_version_tests[] = { .ssl_method = TLS_method, .minver = 0, .maxver = 0, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_minver = 0, + .want_maxver = 0, }, { .ssl_method = TLS_method, .minver = TLS1_VERSION, .maxver = 0, .want_minver = TLS1_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, .minver = 0, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = 0, .want_maxver = TLS1_2_VERSION, }, { .ssl_method = TLS_method, .minver = 0, .maxver = TLS1_3_VERSION, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_minver = 0, + .want_maxver = TLS1_3_VERSION, }, { .ssl_method = TLS_method, @@ -528,56 +583,54 @@ static struct min_max_version_test min_max_version_tests[] = { .minver = TLS1_1_VERSION, .maxver = 0, .want_minver = TLS1_1_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, .minver = TLS1_2_VERSION, .maxver = 0, .want_minver = TLS1_2_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, .minver = 0x0300, .maxver = 0, .want_minver = TLS1_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, .minver = 0x0305, .maxver = 0, - .want_minver = 0, - .want_maxver = 0, + .want_min_fail = 1, }, { .ssl_method = TLS_method, .minver = 0, .maxver = 0x0305, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_2_VERSION, + .want_minver = 0, + .want_maxver = TLS1_3_VERSION, }, { .ssl_method = TLS_method, .minver = 0, .maxver = TLS1_1_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = 0, .want_maxver = TLS1_1_VERSION, }, { .ssl_method = TLS_method, .minver = 0, .maxver = TLS1_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = 0, .want_maxver = TLS1_VERSION, }, { .ssl_method = TLS_method, .minver = 0, .maxver = 0x0300, - .want_minver = 0, - .want_maxver = 0, + .want_max_fail = 1, }, { .ssl_method = TLS_method, @@ -585,13 +638,14 @@ static struct min_max_version_test min_max_version_tests[] = { .maxver = TLS1_1_VERSION, .want_minver = TLS1_2_VERSION, .want_maxver = 0, + .want_max_fail = 1, }, { .ssl_method = TLSv1_1_method, .minver = 0, .maxver = 0, - .want_minver = TLS1_1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_minver = 0, + .want_maxver = 0, }, { .ssl_method = TLSv1_1_method, @@ -606,6 +660,7 @@ static struct min_max_version_test min_max_version_tests[] = { .maxver = 0, .want_minver = 0, .want_maxver = 0, + .want_min_fail = 1, }, { .ssl_method = TLSv1_1_method, @@ -613,26 +668,62 @@ static struct min_max_version_test min_max_version_tests[] = { .maxver = TLS1_VERSION, .want_minver = 0, .want_maxver = 0, + .want_max_fail = 1, }, { - .ssl_method = DTLSv1_method, + .ssl_method = DTLS_method, .minver = 0, .maxver = 0, - .want_minver = DTLS1_VERSION, + .want_minver = 0, + .want_maxver = 0, + }, + { + .ssl_method = DTLS_method, + .minver = 0, + .maxver = DTLS1_VERSION, + .want_minver = 0, .want_maxver = DTLS1_VERSION, }, + { + .ssl_method = DTLS_method, + .minver = DTLS1_VERSION, + .maxver = 0, + .want_minver = DTLS1_VERSION, + .want_maxver = 0, + }, + { + .ssl_method = DTLS_method, + .minver = DTLS1_VERSION, + .maxver = DTLS1_2_VERSION, + .want_minver = DTLS1_VERSION, + .want_maxver = DTLS1_2_VERSION, + }, + { + .ssl_method = DTLSv1_method, + .minver = 0, + .maxver = 0, + .want_minver = 0, + .want_maxver = 0, + }, { .ssl_method = DTLSv1_method, .minver = DTLS1_VERSION, .maxver = 0, .want_minver = DTLS1_VERSION, - .want_maxver = DTLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = DTLSv1_method, .minver = 0, .maxver = DTLS1_VERSION, - .want_minver = DTLS1_VERSION, + .want_minver = 0, + .want_maxver = DTLS1_VERSION, + }, + { + .ssl_method = DTLSv1_method, + .minver = 0, + .maxver = DTLS1_2_VERSION, + .want_minver = 0, .want_maxver = DTLS1_VERSION, }, { @@ -641,6 +732,8 @@ static struct min_max_version_test min_max_version_tests[] = { .maxver = TLS1_2_VERSION, .want_minver = 0, .want_maxver = 0, + .want_min_fail = 1, + .want_max_fail = 1, }, }; @@ -658,24 +751,26 @@ test_ssl_min_max_version(void) failed = 0; + fprintf(stderr, "INFO: starting min max version tests...\n"); + for (i = 0; i < N_MIN_MAX_VERSION_TESTS; i++) { mmvt = &min_max_version_tests[i]; - if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) { + if ((ssl_ctx = SSL_CTX_new(mmvt->ssl_method())) == NULL) { fprintf(stderr, "SSL_CTX_new() returned NULL\n"); return 1; } - if (SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver) != 1) { - if (mmvt->want_minver != 0) { + if (!SSL_CTX_set_min_proto_version(ssl_ctx, mmvt->minver)) { + if (!mmvt->want_min_fail) { fprintf(stderr, "FAIL: test %zu - failed to set " "SSL_CTX min version\n", i); failed++; } goto next; } - if (SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver) != 1) { - if (mmvt->want_maxver != 0) { + if (!SSL_CTX_set_max_proto_version(ssl_ctx, mmvt->maxver)) { + if (!mmvt->want_max_fail) { fprintf(stderr, "FAIL: test %zu - failed to set " "SSL_CTX min version\n", i); failed++; @@ -683,14 +778,16 @@ test_ssl_min_max_version(void) goto next; } - if (mmvt->want_minver == 0) { + if (mmvt->want_min_fail) { fprintf(stderr, "FAIL: test %zu - successfully set " "SSL_CTX min version, should have failed\n", i); + failed++; goto next; } - if (mmvt->want_maxver == 0) { + if (mmvt->want_max_fail) { fprintf(stderr, "FAIL: test %zu - successfully set " "SSL_CTX max version, should have failed\n", i); + failed++; goto next; } @@ -698,12 +795,14 @@ test_ssl_min_max_version(void) fprintf(stderr, "FAIL: test %zu - got SSL_CTX min " "version 0x%x, want 0x%x\n", i, SSL_CTX_get_min_proto_version(ssl_ctx), mmvt->want_minver); + failed++; goto next; } if (SSL_CTX_get_max_proto_version(ssl_ctx) != mmvt->want_maxver) { fprintf(stderr, "FAIL: test %zu - got SSL_CTX max " "version 0x%x, want 0x%x\n", i, SSL_CTX_get_max_proto_version(ssl_ctx), mmvt->want_maxver); + failed++; goto next; } @@ -716,25 +815,27 @@ test_ssl_min_max_version(void) fprintf(stderr, "FAIL: test %zu - initial SSL min " "version 0x%x, want 0x%x\n", i, SSL_get_min_proto_version(ssl), mmvt->want_minver); + failed++; goto next; } if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { fprintf(stderr, "FAIL: test %zu - initial SSL max " "version 0x%x, want 0x%x\n", i, SSL_get_max_proto_version(ssl), mmvt->want_maxver); + failed++; goto next; } - if (SSL_set_min_proto_version(ssl, mmvt->minver) != 1) { - if (mmvt->want_minver != 0) { + if (!SSL_set_min_proto_version(ssl, mmvt->minver)) { + if (mmvt->want_min_fail) { fprintf(stderr, "FAIL: test %zu - failed to set " "SSL min version\n", i); failed++; } goto next; } - if (SSL_set_max_proto_version(ssl, mmvt->maxver) != 1) { - if (mmvt->want_maxver != 0) { + if (!SSL_set_max_proto_version(ssl, mmvt->maxver)) { + if (mmvt->want_max_fail) { fprintf(stderr, "FAIL: test %zu - failed to set " "SSL min version\n", i); failed++; @@ -742,14 +843,16 @@ test_ssl_min_max_version(void) goto next; } - if (mmvt->want_minver == 0) { + if (mmvt->want_min_fail) { fprintf(stderr, "FAIL: test %zu - successfully set SSL " "min version, should have failed\n", i); + failed++; goto next; } - if (mmvt->want_maxver == 0) { + if (mmvt->want_max_fail) { fprintf(stderr, "FAIL: test %zu - successfully set SSL " "max version, should have failed\n", i); + failed++; goto next; } @@ -757,12 +860,14 @@ test_ssl_min_max_version(void) fprintf(stderr, "FAIL: test %zu - got SSL min " "version 0x%x, want 0x%x\n", i, SSL_get_min_proto_version(ssl), mmvt->want_minver); + failed++; goto next; } if (SSL_get_max_proto_version(ssl) != mmvt->want_maxver) { fprintf(stderr, "FAIL: test %zu - got SSL max " "version 0x%x, want 0x%x\n", i, SSL_get_max_proto_version(ssl), mmvt->want_maxver); + failed++; goto next; } @@ -793,5 +898,5 @@ main(int argc, char **argv) if (failed == 0) printf("PASS %s\n", __FILE__); - return (failed); + return (failed); } diff --git a/tests/ssltest.c b/tests/ssltest.c index 0c9a03c8..f4057418 100644 --- a/tests/ssltest.c +++ b/tests/ssltest.c @@ -181,8 +181,6 @@ #define TEST_CLIENT_CERT "../apps/client.pem" static int verify_callback(int ok, X509_STORE_CTX *ctx); -static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); -static void free_tmp_rsa(void); static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); #define APP_CALLBACK_STRING "Test Callback Argument" struct app_verify_arg { @@ -350,6 +348,7 @@ sv_usage(void) fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); fprintf(stderr, " -dtls1 - use DTLSv1\n"); fprintf(stderr, " -tls1 - use TLSv1\n"); + fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); fprintf(stderr, " -cert arg - Server certificate file\n"); @@ -410,7 +409,7 @@ main(int argc, char *argv[]) int badop = 0; int bio_pair = 0; int force = 0; - int tls1 = 0, dtls1 = 0, ret = 1; + int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = @@ -478,6 +477,8 @@ main(int argc, char *argv[]) dtls1 = 1; else if (strcmp(*argv, "-tls1") == 0) tls1 = 1; + else if (strcmp(*argv, "-tls1_2") == 0) + tls1_2 = 1; else if (strncmp(*argv, "-num", 4) == 0) { if (--argc < 1) goto bad; @@ -581,12 +582,11 @@ main(int argc, char *argv[]) goto end; } - if (!dtls1 && !tls1 && - number > 1 && !reuse && !force) { + if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -dtls1, -tls1, -reuse\n" + "or add one of -dtls1, -tls1, -tls1_2, -reuse\n" "to avoid protocol mismatch.\n"); exit(1); } @@ -609,8 +609,10 @@ main(int argc, char *argv[]) meth = DTLSv1_method(); else if (tls1) meth = TLSv1_method(); + else if (tls1_2) + meth = TLSv1_2_method(); else - meth = SSLv23_method(); + meth = TLS_method(); c_ctx = SSL_CTX_new(meth); s_ctx = SSL_CTX_new(meth); @@ -658,8 +660,6 @@ main(int argc, char *argv[]) EC_KEY_free(ecdh); } - SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); - if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); @@ -772,7 +772,6 @@ main(int argc, char *argv[]) SSL_CTX_free(c_ctx); BIO_free(bio_stdout); - free_tmp_rsa(); #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif @@ -1844,44 +1843,6 @@ app_verify_callback(X509_STORE_CTX *ctx, void *arg) return (ok); } -static RSA *rsa_tmp = NULL; - -static RSA * -tmp_rsa_cb(SSL *s, int is_export, int keylength) -{ - BIGNUM *bn = NULL; - if (rsa_tmp == NULL) { - bn = BN_new(); - rsa_tmp = RSA_new(); - if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) { - BIO_printf(bio_err, "Memory error..."); - goto end; - } - BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength); - (void)BIO_flush(bio_err); - if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) { - BIO_printf(bio_err, "Error generating key."); - RSA_free(rsa_tmp); - rsa_tmp = NULL; - } -end: - BIO_printf(bio_err, "\n"); - (void)BIO_flush(bio_err); - } - if (bn) - BN_free(bn); - return (rsa_tmp); -} - -static void -free_tmp_rsa(void) -{ - if (rsa_tmp != NULL) { - RSA_free(rsa_tmp); - rsa_tmp = NULL; - } -} - /* These DH parameters have been generated as follows: * $ openssl dhparam -C -noout 1024 * $ openssl dhparam -C -noout -dsaparam 1024 diff --git a/tests/testssl b/tests/testssl index 3563d136..fe633e87 100644 --- a/tests/testssl +++ b/tests/testssl @@ -53,9 +53,22 @@ echo test sslv2/sslv3 with both client and server authentication via BIO pair an $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 echo "Testing ciphersuites" -for protocol in TLSv1.2; do +for protocol in SSLv3 TLSv1.2; do echo "Testing ciphersuites for $protocol" - for cipher in `$openssl ciphers "$protocol+aRSA" | tr ':' ' '`; do + for cipher in `$openssl ciphers -v "$protocol+aRSA" | + awk "/ $protocol / { print \\$1 }"`; do + echo "Testing $cipher" + $ssltest -cipher $cipher -tls1_2 + if [ $? -ne 0 ] ; then + echo "Failed $cipher" + exit 1 + fi + done +done +for protocol in TLSv1.3; do + echo "Testing ciphersuites for $protocol" + for cipher in `$openssl ciphers -v "$protocol" | + awk "/ $protocol / { print \\$1 }"`; do echo "Testing $cipher" $ssltest -cipher $cipher if [ $? -ne 0 ] ; then @@ -107,7 +120,8 @@ $ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1 echo "Testing DTLS ciphersuites" for protocol in SSLv3; do echo "Testing ciphersuites for $protocol" - for cipher in `$openssl ciphers "RSA+$protocol" | tr ':' '\n' | + for cipher in `$openssl ciphers -v "RSA+$protocol" | + awk "/ $protocol / { print \\$1 }" | grep -v RC4`; do echo "Testing $cipher" $ssltest -cipher $cipher -dtls1 diff --git a/tests/testssl.bat b/tests/testssl.bat index b6f087c6..64c6d7f0 100644 --- a/tests/testssl.bat +++ b/tests/testssl.bat @@ -11,7 +11,10 @@ set extra=%6 %openssl% version & if !errorlevel! neq 0 exit /b 1 -for /f "usebackq" %%s in (`%openssl% x509 -in %cert% -text -noout ^| find /c "DSA Public Key"`) do set lines=%%s +set lines=0 +for /f "usebackq" %%s in (`%openssl% x509 -in %cert% -text -noout ^| find "DSA Public Key"`) do ( + set /a lines=%lines%+1 +) if %lines% gtr 0 ( set dsa_cert=YES ) else ( @@ -56,9 +59,20 @@ echo test sslv2/sslv3 with both client and server authentication via BIO pair an %ssltest% -bio_pair -server_auth -client_auth -app_verify %CA% %extra% & if !errorlevel! neq 0 exit /b 1 echo "Testing ciphersuites" -for %%p in ( TLSv1.2 ) do ( +for %%p in ( SSLv3,TLSv1.2 ) do ( + echo "Testing ciphersuites for %%p" + for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p+aRSA" ^| find "%%p"`) do ( + echo "Testing %%c" + %ssltest% -cipher %%c -tls1_2 + if !errorlevel! neq 0 ( + echo "Failed %%c" + exit /b 1 + ) + ) +) +for %%p in ( TLSv1.3 ) do ( echo "Testing ciphersuites for %%p" - for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p+aRSA"`) do ( + for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p" ^| find "%%p"`) do ( echo "Testing %%c" %ssltest% -cipher %%c if !errorlevel! neq 0 ( @@ -113,7 +127,7 @@ echo test dtlsv1 with both client and server authentication echo "Testing DTLS ciphersuites" for %%p in ( SSLv3 ) do ( echo "Testing ciphersuites for %%p" - for /f "usebackq" %%c in (`%openssl% ciphers -v "RSA+%%p:-RC4"`) do ( + for /f "usebackq" %%c in (`%openssl% ciphers -v "RSA+%%p:-RC4" ^| find "%%p"`) do ( echo "Testing %%c" %ssltest% -cipher %%c -dtls1 if !errorlevel! neq 0 ( diff --git a/tests/tls_ext_alpn.c b/tests/tls_ext_alpn.c index 63e5f247..378929aa 100644 --- a/tests/tls_ext_alpn.c +++ b/tests/tls_ext_alpn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_ext_alpn.c,v 1.6 2019/01/18 00:55:15 jsing Exp $ */ +/* $OpenBSD: tls_ext_alpn.c,v 1.7 2020/07/03 04:14:10 tb Exp $ */ /* * Copyright (c) 2015 Doug Hogan * @@ -321,9 +321,9 @@ static uint8_t proto_invalid_missing9[] = { int al; \ \ CBS_init(&cbs, proto, sizeof(proto)); \ - CHECK(c_val == tlsext_server_parse(s, &cbs, &al, SSL_TLSEXT_MSG_CH)); \ + CHECK(c_val == tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)); \ CBS_init(&cbs, proto, sizeof(proto)); \ - CHECK(s_val == tlsext_client_parse(s, &cbs, &al, SSL_TLSEXT_MSG_SH)); \ + CHECK(s_val == tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)); \ } \ } while (0) diff --git a/tests/tls_prf.c b/tests/tls_prf.c index 2eacb12a..9e8f5b40 100644 --- a/tests/tls_prf.c +++ b/tests/tls_prf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_prf.c,v 1.4 2017/05/06 22:24:58 beck Exp $ */ +/* $OpenBSD: tls_prf.c,v 1.5 2021/03/24 19:02:35 jsing Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -197,7 +197,7 @@ do_tls_prf_test(int test_no, struct tls_prf_test *tpt) goto failure; } - S3I(ssl)->hs.new_cipher = cipher; + S3I(ssl)->hs.cipher = cipher; for (len = 1; len <= TLS_PRF_OUT_LEN; len++) { memset(out, 'A', TLS_PRF_OUT_LEN); diff --git a/tests/tlsexttest.c b/tests/tlsexttest.c index 67871c39..63c16a28 100644 --- a/tests/tlsexttest.c +++ b/tests/tlsexttest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tlsexttest.c,v 1.29 2019/03/25 18:12:05 jsing Exp $ */ +/* $OpenBSD: tlsexttest.c,v 1.49 2021/03/24 21:36:26 tb Exp $ */ /* * Copyright (c) 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -140,8 +140,8 @@ test_tlsext_alpn_client(void) errx(1, "failed to create SSL"); /* By default, we don't need this */ - if (tlsext_alpn_client_needs(ssl)) { - FAIL("client should not need ALPN by default"); + if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should not need ALPN by default\n"); goto err; } @@ -154,17 +154,17 @@ test_tlsext_alpn_client(void) */ if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val, sizeof(tlsext_alpn_single_proto_val)) != 0) { - FAIL("should be able to set ALPN to http/1.1"); + FAIL("should be able to set ALPN to http/1.1\n"); goto err; } - if (!tlsext_alpn_client_needs(ssl)) { - FAIL("client should need ALPN by now"); + if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should need ALPN by now\n"); goto err; } /* Make sure we can build the client with a single proto. */ - if (!tlsext_alpn_client_build(ssl, &cbb)) { + if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build ALPN\n"); goto err; } @@ -195,12 +195,12 @@ test_tlsext_alpn_client(void) CBS_init(&cbs, tlsext_alpn_single_proto, sizeof(tlsext_alpn_single_proto)); - if (!tlsext_alpn_server_parse(ssl, &cbs, &alert)) { - FAIL("failed to parse ALPN"); + if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { + FAIL("failed to parse ALPN\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -228,15 +228,15 @@ test_tlsext_alpn_client(void) if (SSL_set_alpn_protos(ssl, tlsext_alpn_multiple_protos_val, sizeof(tlsext_alpn_multiple_protos_val)) != 0) { - FAIL("should be able to set ALPN to http/1.1"); + FAIL("should be able to set ALPN to http/1.1\n"); goto err; } - if (!tlsext_alpn_client_needs(ssl)) { - FAIL("client should need ALPN by now"); + if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should need ALPN by now\n"); goto err; } - if (!tlsext_alpn_client_build(ssl, &cbb)) { + if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build ALPN\n"); goto err; } @@ -262,12 +262,12 @@ test_tlsext_alpn_client(void) CBS_init(&cbs, tlsext_alpn_multiple_protos, sizeof(tlsext_alpn_multiple_protos)); - if (!tlsext_alpn_server_parse(ssl, &cbs, &alert)) { - FAIL("failed to parse ALPN"); + if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { + FAIL("failed to parse ALPN\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -297,8 +297,8 @@ test_tlsext_alpn_client(void) ssl->internal->alpn_client_proto_list = NULL; ssl->internal->alpn_client_proto_list_len = 0; - if (tlsext_alpn_client_needs(ssl)) { - FAIL("client should need ALPN by default"); + if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should need ALPN by default\n"); goto err; } @@ -334,7 +334,7 @@ test_tlsext_alpn_server(void) errx(1, "failed to create SSL"); /* By default, ALPN isn't needed. */ - if (tlsext_alpn_server_needs(ssl)) { + if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need ALPN by default\n"); goto err; } @@ -352,15 +352,15 @@ test_tlsext_alpn_server(void) sizeof(tlsext_alpn_single_proto_name)); S3I(ssl)->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name); - if (!tlsext_alpn_server_needs(ssl)) { + if (!tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need ALPN after a protocol is selected\n"); goto err; } /* Make sure we can build a server with one protocol */ - if (!tlsext_alpn_server_build(ssl, &cbb)) { - FAIL("server should be able to build a response"); + if (!tlsext_alpn_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { + FAIL("server should be able to build a response\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) @@ -392,23 +392,23 @@ test_tlsext_alpn_server(void) sizeof(tlsext_alpn_single_proto)); /* Shouldn't be able to parse without requesting */ - if (tlsext_alpn_client_parse(ssl, &cbs, &alert)) { - FAIL("Should only parse server if we requested it"); + if (tlsext_alpn_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { + FAIL("Should only parse server if we requested it\n"); goto err; } /* Should be able to parse once requested. */ if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val, sizeof(tlsext_alpn_single_proto_val)) != 0) { - FAIL("should be able to set ALPN to http/1.1"); + FAIL("should be able to set ALPN to http/1.1\n"); goto err; } - if (!tlsext_alpn_server_parse(ssl, &cbs, &alert)) { - FAIL("Should be able to parse server when we request it"); + if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { + FAIL("Should be able to parse server when we request it\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -446,8 +446,8 @@ test_tlsext_alpn_server(void) S3I(ssl)->alpn_selected = NULL; S3I(ssl)->alpn_selected_len = 0; - if (tlsext_alpn_server_needs(ssl)) { - FAIL("server should need ALPN by default"); + if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { + FAIL("server should need ALPN by default\n"); goto err; } @@ -470,10 +470,11 @@ test_tlsext_alpn_server(void) */ static uint8_t tlsext_supportedgroups_client_default[] = { - 0x00, 0x06, + 0x00, 0x08, 0x00, 0x1d, /* X25519 (29) */ 0x00, 0x17, /* secp256r1 (23) */ - 0x00, 0x18 /* secp384r1 (24) */ + 0x00, 0x18, /* secp384r1 (24) */ + 0x00, 0x19, /* secp521r1 (25) */ }; static uint16_t tlsext_supportedgroups_client_secp384r1_val[] = { @@ -519,7 +520,7 @@ test_tlsext_supportedgroups_client(void) /* * Default ciphers include EC so we need it by default. */ - if (!tlsext_supportedgroups_client_needs(ssl)) { + if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need Ellipticcurves for default " "ciphers\n"); goto err; @@ -532,7 +533,7 @@ test_tlsext_supportedgroups_client(void) FAIL("client should be able to set cipher list\n"); goto err; } - if (tlsext_supportedgroups_client_needs(ssl)) { + if (tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need Ellipticcurves\n"); goto err; } @@ -544,7 +545,7 @@ test_tlsext_supportedgroups_client(void) FAIL("client should be able to set cipher list\n"); goto err; } - if (!tlsext_supportedgroups_client_needs(ssl)) { + if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need Ellipticcurves\n"); goto err; } @@ -563,12 +564,12 @@ test_tlsext_supportedgroups_client(void) SSI(ssl)->tlsext_supportedgroups[0] = tls1_ec_nid2curve_id(NID_secp384r1); SSI(ssl)->tlsext_supportedgroups_length = 1; - if (!tlsext_supportedgroups_client_needs(ssl)) { + if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need Ellipticcurves\n"); goto err; } - if (!tlsext_supportedgroups_client_build(ssl, &cbb)) { + if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build Ellipticcurves\n"); goto err; } @@ -606,12 +607,12 @@ test_tlsext_supportedgroups_client(void) CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1, sizeof(tlsext_supportedgroups_client_secp384r1)); - if (!tlsext_supportedgroups_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client Ellipticcurves\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -652,12 +653,12 @@ test_tlsext_supportedgroups_client(void) ssl->internal->tlsext_supportedgroups[1] = tls1_ec_nid2curve_id(NID_secp224r1); ssl->internal->tlsext_supportedgroups_length = 2; - if (!tlsext_supportedgroups_client_needs(ssl)) { + if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need Ellipticcurves\n"); goto err; } - if (!tlsext_supportedgroups_client_build(ssl, &cbb)) { + if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build Ellipticcurves\n"); goto err; } @@ -706,12 +707,12 @@ test_tlsext_supportedgroups_client(void) CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224, sizeof(tlsext_supportedgroups_client_nistp192and224)); - if (!tlsext_supportedgroups_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client Ellipticcurves\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -759,7 +760,7 @@ test_tlsext_supportedgroups_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_supportedgroups_server_needs(ssl)) { + if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need elliptic_curves\n"); goto err; } @@ -767,7 +768,7 @@ test_tlsext_supportedgroups_server(void) if ((ssl->session = SSL_SESSION_new()) == NULL) errx(1, "failed to create session"); - if (tlsext_supportedgroups_server_needs(ssl)) { + if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need elliptic_curves\n"); goto err; } @@ -837,7 +838,7 @@ test_tlsext_ecpf_client(void) /* * Default ciphers include EC so we need it by default. */ - if (!tlsext_ecpf_client_needs(ssl)) { + if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need ECPointFormats for default " "ciphers\n"); goto err; @@ -850,7 +851,7 @@ test_tlsext_ecpf_client(void) FAIL("client should be able to set cipher list\n"); goto err; } - if (tlsext_ecpf_client_needs(ssl)) { + if (tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need ECPointFormats\n"); goto err; } @@ -862,7 +863,7 @@ test_tlsext_ecpf_client(void) FAIL("client should be able to set cipher list\n"); goto err; } - if (!tlsext_ecpf_client_needs(ssl)) { + if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need ECPointFormats\n"); goto err; } @@ -873,7 +874,7 @@ test_tlsext_ecpf_client(void) if ((ssl->session = SSL_SESSION_new()) == NULL) errx(1, "failed to create session"); - if (!tlsext_ecpf_client_build(ssl, &cbb)) { + if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build ECPointFormats\n"); goto err; } @@ -911,12 +912,12 @@ test_tlsext_ecpf_client(void) CBS_init(&cbs, tlsext_ecpf_hello_uncompressed, sizeof(tlsext_ecpf_hello_uncompressed)); - if (!tlsext_ecpf_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client ECPointFormats\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -955,13 +956,13 @@ test_tlsext_ecpf_client(void) ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; ssl->internal->tlsext_ecpointformatlist_length = 3; - if (!tlsext_ecpf_client_needs(ssl)) { + if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need ECPointFormats with a custom " "format\n"); goto err; } - if (!tlsext_ecpf_client_build(ssl, &cbb)) { + if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build ECPointFormats\n"); goto err; } @@ -1004,12 +1005,12 @@ test_tlsext_ecpf_client(void) CBS_init(&cbs, tlsext_ecpf_hello_prefer_order, sizeof(tlsext_ecpf_hello_prefer_order)); - if (!tlsext_ecpf_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client ECPointFormats\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1063,7 +1064,7 @@ test_tlsext_ecpf_server(void) errx(1, "failed to create session"); /* Setup the state so we can call needs. */ - if ((S3I(ssl)->hs.new_cipher = + if ((S3I(ssl)->hs.cipher = ssl3_get_cipher_by_id(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305)) == NULL) { FAIL("server cannot find cipher\n"); @@ -1077,7 +1078,7 @@ test_tlsext_ecpf_server(void) SSI(ssl)->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; SSI(ssl)->tlsext_ecpointformatlist_length = 1; - if (!tlsext_ecpf_server_needs(ssl)) { + if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need ECPointFormats now\n"); goto err; } @@ -1086,7 +1087,7 @@ test_tlsext_ecpf_server(void) * The server will ignore the session list and use either a custom * list or the default (uncompressed). */ - if (!tlsext_ecpf_server_build(ssl, &cbb)) { + if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server failed to build ECPointFormats\n"); goto err; } @@ -1124,12 +1125,12 @@ test_tlsext_ecpf_server(void) CBS_init(&cbs, tlsext_ecpf_hello_prime, sizeof(tlsext_ecpf_hello_prime)); - if (tlsext_ecpf_client_parse(ssl, &cbs, &alert)) { + if (tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("must include uncompressed in server ECPointFormats\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1164,12 +1165,12 @@ test_tlsext_ecpf_server(void) ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; ssl->internal->tlsext_ecpointformatlist_length = 3; - if (!tlsext_ecpf_server_needs(ssl)) { + if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need ECPointFormats\n"); goto err; } - if (!tlsext_ecpf_server_build(ssl, &cbb)) { + if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server failed to build ECPointFormats\n"); goto err; } @@ -1212,12 +1213,12 @@ test_tlsext_ecpf_server(void) CBS_init(&cbs, tlsext_ecpf_hello_prefer_order, sizeof(tlsext_ecpf_hello_prefer_order)); - if (!tlsext_ecpf_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse server ECPointFormats\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1295,7 +1296,7 @@ test_tlsext_ri_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_ri_client_needs(ssl)) { + if (tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need RI\n"); goto err; } @@ -1305,7 +1306,7 @@ test_tlsext_ri_client(void) goto err; } - if (!tlsext_ri_client_needs(ssl)) { + if (!tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need RI\n"); goto err; } @@ -1316,7 +1317,7 @@ test_tlsext_ri_client(void) S3I(ssl)->renegotiate_seen = 0; - if (!tlsext_ri_client_build(ssl, &cbb)) { + if (!tlsext_ri_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build RI\n"); goto err; } @@ -1340,12 +1341,12 @@ test_tlsext_ri_client(void) } CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client)); - if (!tlsext_ri_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client RI\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1364,7 +1365,7 @@ test_tlsext_ri_client(void) S3I(ssl)->renegotiate_seen = 0; CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client)); - if (tlsext_ri_server_parse(ssl, &cbs, &alert)) { + if (tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("parsed invalid client RI\n"); failure = 1; goto err; @@ -1407,14 +1408,15 @@ test_tlsext_ri_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_ri_server_needs(ssl)) { + ssl->version = TLS1_2_VERSION; + if (tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need RI\n"); goto err; } S3I(ssl)->send_connection_binding = 1; - if (!tlsext_ri_server_needs(ssl)) { + if (!tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need RI\n"); goto err; } @@ -1429,7 +1431,7 @@ test_tlsext_ri_server(void) S3I(ssl)->renegotiate_seen = 0; - if (!tlsext_ri_server_build(ssl, &cbb)) { + if (!tlsext_ri_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server failed to build RI\n"); goto err; } @@ -1453,12 +1455,12 @@ test_tlsext_ri_server(void) } CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server)); - if (!tlsext_ri_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse server RI\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1479,7 +1481,7 @@ test_tlsext_ri_server(void) S3I(ssl)->renegotiate_seen = 0; CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server)); - if (tlsext_ri_client_parse(ssl, &cbs, &alert)) { + if (tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("parsed invalid server RI\n"); goto err; } @@ -1529,23 +1531,23 @@ test_tlsext_sigalgs_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - ssl->client_version = TLS1_1_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION; - if (tlsext_sigalgs_client_needs(ssl)) { + if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { fprintf(stderr, "FAIL: client should not need sigalgs\n"); failure = 1; goto done; } - ssl->client_version = TLS1_2_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; - if (!tlsext_sigalgs_client_needs(ssl)) { + if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { fprintf(stderr, "FAIL: client should need sigalgs\n"); failure = 1; goto done; } - if (!tlsext_sigalgs_client_build(ssl, &cbb)) { + if (!tlsext_sigalgs_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { fprintf(stderr, "FAIL: client failed to build sigalgs\n"); failure = 1; goto done; @@ -1572,13 +1574,13 @@ test_tlsext_sigalgs_client(void) } CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client)); - if (!tlsext_sigalgs_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_sigalgs_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { fprintf(stderr, "FAIL: failed to parse client SNI\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto done; } @@ -1591,6 +1593,7 @@ test_tlsext_sigalgs_client(void) return (failure); } +#if 0 static int test_tlsext_sigalgs_server(void) { @@ -1610,13 +1613,13 @@ test_tlsext_sigalgs_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_sigalgs_server_needs(ssl)) { + if (tlsext_sigalgs_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { fprintf(stderr, "FAIL: server should not need sigalgs\n"); failure = 1; goto done; } - if (tlsext_sigalgs_server_build(ssl, &cbb)) { + if (tlsext_sigalgs_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { fprintf(stderr, "FAIL: server should not build sigalgs\n"); failure = 1; goto done; @@ -1626,7 +1629,7 @@ test_tlsext_sigalgs_server(void) errx(1, "failed to finish CBB"); CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client)); - if (tlsext_sigalgs_client_parse(ssl, &cbs, &alert)) { + if (tlsext_sigalgs_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { fprintf(stderr, "FAIL: server should not parse sigalgs\n"); failure = 1; goto done; @@ -1640,6 +1643,7 @@ test_tlsext_sigalgs_server(void) return (failure); } +#endif /* * Server Name Indication - RFC 6066 section 3. @@ -1679,7 +1683,7 @@ test_tlsext_sni_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_sni_client_needs(ssl)) { + if (tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need SNI\n"); goto err; } @@ -1689,12 +1693,12 @@ test_tlsext_sni_client(void) goto err; } - if (!tlsext_sni_client_needs(ssl)) { + if (!tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need SNI\n"); goto err; } - if (!tlsext_sni_client_build(ssl, &cbb)) { + if (!tlsext_sni_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build SNI\n"); goto err; } @@ -1723,12 +1727,12 @@ test_tlsext_sni_client(void) ssl->internal->hit = 0; CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client)); - if (!tlsext_sni_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client SNI\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1752,7 +1756,7 @@ test_tlsext_sni_client(void) errx(1, "failed to strdup tlsext_hostname"); CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client)); - if (tlsext_sni_server_parse(ssl, &cbs, &alert)) { + if (tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("parsed client with mismatched SNI\n"); goto err; } @@ -1792,7 +1796,7 @@ test_tlsext_sni_server(void) if ((ssl->session = SSL_SESSION_new()) == NULL) errx(1, "failed to create session"); - if (tlsext_sni_server_needs(ssl)) { + if (tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need SNI\n"); goto err; } @@ -1806,12 +1810,12 @@ test_tlsext_sni_server(void) NULL) errx(1, "failed to strdup tlsext_hostname"); - if (!tlsext_sni_server_needs(ssl)) { + if (!tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need SNI\n"); goto err; } - if (!tlsext_sni_server_build(ssl, &cbb)) { + if (!tlsext_sni_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server failed to build SNI\n"); goto err; } @@ -1838,12 +1842,12 @@ test_tlsext_sni_server(void) ssl->session->tlsext_hostname = NULL; CBS_init(&cbs, tlsext_sni_server, sizeof_tlsext_sni_server); - if (!tlsext_sni_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_sni_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse server SNI\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1896,17 +1900,17 @@ test_tlsext_ocsp_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_ocsp_client_needs(ssl)) { + if (tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need ocsp\n"); goto err; } SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); - if (!tlsext_ocsp_client_needs(ssl)) { + if (!tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need ocsp\n"); goto err; } - if (!tlsext_ocsp_client_build(ssl, &cbb)) { + if (!tlsext_ocsp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build SNI\n"); goto err; } @@ -1930,12 +1934,12 @@ test_tlsext_ocsp_client(void) } CBS_init(&cbs, tls_ocsp_client_default, sizeof(tls_ocsp_client_default)); - if (!tlsext_ocsp_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_ocsp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse ocsp client\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -1969,18 +1973,18 @@ test_tlsext_ocsp_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (tlsext_ocsp_server_needs(ssl)) { + if (tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need ocsp\n"); goto err; } ssl->internal->tlsext_status_expected = 1; - if (!tlsext_ocsp_server_needs(ssl)) { + if (!tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need ocsp\n"); goto err; } - if (!tlsext_ocsp_server_build(ssl, &cbb)) { + if (!tlsext_ocsp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server failed to build ocsp\n"); goto err; } @@ -2036,7 +2040,7 @@ test_tlsext_sessionticket_client(void) errx(1, "failed to create SSL"); /* Should need a ticket by default. */ - if (!tlsext_sessionticket_client_needs(ssl)) { + if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need Sessionticket for default " "ciphers\n"); goto err; @@ -2044,31 +2048,31 @@ test_tlsext_sessionticket_client(void) /* Test disabling tickets. */ if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) { - FAIL("Cannot disable tickets in the TLS connection"); + FAIL("Cannot disable tickets in the TLS connection\n"); return 0; } - if (tlsext_sessionticket_client_needs(ssl)) { - FAIL("client should not need SessionTicket if it was disabled"); + if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should not need SessionTicket if it was disabled\n"); goto err; } /* Test re-enabling tickets. */ if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) { - FAIL("Cannot re-enable tickets in the TLS connection"); + FAIL("Cannot re-enable tickets in the TLS connection\n"); return 0; } - if (!tlsext_sessionticket_client_needs(ssl)) { - FAIL("client should need SessionTicket if it was disabled"); + if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should need SessionTicket if it was disabled\n"); goto err; } /* Since we don't have a session, we should build an empty ticket. */ - if (!tlsext_sessionticket_client_build(ssl, &cbb)) { - FAIL("Cannot build a ticket"); + if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { + FAIL("Cannot build a ticket\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB"); + FAIL("Cannot finish CBB\n"); goto err; } if (dlen != 0) { @@ -2084,16 +2088,16 @@ test_tlsext_sessionticket_client(void) /* With a new session (but no ticket), we should still have 0 length */ if ((ssl->session = SSL_SESSION_new()) == NULL) errx(1, "failed to create session"); - if (!tlsext_sessionticket_client_needs(ssl)) { - FAIL("Should still want a session ticket with a new session"); + if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("Should still want a session ticket with a new session\n"); goto err; } - if (!tlsext_sessionticket_client_build(ssl, &cbb)) { - FAIL("Cannot build a ticket"); + if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { + FAIL("Cannot build a ticket\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB"); + FAIL("Cannot finish CBB\n"); goto err; } if (dlen != 0) { @@ -2118,16 +2122,16 @@ test_tlsext_sessionticket_client(void) memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy)); ssl->session->tlsext_ticklen = sizeof(dummy); - if (!tlsext_sessionticket_client_needs(ssl)) { - FAIL("Should still want a session ticket with a new session"); + if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("Should still want a session ticket with a new session\n"); goto err; } - if (!tlsext_sessionticket_client_build(ssl, &cbb)) { - FAIL("Cannot build a ticket"); + if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { + FAIL("Cannot build a ticket\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB"); + FAIL("Cannot finish CBB\n"); goto err; } if (dlen != sizeof(dummy)) { @@ -2154,12 +2158,12 @@ test_tlsext_sessionticket_client(void) * through SSL_set_options(). */ if (!SSL_set_session_ticket_ext(ssl, NULL, 0)) { - FAIL("Could not set a NULL custom ticket"); + FAIL("Could not set a NULL custom ticket\n"); goto err; } /* Should not need a ticket in this case */ - if (tlsext_sessionticket_client_needs(ssl)) { - FAIL("Should not want to use session tickets with a NULL custom"); + if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("Should not want to use session tickets with a NULL custom\n"); goto err; } @@ -2170,27 +2174,27 @@ test_tlsext_sessionticket_client(void) free(ssl->internal->tlsext_session_ticket); ssl->internal->tlsext_session_ticket = NULL; - if (!tlsext_sessionticket_client_needs(ssl)) { - FAIL("Should need a session ticket again when the custom one is removed"); + if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("Should need a session ticket again when the custom one is removed\n"); goto err; } /* Test a custom session ticket (not recommended in practice) */ if (!SSL_set_session_ticket_ext(ssl, tlsext_sessionticket_hello_max, sizeof(tlsext_sessionticket_hello_max))) { - FAIL("Should be able to set a custom ticket"); + FAIL("Should be able to set a custom ticket\n"); goto err; } - if (!tlsext_sessionticket_client_needs(ssl)) { - FAIL("Should need a session ticket again when the custom one is not empty"); + if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("Should need a session ticket again when the custom one is not empty\n"); goto err; } - if (!tlsext_sessionticket_client_build(ssl, &cbb)) { - FAIL("Cannot build a ticket with a max length random payload"); + if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { + FAIL("Cannot build a ticket with a max length random payload\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB"); + FAIL("Cannot finish CBB\n"); goto err; } if (dlen != sizeof(tlsext_sessionticket_hello_max)) { @@ -2200,7 +2204,7 @@ test_tlsext_sessionticket_client(void) } if (memcmp(data, tlsext_sessionticket_hello_max, sizeof(tlsext_sessionticket_hello_max)) != 0) { - FAIL("Expected to get what we passed in"); + FAIL("Expected to get what we passed in\n"); compare_data(data, dlen, tlsext_sessionticket_hello_max, sizeof(tlsext_sessionticket_hello_max)); @@ -2242,45 +2246,45 @@ test_tlsext_sessionticket_server(void) * By default, should not need a session ticket since the ticket * is not yet expected. */ - if (tlsext_sessionticket_server_needs(ssl)) { + if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need SessionTicket by default\n"); goto err; } /* Test disabling tickets. */ if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) { - FAIL("Cannot disable tickets in the TLS connection"); + FAIL("Cannot disable tickets in the TLS connection\n"); return 0; } - if (tlsext_sessionticket_server_needs(ssl)) { - FAIL("server should not need SessionTicket if it was disabled"); + if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { + FAIL("server should not need SessionTicket if it was disabled\n"); goto err; } /* Test re-enabling tickets. */ if ((SSL_clear_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) != 0) { - FAIL("Cannot re-enable tickets in the TLS connection"); + FAIL("Cannot re-enable tickets in the TLS connection\n"); return 0; } - if (tlsext_sessionticket_server_needs(ssl)) { - FAIL("server should not need SessionTicket yet"); + if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { + FAIL("server should not need SessionTicket yet\n"); goto err; } /* Set expected to require it. */ ssl->internal->tlsext_ticket_expected = 1; - if (!tlsext_sessionticket_server_needs(ssl)) { - FAIL("server should now be required for SessionTicket"); + if (!tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { + FAIL("server should now be required for SessionTicket\n"); goto err; } /* server hello's session ticket should always be 0 length payload. */ - if (!tlsext_sessionticket_server_build(ssl, &cbb)) { - FAIL("Cannot build a ticket with a max length random payload"); + if (!tlsext_sessionticket_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { + FAIL("Cannot build a ticket with a max length random payload\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("Cannot finish CBB"); + FAIL("Cannot finish CBB\n"); goto err; } if (dlen != 0) { @@ -2370,7 +2374,7 @@ test_tlsext_srtp_client(void) errx(1, "failed to create SSL"); /* By default, we don't need this */ - if (tlsext_srtp_client_needs(ssl)) { + if (tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need SRTP by default\n"); goto err; } @@ -2379,14 +2383,14 @@ test_tlsext_srtp_client(void) FAIL("should be able to set a single SRTP\n"); goto err; } - if (!tlsext_srtp_client_needs(ssl)) { + if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need SRTP\n"); goto err; } /* Make sure we can build the client with a single profile. */ - if (!tlsext_srtp_client_build(ssl, &cbb)) { + if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build SRTP\n"); goto err; } @@ -2421,12 +2425,12 @@ test_tlsext_srtp_client(void) } CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single)); - if (!tlsext_srtp_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse SRTP\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -2439,7 +2443,7 @@ test_tlsext_srtp_client(void) goto err; } - if (!tlsext_srtp_server_needs(ssl)) { + if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("should send server extension when profile selected\n"); goto err; } @@ -2450,12 +2454,12 @@ test_tlsext_srtp_client(void) FAIL("should be able to set SRTP to multiple profiles\n"); goto err; } - if (!tlsext_srtp_client_needs(ssl)) { + if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need SRTP by now\n"); goto err; } - if (!tlsext_srtp_client_build(ssl, &cbb)) { + if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client failed to build SRTP\n"); goto err; } @@ -2488,12 +2492,12 @@ test_tlsext_srtp_client(void) CBS_init(&cbs, tlsext_srtp_multiple, sizeof(tlsext_srtp_multiple)); - if (!tlsext_srtp_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse SRTP\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -2506,7 +2510,7 @@ test_tlsext_srtp_client(void) goto err; } - if (!tlsext_srtp_server_needs(ssl)) { + if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("should send server extension when profile selected\n"); goto err; } @@ -2519,12 +2523,12 @@ test_tlsext_srtp_client(void) CBS_init(&cbs, tlsext_srtp_multiple_one_valid, sizeof(tlsext_srtp_multiple_one_valid)); - if (!tlsext_srtp_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse SRTP\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -2537,7 +2541,7 @@ test_tlsext_srtp_client(void) goto err; } - if (!tlsext_srtp_server_needs(ssl)) { + if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("should send server extension when profile selected\n"); goto err; } @@ -2548,12 +2552,12 @@ test_tlsext_srtp_client(void) CBS_init(&cbs, tlsext_srtp_multiple_invalid, sizeof(tlsext_srtp_multiple_invalid)); - if (!tlsext_srtp_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("should be able to fall back to negotiated\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -2562,7 +2566,7 @@ test_tlsext_srtp_client(void) FAIL("should not have selected a profile when none found\n"); goto err; } - if (tlsext_srtp_server_needs(ssl)) { + if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("should not send server tlsext when no profile found\n"); goto err; } @@ -2581,7 +2585,7 @@ test_tlsext_srtp_client(void) static int test_tlsext_srtp_server(void) { - SRTP_PROTECTION_PROFILE *prof; + const SRTP_PROTECTION_PROFILE *prof; SSL_CTX *ssl_ctx = NULL; SSL *ssl = NULL; uint8_t *data = NULL; @@ -2601,25 +2605,25 @@ test_tlsext_srtp_server(void) errx(1, "failed to create SSL"); /* By default, we don't need this */ - if (tlsext_srtp_server_needs(ssl)) { + if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need SRTP by default\n"); goto err; } - if (srtp_find_profile_by_name((char *)tlsext_srtp_aes128cmsha80, &prof, + if (srtp_find_profile_by_name(tlsext_srtp_aes128cmsha80, &prof, strlen(tlsext_srtp_aes128cmsha80))) { FAIL("should be able to find the given profile\n"); goto err; } ssl->internal->srtp_profile = prof; - if (!tlsext_srtp_server_needs(ssl)) { + if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need SRTP by now\n"); goto err; } /* Make sure we can build the server with a single profile. */ - if (!tlsext_srtp_server_build(ssl, &cbb)) { + if (!tlsext_srtp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server failed to build SRTP\n"); goto err; } @@ -2661,12 +2665,12 @@ test_tlsext_srtp_server(void) } CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single)); - if (!tlsext_srtp_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse SRTP\n"); goto err; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); goto err; } @@ -2684,7 +2688,7 @@ test_tlsext_srtp_server(void) CBS_init(&cbs, tlsext_srtp_multiple, sizeof(tlsext_srtp_multiple)); - if (tlsext_srtp_client_parse(ssl, &cbs, &alert)) { + if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("should not find multiple entries from the server\n"); goto err; } @@ -2694,7 +2698,7 @@ test_tlsext_srtp_server(void) CBS_init(&cbs, tlsext_srtp_single_invalid, sizeof(tlsext_srtp_single_invalid)); - if (tlsext_srtp_client_parse(ssl, &cbs, &alert)) { + if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("should not be able to parse this\n"); goto err; } @@ -2712,13 +2716,13 @@ test_tlsext_srtp_server(void) #endif /* OPENSSL_NO_SRTP */ unsigned char tlsext_clienthello_default[] = { - 0x00, 0x32, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, - 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, - 0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00, - 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, - 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, - 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, - 0x02, 0x01, 0x02, 0x03, + 0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, + 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, + 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, + 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, + 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, + 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, }; unsigned char tlsext_clienthello_disabled[] = { @@ -2746,7 +2750,10 @@ test_tlsext_clienthello_build(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - if (!tlsext_client_build(ssl, &cbb, SSL_TLSEXT_MSG_CH)) { + S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; + + if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("failed to build clienthello extensions\n"); goto err; } @@ -2772,17 +2779,17 @@ test_tlsext_clienthello_build(void) CBB_init(&cbb, 0); /* Switch to TLSv1.1, disable EC ciphers and session tickets. */ - ssl->client_version = TLS1_1_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION; if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) { FAIL("failed to set cipher list\n"); goto err; } if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) { - FAIL("failed to disable session tickets"); + FAIL("failed to disable session tickets\n"); return 0; } - if (!tlsext_client_build(ssl, &cbb, SSL_TLSEXT_MSG_CH)) { + if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("failed to build clienthello extensions\n"); goto err; } @@ -2816,14 +2823,13 @@ test_tlsext_clienthello_build(void) } unsigned char tlsext_serverhello_default[] = { - 0x00 + 0x00, 0x06, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04, }; -const size_t sizeof_tlsext_serverhello_default = 0; unsigned char tlsext_serverhello_enabled[] = { - 0x00, 0x13, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, - 0x00, 0x00, 0x23, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04, + 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, + 0x00, 0x00, }; static int @@ -2848,28 +2854,30 @@ test_tlsext_serverhello_build(void) if ((ssl->session = SSL_SESSION_new()) == NULL) errx(1, "failed to create session"); - S3I(ssl)->hs.new_cipher = + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; + S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION; + S3I(ssl)->hs.cipher = ssl3_get_cipher_by_id(TLS1_CK_RSA_WITH_AES_128_SHA256); - if (!tlsext_server_build(ssl, &cbb, SSL_TLSEXT_MSG_SH)) { + if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("failed to build serverhello extensions\n"); goto err; } if (!CBB_finish(&cbb, &data, &dlen)) errx(1, "failed to finish CBB"); - if (dlen != sizeof_tlsext_serverhello_default) { + if (dlen != sizeof(tlsext_serverhello_default)) { FAIL("got serverhello extensions with length %zu, " "want length %zu\n", dlen, - sizeof_tlsext_serverhello_default); + sizeof(tlsext_serverhello_default)); compare_data(data, dlen, tlsext_serverhello_default, - sizeof_tlsext_serverhello_default); + sizeof(tlsext_serverhello_default)); goto err; } if (memcmp(data, tlsext_serverhello_default, dlen) != 0) { FAIL("serverhello extensions differs:\n"); compare_data(data, dlen, tlsext_serverhello_default, - sizeof_tlsext_serverhello_default); + sizeof(tlsext_serverhello_default)); goto err; } @@ -2878,7 +2886,7 @@ test_tlsext_serverhello_build(void) /* Turn a few things on so we get extensions... */ S3I(ssl)->send_connection_binding = 1; - S3I(ssl)->hs.new_cipher = + S3I(ssl)->hs.cipher = ssl3_get_cipher_by_id(TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256); ssl->internal->tlsext_status_expected = 1; ssl->internal->tlsext_ticket_expected = 1; @@ -2888,7 +2896,7 @@ test_tlsext_serverhello_build(void) SSI(ssl)->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; - if (!tlsext_server_build(ssl, &cbb, SSL_TLSEXT_MSG_SH)) { + if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("failed to build serverhello extensions\n"); goto err; } @@ -2949,48 +2957,41 @@ test_tlsext_versions_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - S3I(ssl)->hs_tls13.max_version = 0; + S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION; - if (tlsext_versions_client_needs(ssl)) { + if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need versions\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; - if (tlsext_versions_client_needs(ssl)) { + if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need versions\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; - if (!tlsext_versions_client_needs(ssl)) { + if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need versions\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; - S3I(ssl)->hs_tls13.min_version = 0; - if (tlsext_versions_client_build(ssl, &cbb)) { - FAIL("client should not have built versions\n"); - failure = 1; - goto done; - } + S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION; + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; - S3I(ssl)->hs_tls13.min_version = TLS1_VERSION; - if (!tlsext_versions_client_build(ssl, &cbb)) { + if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client should have built versions\n"); failure = 1; goto done; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); + FAIL("failed to finish CBB\n"); failure = 1; goto done; } @@ -3003,13 +3004,13 @@ test_tlsext_versions_client(void) } CBS_init(&cbs, data, dlen); - if (!tlsext_versions_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_versions_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client versions\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); failure = 1; goto done; } @@ -3042,30 +3043,30 @@ test_tlsext_versions_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - ssl->version = TLS1_2_VERSION; + S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION; - if (tlsext_versions_server_needs(ssl)) { + if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need versions\n"); failure = 1; goto done; } - ssl->version = TLS1_3_VERSION; + S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION; - if (!tlsext_versions_server_needs(ssl)) { + if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should need versions\n"); failure = 1; goto done; } - if (!tlsext_versions_server_build(ssl, &cbb)) { + if (!tlsext_versions_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("server should have built versions\n"); failure = 1; goto done; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); + FAIL("failed to finish CBB\n"); failure = 1; goto done; } @@ -3078,13 +3079,13 @@ test_tlsext_versions_server(void) } CBS_init(&cbs, data, dlen); - if (!tlsext_versions_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_versions_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse client versions\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); failure = 1; goto done; } @@ -3132,37 +3133,35 @@ test_tlsext_keyshare_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - S3I(ssl)->hs_tls13.max_version = 0; + if ((S3I(ssl)->hs.tls13.key_share = + tls13_key_share_new_nid(NID_X25519)) == NULL) + errx(1, "failed to create key share"); + if (!tls13_key_share_generate(S3I(ssl)->hs.tls13.key_share)) + errx(1, "failed to generate key share"); - if (tlsext_keyshare_client_needs(ssl)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; + if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need keyshare\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; - if (tlsext_keyshare_client_needs(ssl)) { - FAIL("client should not need keyshare\n"); - failure = 1; - goto done; - } - - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; - if (!tlsext_keyshare_client_needs(ssl)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; + if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should need keyshare\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; - if (!tlsext_keyshare_client_build(ssl, &cbb)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; + if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { FAIL("client should have built keyshare\n"); failure = 1; goto done; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); + FAIL("failed to finish CBB\n"); failure = 1; goto done; } @@ -3177,14 +3176,14 @@ test_tlsext_keyshare_client(void) (ssl)->version = TLS1_3_VERSION; CBS_init(&cbs, data, dlen); - if (!tlsext_keyshare_server_parse(ssl, &cbs, &alert)) { + if (!tlsext_keyshare_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client keyshare\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); failure = 1; goto done; } @@ -3214,7 +3213,7 @@ test_tlsext_keyshare_server(void) 0xe5, 0xe8, 0x5a, 0xb9, 0x7e, 0x12, 0x62, 0xe3, 0xd8, 0x7f, 0x6e, 0x3c, 0xec, 0xa6, 0x8b, 0x99, 0x45, 0x77, 0x8e, 0x11, 0xb3, 0xb9, 0x12, 0xb6, - 0xbe, 0x35, 0xca, 0x51, 0x76, 0x1e, 0xe8, 0x22 + 0xbe, 0x35, 0xca, 0x51, 0x76, 0x1e, 0xe8, 0x22, }; CBB_init(&cbb, 0); @@ -3224,56 +3223,61 @@ test_tlsext_keyshare_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - (ssl)->version = 0; - if (tlsext_keyshare_server_needs(ssl)) { + S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION; + if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need keyshare\n"); failure = 1; goto done; } - (ssl)->version = TLS1_2_VERSION; - if (tlsext_keyshare_server_needs(ssl)) { - FAIL("server should not need keyshare\n"); + S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION; + if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { + FAIL("client should not need keyshare\n"); failure = 1; goto done; } - ssl->version = TLS1_3_VERSION; - if (tlsext_keyshare_server_needs(ssl)) { - FAIL("client should not need keyshare\n"); + if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL) { + FAIL("failed to find keyshare extension\n"); failure = 1; goto done; } - - if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL) - FAIL("Can't find keyshare extension"); S3I(ssl)->hs.extensions_seen |= (1 << idx); - if (!tlsext_keyshare_server_needs(ssl)) { - FAIL("server should need keyshare"); + if (!tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { + FAIL("server should need keyshare\n"); failure = 1; goto done; } - if (tlsext_keyshare_server_build(ssl, &cbb)) { - FAIL("server should not have built a keyshare response"); + if (tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { + FAIL("server should not have built a keyshare response\n"); failure = 1; goto done; } - if ((S3I(ssl)->hs_tls13.x25519_peer_public = - malloc(sizeof(bogokey))) == NULL) - errx(1, "malloc failed"); - memcpy(S3I(ssl)->hs_tls13.x25519_peer_public, bogokey, sizeof(bogokey)); + if ((S3I(ssl)->hs.tls13.key_share = + tls13_key_share_new_nid(NID_X25519)) == NULL) + errx(1, "failed to create key share"); + if (!tls13_key_share_generate(S3I(ssl)->hs.tls13.key_share)) + errx(1, "failed to generate key share"); + + CBS_init(&cbs, bogokey, sizeof(bogokey)); + if (!tls13_key_share_peer_public(S3I(ssl)->hs.tls13.key_share, + 0x001d, &cbs)) { + FAIL("failed to load peer public key\n"); + failure = 1; + goto done; + } - if (!tlsext_keyshare_server_build(ssl, &cbb)) { - FAIL("server should be able to build a keyshare response"); + if (!tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { + FAIL("server should be able to build a keyshare response\n"); failure = 1; goto done; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); + FAIL("failed to finish CBB\n"); failure = 1; goto done; } @@ -3285,16 +3289,22 @@ test_tlsext_keyshare_server(void) goto done; } + if ((S3I(ssl)->hs.tls13.key_share = + tls13_key_share_new_nid(NID_X25519)) == NULL) + errx(1, "failed to create key share"); + if (!tls13_key_share_generate(S3I(ssl)->hs.tls13.key_share)) + errx(1, "failed to generate key share"); + CBS_init(&cbs, data, dlen); - if (!tlsext_keyshare_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_keyshare_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse server keyshare\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); failure = 1; goto done; } @@ -3310,22 +3320,12 @@ test_tlsext_keyshare_server(void) /* One day I hope to be the only Muppet in this codebase */ const uint8_t cookie[] = "\n" - " .---. .---. \n" - " : : o : me want cookie! \n" - " _..-: o : :-.._ / \n" - " .-'' ' `---' `---' ' ``-. \n" - " .' ' ' ' . ' . ' ' `. \n" - " : '.---.,,.,...,.,.,.,..---. ' ; \n" - " `. ' `. .' ' .' \n" - " `. '`. .' ' .' \n" - " `. `-._ _.-' ' .' .----. \n" - " `. ' ''--...--'' . ' .' .' o `. \n" - " .'`-._' ' . ' _.-'`. : o : \n" - " jgs .' ```--.....--''' ' `:_ o : \n" - " .' ' ' ' ' ; `.;';';';' \n" - " ; ' ' ' . ; .' ; ; ; \n" - " ; ' ' ' ' .' .-' \n" - " ' ' ' ' ' ' _.-' \n"; + " (o)(o) \n" + " m' 'm \n" + " M -****- M \n" + " 'm m' \n" + " m''''''''''m \n" + " M M BB \n"; static int test_tlsext_cookie_client(void) @@ -3346,46 +3346,39 @@ test_tlsext_cookie_client(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - S3I(ssl)->hs_tls13.max_version = 0; - if (tlsext_cookie_client_needs(ssl)) { - FAIL("client should not need cookie\n"); - failure = 1; - goto done; - } - - S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; - if (tlsext_cookie_client_needs(ssl)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; + if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need cookie\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; - if (tlsext_cookie_client_needs(ssl)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; + if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { FAIL("client should not need cookie\n"); failure = 1; goto done; } /* Normally would be set by receiving a server cookie in an HRR */ - S3I(ssl)->hs_tls13.cookie = strdup(cookie); - S3I(ssl)->hs_tls13.cookie_len = strlen(cookie); + S3I(ssl)->hs.tls13.cookie = strdup(cookie); + S3I(ssl)->hs.tls13.cookie_len = strlen(cookie); - if (!tlsext_cookie_client_needs(ssl)) { - FAIL("client should need cookie"); + if (!tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { + FAIL("client should need cookie\n"); failure = 1; goto done; } - if (!tlsext_cookie_client_build(ssl, &cbb)) { - FAIL("client should have built a cookie response"); + if (!tlsext_cookie_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { + FAIL("client should have built a cookie response\n"); failure = 1; goto done; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); + FAIL("failed to finish CBB\n"); failure = 1; goto done; } @@ -3400,15 +3393,15 @@ test_tlsext_cookie_client(void) CBS_init(&cbs, data, dlen); - /* Checks cookie against what's in the hs_tls13 */ - if (!tlsext_cookie_server_parse(ssl, &cbs, &alert)) { + /* Checks cookie against what's in the hs.tls13 */ + if (!tlsext_cookie_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { FAIL("failed to parse client cookie\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); failure = 1; goto done; } @@ -3441,46 +3434,38 @@ test_tlsext_cookie_server(void) if ((ssl = SSL_new(ssl_ctx)) == NULL) errx(1, "failed to create SSL"); - S3I(ssl)->hs_tls13.max_version = 0; - if (tlsext_cookie_server_needs(ssl)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; + if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need cookie\n"); failure = 1; goto done; } - S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; - if (tlsext_cookie_server_needs(ssl)) { - FAIL("server should not need cookie\n"); - failure = 1; - goto done; - } - - - S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; - if (tlsext_cookie_server_needs(ssl)) { + S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; + if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { FAIL("server should not need cookie\n"); failure = 1; goto done; } /* Normally would be set by server before sending HRR */ - S3I(ssl)->hs_tls13.cookie = strdup(cookie); - S3I(ssl)->hs_tls13.cookie_len = strlen(cookie); + S3I(ssl)->hs.tls13.cookie = strdup(cookie); + S3I(ssl)->hs.tls13.cookie_len = strlen(cookie); - if (!tlsext_cookie_server_needs(ssl)) { - FAIL("server should need cookie"); + if (!tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_HRR)) { + FAIL("server should need cookie\n"); failure = 1; goto done; } - if (!tlsext_cookie_server_build(ssl, &cbb)) { - FAIL("server have built a cookie response"); + if (!tlsext_cookie_server_build(ssl, SSL_TLSEXT_MSG_HRR, &cbb)) { + FAIL("server should have built a cookie response\n"); failure = 1; goto done; } if (!CBB_finish(&cbb, &data, &dlen)) { - FAIL("failed to finish CBB"); + FAIL("failed to finish CBB\n"); failure = 1; goto done; } @@ -3495,31 +3480,31 @@ test_tlsext_cookie_server(void) CBS_init(&cbs, data, dlen); - if (tlsext_cookie_client_parse(ssl, &cbs, &alert)) { + if (tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("client should not have parsed server cookie\n"); failure = 1; goto done; } - freezero(S3I(ssl)->hs_tls13.cookie, S3I(ssl)->hs_tls13.cookie_len); - S3I(ssl)->hs_tls13.cookie = NULL; - S3I(ssl)->hs_tls13.cookie_len = 0; + freezero(S3I(ssl)->hs.tls13.cookie, S3I(ssl)->hs.tls13.cookie_len); + S3I(ssl)->hs.tls13.cookie = NULL; + S3I(ssl)->hs.tls13.cookie_len = 0; - if (!tlsext_cookie_client_parse(ssl, &cbs, &alert)) { + if (!tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { FAIL("failed to parse server cookie\n"); failure = 1; goto done; } - if (memcmp(cookie, S3I(ssl)->hs_tls13.cookie, - S3I(ssl)->hs_tls13.cookie_len) != 0) { + if (memcmp(cookie, S3I(ssl)->hs.tls13.cookie, + S3I(ssl)->hs.tls13.cookie_len) != 0) { FAIL("parsed server cookie does not match sent cookie\n"); failure = 1; goto done; } if (CBS_len(&cbs) != 0) { - FAIL("extension data remaining"); + FAIL("extension data remaining\n"); failure = 1; goto done; } @@ -3533,6 +3518,85 @@ test_tlsext_cookie_server(void) return (failure); } +unsigned char *valid_hostnames[] = { + "openbsd.org", + "op3nbsd.org", + "org", + "3openbsd.com", + "3-0penb-d.c-m", + "a", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + NULL, +}; + +static int +test_tlsext_valid_hostnames(void) +{ + int i, failure = 0; + + for (i = 0; valid_hostnames[i] != NULL; i++) { + CBS cbs; + CBS_init(&cbs, valid_hostnames[i], strlen(valid_hostnames[i])); + if (!tlsext_sni_is_valid_hostname(&cbs)) { + FAIL("Valid hostname '%s' rejected\n", + valid_hostnames[i]); + failure = 1; + goto done; + } + } + done: + return failure; +} + +unsigned char *invalid_hostnames[] = { + "openbsd.org.", + "openbsd..org", + "openbsd.org-", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", + "-p3nbsd.org", + "openbs-.org", + "openbsd\n.org", + "open_bsd.org", + "open\178bsd.org", + "open\255bsd.org", + NULL, +}; + +static int +test_tlsext_invalid_hostnames(void) +{ + int i, failure = 0; + CBS cbs; + + for (i = 0; invalid_hostnames[i] != NULL; i++) { + CBS_init(&cbs, invalid_hostnames[i], + strlen(invalid_hostnames[i])); + if (tlsext_sni_is_valid_hostname(&cbs)) { + FAIL("Invalid hostname '%s' accepted\n", + invalid_hostnames[i]); + failure = 1; + goto done; + } + } + CBS_init(&cbs, valid_hostnames[0], + strlen(valid_hostnames[0]) + 1); + if (tlsext_sni_is_valid_hostname(&cbs)) { + FAIL("hostname with NUL byte accepted\n"); + failure = 1; + goto done; + } + done: + return failure; +} + int main(int argc, char **argv) @@ -3555,7 +3619,6 @@ main(int argc, char **argv) failed |= test_tlsext_ri_server(); failed |= test_tlsext_sigalgs_client(); - failed |= test_tlsext_sigalgs_server(); failed |= test_tlsext_sni_client(); failed |= test_tlsext_sni_server(); @@ -3585,5 +3648,8 @@ main(int argc, char **argv) failed |= test_tlsext_clienthello_build(); failed |= test_tlsext_serverhello_build(); + failed |= test_tlsext_valid_hostnames(); + failed |= test_tlsext_invalid_hostnames(); + return (failed); } diff --git a/tests/tlstest.c b/tests/tlstest.c index 8a4d5dbb..14684231 100644 --- a/tests/tlstest.c +++ b/tests/tlstest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tlstest.c,v 1.10 2018/03/19 16:36:12 jsing Exp $ */ +/* $OpenBSD: tlstest.c,v 1.13 2021/04/04 16:19:47 tb Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -291,6 +291,59 @@ test_tls_socket(struct tls *client, struct tls *server) return (failure); } +static int +test_tls(char *client_protocols, char *server_protocols, char *ciphers) +{ + struct tls_config *client_cfg, *server_cfg; + struct tls *client, *server; + uint32_t protocols; + int failure = 0; + + if ((client = tls_client()) == NULL) + errx(1, "failed to create tls client"); + if ((client_cfg = tls_config_new()) == NULL) + errx(1, "failed to create tls client config"); + tls_config_insecure_noverifyname(client_cfg); + if (tls_config_parse_protocols(&protocols, client_protocols) == -1) + errx(1, "failed to parse protocols: %s", tls_config_error(client_cfg)); + if (tls_config_set_protocols(client_cfg, protocols) == -1) + errx(1, "failed to set protocols: %s", tls_config_error(client_cfg)); + if (tls_config_set_ciphers(client_cfg, ciphers) == -1) + errx(1, "failed to set ciphers: %s", tls_config_error(client_cfg)); + if (tls_config_set_ca_file(client_cfg, cafile) == -1) + errx(1, "failed to set ca: %s", tls_config_error(client_cfg)); + + if ((server = tls_server()) == NULL) + errx(1, "failed to create tls server"); + if ((server_cfg = tls_config_new()) == NULL) + errx(1, "failed to create tls server config"); + if (tls_config_parse_protocols(&protocols, server_protocols) == -1) + errx(1, "failed to parse protocols: %s", tls_config_error(server_cfg)); + if (tls_config_set_protocols(server_cfg, protocols) == -1) + errx(1, "failed to set protocols: %s", tls_config_error(server_cfg)); + if (tls_config_set_ciphers(server_cfg, ciphers) == -1) + errx(1, "failed to set ciphers: %s", tls_config_error(server_cfg)); + if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1) + errx(1, "failed to set keypair: %s", + tls_config_error(server_cfg)); + + if (tls_configure(client, client_cfg) == -1) + errx(1, "failed to configure client: %s", tls_error(client)); + tls_reset(server); + if (tls_configure(server, server_cfg) == -1) + errx(1, "failed to configure server: %s", tls_error(server)); + + tls_config_free(client_cfg); + tls_config_free(server_cfg); + + failure |= test_tls_cbs(client, server); + + tls_free(client); + tls_free(server); + + return (failure); +} + static int do_tls_tests(void) { @@ -298,6 +351,8 @@ do_tls_tests(void) struct tls *client, *server; int failure = 0; + printf("== TLS tests ==\n"); + if ((client = tls_client()) == NULL) errx(1, "failed to create tls client"); if ((client_cfg = tls_config_new()) == NULL) @@ -347,6 +402,8 @@ do_tls_tests(void) tls_free(client); tls_free(server); + printf("\n"); + return (failure); } @@ -357,7 +414,7 @@ do_tls_ordering_tests(void) struct tls_config *client_cfg, *server_cfg; int failure = 0; - circular_init(); + printf("== TLS ordering tests ==\n"); if ((client = tls_client()) == NULL) errx(1, "failed to create tls client"); @@ -390,6 +447,8 @@ do_tls_ordering_tests(void) goto done; } + circular_init(); + if (tls_accept_cbs(server, &server_cctx, server_read, server_write, NULL) == -1) errx(1, "failed to accept: %s", tls_error(server)); @@ -425,9 +484,54 @@ do_tls_ordering_tests(void) tls_free(server); tls_free(server_cctx); + printf("\n"); + return (failure); } +struct test_versions { + char *client; + char *server; +}; + +static struct test_versions tls_test_versions[] = { + {"tlsv1.3", "all"}, + {"tlsv1.2", "all"}, + {"tlsv1.1", "all"}, + {"tlsv1.0", "all"}, + {"all", "tlsv1.3"}, + {"all", "tlsv1.2"}, + {"all", "tlsv1.1"}, + {"all", "tlsv1.0"}, + {"tlsv1.3", "tlsv1.3"}, + {"tlsv1.2", "tlsv1.2"}, + {"tlsv1.1", "tlsv1.1"}, + {"tlsv1.0", "tlsv1.0"}, +}; + +#define N_TLS_VERSION_TESTS \ + (sizeof(tls_test_versions) / sizeof(*tls_test_versions)) + +static int +do_tls_version_tests(void) +{ + struct test_versions *tv; + int failure = 0; + size_t i; + + printf("== TLS version tests ==\n"); + + for (i = 0; i < N_TLS_VERSION_TESTS; i++) { + tv = &tls_test_versions[i]; + printf("INFO: version test %zu - client versions '%s' " + "and server versions '%s'\n", i, tv->client, tv->server); + failure |= test_tls(tv->client, tv->server, "legacy"); + printf("\n"); + } + + return failure; +} + int main(int argc, char **argv) { @@ -445,6 +549,7 @@ main(int argc, char **argv) failure |= do_tls_tests(); failure |= do_tls_ordering_tests(); + failure |= do_tls_version_tests(); return (failure); } diff --git a/tests/x509_info.c b/tests/x509_info.c new file mode 100644 index 00000000..8e223e20 --- /dev/null +++ b/tests/x509_info.c @@ -0,0 +1,184 @@ +/* $OpenBSD: x509_info.c,v 1.2 2020/09/18 14:41:04 tb Exp $ */ +/* + * Copyright (c) 2020 Ingo Schwarze + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include +#include +#include + +static const char *const bogus_pem = "\ +-----BEGIN BOGUS----- \n\ +-----END BOGUS----- \n\ +"; + +static const char *const cert_pem = "\ +-----BEGIN CERTIFICATE----- \n\ +MIIDpTCCAo2gAwIBAgIJAPYm3GvOr5eTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV \n\ +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT \n\ +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt \n\ +ZWRpYXRlIENBMB4XDTE0MDUyNDE0NDUxMVoXDTI0MDQwMTE0NDUxMVowZDELMAkG \n\ +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU \n\ +RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw \n\ +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY \n\ ++yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs \n\ +lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D \n\ +nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2 \n\ +x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2 \n\ +bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9 \n\ +AgMBAAGjTjBMMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCwGCWCGSAGG \n\ ++EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0B \n\ +AQUFAAOCAQEAJzA4KTjkjXGSC4He63yX9Br0DneGBzjAwc1H6f72uqnCs8m7jgkE \n\ +PQJFdTzQUKh97QPUuayZ2gl8XHagg+iWGy60Kw37gQ0+lumCN2sllvifhHU9R03H \n\ +bWtS4kue+yQjMbrzf3zWygMDgwvFOUAIgBpH9qGc+CdNu97INTYd0Mvz51vLlxRn \n\ +sC5aBYCWaZFnw3lWYxf9eVFRy9U+DkYFqX0LpmbDtcKP7AZGE6ZwSzaim+Cnoz1u \n\ +Cgn+QmpFXgJKMFIZ82iSZISn+JkCCGxctZX1lMvai4Wi8Y0HxW9FTFZ6KBNwwE4B \n\ +zjbN/ehBkgLlW/DWfi44DvwUHmuU6QP3cw== \n\ +-----END CERTIFICATE----- \n\ +"; + +int +main(void) +{ + BIO *bp; + STACK_OF(X509_INFO) *skin, *skout; + X509_INFO *info0, *info1; + const char *errdata; + unsigned long errcode; + int errcount, errflags, num; + + errcount = 0; + if ((skin = sk_X509_INFO_new_null()) == NULL) + err(1, "sk_X509_INFO_new_null"); + + /* Test with empty input. */ + + if ((bp = BIO_new_mem_buf("", 0)) == NULL) + err(1, "BIO_new_mem_buf(empty)"); + if ((skout = PEM_X509_INFO_read_bio(bp, skin, NULL, NULL)) == NULL) + err(1, "empty input: %s", + ERR_error_string(ERR_get_error(), NULL)); + if (skout != skin) + errx(1, "empty input did not return the same stack"); + skout = NULL; + if ((num = sk_X509_INFO_num(skin)) != 0) + errx(1, "empty input created %d X509_INFO objects", num); + BIO_free(bp); + + /* Test with bogus input. */ + + if ((bp = BIO_new_mem_buf(bogus_pem, strlen(bogus_pem))) == NULL) + err(1, "BIO_new_mem_buf(bogus_pem)"); + if ((skout = PEM_X509_INFO_read_bio(bp, skin, NULL, NULL)) != NULL) + errx(1, "success with bogus input on first try"); + if ((num = sk_X509_INFO_num(skin)) != 0) + errx(1, "bogus input created %d X509_INFO objects", num); + if (BIO_reset(bp) != 1) + errx(1, "BIO_reset"); + + /* Populate stack and test again with bogus input. */ + + if ((info0 = X509_INFO_new()) == NULL) + err(1, "X509_INFO_new"); + info0->references = 2; /* X509_INFO_up_ref(3) doesn't exist. */ + if (sk_X509_INFO_push(skin, info0) != 1) + err(1, "sk_X509_INFO_push"); + if ((skout = PEM_X509_INFO_read_bio(bp, skin, NULL, NULL)) != NULL) + errx(1, "success with bogus input on second try"); + if ((num = sk_X509_INFO_num(skin)) != 1) + errx(1, "bogus input changed stack size from 1 to %d", num); + if (sk_X509_INFO_value(skin, 0) != info0) + errx(1, "bogus input changed stack content"); + if (info0->references != 2) { + warnx("bogus input changed ref count from 2 to %d", + info0->references); + info0->references = 2; + errcount++; + } + BIO_free(bp); + + /* Use a real certificate object. */ + + if ((bp = BIO_new_mem_buf(cert_pem, strlen(cert_pem))) == NULL) + err(1, "BIO_new_mem_buf(cert_pem)"); + if ((skout = PEM_X509_INFO_read_bio(bp, skin, NULL, NULL)) == NULL) { + errdata = NULL; + errflags = 0; + while ((errcode = ERR_get_error_line_data(NULL, NULL, + &errdata, &errflags)) != 0) + if (errdata != NULL && (errflags & ERR_TXT_STRING)) + warnx("%s --- %s", + ERR_error_string(errcode, NULL), + errdata); + else + warnx("%s", ERR_error_string(errcode, NULL)); + err(1, "real input: parsing failed"); + } + if (skout != skin) + errx(1, "real input did not return the same stack"); + skout = NULL; + if ((num = sk_X509_INFO_num(skin)) != 2) + errx(1, "real input changed stack size from 1 to %d", num); + if (sk_X509_INFO_value(skin, 0) != info0) + errx(1, "real input changed stack content"); + if (info0->references != 2) + errx(1, "real input changed ref count from 2 to %d", + info0->references); + info1 = sk_X509_INFO_pop(skin); + if (info1->x509 == NULL) + errx(1, "real input did not create a certificate"); + X509_INFO_free(info1); + info1 = NULL; + BIO_free(bp); + + /* Two real certificates followed by bogus input. */ + + if ((bp = BIO_new(BIO_s_mem())) == NULL) + err(1, "BIO_new"); + if (BIO_puts(bp, cert_pem) != strlen(cert_pem)) + err(1, "BIO_puts(cert_pem) first copy"); + if (BIO_puts(bp, cert_pem) != strlen(cert_pem)) + err(1, "BIO_puts(cert_pem) second copy"); + if (BIO_puts(bp, bogus_pem) != strlen(bogus_pem)) + err(1, "BIO_puts(bogus_pem)"); + if ((skout = PEM_X509_INFO_read_bio(bp, skin, NULL, NULL)) != NULL) + errx(1, "success with real + bogus input"); + if ((num = sk_X509_INFO_num(skin)) != 1) { + warnx("real + bogus input changed stack size from 1 to %d", + num); + while (sk_X509_INFO_num(skin) > 1) + (void)sk_X509_INFO_pop(skin); + errcount++; + } + if (sk_X509_INFO_value(skin, 0) != info0) + errx(1, "real + bogus input changed stack content"); + if (info0->references != 2) { + warnx("real + bogus input changed ref count from 2 to %d", + info0->references); + errcount++; + } + BIO_free(bp); + info0->references = 1; + X509_INFO_free(info0); + sk_X509_INFO_free(skin); + + if (errcount > 0) + errx(1, "%d errors detected", errcount); + return 0; +} diff --git a/tests/x509attribute.c b/tests/x509attribute.c new file mode 100644 index 00000000..3dd6d291 --- /dev/null +++ b/tests/x509attribute.c @@ -0,0 +1,107 @@ +/* $OpenBSD: x509attribute.c,v 1.1 2020/06/04 21:21:03 schwarze Exp $ */ +/* + * Copyright (c) 2020 Ingo Schwarze + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include + +#include +#include + +void fail_head(const char *); +void fail_tail(void); +void fail_str(const char *, const char *); +void fail_int(const char *, int); + +static const char *testname; +static int errcount; + +void +fail_head(const char *stepname) +{ + fprintf(stderr, "failure#%d testname=%s stepname=%s ", + ++errcount, testname, stepname); +} + +void +fail_tail(void) +{ + unsigned long errnum; + + if ((errnum = ERR_get_error())) + fprintf(stderr, "OpenSSL says: %s\n", + ERR_error_string(errnum, NULL)); + if (errno) + fprintf(stderr, "libc says: %s\n", strerror(errno)); +} + +void +fail_str(const char *stepname, const char *result) +{ + fail_head(stepname); + fprintf(stderr, "wrong result=%s\n", result); + fail_tail(); +} + +void +fail_int(const char *stepname, int result) +{ + fail_head(stepname); + fprintf(stderr, "wrong result=%d\n", result); + fail_tail(); +} + +int +main(void) +{ + X509_ATTRIBUTE *attrib; + ASN1_TYPE *any; + ASN1_OBJECT *coid; + int num; + + testname = "preparation"; + if ((coid = OBJ_nid2obj(NID_pkcs7_data)) == NULL) { + fail_str("OBJ_nid2obj", "NULL"); + return 1; + } + + testname = "valid_args"; + if ((attrib = X509_ATTRIBUTE_create(NID_pkcs9_contentType, + V_ASN1_OBJECT, coid)) == NULL) + fail_str("X509_ATTRIBUTE_create", "NULL"); + else if (attrib->object == NULL) + fail_str("attrib->object", "NULL"); + else if (attrib->single) + fail_int("attrib->single", attrib->single); + else if ((num = sk_ASN1_TYPE_num(attrib->value.set)) != 1) + fail_int("num", num); + else if ((any = sk_ASN1_TYPE_value(attrib->value.set, 0)) == NULL) + fail_str("any", "NULL"); + else if (any->type != V_ASN1_OBJECT) + fail_int("any->type", any->type); + else if (any->value.object != coid) + fail_str("value", "wrong pointer"); + X509_ATTRIBUTE_free(attrib); + + testname = "bad_nid"; + if ((attrib = X509_ATTRIBUTE_create(-1, + V_ASN1_OBJECT, coid)) != NULL) + fail_str("X509_ATTRIBUTE_create", "not NULL"); + X509_ATTRIBUTE_free(attrib); + + return errcount != 0; +} diff --git a/tls/CMakeLists.txt b/tls/CMakeLists.txt index 94803ce1..f64b1c3d 100644 --- a/tls/CMakeLists.txt +++ b/tls/CMakeLists.txt @@ -24,9 +24,9 @@ if(WIN32) endif() if(NOT "${OPENSSLDIR}" STREQUAL "") - add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\") + add_definitions(-DTLS_DEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\") else() - add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\") + add_definitions(-DTLS_DEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\") endif() add_library(tls ${TLS_SRC}) @@ -37,18 +37,16 @@ target_include_directories(tls PUBLIC ../include) -if (BUILD_SHARED_LIBS) - export_symbol(tls ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym) - target_link_libraries(tls ssl crypto ${PLATFORM_LIBS}) - if (WIN32) - set(TLS_POSTFIX -${TLS_MAJOR_VERSION}) - endif() - set_target_properties(tls PROPERTIES - OUTPUT_NAME tls${TLS_POSTFIX} - ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX}) - set_target_properties(tls PROPERTIES VERSION ${TLS_VERSION} - SOVERSION ${TLS_MAJOR_VERSION}) +export_symbol(tls ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym) +target_link_libraries(tls ssl crypto ${PLATFORM_LIBS}) +if (WIN32) + set(TLS_POSTFIX -${TLS_MAJOR_VERSION}) endif() +set_target_properties(tls PROPERTIES + OUTPUT_NAME tls${TLS_POSTFIX} + ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX}) +set_target_properties(tls PROPERTIES VERSION ${TLS_VERSION} + SOVERSION ${TLS_MAJOR_VERSION}) if(ENABLE_LIBRESSL_INSTALL) install( diff --git a/tls/Makefile.am b/tls/Makefile.am index fec147e8..4cea3a26 100644 --- a/tls/Makefile.am +++ b/tls/Makefile.am @@ -1,5 +1,8 @@ include $(top_srcdir)/Makefile.am.common +-include $(abs_top_builddir)/crypto/libcrypto_la_objects.mk +-include $(abs_top_builddir)/ssl/libssl_la_objects.mk + lib_LTLIBRARIES = libtls.la EXTRA_DIST = VERSION @@ -7,15 +10,17 @@ EXTRA_DIST += CMakeLists.txt EXTRA_DIST += tls.sym libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym -libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la -libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la +libtls_la_LIBADD = $(libcrypto_la_objects) +libtls_la_LIBADD += $(libcompat_la_objects) +libtls_la_LIBADD += $(libcompatnoopt_la_objects) +libtls_la_LIBADD += $(libssl_la_objects) libtls_la_LIBADD += $(PLATFORM_LDADD) libtls_la_CPPFLAGS = $(AM_CPPFLAGS) if OPENSSLDIR_DEFINED -libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"@OPENSSLDIR@/cert.pem\" +libtls_la_CPPFLAGS += -DTLS_DEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\" else -libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\" +libtls_la_CPPFLAGS += -DTLS_DEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\" endif libtls_la_SOURCES = tls.c diff --git a/tls/Makefile.in b/tls/Makefile.in index a5c39630..ce25e8df 100644 --- a/tls/Makefile.in +++ b/tls/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -89,13 +89,15 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@OPENSSLDIR_DEFINED_TRUE@am__append_1 = -D_PATH_SSL_CA_FILE=\"@OPENSSLDIR@/cert.pem\" -@OPENSSLDIR_DEFINED_FALSE@am__append_2 = -D_PATH_SSL_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\" +@OPENSSLDIR_DEFINED_TRUE@am__append_1 = -DTLS_DEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\" +@OPENSSLDIR_DEFINED_FALSE@am__append_2 = -DTLS_DEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\" @HOST_WIN_TRUE@am__append_3 = compat/ftruncate.c compat/pread.c \ @HOST_WIN_TRUE@ compat/pwrite.c subdir = tls ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_add_fortify_source.m4 \ + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/check-hardening-options.m4 \ $(top_srcdir)/m4/check-libc.m4 \ $(top_srcdir)/m4/check-os-options.m4 \ $(top_srcdir)/m4/disable-compiler-warnings.m4 \ @@ -139,8 +141,7 @@ am__uninstall_files_from_dir = { \ am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = -libtls_la_DEPENDENCIES = $(abs_top_builddir)/ssl/libssl.la \ - $(abs_top_builddir)/crypto/libcrypto.la $(am__DEPENDENCIES_1) +libtls_la_DEPENDENCIES = $(am__DEPENDENCIES_1) am__libtls_la_SOURCES_DIST = tls.c tls_client.c tls_bio_cb.c \ tls_config.c tls_conninfo.c tls_keypair.c tls_server.c \ tls_ocsp.c tls_peer.c tls_util.c tls_verify.c \ @@ -356,6 +357,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -371,8 +373,9 @@ AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \ lib_LTLIBRARIES = libtls.la EXTRA_DIST = VERSION CMakeLists.txt tls.sym libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym -libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la \ - $(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD) +libtls_la_LIBADD = $(libcrypto_la_objects) $(libcompat_la_objects) \ + $(libcompatnoopt_la_objects) $(libssl_la_objects) \ + $(PLATFORM_LDADD) libtls_la_CPPFLAGS = $(AM_CPPFLAGS) $(am__append_1) $(am__append_2) libtls_la_SOURCES = tls.c tls_client.c tls_bio_cb.c tls_config.c \ tls_conninfo.c tls_keypair.c tls_server.c tls_ocsp.c \ @@ -861,6 +864,9 @@ uninstall-am: uninstall-libLTLIBRARIES .PRECIOUS: Makefile +-include $(abs_top_builddir)/crypto/libcrypto_la_objects.mk +-include $(abs_top_builddir)/ssl/libssl_la_objects.mk + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/tls/VERSION b/tls/VERSION index 6e977d9e..2a9f52af 100644 --- a/tls/VERSION +++ b/tls/VERSION @@ -1 +1 @@ -19:7:0 +20:3:0 diff --git a/tls/tls.c b/tls/tls.c index 46ed8180..262ec3db 100644 --- a/tls/tls.c +++ b/tls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.83 2019/04/01 15:58:02 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.89 2021/02/01 15:35:41 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -326,12 +326,113 @@ tls_cert_pubkey_hash(X509 *cert, char **hash) return (rv); } +static int +tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey) +{ + BIO *bio = NULL; + X509 *x509 = NULL; + char *mem; + size_t len; + int ret = -1; + + *pkey = NULL; + + if (ctx->config->use_fake_private_key) { + mem = keypair->cert_mem; + len = keypair->cert_len; + } else { + mem = keypair->key_mem; + len = keypair->key_len; + } + + if (mem == NULL) + return (0); + + if (len > INT_MAX) { + tls_set_errorx(ctx, ctx->config->use_fake_private_key ? + "cert too long" : "key too long"); + goto err; + } + + if ((bio = BIO_new_mem_buf(mem, len)) == NULL) { + tls_set_errorx(ctx, "failed to create buffer"); + goto err; + } + + if (ctx->config->use_fake_private_key) { + if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb, + NULL)) == NULL) { + tls_set_errorx(ctx, "failed to read X509 certificate"); + goto err; + } + if ((*pkey = X509_get_pubkey(x509)) == NULL) { + tls_set_errorx(ctx, "failed to retrieve pubkey"); + goto err; + } + } else { + if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, + NULL)) == NULL) { + tls_set_errorx(ctx, "failed to read private key"); + goto err; + } + } + + ret = 0; + err: + BIO_free(bio); + X509_free(x509); + return (ret); +} + +static int +tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey) +{ + RSA *rsa = NULL; + EC_KEY *eckey = NULL; + int ret = -1; + + /* Only install the pubkey hash if fake private keys are used. */ + if (!ctx->config->skip_private_key_check) + return (0); + + if (keypair->pubkey_hash == NULL) { + tls_set_errorx(ctx, "public key hash not set"); + goto err; + } + + switch (EVP_PKEY_id(pkey)) { + case EVP_PKEY_RSA: + if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || + RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) { + tls_set_errorx(ctx, "RSA key setup failure"); + goto err; + } + break; + case EVP_PKEY_EC: + if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || + ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) { + tls_set_errorx(ctx, "EC key setup failure"); + goto err; + } + break; + default: + tls_set_errorx(ctx, "incorrect key type"); + goto err; + } + + ret = 0; + + err: + RSA_free(rsa); + EC_KEY_free(eckey); + return (ret); +} + int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, struct tls_keypair *keypair, int required) { EVP_PKEY *pkey = NULL; - BIO *bio = NULL; if (!required && keypair->cert_mem == NULL && @@ -351,38 +452,15 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, } } - if (keypair->key_mem != NULL) { - if (keypair->key_len > INT_MAX) { - tls_set_errorx(ctx, "key too long"); - goto err; - } - - if ((bio = BIO_new_mem_buf(keypair->key_mem, - keypair->key_len)) == NULL) { - tls_set_errorx(ctx, "failed to create buffer"); - goto err; - } - if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, - NULL)) == NULL) { - tls_set_errorx(ctx, "failed to read private key"); + if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1) + goto err; + if (pkey != NULL) { + if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1) goto err; - } - - if (keypair->pubkey_hash != NULL) { - RSA *rsa; - /* XXX only RSA for now for relayd privsep */ - if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { - RSA_set_ex_data(rsa, 0, keypair->pubkey_hash); - RSA_free(rsa); - } - } - if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { tls_set_errorx(ctx, "failed to load private key"); goto err; } - BIO_free(bio); - bio = NULL; EVP_PKEY_free(pkey); pkey = NULL; } @@ -397,14 +475,15 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, err: EVP_PKEY_free(pkey); - BIO_free(bio); - return (1); + return (-1); } int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) { + SSL_CTX_clear_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); @@ -414,6 +493,7 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); @@ -421,6 +501,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); + if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0) + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); if (ctx->config->alpn != NULL) { if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, diff --git a/tls/tls.sym b/tls/tls.sym index 4064be1b..42c039d2 100644 --- a/tls/tls.sym +++ b/tls/tls.sym @@ -45,12 +45,14 @@ tls_config_set_session_lifetime tls_config_set_session_fd tls_config_set_verify_depth tls_config_skip_private_key_check +tls_config_use_fake_private_key tls_config_verify tls_config_verify_client tls_config_verify_client_optional tls_configure tls_conn_alpn_selected tls_conn_cipher +tls_conn_cipher_strength tls_conn_servername tls_conn_session_resumed tls_conn_version diff --git a/tls/tls_config.c b/tls/tls_config.c index 6a717abd..9144dad9 100644 --- a/tls/tls_config.c +++ b/tls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.56 2019/04/04 15:09:09 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.63 2021/01/21 22:03:25 eric Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -28,7 +28,7 @@ #include "tls_internal.h" -static const char default_ca_file[] = "/etc/ssl/cert.pem"; +static const char default_ca_file[] = TLS_DEFAULT_CA_FILE; const char * tls_default_ca_cert_file(void) @@ -179,6 +179,8 @@ tls_config_free(struct tls_config *config) free((char *)config->crl_mem); free(config->ecdhecurves); + pthread_mutex_destroy(&config->mutex); + free(config); } @@ -253,6 +255,8 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr) proto = TLS_PROTOCOL_TLSv1_1; else if (strcasecmp(p, "tlsv1.2") == 0) proto = TLS_PROTOCOL_TLSv1_2; + else if (strcasecmp(p, "tlsv1.3") == 0) + proto = TLS_PROTOCOL_TLSv1_3; if (proto == 0) { free(s); @@ -349,7 +353,8 @@ tls_config_add_keypair_file_internal(struct tls_config *config, return (-1); if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0) goto err; - if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0) + if (key_file != NULL && + tls_keypair_set_key_file(keypair, &config->error, key_file) != 0) goto err; if (ocsp_file != NULL && tls_keypair_set_ocsp_staple_file(keypair, &config->error, @@ -376,7 +381,8 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce return (-1); if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0) goto err; - if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0) + if (key != NULL && + tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0) goto err; if (staple != NULL && tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple, @@ -801,6 +807,13 @@ tls_config_skip_private_key_check(struct tls_config *config) config->skip_private_key_check = 1; } +void +tls_config_use_fake_private_key(struct tls_config *config) +{ + config->use_fake_private_key = 1; + config->skip_private_key_check = 1; +} + int tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) { diff --git a/tls/tls_conninfo.c b/tls/tls_conninfo.c index 8e479ed8..4d9ae29e 100644 --- a/tls/tls_conninfo.c +++ b/tls/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.20 2018/02/10 04:48:44 jsing Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.22 2021/01/05 15:57:38 tb Exp $ */ /* * Copyright (c) 2015 Joel Sing * Copyright (c) 2015 Bob Beck @@ -112,9 +112,6 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, if (ctx->ssl_peer_cert == NULL) return (-1); - memset(&before_tm, 0, sizeof(before_tm)); - memset(&after_tm, 0, sizeof(after_tm)); - if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL) goto err; if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL) @@ -246,6 +243,7 @@ tls_conninfo_populate(struct tls *ctx) goto err; if ((ctx->conninfo->cipher = strdup(tmp)) == NULL) goto err; + ctx->conninfo->cipher_strength = SSL_get_cipher_bits(ctx->ssl_conn, NULL); if (ctx->servername != NULL) { if ((ctx->conninfo->servername = @@ -312,6 +310,14 @@ tls_conn_cipher(struct tls *ctx) return (ctx->conninfo->cipher); } +int +tls_conn_cipher_strength(struct tls *ctx) +{ + if (ctx->conninfo == NULL) + return (0); + return (ctx->conninfo->cipher_strength); +} + const char * tls_conn_servername(struct tls *ctx) { diff --git a/tls/tls_internal.h b/tls/tls_internal.h index 3842439d..5487b123 100644 --- a/tls/tls_internal.h +++ b/tls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.74 2019/04/01 15:58:02 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.78 2021/01/21 19:09:10 eric Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -28,7 +28,11 @@ __BEGIN_HIDDEN_DECLS -#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" +#ifndef TLS_DEFAULT_CA_FILE +#define TLS_DEFAULT_CA_FILE "/etc/ssl/cert.pem" +#endif + +#define TLS_CIPHERS_DEFAULT "TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" #define TLS_CIPHERS_COMPAT "HIGH:!aNULL" #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL" #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL" @@ -107,11 +111,13 @@ struct tls_config { int verify_name; int verify_time; int skip_private_key_check; + int use_fake_private_key; }; struct tls_conninfo { char *alpn; char *cipher; + int cipher_strength; char *servername; int session_resumed; char *version; @@ -289,5 +295,6 @@ __END_HIDDEN_DECLS /* XXX this function is not fully hidden so relayd can use it */ void tls_config_skip_private_key_check(struct tls_config *config); +void tls_config_use_fake_private_key(struct tls_config *config); #endif /* HEADER_TLS_INTERNAL_H */ diff --git a/tls/tls_keypair.c b/tls/tls_keypair.c index a98e5c2e..a12d21d0 100644 --- a/tls/tls_keypair.c +++ b/tls/tls_keypair.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_keypair.c,v 1.6 2018/04/07 16:35:34 jsing Exp $ */ +/* $OpenBSD: tls_keypair.c,v 1.8 2021/01/05 17:37:12 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -137,7 +137,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, { char *errstr = "unknown"; BIO *cert_bio = NULL; - int ssl_err; + unsigned long ssl_err; int rv = -1; X509_free(*cert); @@ -155,7 +155,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, NULL)) == NULL) { if ((ssl_err = ERR_peek_error()) != 0) - errstr = ERR_error_string(ssl_err, NULL); + errstr = ERR_error_string(ssl_err, NULL); tls_error_set(error, "failed to load certificate: %s", errstr); goto err; } diff --git a/tls/tls_ocsp.c b/tls/tls_ocsp.c index 17afb8e8..f00e6bc8 100644 --- a/tls/tls_ocsp.c +++ b/tls/tls_ocsp.c @@ -1,3 +1,4 @@ +/* $OpenBSD: tls_ocsp.c,v 1.20 2021/03/23 20:04:29 tb Exp $ */ /* * Copyright (c) 2015 Marko Kreen * Copyright (c) 2016 Bob Beck @@ -217,7 +218,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) /* now verify */ if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { - tls_set_error(ctx, "ocsp verify failed"); + tls_set_errorx(ctx, "ocsp verify failed"); goto err; } diff --git a/apps/openssl/x509v3.cnf b/x509v3.cnf similarity index 100% rename from apps/openssl/x509v3.cnf rename to x509v3.cnf