mirror of
https://git.FreeBSD.org/src.git
synced 2024-10-19 02:29:40 +00:00
Import OpenSSL 1.0.2k.
This commit is contained in:
parent
e656c34a18
commit
5315173646
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor-crypto/openssl/dist/; revision=312823 svn path=/vendor-crypto/openssl/1.0.2k/; revision=312824; tag=vendor/openssl/1.0.2k
61
CHANGES
61
CHANGES
@ -2,6 +2,67 @@
|
|||||||
OpenSSL CHANGES
|
OpenSSL CHANGES
|
||||||
_______________
|
_______________
|
||||||
|
|
||||||
|
Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
|
||||||
|
|
||||||
|
*) Truncated packet could crash via OOB read
|
||||||
|
|
||||||
|
If one side of an SSL/TLS path is running on a 32-bit host and a specific
|
||||||
|
cipher is being used, then a truncated packet can cause that host to
|
||||||
|
perform an out-of-bounds read, usually resulting in a crash.
|
||||||
|
|
||||||
|
This issue was reported to OpenSSL by Robert Święcki of Google.
|
||||||
|
(CVE-2017-3731)
|
||||||
|
[Andy Polyakov]
|
||||||
|
|
||||||
|
*) BN_mod_exp may produce incorrect results on x86_64
|
||||||
|
|
||||||
|
There is a carry propagating bug in the x86_64 Montgomery squaring
|
||||||
|
procedure. No EC algorithms are affected. Analysis suggests that attacks
|
||||||
|
against RSA and DSA as a result of this defect would be very difficult to
|
||||||
|
perform and are not believed likely. Attacks against DH are considered just
|
||||||
|
feasible (although very difficult) because most of the work necessary to
|
||||||
|
deduce information about a private key may be performed offline. The amount
|
||||||
|
of resources required for such an attack would be very significant and
|
||||||
|
likely only accessible to a limited number of attackers. An attacker would
|
||||||
|
additionally need online access to an unpatched system using the target
|
||||||
|
private key in a scenario with persistent DH parameters and a private
|
||||||
|
key that is shared between multiple clients. For example this can occur by
|
||||||
|
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
|
||||||
|
similar to CVE-2015-3193 but must be treated as a separate problem.
|
||||||
|
|
||||||
|
This issue was reported to OpenSSL by the OSS-Fuzz project.
|
||||||
|
(CVE-2017-3732)
|
||||||
|
[Andy Polyakov]
|
||||||
|
|
||||||
|
*) Montgomery multiplication may produce incorrect results
|
||||||
|
|
||||||
|
There is a carry propagating bug in the Broadwell-specific Montgomery
|
||||||
|
multiplication procedure that handles input lengths divisible by, but
|
||||||
|
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
|
||||||
|
and DH private keys are impossible. This is because the subroutine in
|
||||||
|
question is not used in operations with the private key itself and an input
|
||||||
|
of the attacker's direct choice. Otherwise the bug can manifest itself as
|
||||||
|
transient authentication and key negotiation failures or reproducible
|
||||||
|
erroneous outcome of public-key operations with specially crafted input.
|
||||||
|
Among EC algorithms only Brainpool P-512 curves are affected and one
|
||||||
|
presumably can attack ECDH key negotiation. Impact was not analyzed in
|
||||||
|
detail, because pre-requisites for attack are considered unlikely. Namely
|
||||||
|
multiple clients have to choose the curve in question and the server has to
|
||||||
|
share the private key among them, neither of which is default behaviour.
|
||||||
|
Even then only clients that chose the curve will be affected.
|
||||||
|
|
||||||
|
This issue was publicly reported as transient failures and was not
|
||||||
|
initially recognized as a security issue. Thanks to Richard Morgan for
|
||||||
|
providing reproducible case.
|
||||||
|
(CVE-2016-7055)
|
||||||
|
[Andy Polyakov]
|
||||||
|
|
||||||
|
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
|
||||||
|
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
|
||||||
|
prevent issues where no progress is being made and the peer continually
|
||||||
|
sends unrecognised record types, using up resources processing them.
|
||||||
|
[Matt Caswell]
|
||||||
|
|
||||||
Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
|
Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
|
||||||
|
|
||||||
*) Missing CRL sanity check
|
*) Missing CRL sanity check
|
||||||
|
55
CONTRIBUTING
55
CONTRIBUTING
@ -1,4 +1,4 @@
|
|||||||
HOW TO CONTRIBUTE TO PATCHES OpenSSL
|
HOW TO CONTRIBUTE PATCHES TO OpenSSL
|
||||||
------------------------------------
|
------------------------------------
|
||||||
|
|
||||||
(Please visit https://www.openssl.org/community/getting-started.html for
|
(Please visit https://www.openssl.org/community/getting-started.html for
|
||||||
@ -11,34 +11,12 @@ OpenSSL community you might want to discuss it on the openssl-dev mailing
|
|||||||
list first. Someone may be already working on the same thing or there
|
list first. Someone may be already working on the same thing or there
|
||||||
may be a good reason as to why that feature isn't implemented.
|
may be a good reason as to why that feature isn't implemented.
|
||||||
|
|
||||||
The best way to submit a patch is to make a pull request on GitHub.
|
To submit a patch, make a pull request on GitHub. If you think the patch
|
||||||
(It is not necessary to send mail to rt@openssl.org to open a ticket!)
|
could use feedback from the community, please start a thread on openssl-dev
|
||||||
If you think the patch could use feedback from the community, please
|
to discuss it.
|
||||||
start a thread on openssl-dev.
|
|
||||||
|
|
||||||
You can also submit patches by sending it as mail to rt@openssl.org.
|
Having addressed the following items before the PR will help make the
|
||||||
Please include the word "PATCH" and an explanation of what the patch
|
acceptance and review process faster:
|
||||||
does in the subject line. If you do this, our preferred format is "git
|
|
||||||
format-patch" output. For example to provide a patch file containing the
|
|
||||||
last commit in your local git repository use the following command:
|
|
||||||
|
|
||||||
% git format-patch --stdout HEAD^ >mydiffs.patch
|
|
||||||
|
|
||||||
Another method of creating an acceptable patch file without using git is as
|
|
||||||
follows:
|
|
||||||
|
|
||||||
% cd openssl-work
|
|
||||||
...make your changes...
|
|
||||||
% ./Configure dist; make clean
|
|
||||||
% cd ..
|
|
||||||
% diff -ur openssl-orig openssl-work >mydiffs.patch
|
|
||||||
|
|
||||||
Note that pull requests are generally easier for the team, and community, to
|
|
||||||
work with. Pull requests benefit from all of the standard GitHub features,
|
|
||||||
including code review tools, simpler integration, and CI build support.
|
|
||||||
|
|
||||||
No matter how a patch is submitted, the following items will help make
|
|
||||||
the acceptance and review process faster:
|
|
||||||
|
|
||||||
1. Anything other than trivial contributions will require a contributor
|
1. Anything other than trivial contributions will require a contributor
|
||||||
licensing agreement, giving us permission to use your code. See
|
licensing agreement, giving us permission to use your code. See
|
||||||
@ -55,21 +33,22 @@ the acceptance and review process faster:
|
|||||||
in the file LICENSE in the source distribution or at
|
in the file LICENSE in the source distribution or at
|
||||||
https://www.openssl.org/source/license.html
|
https://www.openssl.org/source/license.html
|
||||||
|
|
||||||
3. Patches should be as current as possible. When using GitHub, please
|
3. Patches should be as current as possible; expect to have to rebase
|
||||||
expect to have to rebase and update often. Note that we do not accept merge
|
often. We do not accept merge commits; You will be asked to remove
|
||||||
commits. You will be asked to remove them before a patch is considered
|
them before a patch is considered acceptable.
|
||||||
acceptable.
|
|
||||||
|
|
||||||
4. Patches should follow our coding style (see
|
4. Patches should follow our coding style (see
|
||||||
https://www.openssl.org/policies/codingstyle.html) and compile without
|
https://www.openssl.org/policies/codingstyle.html) and compile without
|
||||||
warnings. Where gcc or clang is availble you should use the
|
warnings. Where gcc or clang is availble you should use the
|
||||||
--strict-warnings Configure option. OpenSSL compiles on many varied
|
--strict-warnings Configure option. OpenSSL compiles on many varied
|
||||||
platforms: try to ensure you only use portable features.
|
platforms: try to ensure you only use portable features.
|
||||||
|
Clean builds via Travis and AppVeyor are expected, and done whenever
|
||||||
|
a PR is created or updated.
|
||||||
|
|
||||||
5. When at all possible, patches should include tests. These can either be
|
5. When at all possible, patches should include tests. These can
|
||||||
added to an existing test, or completely new. Please see test/README
|
either be added to an existing test, or completely new. Please see
|
||||||
for information on the test framework.
|
test/README for information on the test framework.
|
||||||
|
|
||||||
6. New features or changed functionality must include documentation. Please
|
6. New features or changed functionality must include
|
||||||
look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
|
documentation. Please look at the "pod" files in doc/apps, doc/crypto
|
||||||
our style.
|
and doc/ssl for examples of our style.
|
||||||
|
34
Configure
34
Configure
@ -7,6 +7,7 @@ eval 'exec perl -S $0 ${1+"$@"}'
|
|||||||
|
|
||||||
require 5.000;
|
require 5.000;
|
||||||
use strict;
|
use strict;
|
||||||
|
use File::Compare;
|
||||||
|
|
||||||
# see INSTALL for instructions.
|
# see INSTALL for instructions.
|
||||||
|
|
||||||
@ -57,12 +58,13 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
|
|||||||
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
|
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
|
||||||
# library and will be loaded in run-time by the OpenSSL library.
|
# library and will be loaded in run-time by the OpenSSL library.
|
||||||
# sctp include SCTP support
|
# sctp include SCTP support
|
||||||
# 386 generate 80386 code
|
|
||||||
# enable-weak-ssl-ciphers
|
# enable-weak-ssl-ciphers
|
||||||
# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
|
# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
|
||||||
# default. Note, weak SSLv2 ciphers are unconditionally
|
# default. Note, weak SSLv2 ciphers are unconditionally
|
||||||
# disabled.
|
# disabled.
|
||||||
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
|
# 386 generate 80386 code in assembly modules
|
||||||
|
# no-sse2 disables IA-32 SSE2 code in assembly modules, the above
|
||||||
|
# mentioned '386' option implies this one
|
||||||
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
|
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
|
||||||
# -<xxx> +<xxx> compiler options are passed through
|
# -<xxx> +<xxx> compiler options are passed through
|
||||||
#
|
#
|
||||||
@ -1792,8 +1794,16 @@ while (<IN>)
|
|||||||
}
|
}
|
||||||
close(IN);
|
close(IN);
|
||||||
close(OUT);
|
close(OUT);
|
||||||
rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
|
if ((compare($Makefile, "$Makefile.new"))
|
||||||
rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
|
or file_newer('Configure', $Makefile)
|
||||||
|
or file_newer('config', $Makefile)
|
||||||
|
or file_newer('Makefile.org', $Makefile))
|
||||||
|
{
|
||||||
|
rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
|
||||||
|
rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ unlink("$Makefile.new"); }
|
||||||
|
|
||||||
print "CC =$cc\n";
|
print "CC =$cc\n";
|
||||||
print "CFLAG =$cflags\n";
|
print "CFLAG =$cflags\n";
|
||||||
@ -1985,9 +1995,13 @@ print OUT "#ifdef __cplusplus\n";
|
|||||||
print OUT "}\n";
|
print OUT "}\n";
|
||||||
print OUT "#endif\n";
|
print OUT "#endif\n";
|
||||||
close(OUT);
|
close(OUT);
|
||||||
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
|
if (compare("crypto/opensslconf.h.new","crypto/opensslconf.h"))
|
||||||
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
|
{
|
||||||
|
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
|
||||||
|
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ unlink("crypto/opensslconf.h.new"); }
|
||||||
|
|
||||||
# Fix the date
|
# Fix the date
|
||||||
|
|
||||||
@ -2289,3 +2303,9 @@ sub test_sanity
|
|||||||
print STDERR "No sanity errors detected!\n" if $errorcnt == 0;
|
print STDERR "No sanity errors detected!\n" if $errorcnt == 0;
|
||||||
return $errorcnt;
|
return $errorcnt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub file_newer
|
||||||
|
{
|
||||||
|
my ($file1, $file2) = @_;
|
||||||
|
return (stat($file1))[9] > (stat($file2))[9]
|
||||||
|
}
|
||||||
|
65
INSTALL
65
INSTALL
@ -74,24 +74,26 @@
|
|||||||
|
|
||||||
no-asm Do not use assembler code.
|
no-asm Do not use assembler code.
|
||||||
|
|
||||||
386 Use the 80386 instruction set only (the default x86 code is
|
386 In 32-bit x86 builds, when generating assembly modules,
|
||||||
more efficient, but requires at least a 486). Note: Use
|
use the 80386 instruction set only (the default x86 code
|
||||||
compiler flags for any other CPU specific configuration,
|
is more efficient, but requires at least a 486). Note:
|
||||||
e.g. "-m32" to build x86 code on an x64 system.
|
This doesn't affect code generated by compiler, you're
|
||||||
|
likely to complement configuration command line with
|
||||||
|
suitable compiler-specific option.
|
||||||
|
|
||||||
no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is
|
no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules.
|
||||||
detected at run-time, but the decision whether or not the
|
Normally SSE2 extension is detected at run-time, but the
|
||||||
machine code will be executed is taken solely on CPU
|
decision whether or not the machine code will be executed
|
||||||
capability vector. This means that if you happen to run OS
|
is taken solely on CPU capability vector. This means that
|
||||||
kernel which does not support SSE2 extension on Intel P4
|
if you happen to run OS kernel which does not support SSE2
|
||||||
processor, then your application might be exposed to
|
extension on Intel P4 processor, then your application
|
||||||
"illegal instruction" exception. There might be a way
|
might be exposed to "illegal instruction" exception.
|
||||||
to enable support in kernel, e.g. FreeBSD kernel can be
|
There might be a way to enable support in kernel, e.g.
|
||||||
compiled with CPU_ENABLE_SSE, and there is a way to
|
FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
|
||||||
disengage SSE2 code pathes upon application start-up,
|
there is a way to disengage SSE2 code paths upon application
|
||||||
but if you aim for wider "audience" running such kernel,
|
start-up, but if you aim for wider "audience" running
|
||||||
consider no-sse2. Both 386 and no-asm options above imply
|
such kernel, consider no-sse2. Both the 386 and
|
||||||
no-sse2.
|
no-asm options imply no-sse2.
|
||||||
|
|
||||||
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
|
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
|
||||||
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
|
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
|
||||||
@ -101,7 +103,12 @@
|
|||||||
-Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
|
-Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
|
||||||
be passed through to the compiler to allow you to
|
be passed through to the compiler to allow you to
|
||||||
define preprocessor symbols, specify additional libraries,
|
define preprocessor symbols, specify additional libraries,
|
||||||
library directories or other compiler options.
|
library directories or other compiler options. It might be
|
||||||
|
worth noting that some compilers generate code specifically
|
||||||
|
for processor the compiler currently executes on. This is
|
||||||
|
not necessarily what you might have in mind, since it might
|
||||||
|
be unsuitable for execution on other, typically older,
|
||||||
|
processor. Consult your compiler documentation.
|
||||||
|
|
||||||
-DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
|
-DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
|
||||||
BSD. Useful if you are running ocf-linux or something
|
BSD. Useful if you are running ocf-linux or something
|
||||||
@ -159,18 +166,18 @@
|
|||||||
OpenSSL binary ("openssl"). The libraries will be built in the top-level
|
OpenSSL binary ("openssl"). The libraries will be built in the top-level
|
||||||
directory, and the binary will be in the "apps" directory.
|
directory, and the binary will be in the "apps" directory.
|
||||||
|
|
||||||
If "make" fails, look at the output. There may be reasons for
|
If the build fails, look at the output. There may be reasons
|
||||||
the failure that aren't problems in OpenSSL itself (like missing
|
for the failure that aren't problems in OpenSSL itself (like
|
||||||
standard headers). If it is a problem with OpenSSL itself, please
|
missing standard headers). If you are having problems you can
|
||||||
report the problem to <openssl-bugs@openssl.org> (note that your
|
get help by sending an email to the openssl-users email list (see
|
||||||
message will be recorded in the request tracker publicly readable
|
https://www.openssl.org/community/mailinglists.html for details). If
|
||||||
at https://www.openssl.org/community/index.html#bugs and will be
|
it is a bug with OpenSSL itself, please open an issue on GitHub, at
|
||||||
forwarded to a public mailing list). Include the output of "make
|
https://github.com/openssl/openssl/issues. Please review the existing
|
||||||
report" in your message. Please check out the request tracker. Maybe
|
ones first; maybe the bug was already reported or has already been
|
||||||
the bug was already reported or has already been fixed.
|
fixed.
|
||||||
|
|
||||||
[If you encounter assembler error messages, try the "no-asm"
|
(If you encounter assembler error messages, try the "no-asm"
|
||||||
configuration option as an immediate fix.]
|
configuration option as an immediate fix.)
|
||||||
|
|
||||||
Compiling parts of OpenSSL with gcc and others with the system
|
Compiling parts of OpenSSL with gcc and others with the system
|
||||||
compiler will result in unresolved symbols on some systems.
|
compiler will result in unresolved symbols on some systems.
|
||||||
|
5
Makefile
5
Makefile
@ -4,7 +4,7 @@
|
|||||||
## Makefile for OpenSSL
|
## Makefile for OpenSSL
|
||||||
##
|
##
|
||||||
|
|
||||||
VERSION=1.0.2j
|
VERSION=1.0.2k
|
||||||
MAJOR=1
|
MAJOR=1
|
||||||
MINOR=0.2
|
MINOR=0.2
|
||||||
SHLIB_VERSION_NUMBER=1.0.0
|
SHLIB_VERSION_NUMBER=1.0.0
|
||||||
@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
|
|||||||
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
|
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
|
||||||
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
|
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
|
||||||
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
|
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
|
||||||
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
|
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
|
||||||
|
$${APPS+APPS}
|
||||||
|
|
||||||
# LC_ALL=C ensures that error [and other] messages are delivered in
|
# LC_ALL=C ensures that error [and other] messages are delivered in
|
||||||
# same language for uniform treatment.
|
# same language for uniform treatment.
|
||||||
|
@ -201,7 +201,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
|
|||||||
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
|
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
|
||||||
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
|
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
|
||||||
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
|
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
|
||||||
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
|
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
|
||||||
|
$${APPS+APPS}
|
||||||
|
|
||||||
# LC_ALL=C ensures that error [and other] messages are delivered in
|
# LC_ALL=C ensures that error [and other] messages are delivered in
|
||||||
# same language for uniform treatment.
|
# same language for uniform treatment.
|
||||||
|
8
NEWS
8
NEWS
@ -5,9 +5,15 @@
|
|||||||
This file gives a brief overview of the major changes between each OpenSSL
|
This file gives a brief overview of the major changes between each OpenSSL
|
||||||
release. For more details please read the CHANGES file.
|
release. For more details please read the CHANGES file.
|
||||||
|
|
||||||
|
Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]
|
||||||
|
|
||||||
|
o Truncated packet could crash via OOB read (CVE-2017-3731)
|
||||||
|
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
|
||||||
|
o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
|
||||||
|
|
||||||
Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
|
Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
|
||||||
|
|
||||||
o Fix Use After Free for large message sizes (CVE-2016-6309)
|
o Missing CRL sanity check (CVE-2016-7052)
|
||||||
|
|
||||||
Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
|
Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
|
||||||
|
|
||||||
|
36
README
36
README
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
OpenSSL 1.0.2j 26 Sep 2016
|
OpenSSL 1.0.2k 26 Jan 2017
|
||||||
|
|
||||||
Copyright (c) 1998-2015 The OpenSSL Project
|
Copyright (c) 1998-2015 The OpenSSL Project
|
||||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||||
@ -66,13 +66,13 @@
|
|||||||
If you have any problems with OpenSSL then please take the following steps
|
If you have any problems with OpenSSL then please take the following steps
|
||||||
first:
|
first:
|
||||||
|
|
||||||
- Download the current snapshot from ftp://ftp.openssl.org/snapshot/
|
- Download the latest version from the repository
|
||||||
to see if the problem has already been addressed
|
to see if the problem has already been addressed
|
||||||
- Remove ASM versions of libraries
|
- Configure with no-asm
|
||||||
- Remove compiler optimisation flags
|
- Remove compiler optimisation flags
|
||||||
|
|
||||||
If you wish to report a bug then please include the following information in
|
If you wish to report a bug then please include the following information
|
||||||
any bug report:
|
and create an issue on GitHub:
|
||||||
|
|
||||||
- On Unix systems:
|
- On Unix systems:
|
||||||
Self-test report generated by 'make report'
|
Self-test report generated by 'make report'
|
||||||
@ -84,27 +84,9 @@
|
|||||||
- Problem Description (steps that will reproduce the problem, if known)
|
- Problem Description (steps that will reproduce the problem, if known)
|
||||||
- Stack Traceback (if the application dumps core)
|
- Stack Traceback (if the application dumps core)
|
||||||
|
|
||||||
Email the report to:
|
|
||||||
|
|
||||||
rt@openssl.org
|
|
||||||
|
|
||||||
In order to avoid spam, this is a moderated mailing list, and it might
|
|
||||||
take a day for the ticket to show up. (We also scan posts to make sure
|
|
||||||
that security disclosures aren't publically posted by mistake.) Mail
|
|
||||||
to this address is recorded in the public RT (request tracker) database
|
|
||||||
(see https://www.openssl.org/community/index.html#bugs for details) and
|
|
||||||
also forwarded the public openssl-dev mailing list. Confidential mail
|
|
||||||
may be sent to openssl-security@openssl.org (PGP key available from the
|
|
||||||
key servers).
|
|
||||||
|
|
||||||
Please do NOT use this for general assistance or support queries.
|
|
||||||
Just because something doesn't work the way you expect does not mean it
|
Just because something doesn't work the way you expect does not mean it
|
||||||
is necessarily a bug in OpenSSL.
|
is necessarily a bug in OpenSSL.
|
||||||
|
|
||||||
You can also make GitHub pull requests. If you do this, please also send
|
|
||||||
mail to rt@openssl.org with a link to the PR so that we can more easily
|
|
||||||
keep track of it.
|
|
||||||
|
|
||||||
HOW TO CONTRIBUTE TO OpenSSL
|
HOW TO CONTRIBUTE TO OpenSSL
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
||||||
@ -113,7 +95,7 @@
|
|||||||
LEGALITIES
|
LEGALITIES
|
||||||
----------
|
----------
|
||||||
|
|
||||||
A number of nations, in particular the U.S., restrict the use or export
|
A number of nations restrict the use or export of cryptography. If you
|
||||||
of cryptography. If you are potentially subject to such restrictions
|
are potentially subject to such restrictions you should seek competent
|
||||||
you should seek competent professional legal advice before attempting to
|
professional legal advice before attempting to develop or distribute
|
||||||
develop or distribute cryptographic code.
|
cryptographic code.
|
||||||
|
19
apps/apps.c
19
apps/apps.c
@ -972,7 +972,10 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
|
|||||||
if (!e)
|
if (!e)
|
||||||
BIO_printf(err, "no engine specified\n");
|
BIO_printf(err, "no engine specified\n");
|
||||||
else {
|
else {
|
||||||
pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
|
if (ENGINE_init(e)) {
|
||||||
|
pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
|
||||||
|
ENGINE_finish(e);
|
||||||
|
}
|
||||||
if (!pkey) {
|
if (!pkey) {
|
||||||
BIO_printf(err, "cannot load %s from engine\n", key_descrip);
|
BIO_printf(err, "cannot load %s from engine\n", key_descrip);
|
||||||
ERR_print_errors(err);
|
ERR_print_errors(err);
|
||||||
@ -1532,11 +1535,13 @@ static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
|
|||||||
}
|
}
|
||||||
return e;
|
return e;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
ENGINE *setup_engine(BIO *err, const char *engine, int debug)
|
ENGINE *setup_engine(BIO *err, const char *engine, int debug)
|
||||||
{
|
{
|
||||||
ENGINE *e = NULL;
|
ENGINE *e = NULL;
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
if (engine) {
|
if (engine) {
|
||||||
if (strcmp(engine, "auto") == 0) {
|
if (strcmp(engine, "auto") == 0) {
|
||||||
BIO_printf(err, "enabling auto ENGINE support\n");
|
BIO_printf(err, "enabling auto ENGINE support\n");
|
||||||
@ -1561,13 +1566,19 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
|
|||||||
}
|
}
|
||||||
|
|
||||||
BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
|
BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
|
||||||
|
|
||||||
/* Free our "structural" reference. */
|
|
||||||
ENGINE_free(e);
|
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
return e;
|
return e;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void release_engine(ENGINE *e)
|
||||||
|
{
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
if (e != NULL)
|
||||||
|
/* Free our "structural" reference. */
|
||||||
|
ENGINE_free(e);
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
int load_config(BIO *err, CONF *cnf)
|
int load_config(BIO *err, CONF *cnf)
|
||||||
{
|
{
|
||||||
|
@ -259,9 +259,9 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
|
|||||||
const char *pass, ENGINE *e,
|
const char *pass, ENGINE *e,
|
||||||
const char *cert_descrip);
|
const char *cert_descrip);
|
||||||
X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
|
X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
ENGINE *setup_engine(BIO *err, const char *engine, int debug);
|
ENGINE *setup_engine(BIO *err, const char *engine, int debug);
|
||||||
# endif
|
void release_engine(ENGINE *e);
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_OCSP
|
# ifndef OPENSSL_NO_OCSP
|
||||||
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
|
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
|
||||||
|
@ -319,9 +319,7 @@ int MAIN(int argc, char **argv)
|
|||||||
#define BSIZE 256
|
#define BSIZE 256
|
||||||
MS_STATIC char buf[3][BSIZE];
|
MS_STATIC char buf[3][BSIZE];
|
||||||
char *randfile = NULL;
|
char *randfile = NULL;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
char *tofree = NULL;
|
char *tofree = NULL;
|
||||||
DB_ATTR db_attr;
|
DB_ATTR db_attr;
|
||||||
|
|
||||||
@ -595,9 +593,7 @@ int MAIN(int argc, char **argv)
|
|||||||
if (!load_config(bio_err, conf))
|
if (!load_config(bio_err, conf))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Lets get the config section we are using */
|
/* Lets get the config section we are using */
|
||||||
if (section == NULL) {
|
if (section == NULL) {
|
||||||
@ -1485,6 +1481,7 @@ int MAIN(int argc, char **argv)
|
|||||||
X509_CRL_free(crl);
|
X509_CRL_free(crl);
|
||||||
NCONF_free(conf);
|
NCONF_free(conf);
|
||||||
NCONF_free(extconf);
|
NCONF_free(extconf);
|
||||||
|
release_engine(e);
|
||||||
OBJ_cleanup();
|
OBJ_cleanup();
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(ret);
|
OPENSSL_EXIT(ret);
|
||||||
@ -2227,7 +2224,6 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
|
|||||||
sk = CONF_get_section(parms, "default");
|
sk = CONF_get_section(parms, "default");
|
||||||
if (sk_CONF_VALUE_num(sk) == 0) {
|
if (sk_CONF_VALUE_num(sk) == 0) {
|
||||||
BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
|
BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
|
||||||
CONF_free(parms);
|
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -143,9 +143,7 @@ int MAIN(int argc, char **argv)
|
|||||||
const EVP_MD *sign_md = NULL;
|
const EVP_MD *sign_md = NULL;
|
||||||
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
|
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
|
||||||
int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
|
int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
unsigned char *secret_key = NULL, *secret_keyid = NULL;
|
unsigned char *secret_key = NULL, *secret_keyid = NULL;
|
||||||
unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
|
unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
|
||||||
size_t secret_keylen = 0, secret_keyidlen = 0;
|
size_t secret_keylen = 0, secret_keyidlen = 0;
|
||||||
@ -665,9 +663,7 @@ int MAIN(int argc, char **argv)
|
|||||||
"cert.pem recipient certificate(s) for encryption\n");
|
"cert.pem recipient certificate(s) for encryption\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
|
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
|
||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
@ -1170,6 +1166,7 @@ int MAIN(int argc, char **argv)
|
|||||||
EVP_PKEY_free(key);
|
EVP_PKEY_free(key);
|
||||||
CMS_ContentInfo_free(cms);
|
CMS_ContentInfo_free(cms);
|
||||||
CMS_ContentInfo_free(rcms);
|
CMS_ContentInfo_free(rcms);
|
||||||
|
release_engine(e);
|
||||||
BIO_free(rctin);
|
BIO_free(rctin);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
BIO_free(indata);
|
BIO_free(indata);
|
||||||
|
@ -537,6 +537,7 @@ int MAIN(int argc, char **argv)
|
|||||||
OPENSSL_free(sigbuf);
|
OPENSSL_free(sigbuf);
|
||||||
if (bmd != NULL)
|
if (bmd != NULL)
|
||||||
BIO_free(bmd);
|
BIO_free(bmd);
|
||||||
|
release_engine(e);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(err);
|
OPENSSL_EXIT(err);
|
||||||
}
|
}
|
||||||
|
@ -94,9 +94,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO *in = NULL, *out = NULL;
|
BIO *in = NULL, *out = NULL;
|
||||||
int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
|
int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
|
||||||
char *infile, *outfile, *prog;
|
char *infile, *outfile, *prog;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine;
|
char *engine;
|
||||||
# endif
|
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
|
|
||||||
@ -107,9 +105,7 @@ int MAIN(int argc, char **argv)
|
|||||||
if (!load_config(bio_err, NULL))
|
if (!load_config(bio_err, NULL))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
engine = NULL;
|
engine = NULL;
|
||||||
# endif
|
|
||||||
infile = NULL;
|
infile = NULL;
|
||||||
outfile = NULL;
|
outfile = NULL;
|
||||||
informat = FORMAT_PEM;
|
informat = FORMAT_PEM;
|
||||||
@ -183,9 +179,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
setup_engine(bio_err, engine, 0);
|
setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
in = BIO_new(BIO_s_file());
|
in = BIO_new(BIO_s_file());
|
||||||
out = BIO_new(BIO_s_file());
|
out = BIO_new(BIO_s_file());
|
||||||
|
@ -159,9 +159,8 @@ int MAIN(int argc, char **argv)
|
|||||||
int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
|
int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
|
||||||
char *infile, *outfile, *prog;
|
char *infile, *outfile, *prog;
|
||||||
char *inrand = NULL;
|
char *inrand = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
ENGINE *e = NULL;
|
||||||
int num = 0, g = 0;
|
int num = 0, g = 0;
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
@ -270,9 +269,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if (g && !num)
|
if (g && !num)
|
||||||
num = DEFBITS;
|
num = DEFBITS;
|
||||||
@ -512,6 +509,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (dh != NULL)
|
if (dh != NULL)
|
||||||
DH_free(dh);
|
DH_free(dh);
|
||||||
|
release_engine(e);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(ret);
|
OPENSSL_EXIT(ret);
|
||||||
}
|
}
|
||||||
|
@ -106,9 +106,7 @@ int MAIN(int argc, char **argv)
|
|||||||
int informat, outformat, text = 0, noout = 0;
|
int informat, outformat, text = 0, noout = 0;
|
||||||
int pubin = 0, pubout = 0;
|
int pubin = 0, pubout = 0;
|
||||||
char *infile, *outfile, *prog;
|
char *infile, *outfile, *prog;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine;
|
char *engine;
|
||||||
# endif
|
|
||||||
char *passargin = NULL, *passargout = NULL;
|
char *passargin = NULL, *passargout = NULL;
|
||||||
char *passin = NULL, *passout = NULL;
|
char *passin = NULL, *passout = NULL;
|
||||||
int modulus = 0;
|
int modulus = 0;
|
||||||
@ -124,9 +122,7 @@ int MAIN(int argc, char **argv)
|
|||||||
if (!load_config(bio_err, NULL))
|
if (!load_config(bio_err, NULL))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
engine = NULL;
|
engine = NULL;
|
||||||
# endif
|
|
||||||
infile = NULL;
|
infile = NULL;
|
||||||
outfile = NULL;
|
outfile = NULL;
|
||||||
informat = FORMAT_PEM;
|
informat = FORMAT_PEM;
|
||||||
@ -239,9 +235,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting passwords\n");
|
BIO_printf(bio_err, "Error getting passwords\n");
|
||||||
@ -358,6 +352,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (dsa != NULL)
|
if (dsa != NULL)
|
||||||
DSA_free(dsa);
|
DSA_free(dsa);
|
||||||
|
release_engine(e);
|
||||||
if (passin)
|
if (passin)
|
||||||
OPENSSL_free(passin);
|
OPENSSL_free(passin);
|
||||||
if (passout)
|
if (passout)
|
||||||
|
@ -121,9 +121,8 @@ int MAIN(int argc, char **argv)
|
|||||||
char *infile, *outfile, *prog, *inrand = NULL;
|
char *infile, *outfile, *prog, *inrand = NULL;
|
||||||
int numbits = -1, num, genkey = 0;
|
int numbits = -1, num, genkey = 0;
|
||||||
int need_rand = 0;
|
int need_rand = 0;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
ENGINE *e = NULL;
|
||||||
# ifdef GENCB_TEST
|
# ifdef GENCB_TEST
|
||||||
int timebomb = 0;
|
int timebomb = 0;
|
||||||
# endif
|
# endif
|
||||||
@ -263,9 +262,7 @@ int MAIN(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if (need_rand) {
|
if (need_rand) {
|
||||||
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
|
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
|
||||||
@ -433,6 +430,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (dsa != NULL)
|
if (dsa != NULL)
|
||||||
DSA_free(dsa);
|
DSA_free(dsa);
|
||||||
|
release_engine(e);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(ret);
|
OPENSSL_EXIT(ret);
|
||||||
}
|
}
|
||||||
|
@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
|
|||||||
int informat, outformat, text = 0, noout = 0;
|
int informat, outformat, text = 0, noout = 0;
|
||||||
int pubin = 0, pubout = 0, param_out = 0;
|
int pubin = 0, pubout = 0, param_out = 0;
|
||||||
char *infile, *outfile, *prog, *engine;
|
char *infile, *outfile, *prog, *engine;
|
||||||
|
ENGINE *e = NULL;
|
||||||
char *passargin = NULL, *passargout = NULL;
|
char *passargin = NULL, *passargout = NULL;
|
||||||
char *passin = NULL, *passout = NULL;
|
char *passin = NULL, *passout = NULL;
|
||||||
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
|
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
|
||||||
@ -235,9 +236,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting passwords\n");
|
BIO_printf(bio_err, "Error getting passwords\n");
|
||||||
@ -349,6 +348,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (eckey)
|
if (eckey)
|
||||||
EC_KEY_free(eckey);
|
EC_KEY_free(eckey);
|
||||||
|
release_engine(e);
|
||||||
if (passin)
|
if (passin)
|
||||||
OPENSSL_free(passin);
|
OPENSSL_free(passin);
|
||||||
if (passout)
|
if (passout)
|
||||||
|
@ -131,6 +131,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO *in = NULL, *out = NULL;
|
BIO *in = NULL, *out = NULL;
|
||||||
int informat, outformat, noout = 0, C = 0, ret = 1;
|
int informat, outformat, noout = 0, C = 0, ret = 1;
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
|
ENGINE *e = NULL;
|
||||||
|
|
||||||
BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
|
BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
|
||||||
*ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
|
*ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
|
||||||
@ -311,9 +312,7 @@ int MAIN(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if (list_curves) {
|
if (list_curves) {
|
||||||
EC_builtin_curve *curves = NULL;
|
EC_builtin_curve *curves = NULL;
|
||||||
@ -620,12 +619,13 @@ int MAIN(int argc, char **argv)
|
|||||||
BN_free(ec_cofactor);
|
BN_free(ec_cofactor);
|
||||||
if (buffer)
|
if (buffer)
|
||||||
OPENSSL_free(buffer);
|
OPENSSL_free(buffer);
|
||||||
|
if (group != NULL)
|
||||||
|
EC_GROUP_free(group);
|
||||||
|
release_engine(e);
|
||||||
if (in != NULL)
|
if (in != NULL)
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
if (out != NULL)
|
if (out != NULL)
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (group != NULL)
|
|
||||||
EC_GROUP_free(group);
|
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(ret);
|
OPENSSL_EXIT(ret);
|
||||||
}
|
}
|
||||||
|
@ -126,9 +126,8 @@ int MAIN(int argc, char **argv)
|
|||||||
NULL, *wbio = NULL;
|
NULL, *wbio = NULL;
|
||||||
#define PROG_NAME_SIZE 39
|
#define PROG_NAME_SIZE 39
|
||||||
char pname[PROG_NAME_SIZE + 1];
|
char pname[PROG_NAME_SIZE + 1];
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
ENGINE *e = NULL;
|
||||||
const EVP_MD *dgst = NULL;
|
const EVP_MD *dgst = NULL;
|
||||||
int non_fips_allow = 0;
|
int non_fips_allow = 0;
|
||||||
|
|
||||||
@ -322,9 +321,7 @@ int MAIN(int argc, char **argv)
|
|||||||
argv++;
|
argv++;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
@ -674,6 +671,7 @@ int MAIN(int argc, char **argv)
|
|||||||
if (bzl != NULL)
|
if (bzl != NULL)
|
||||||
BIO_free(bzl);
|
BIO_free(bzl);
|
||||||
#endif
|
#endif
|
||||||
|
release_engine(e);
|
||||||
if (pass)
|
if (pass)
|
||||||
OPENSSL_free(pass);
|
OPENSSL_free(pass);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
|
@ -96,9 +96,7 @@ int MAIN(int argc, char **argv)
|
|||||||
int g = 2;
|
int g = 2;
|
||||||
char *outfile = NULL;
|
char *outfile = NULL;
|
||||||
char *inrand = NULL;
|
char *inrand = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
BIO *out = NULL;
|
BIO *out = NULL;
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
@ -162,9 +160,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, " the random number generator\n");
|
BIO_printf(bio_err, " the random number generator\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
setup_engine(bio_err, engine, 0);
|
setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
out = BIO_new(BIO_s_file());
|
out = BIO_new(BIO_s_file());
|
||||||
if (out == NULL) {
|
if (out == NULL) {
|
||||||
|
@ -85,9 +85,8 @@ int MAIN(int argc, char **argv)
|
|||||||
char *passargout = NULL, *passout = NULL;
|
char *passargout = NULL, *passout = NULL;
|
||||||
BIO *out = NULL, *in = NULL;
|
BIO *out = NULL, *in = NULL;
|
||||||
const EVP_CIPHER *enc = NULL;
|
const EVP_CIPHER *enc = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
ENGINE *e = NULL;
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
|
|
||||||
@ -206,9 +205,7 @@ int MAIN(int argc, char **argv)
|
|||||||
" - a DSA parameter file as generated by the dsaparam command\n");
|
" - a DSA parameter file as generated by the dsaparam command\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
|
if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
@ -273,6 +270,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (dsa != NULL)
|
if (dsa != NULL)
|
||||||
DSA_free(dsa);
|
DSA_free(dsa);
|
||||||
|
release_engine(e);
|
||||||
if (passout)
|
if (passout)
|
||||||
OPENSSL_free(passout);
|
OPENSSL_free(passout);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
|
@ -275,9 +275,9 @@ int MAIN(int argc, char **argv)
|
|||||||
if (out)
|
if (out)
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
|
release_engine(e);
|
||||||
if (pass)
|
if (pass)
|
||||||
OPENSSL_free(pass);
|
OPENSSL_free(pass);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -91,9 +91,7 @@ int MAIN(int, char **);
|
|||||||
int MAIN(int argc, char **argv)
|
int MAIN(int argc, char **argv)
|
||||||
{
|
{
|
||||||
BN_GENCB cb;
|
BN_GENCB cb;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
ENGINE *e = NULL;
|
ENGINE *e = NULL;
|
||||||
# endif
|
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
int i, num = DEFBITS;
|
int i, num = DEFBITS;
|
||||||
long l;
|
long l;
|
||||||
@ -101,9 +99,7 @@ int MAIN(int argc, char **argv)
|
|||||||
unsigned long f4 = RSA_F4;
|
unsigned long f4 = RSA_F4;
|
||||||
char *outfile = NULL;
|
char *outfile = NULL;
|
||||||
char *passargout = NULL, *passout = NULL;
|
char *passargout = NULL, *passout = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
char *inrand = NULL;
|
char *inrand = NULL;
|
||||||
BIO *out = NULL;
|
BIO *out = NULL;
|
||||||
BIGNUM *bn = BN_new();
|
BIGNUM *bn = BN_new();
|
||||||
@ -240,9 +236,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
if (outfile == NULL) {
|
if (outfile == NULL) {
|
||||||
BIO_set_fp(out, stdout, BIO_NOCLOSE);
|
BIO_set_fp(out, stdout, BIO_NOCLOSE);
|
||||||
@ -314,6 +308,7 @@ int MAIN(int argc, char **argv)
|
|||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
if (out)
|
if (out)
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
|
release_engine(e);
|
||||||
if (passout)
|
if (passout)
|
||||||
OPENSSL_free(passout);
|
OPENSSL_free(passout);
|
||||||
if (ret != 0)
|
if (ret != 0)
|
||||||
|
@ -129,9 +129,7 @@ int MAIN(int argc, char **argv)
|
|||||||
char *inrand = NULL;
|
char *inrand = NULL;
|
||||||
char *macalg = NULL;
|
char *macalg = NULL;
|
||||||
char *CApath = NULL, *CAfile = NULL;
|
char *CApath = NULL, *CAfile = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
|
|
||||||
@ -406,9 +404,7 @@ int MAIN(int argc, char **argv)
|
|||||||
"-LMK Add local machine keyset attribute to private key\n");
|
"-LMK Add local machine keyset attribute to private key\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
if (passarg) {
|
if (passarg) {
|
||||||
if (export_cert)
|
if (export_cert)
|
||||||
@ -756,6 +752,7 @@ int MAIN(int argc, char **argv)
|
|||||||
# ifdef CRYPTO_MDEBUG
|
# ifdef CRYPTO_MDEBUG
|
||||||
CRYPTO_remove_all_info();
|
CRYPTO_remove_all_info();
|
||||||
# endif
|
# endif
|
||||||
|
release_engine(e);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (canames)
|
if (canames)
|
||||||
@ -1110,4 +1107,6 @@ static int set_pbe(BIO *err, int *ppbe, const char *str)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#else
|
||||||
|
static void *dummy = &dummy;
|
||||||
#endif
|
#endif
|
||||||
|
@ -90,9 +90,8 @@ int MAIN(int argc, char **argv)
|
|||||||
char *infile, *outfile, *prog;
|
char *infile, *outfile, *prog;
|
||||||
int print_certs = 0, text = 0, noout = 0, p7_print = 0;
|
int print_certs = 0, text = 0, noout = 0, p7_print = 0;
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
ENGINE *e = NULL;
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
|
|
||||||
@ -175,9 +174,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
in = BIO_new(BIO_s_file());
|
in = BIO_new(BIO_s_file());
|
||||||
out = BIO_new(BIO_s_file());
|
out = BIO_new(BIO_s_file());
|
||||||
@ -303,6 +300,7 @@ int MAIN(int argc, char **argv)
|
|||||||
end:
|
end:
|
||||||
if (p7 != NULL)
|
if (p7 != NULL)
|
||||||
PKCS7_free(p7);
|
PKCS7_free(p7);
|
||||||
|
release_engine(e);
|
||||||
if (in != NULL)
|
if (in != NULL)
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
if (out != NULL)
|
if (out != NULL)
|
||||||
|
@ -87,9 +87,7 @@ int MAIN(int argc, char **argv)
|
|||||||
char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
|
char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
|
||||||
int badarg = 0;
|
int badarg = 0;
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
|
|
||||||
if (bio_err == NULL)
|
if (bio_err == NULL)
|
||||||
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
|
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
|
||||||
@ -223,9 +221,7 @@ int MAIN(int argc, char **argv)
|
|||||||
#endif
|
#endif
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting passwords\n");
|
BIO_printf(bio_err, "Error getting passwords\n");
|
||||||
@ -391,6 +387,7 @@ int MAIN(int argc, char **argv)
|
|||||||
X509_SIG_free(p8);
|
X509_SIG_free(p8);
|
||||||
PKCS8_PRIV_KEY_INFO_free(p8inf);
|
PKCS8_PRIV_KEY_INFO_free(p8inf);
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
|
release_engine(e);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
if (passin)
|
if (passin)
|
||||||
|
@ -79,9 +79,7 @@ int MAIN(int argc, char **argv)
|
|||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
char *passin = NULL, *passout = NULL;
|
char *passin = NULL, *passout = NULL;
|
||||||
int badarg = 0;
|
int badarg = 0;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
|
|
||||||
if (bio_err == NULL)
|
if (bio_err == NULL)
|
||||||
@ -178,9 +176,7 @@ int MAIN(int argc, char **argv)
|
|||||||
#endif
|
#endif
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting passwords\n");
|
BIO_printf(bio_err, "Error getting passwords\n");
|
||||||
@ -240,6 +236,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
end:
|
end:
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
|
release_engine(e);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
if (passin)
|
if (passin)
|
||||||
|
@ -74,9 +74,8 @@ int MAIN(int argc, char **argv)
|
|||||||
int text = 0, noout = 0;
|
int text = 0, noout = 0;
|
||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
int badarg = 0;
|
int badarg = 0;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
ENGINE *e = NULL;
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
|
|
||||||
if (bio_err == NULL)
|
if (bio_err == NULL)
|
||||||
@ -134,9 +133,7 @@ int MAIN(int argc, char **argv)
|
|||||||
#endif
|
#endif
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (infile) {
|
if (infile) {
|
||||||
if (!(in = BIO_new_file(infile, "r"))) {
|
if (!(in = BIO_new_file(infile, "r"))) {
|
||||||
@ -178,6 +175,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
end:
|
end:
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
|
release_engine(e);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
|
|
||||||
|
@ -357,6 +357,7 @@ int MAIN(int argc, char **argv)
|
|||||||
end:
|
end:
|
||||||
if (ctx)
|
if (ctx)
|
||||||
EVP_PKEY_CTX_free(ctx);
|
EVP_PKEY_CTX_free(ctx);
|
||||||
|
release_engine(e);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (buf_in != NULL)
|
if (buf_in != NULL)
|
||||||
|
12
apps/prime.c
12
apps/prime.c
@ -128,16 +128,24 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_out, "%s\n", s);
|
BIO_printf(bio_out, "%s\n", s);
|
||||||
OPENSSL_free(s);
|
OPENSSL_free(s);
|
||||||
} else {
|
} else {
|
||||||
|
int r;
|
||||||
|
|
||||||
if (hex)
|
if (hex)
|
||||||
BN_hex2bn(&bn, argv[0]);
|
r = BN_hex2bn(&bn, argv[0]);
|
||||||
else
|
else
|
||||||
BN_dec2bn(&bn, argv[0]);
|
r = BN_dec2bn(&bn, argv[0]);
|
||||||
|
|
||||||
|
if(!r) {
|
||||||
|
BIO_printf(bio_err, "Failed to process value (%s)\n", argv[0]);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
BN_print(bio_out, bn);
|
BN_print(bio_out, bn);
|
||||||
BIO_printf(bio_out, " is %sprime\n",
|
BIO_printf(bio_out, " is %sprime\n",
|
||||||
BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not ");
|
BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not ");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
end:
|
||||||
BN_free(bn);
|
BN_free(bn);
|
||||||
BIO_free_all(bio_out);
|
BIO_free_all(bio_out);
|
||||||
|
|
||||||
|
@ -86,9 +86,8 @@ int MAIN(int argc, char **argv)
|
|||||||
int hex = 0;
|
int hex = 0;
|
||||||
BIO *out = NULL;
|
BIO *out = NULL;
|
||||||
int num = -1;
|
int num = -1;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
ENGINE *e = NULL;
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
|
|
||||||
@ -162,9 +161,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, "-hex - hex encode output\n");
|
BIO_printf(bio_err, "-hex - hex encode output\n");
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
|
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
|
||||||
if (inrand != NULL)
|
if (inrand != NULL)
|
||||||
@ -222,6 +219,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
err:
|
err:
|
||||||
ERR_print_errors(bio_err);
|
ERR_print_errors(bio_err);
|
||||||
|
release_engine(e);
|
||||||
if (out)
|
if (out)
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
|
@ -179,9 +179,7 @@ int MAIN(int argc, char **argv)
|
|||||||
int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
|
int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
|
||||||
char *infile, *outfile, *prog, *keyfile = NULL, *template =
|
char *infile, *outfile, *prog, *keyfile = NULL, *template =
|
||||||
NULL, *keyout = NULL;
|
NULL, *keyout = NULL;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
char *extensions = NULL;
|
char *extensions = NULL;
|
||||||
char *req_exts = NULL;
|
char *req_exts = NULL;
|
||||||
const EVP_CIPHER *cipher = NULL;
|
const EVP_CIPHER *cipher = NULL;
|
||||||
@ -595,9 +593,7 @@ int MAIN(int argc, char **argv)
|
|||||||
if ((in == NULL) || (out == NULL))
|
if ((in == NULL) || (out == NULL))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (keyfile != NULL) {
|
if (keyfile != NULL) {
|
||||||
pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
|
pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
|
||||||
@ -1040,6 +1036,7 @@ int MAIN(int argc, char **argv)
|
|||||||
X509_REQ_free(req);
|
X509_REQ_free(req);
|
||||||
X509_free(x509ss);
|
X509_free(x509ss);
|
||||||
ASN1_INTEGER_free(serial);
|
ASN1_INTEGER_free(serial);
|
||||||
|
release_engine(e);
|
||||||
if (passargin && passin)
|
if (passargin && passin)
|
||||||
OPENSSL_free(passin);
|
OPENSSL_free(passin);
|
||||||
if (passargout && passout)
|
if (passargout && passout)
|
||||||
|
@ -111,9 +111,7 @@ int MAIN(int argc, char **argv)
|
|||||||
char *infile, *outfile, *prog;
|
char *infile, *outfile, *prog;
|
||||||
char *passargin = NULL, *passargout = NULL;
|
char *passargin = NULL, *passargout = NULL;
|
||||||
char *passin = NULL, *passout = NULL;
|
char *passin = NULL, *passout = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
int modulus = 0;
|
int modulus = 0;
|
||||||
|
|
||||||
int pvk_encr = 2;
|
int pvk_encr = 2;
|
||||||
@ -254,9 +252,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting passwords\n");
|
BIO_printf(bio_err, "Error getting passwords\n");
|
||||||
@ -419,6 +415,7 @@ int MAIN(int argc, char **argv)
|
|||||||
} else
|
} else
|
||||||
ret = 0;
|
ret = 0;
|
||||||
end:
|
end:
|
||||||
|
release_engine(e);
|
||||||
if (out != NULL)
|
if (out != NULL)
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (rsa != NULL)
|
if (rsa != NULL)
|
||||||
|
@ -88,9 +88,7 @@ int MAIN(int argc, char **argv)
|
|||||||
ENGINE *e = NULL;
|
ENGINE *e = NULL;
|
||||||
BIO *in = NULL, *out = NULL;
|
BIO *in = NULL, *out = NULL;
|
||||||
char *infile = NULL, *outfile = NULL;
|
char *infile = NULL, *outfile = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
char *keyfile = NULL;
|
char *keyfile = NULL;
|
||||||
char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
|
char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
|
||||||
int keyform = FORMAT_PEM;
|
int keyform = FORMAT_PEM;
|
||||||
@ -195,9 +193,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, "A private key is needed for this operation\n");
|
BIO_printf(bio_err, "A private key is needed for this operation\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
# endif
|
|
||||||
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
|
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
|
||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
goto end;
|
goto end;
|
||||||
@ -327,6 +323,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_write(out, rsa_out, rsa_outlen);
|
BIO_write(out, rsa_out, rsa_outlen);
|
||||||
end:
|
end:
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
|
release_engine(e);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
if (rsa_in)
|
if (rsa_in)
|
||||||
|
@ -548,12 +548,12 @@ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
|||||||
|
|
||||||
if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
|
if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
|
||||||
BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
||||||
(void *)bio, argp, (unsigned long)argi, ret, ret);
|
(void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
|
||||||
BIO_dump(out, argp, (int)ret);
|
BIO_dump(out, argp, (int)ret);
|
||||||
return (ret);
|
return (ret);
|
||||||
} else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
|
} else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
|
||||||
BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
||||||
(void *)bio, argp, (unsigned long)argi, ret, ret);
|
(void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
|
||||||
BIO_dump(out, argp, (int)ret);
|
BIO_dump(out, argp, (int)ret);
|
||||||
}
|
}
|
||||||
return (ret);
|
return (ret);
|
||||||
|
@ -694,12 +694,12 @@ int MAIN(int argc, char **argv)
|
|||||||
char *inrand = NULL;
|
char *inrand = NULL;
|
||||||
int mbuf_len = 0;
|
int mbuf_len = 0;
|
||||||
struct timeval timeout, *timeoutp;
|
struct timeval timeout, *timeoutp;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine_id = NULL;
|
char *engine_id = NULL;
|
||||||
|
ENGINE *e = NULL;
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
char *ssl_client_engine_id = NULL;
|
char *ssl_client_engine_id = NULL;
|
||||||
ENGINE *ssl_client_engine = NULL;
|
ENGINE *ssl_client_engine = NULL;
|
||||||
#endif
|
#endif
|
||||||
ENGINE *e = NULL;
|
|
||||||
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
|
||||||
struct timeval tv;
|
struct timeval tv;
|
||||||
# if defined(OPENSSL_SYS_BEOS_R5)
|
# if defined(OPENSSL_SYS_BEOS_R5)
|
||||||
@ -1186,8 +1186,8 @@ int MAIN(int argc, char **argv)
|
|||||||
next_proto.data = NULL;
|
next_proto.data = NULL;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine_id, 1);
|
e = setup_engine(bio_err, engine_id, 1);
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
if (ssl_client_engine_id) {
|
if (ssl_client_engine_id) {
|
||||||
ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
|
ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
|
||||||
if (!ssl_client_engine) {
|
if (!ssl_client_engine) {
|
||||||
@ -2123,6 +2123,7 @@ int MAIN(int argc, char **argv)
|
|||||||
OPENSSL_cleanse(mbuf, BUFSIZZ);
|
OPENSSL_cleanse(mbuf, BUFSIZZ);
|
||||||
OPENSSL_free(mbuf);
|
OPENSSL_free(mbuf);
|
||||||
}
|
}
|
||||||
|
release_engine(e);
|
||||||
if (bio_c_out != NULL) {
|
if (bio_c_out != NULL) {
|
||||||
BIO_free(bio_c_out);
|
BIO_free(bio_c_out);
|
||||||
bio_c_out = NULL;
|
bio_c_out = NULL;
|
||||||
|
@ -328,9 +328,7 @@ static char *keymatexportlabel = NULL;
|
|||||||
static int keymatexportlen = 20;
|
static int keymatexportlen = 20;
|
||||||
|
|
||||||
static int hack = 0;
|
static int hack = 0;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
static char *engine_id = NULL;
|
static char *engine_id = NULL;
|
||||||
#endif
|
|
||||||
static const char *session_id_prefix = NULL;
|
static const char *session_id_prefix = NULL;
|
||||||
|
|
||||||
static int enable_timeouts = 0;
|
static int enable_timeouts = 0;
|
||||||
@ -484,9 +482,7 @@ static void s_server_init(void)
|
|||||||
s_quiet = 0;
|
s_quiet = 0;
|
||||||
s_brief = 0;
|
s_brief = 0;
|
||||||
hack = 0;
|
hack = 0;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
|
||||||
engine_id = NULL;
|
engine_id = NULL;
|
||||||
# endif
|
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1603,9 +1599,7 @@ int MAIN(int argc, char *argv[])
|
|||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
OpenSSL_add_ssl_algorithms();
|
OpenSSL_add_ssl_algorithms();
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine_id, 1);
|
e = setup_engine(bio_err, engine_id, 1);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
|
if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
|
||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
@ -2129,6 +2123,7 @@ int MAIN(int argc, char *argv[])
|
|||||||
if (jpake_secret && psk_key)
|
if (jpake_secret && psk_key)
|
||||||
OPENSSL_free(psk_key);
|
OPENSSL_free(psk_key);
|
||||||
#endif
|
#endif
|
||||||
|
release_engine(e);
|
||||||
if (bio_s_out != NULL) {
|
if (bio_s_out != NULL) {
|
||||||
BIO_free(bio_s_out);
|
BIO_free(bio_s_out);
|
||||||
bio_s_out = NULL;
|
bio_s_out = NULL;
|
||||||
|
@ -114,9 +114,7 @@ int MAIN(int argc, char **argv)
|
|||||||
const EVP_MD *sign_md = NULL;
|
const EVP_MD *sign_md = NULL;
|
||||||
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
|
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
|
||||||
int keyform = FORMAT_PEM;
|
int keyform = FORMAT_PEM;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
|
|
||||||
X509_VERIFY_PARAM *vpm = NULL;
|
X509_VERIFY_PARAM *vpm = NULL;
|
||||||
|
|
||||||
@ -461,9 +459,7 @@ int MAIN(int argc, char **argv)
|
|||||||
"cert.pem recipient certificate(s) for encryption\n");
|
"cert.pem recipient certificate(s) for encryption\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
|
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
|
||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
@ -736,6 +732,7 @@ int MAIN(int argc, char **argv)
|
|||||||
X509_free(signer);
|
X509_free(signer);
|
||||||
EVP_PKEY_free(key);
|
EVP_PKEY_free(key);
|
||||||
PKCS7_free(p7);
|
PKCS7_free(p7);
|
||||||
|
release_engine(e);
|
||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
BIO_free(indata);
|
BIO_free(indata);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
|
14
apps/speed.c
14
apps/speed.c
@ -372,6 +372,7 @@ int MAIN(int, char **);
|
|||||||
|
|
||||||
int MAIN(int argc, char **argv)
|
int MAIN(int argc, char **argv)
|
||||||
{
|
{
|
||||||
|
ENGINE *e = NULL;
|
||||||
unsigned char *buf = NULL, *buf2 = NULL;
|
unsigned char *buf = NULL, *buf2 = NULL;
|
||||||
int mret = 1;
|
int mret = 1;
|
||||||
long count = 0, save_count = 0;
|
long count = 0, save_count = 0;
|
||||||
@ -669,6 +670,10 @@ int MAIN(int argc, char **argv)
|
|||||||
ecdh_b[i] = NULL;
|
ecdh_b[i] = NULL;
|
||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
|
# ifndef OPENSSL_NO_RSA
|
||||||
|
for (i = 0; i < RSA_NUM; i++)
|
||||||
|
rsa_key[i] = NULL;
|
||||||
|
# endif
|
||||||
|
|
||||||
if (bio_err == NULL)
|
if (bio_err == NULL)
|
||||||
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
|
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
|
||||||
@ -677,12 +682,6 @@ int MAIN(int argc, char **argv)
|
|||||||
if (!load_config(bio_err, NULL))
|
if (!load_config(bio_err, NULL))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_RSA
|
|
||||||
memset(rsa_key, 0, sizeof(rsa_key));
|
|
||||||
for (i = 0; i < RSA_NUM; i++)
|
|
||||||
rsa_key[i] = NULL;
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if ((buf = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
|
if ((buf = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
|
||||||
BIO_printf(bio_err, "out of memory\n");
|
BIO_printf(bio_err, "out of memory\n");
|
||||||
goto end;
|
goto end;
|
||||||
@ -749,7 +748,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, "no engine given\n");
|
BIO_printf(bio_err, "no engine given\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
setup_engine(bio_err, *argv, 0);
|
e = setup_engine(bio_err, *argv, 0);
|
||||||
/*
|
/*
|
||||||
* j will be increased again further down. We just don't want
|
* j will be increased again further down. We just don't want
|
||||||
* speed to confuse an engine with an algorithm, especially when
|
* speed to confuse an engine with an algorithm, especially when
|
||||||
@ -2526,6 +2525,7 @@ int MAIN(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
|
|
||||||
|
release_engine(e);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(mret);
|
OPENSSL_EXIT(mret);
|
||||||
}
|
}
|
||||||
|
@ -94,9 +94,7 @@ int MAIN(int argc, char **argv)
|
|||||||
CONF *conf = NULL;
|
CONF *conf = NULL;
|
||||||
NETSCAPE_SPKI *spki = NULL;
|
NETSCAPE_SPKI *spki = NULL;
|
||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
|
|
||||||
apps_startup();
|
apps_startup();
|
||||||
|
|
||||||
@ -185,9 +183,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, "Error getting password\n");
|
BIO_printf(bio_err, "Error getting password\n");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (keyfile) {
|
if (keyfile) {
|
||||||
pkey = load_key(bio_err,
|
pkey = load_key(bio_err,
|
||||||
@ -305,6 +301,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_free(in);
|
BIO_free(in);
|
||||||
BIO_free_all(out);
|
BIO_free_all(out);
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
|
release_engine(e);
|
||||||
if (passin)
|
if (passin)
|
||||||
OPENSSL_free(passin);
|
OPENSSL_free(passin);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
|
@ -293,9 +293,8 @@ int MAIN(int argc, char **argv)
|
|||||||
int i;
|
int i;
|
||||||
long errorline = -1;
|
long errorline = -1;
|
||||||
char *randfile = NULL;
|
char *randfile = NULL;
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
ENGINE *e = NULL;
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
# endif
|
|
||||||
char *tofree = NULL;
|
char *tofree = NULL;
|
||||||
DB_ATTR db_attr;
|
DB_ATTR db_attr;
|
||||||
|
|
||||||
@ -411,9 +410,7 @@ int MAIN(int argc, char **argv)
|
|||||||
|
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_ENGINE
|
e = setup_engine(bio_err, engine, 0);
|
||||||
setup_engine(bio_err, engine, 0);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
||||||
BIO_printf(bio_err, "Error getting passwords\n");
|
BIO_printf(bio_err, "Error getting passwords\n");
|
||||||
@ -760,6 +757,7 @@ int MAIN(int argc, char **argv)
|
|||||||
if (db)
|
if (db)
|
||||||
free_index(db);
|
free_index(db);
|
||||||
|
|
||||||
|
release_engine(e);
|
||||||
OBJ_cleanup();
|
OBJ_cleanup();
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(ret);
|
OPENSSL_EXIT(ret);
|
||||||
|
@ -89,9 +89,7 @@ int MAIN(int argc, char **argv)
|
|||||||
X509_LOOKUP *lookup = NULL;
|
X509_LOOKUP *lookup = NULL;
|
||||||
X509_VERIFY_PARAM *vpm = NULL;
|
X509_VERIFY_PARAM *vpm = NULL;
|
||||||
int crl_download = 0;
|
int crl_download = 0;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
|
|
||||||
cert_ctx = X509_STORE_new();
|
cert_ctx = X509_STORE_new();
|
||||||
if (cert_ctx == NULL)
|
if (cert_ctx == NULL)
|
||||||
@ -160,9 +158,7 @@ int MAIN(int argc, char **argv)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (vpm)
|
if (vpm)
|
||||||
X509_STORE_set1_param(cert_ctx, vpm);
|
X509_STORE_set1_param(cert_ctx, vpm);
|
||||||
@ -255,6 +251,7 @@ int MAIN(int argc, char **argv)
|
|||||||
sk_X509_pop_free(untrusted, X509_free);
|
sk_X509_pop_free(untrusted, X509_free);
|
||||||
sk_X509_pop_free(trusted, X509_free);
|
sk_X509_pop_free(trusted, X509_free);
|
||||||
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
||||||
|
release_engine(e);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
OPENSSL_EXIT(ret < 0 ? 2 : ret);
|
OPENSSL_EXIT(ret < 0 ? 2 : ret);
|
||||||
}
|
}
|
||||||
|
@ -218,9 +218,7 @@ int MAIN(int argc, char **argv)
|
|||||||
char *checkhost = NULL;
|
char *checkhost = NULL;
|
||||||
char *checkemail = NULL;
|
char *checkemail = NULL;
|
||||||
char *checkip = NULL;
|
char *checkip = NULL;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
char *engine = NULL;
|
char *engine = NULL;
|
||||||
#endif
|
|
||||||
|
|
||||||
reqfile = 0;
|
reqfile = 0;
|
||||||
|
|
||||||
@ -501,9 +499,7 @@ int MAIN(int argc, char **argv)
|
|||||||
BIO_printf(bio_err, "%s", *pp);
|
BIO_printf(bio_err, "%s", *pp);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
e = setup_engine(bio_err, engine, 0);
|
e = setup_engine(bio_err, engine, 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
if (need_rand)
|
if (need_rand)
|
||||||
app_RAND_load_file(NULL, bio_err, 0);
|
app_RAND_load_file(NULL, bio_err, 0);
|
||||||
@ -1040,6 +1036,7 @@ int MAIN(int argc, char **argv)
|
|||||||
ASN1_INTEGER_free(sno);
|
ASN1_INTEGER_free(sno);
|
||||||
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
|
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
|
||||||
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
|
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
|
||||||
|
release_engine(e);
|
||||||
if (passin)
|
if (passin)
|
||||||
OPENSSL_free(passin);
|
OPENSSL_free(passin);
|
||||||
apps_shutdown();
|
apps_shutdown();
|
||||||
|
@ -1568,8 +1568,8 @@ ___
|
|||||||
}
|
}
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
# void AES_xts_encrypt(const char *inp,char *out,size_t len,
|
# void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
|
||||||
# const AES_KEY *key1, const AES_KEY *key2,
|
# size_t len, const AES_KEY *key1, const AES_KEY *key2,
|
||||||
# const unsigned char iv[16]);
|
# const unsigned char iv[16]);
|
||||||
#
|
#
|
||||||
{
|
{
|
||||||
@ -1937,8 +1937,8 @@ $code.=<<___;
|
|||||||
br $ra
|
br $ra
|
||||||
.size AES_xts_encrypt,.-AES_xts_encrypt
|
.size AES_xts_encrypt,.-AES_xts_encrypt
|
||||||
___
|
___
|
||||||
# void AES_xts_decrypt(const char *inp,char *out,size_t len,
|
# void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
|
||||||
# const AES_KEY *key1, const AES_KEY *key2,
|
# size_t len, const AES_KEY *key1, const AES_KEY *key2,
|
||||||
# const unsigned char iv[16]);
|
# const unsigned char iv[16]);
|
||||||
#
|
#
|
||||||
$code.=<<___;
|
$code.=<<___;
|
||||||
|
@ -91,12 +91,11 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||||||
unsigned char *salt, int saltlen,
|
unsigned char *salt, int saltlen,
|
||||||
unsigned char *aiv, int prf_nid)
|
unsigned char *aiv, int prf_nid)
|
||||||
{
|
{
|
||||||
X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
|
X509_ALGOR *scheme = NULL, *ret = NULL;
|
||||||
int alg_nid, keylen;
|
int alg_nid, keylen;
|
||||||
EVP_CIPHER_CTX ctx;
|
EVP_CIPHER_CTX ctx;
|
||||||
unsigned char iv[EVP_MAX_IV_LENGTH];
|
unsigned char iv[EVP_MAX_IV_LENGTH];
|
||||||
PBE2PARAM *pbe2 = NULL;
|
PBE2PARAM *pbe2 = NULL;
|
||||||
ASN1_OBJECT *obj;
|
|
||||||
|
|
||||||
alg_nid = EVP_CIPHER_type(cipher);
|
alg_nid = EVP_CIPHER_type(cipher);
|
||||||
if (alg_nid == NID_undef) {
|
if (alg_nid == NID_undef) {
|
||||||
@ -104,7 +103,6 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||||||
ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
|
ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
obj = OBJ_nid2obj(alg_nid);
|
|
||||||
|
|
||||||
if (!(pbe2 = PBE2PARAM_new()))
|
if (!(pbe2 = PBE2PARAM_new()))
|
||||||
goto merr;
|
goto merr;
|
||||||
@ -112,7 +110,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||||||
/* Setup the AlgorithmIdentifier for the encryption scheme */
|
/* Setup the AlgorithmIdentifier for the encryption scheme */
|
||||||
scheme = pbe2->encryption;
|
scheme = pbe2->encryption;
|
||||||
|
|
||||||
scheme->algorithm = obj;
|
scheme->algorithm = OBJ_nid2obj(alg_nid);
|
||||||
if (!(scheme->parameter = ASN1_TYPE_new()))
|
if (!(scheme->parameter = ASN1_TYPE_new()))
|
||||||
goto merr;
|
goto merr;
|
||||||
|
|
||||||
@ -188,11 +186,9 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||||||
err:
|
err:
|
||||||
PBE2PARAM_free(pbe2);
|
PBE2PARAM_free(pbe2);
|
||||||
/* Note 'scheme' is freed as part of pbe2 */
|
/* Note 'scheme' is freed as part of pbe2 */
|
||||||
X509_ALGOR_free(kalg);
|
|
||||||
X509_ALGOR_free(ret);
|
X509_ALGOR_free(ret);
|
||||||
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
|
X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
|
||||||
|
@ -254,6 +254,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
|||||||
|
|
||||||
for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
|
for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
|
||||||
int nid;
|
int nid;
|
||||||
|
|
||||||
ext = sk_X509_EXTENSION_value(exts, idx);
|
ext = sk_X509_EXTENSION_value(exts, idx);
|
||||||
nid = OBJ_obj2nid(ext->object);
|
nid = OBJ_obj2nid(ext->object);
|
||||||
if (nid == NID_freshest_crl)
|
if (nid == NID_freshest_crl)
|
||||||
@ -263,7 +264,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
|||||||
if ((nid == NID_issuing_distribution_point)
|
if ((nid == NID_issuing_distribution_point)
|
||||||
|| (nid == NID_authority_key_identifier)
|
|| (nid == NID_authority_key_identifier)
|
||||||
|| (nid == NID_delta_crl))
|
|| (nid == NID_delta_crl))
|
||||||
break;;
|
continue;
|
||||||
crl->flags |= EXFLAG_CRITICAL;
|
crl->flags |= EXFLAG_CRITICAL;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -1148,18 +1148,17 @@ $code.=<<___;
|
|||||||
mulx 2*8($aptr),%r15,%r13 # ...
|
mulx 2*8($aptr),%r15,%r13 # ...
|
||||||
adox -3*8($tptr),%r11
|
adox -3*8($tptr),%r11
|
||||||
adcx %r15,%r12
|
adcx %r15,%r12
|
||||||
adox $zero,%r12
|
adox -2*8($tptr),%r12
|
||||||
adcx $zero,%r13
|
adcx $zero,%r13
|
||||||
|
adox $zero,%r13
|
||||||
|
|
||||||
mov $bptr,8(%rsp) # off-load &b[i]
|
mov $bptr,8(%rsp) # off-load &b[i]
|
||||||
.byte 0x67
|
|
||||||
mov $mi,%r15
|
mov $mi,%r15
|
||||||
imulq 24(%rsp),$mi # "t[0]"*n0
|
imulq 24(%rsp),$mi # "t[0]"*n0
|
||||||
xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
|
xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
|
||||||
|
|
||||||
mulx 3*8($aptr),%rax,%r14
|
mulx 3*8($aptr),%rax,%r14
|
||||||
mov $mi,%rdx
|
mov $mi,%rdx
|
||||||
adox -2*8($tptr),%r12
|
|
||||||
adcx %rax,%r13
|
adcx %rax,%r13
|
||||||
adox -1*8($tptr),%r13
|
adox -1*8($tptr),%r13
|
||||||
adcx $zero,%r14
|
adcx $zero,%r14
|
||||||
|
@ -1925,6 +1925,7 @@ __bn_sqr8x_reduction:
|
|||||||
|
|
||||||
.align 32
|
.align 32
|
||||||
.L8x_tail_done:
|
.L8x_tail_done:
|
||||||
|
xor %rax,%rax
|
||||||
add (%rdx),%r8 # can this overflow?
|
add (%rdx),%r8 # can this overflow?
|
||||||
adc \$0,%r9
|
adc \$0,%r9
|
||||||
adc \$0,%r10
|
adc \$0,%r10
|
||||||
@ -1932,10 +1933,8 @@ __bn_sqr8x_reduction:
|
|||||||
adc \$0,%r12
|
adc \$0,%r12
|
||||||
adc \$0,%r13
|
adc \$0,%r13
|
||||||
adc \$0,%r14
|
adc \$0,%r14
|
||||||
adc \$0,%r15 # can't overflow, because we
|
adc \$0,%r15
|
||||||
# started with "overhung" part
|
adc \$0,%rax
|
||||||
# of multiplication
|
|
||||||
xor %rax,%rax
|
|
||||||
|
|
||||||
neg $carry
|
neg $carry
|
||||||
.L8x_no_tail:
|
.L8x_no_tail:
|
||||||
@ -3375,6 +3374,7 @@ __bn_sqrx8x_reduction:
|
|||||||
|
|
||||||
.align 32
|
.align 32
|
||||||
.Lsqrx8x_tail_done:
|
.Lsqrx8x_tail_done:
|
||||||
|
xor %rax,%rax
|
||||||
add 24+8(%rsp),%r8 # can this overflow?
|
add 24+8(%rsp),%r8 # can this overflow?
|
||||||
adc \$0,%r9
|
adc \$0,%r9
|
||||||
adc \$0,%r10
|
adc \$0,%r10
|
||||||
@ -3382,10 +3382,8 @@ __bn_sqrx8x_reduction:
|
|||||||
adc \$0,%r12
|
adc \$0,%r12
|
||||||
adc \$0,%r13
|
adc \$0,%r13
|
||||||
adc \$0,%r14
|
adc \$0,%r14
|
||||||
adc \$0,%r15 # can't overflow, because we
|
adc \$0,%r15
|
||||||
# started with "overhung" part
|
adc \$0,%rax
|
||||||
# of multiplication
|
|
||||||
mov $carry,%rax # xor %rax,%rax
|
|
||||||
|
|
||||||
sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
|
sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
|
||||||
.Lsqrx8x_no_tail: # %cf is 0 if jumped here
|
.Lsqrx8x_no_tail: # %cf is 0 if jumped here
|
||||||
@ -3400,7 +3398,7 @@ __bn_sqrx8x_reduction:
|
|||||||
adc 8*5($tptr),%r13
|
adc 8*5($tptr),%r13
|
||||||
adc 8*6($tptr),%r14
|
adc 8*6($tptr),%r14
|
||||||
adc 8*7($tptr),%r15
|
adc 8*7($tptr),%r15
|
||||||
adc %rax,%rax # top-most carry
|
adc \$0,%rax # top-most carry
|
||||||
|
|
||||||
mov 32+8(%rsp),%rbx # n0
|
mov 32+8(%rsp),%rbx # n0
|
||||||
mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8"
|
mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8"
|
||||||
|
@ -180,8 +180,9 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (r != rr)
|
if (r != rr && BN_copy(r, rr) == NULL)
|
||||||
BN_copy(r, rr);
|
goto err;
|
||||||
|
|
||||||
ret = 1;
|
ret = 1;
|
||||||
err:
|
err:
|
||||||
BN_CTX_end(ctx);
|
BN_CTX_end(ctx);
|
||||||
|
@ -1083,8 +1083,9 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
|
|||||||
end:
|
end:
|
||||||
#endif
|
#endif
|
||||||
bn_correct_top(rr);
|
bn_correct_top(rr);
|
||||||
if (r != rr)
|
if (r != rr && BN_copy(r, rr) == NULL)
|
||||||
BN_copy(r, rr);
|
goto err;
|
||||||
|
|
||||||
ret = 1;
|
ret = 1;
|
||||||
err:
|
err:
|
||||||
bn_check_top(r);
|
bn_check_top(r);
|
||||||
|
@ -283,7 +283,8 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
|
|||||||
BIGNUM *t;
|
BIGNUM *t;
|
||||||
if ((t = BN_CTX_get(ctx)) == NULL)
|
if ((t = BN_CTX_get(ctx)) == NULL)
|
||||||
goto err;
|
goto err;
|
||||||
BN_copy(t, a);
|
if (BN_copy(t, a) == NULL)
|
||||||
|
goto err;
|
||||||
t->neg = 0;
|
t->neg = 0;
|
||||||
A = t;
|
A = t;
|
||||||
} else
|
} else
|
||||||
|
@ -143,8 +143,9 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
|
|||||||
rr->top = max - 1;
|
rr->top = max - 1;
|
||||||
else
|
else
|
||||||
rr->top = max;
|
rr->top = max;
|
||||||
if (rr != r)
|
if (r != rr && BN_copy(r, rr) == NULL)
|
||||||
BN_copy(r, rr);
|
goto err;
|
||||||
|
|
||||||
ret = 1;
|
ret = 1;
|
||||||
err:
|
err:
|
||||||
bn_check_top(rr);
|
bn_check_top(rr);
|
||||||
|
@ -401,9 +401,12 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
|
|||||||
* Pick a cipher based on content encryption cipher. If it is DES3 use
|
* Pick a cipher based on content encryption cipher. If it is DES3 use
|
||||||
* DES3 wrap otherwise use AES wrap similar to key size.
|
* DES3 wrap otherwise use AES wrap similar to key size.
|
||||||
*/
|
*/
|
||||||
|
#ifndef OPENSSL_NO_DES
|
||||||
if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
|
if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
|
||||||
kekcipher = EVP_des_ede3_wrap();
|
kekcipher = EVP_des_ede3_wrap();
|
||||||
else if (keylen <= 16)
|
else
|
||||||
|
#endif
|
||||||
|
if (keylen <= 16)
|
||||||
kekcipher = EVP_aes_128_wrap();
|
kekcipher = EVP_aes_128_wrap();
|
||||||
else if (keylen <= 24)
|
else if (keylen <= 24)
|
||||||
kekcipher = EVP_aes_192_wrap();
|
kekcipher = EVP_aes_192_wrap();
|
||||||
|
@ -223,6 +223,8 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
|||||||
goto err;
|
goto err;
|
||||||
BN_CTX_start(ctx);
|
BN_CTX_start(ctx);
|
||||||
tmp = BN_CTX_get(ctx);
|
tmp = BN_CTX_get(ctx);
|
||||||
|
if (tmp == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (dh->priv_key == NULL) {
|
if (dh->priv_key == NULL) {
|
||||||
DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);
|
DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);
|
||||||
|
@ -180,7 +180,7 @@ static int pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
|
|||||||
DSAerr(DSA_F_PKEY_DSA_CTRL, DSA_R_INVALID_DIGEST_TYPE);
|
DSAerr(DSA_F_PKEY_DSA_CTRL, DSA_R_INVALID_DIGEST_TYPE);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
dctx->md = p2;
|
dctx->pmd = p2;
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
case EVP_PKEY_CTRL_MD:
|
case EVP_PKEY_CTRL_MD:
|
||||||
|
@ -267,7 +267,7 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
|
|||||||
BN_CTX *ctx)
|
BN_CTX *ctx)
|
||||||
{
|
{
|
||||||
BIGNUM *x1, *x2, *z1, *z2;
|
BIGNUM *x1, *x2, *z1, *z2;
|
||||||
int ret = 0, i;
|
int ret = 0, i, group_top;
|
||||||
BN_ULONG mask, word;
|
BN_ULONG mask, word;
|
||||||
|
|
||||||
if (r == point) {
|
if (r == point) {
|
||||||
@ -297,10 +297,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
|
|||||||
x2 = &r->X;
|
x2 = &r->X;
|
||||||
z2 = &r->Y;
|
z2 = &r->Y;
|
||||||
|
|
||||||
bn_wexpand(x1, group->field.top);
|
group_top = group->field.top;
|
||||||
bn_wexpand(z1, group->field.top);
|
if (bn_wexpand(x1, group_top) == NULL
|
||||||
bn_wexpand(x2, group->field.top);
|
|| bn_wexpand(z1, group_top) == NULL
|
||||||
bn_wexpand(z2, group->field.top);
|
|| bn_wexpand(x2, group_top) == NULL
|
||||||
|
|| bn_wexpand(z2, group_top) == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
|
if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
|
||||||
goto err; /* x1 = x */
|
goto err; /* x1 = x */
|
||||||
@ -329,14 +331,14 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
|
|||||||
for (; i >= 0; i--) {
|
for (; i >= 0; i--) {
|
||||||
word = scalar->d[i];
|
word = scalar->d[i];
|
||||||
while (mask) {
|
while (mask) {
|
||||||
BN_consttime_swap(word & mask, x1, x2, group->field.top);
|
BN_consttime_swap(word & mask, x1, x2, group_top);
|
||||||
BN_consttime_swap(word & mask, z1, z2, group->field.top);
|
BN_consttime_swap(word & mask, z1, z2, group_top);
|
||||||
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
|
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
|
||||||
goto err;
|
goto err;
|
||||||
if (!gf2m_Mdouble(group, x1, z1, ctx))
|
if (!gf2m_Mdouble(group, x1, z1, ctx))
|
||||||
goto err;
|
goto err;
|
||||||
BN_consttime_swap(word & mask, x1, x2, group->field.top);
|
BN_consttime_swap(word & mask, x1, x2, group_top);
|
||||||
BN_consttime_swap(word & mask, z1, z2, group->field.top);
|
BN_consttime_swap(word & mask, z1, z2, group_top);
|
||||||
mask >>= 1;
|
mask >>= 1;
|
||||||
}
|
}
|
||||||
mask = BN_TBIT;
|
mask = BN_TBIT;
|
||||||
|
@ -212,7 +212,9 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
|
|||||||
BN_CTX_end(ctx);
|
BN_CTX_end(ctx);
|
||||||
if (ctx)
|
if (ctx)
|
||||||
BN_CTX_free(ctx);
|
BN_CTX_free(ctx);
|
||||||
if (buf)
|
if (buf) {
|
||||||
|
OPENSSL_cleanse(buf, buflen);
|
||||||
OPENSSL_free(buf);
|
OPENSSL_free(buf);
|
||||||
|
}
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
@ -868,6 +868,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len)
|
|||||||
const char *ls, *fs, *rs;
|
const char *ls, *fs, *rs;
|
||||||
unsigned long l, f, r;
|
unsigned long l, f, r;
|
||||||
|
|
||||||
|
if (len == 0)
|
||||||
|
return;
|
||||||
|
|
||||||
l = ERR_GET_LIB(e);
|
l = ERR_GET_LIB(e);
|
||||||
f = ERR_GET_FUNC(e);
|
f = ERR_GET_FUNC(e);
|
||||||
r = ERR_GET_REASON(e);
|
r = ERR_GET_REASON(e);
|
||||||
|
@ -155,10 +155,10 @@ void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
|
|||||||
const unsigned char ivec[AES_BLOCK_SIZE]);
|
const unsigned char ivec[AES_BLOCK_SIZE]);
|
||||||
# endif
|
# endif
|
||||||
# ifdef AES_XTS_ASM
|
# ifdef AES_XTS_ASM
|
||||||
void AES_xts_encrypt(const char *inp, char *out, size_t len,
|
void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
|
||||||
const AES_KEY *key1, const AES_KEY *key2,
|
const AES_KEY *key1, const AES_KEY *key2,
|
||||||
const unsigned char iv[16]);
|
const unsigned char iv[16]);
|
||||||
void AES_xts_decrypt(const char *inp, char *out, size_t len,
|
void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
|
||||||
const AES_KEY *key1, const AES_KEY *key2,
|
const AES_KEY *key1, const AES_KEY *key2,
|
||||||
const unsigned char iv[16]);
|
const unsigned char iv[16]);
|
||||||
# endif
|
# endif
|
||||||
|
@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
|||||||
len = p[arg - 2] << 8 | p[arg - 1];
|
len = p[arg - 2] << 8 | p[arg - 1];
|
||||||
|
|
||||||
if (!ctx->encrypt) {
|
if (!ctx->encrypt) {
|
||||||
|
if (len < MD5_DIGEST_LENGTH)
|
||||||
|
return -1;
|
||||||
len -= MD5_DIGEST_LENGTH;
|
len -= MD5_DIGEST_LENGTH;
|
||||||
p[arg - 2] = len >> 8;
|
p[arg - 2] = len >> 8;
|
||||||
p[arg - 1] = len;
|
p[arg - 1] = len;
|
||||||
|
@ -1370,6 +1370,7 @@ void EVP_add_alg_module(void);
|
|||||||
* The following lines are auto generated by the script mkerr.pl. Any changes
|
* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||||
* made after this point may be overwritten when the script is next run.
|
* made after this point may be overwritten when the script is next run.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
void ERR_load_EVP_strings(void);
|
void ERR_load_EVP_strings(void);
|
||||||
|
|
||||||
/* Error codes for the EVP functions. */
|
/* Error codes for the EVP functions. */
|
||||||
@ -1489,6 +1490,7 @@ void ERR_load_EVP_strings(void);
|
|||||||
# define EVP_R_INPUT_NOT_INITIALIZED 111
|
# define EVP_R_INPUT_NOT_INITIALIZED 111
|
||||||
# define EVP_R_INVALID_DIGEST 152
|
# define EVP_R_INVALID_DIGEST 152
|
||||||
# define EVP_R_INVALID_FIPS_MODE 168
|
# define EVP_R_INVALID_FIPS_MODE 168
|
||||||
|
# define EVP_R_INVALID_KEY 171
|
||||||
# define EVP_R_INVALID_KEY_LENGTH 130
|
# define EVP_R_INVALID_KEY_LENGTH 130
|
||||||
# define EVP_R_INVALID_OPERATION 148
|
# define EVP_R_INVALID_OPERATION 148
|
||||||
# define EVP_R_IV_TOO_LARGE 102
|
# define EVP_R_IV_TOO_LARGE 102
|
||||||
@ -1528,7 +1530,7 @@ void ERR_load_EVP_strings(void);
|
|||||||
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
|
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
|
||||||
# define EVP_R_WRONG_PUBLIC_KEY_TYPE 110
|
# define EVP_R_WRONG_PUBLIC_KEY_TYPE 110
|
||||||
|
|
||||||
#ifdef __cplusplus
|
# ifdef __cplusplus
|
||||||
}
|
}
|
||||||
#endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
/* crypto/evp/evp_err.c */
|
/* crypto/evp/evp_err.c */
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
* Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved.
|
* Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@ -192,6 +192,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
|
|||||||
{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED), "input not initialized"},
|
{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED), "input not initialized"},
|
||||||
{ERR_REASON(EVP_R_INVALID_DIGEST), "invalid digest"},
|
{ERR_REASON(EVP_R_INVALID_DIGEST), "invalid digest"},
|
||||||
{ERR_REASON(EVP_R_INVALID_FIPS_MODE), "invalid fips mode"},
|
{ERR_REASON(EVP_R_INVALID_FIPS_MODE), "invalid fips mode"},
|
||||||
|
{ERR_REASON(EVP_R_INVALID_KEY), "invalid key"},
|
||||||
{ERR_REASON(EVP_R_INVALID_KEY_LENGTH), "invalid key length"},
|
{ERR_REASON(EVP_R_INVALID_KEY_LENGTH), "invalid key length"},
|
||||||
{ERR_REASON(EVP_R_INVALID_OPERATION), "invalid operation"},
|
{ERR_REASON(EVP_R_INVALID_OPERATION), "invalid operation"},
|
||||||
{ERR_REASON(EVP_R_IV_TOO_LARGE), "iv too large"},
|
{ERR_REASON(EVP_R_IV_TOO_LARGE), "iv too large"},
|
||||||
|
@ -65,20 +65,22 @@
|
|||||||
#include "evp_locl.h"
|
#include "evp_locl.h"
|
||||||
|
|
||||||
#define M_check_autoarg(ctx, arg, arglen, err) \
|
#define M_check_autoarg(ctx, arg, arglen, err) \
|
||||||
if (ctx->pmeth->flags & EVP_PKEY_FLAG_AUTOARGLEN) \
|
if (ctx->pmeth->flags & EVP_PKEY_FLAG_AUTOARGLEN) { \
|
||||||
{ \
|
size_t pksize = (size_t)EVP_PKEY_size(ctx->pkey); \
|
||||||
size_t pksize = (size_t)EVP_PKEY_size(ctx->pkey); \
|
\
|
||||||
if (!arg) \
|
if (pksize == 0) { \
|
||||||
{ \
|
EVPerr(err, EVP_R_INVALID_KEY); /*ckerr_ignore*/ \
|
||||||
*arglen = pksize; \
|
return 0; \
|
||||||
return 1; \
|
} \
|
||||||
} \
|
if (!arg) { \
|
||||||
else if (*arglen < pksize) \
|
*arglen = pksize; \
|
||||||
{ \
|
return 1; \
|
||||||
EVPerr(err, EVP_R_BUFFER_TOO_SMALL); /*ckerr_ignore*/\
|
} \
|
||||||
return 0; \
|
if (*arglen < pksize) { \
|
||||||
} \
|
EVPerr(err, EVP_R_BUFFER_TOO_SMALL); /*ckerr_ignore*/ \
|
||||||
}
|
return 0; \
|
||||||
|
} \
|
||||||
|
}
|
||||||
|
|
||||||
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx)
|
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx)
|
||||||
{
|
{
|
||||||
|
@ -199,6 +199,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
|
|||||||
EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags)
|
EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags)
|
||||||
{
|
{
|
||||||
EVP_PKEY_METHOD *pmeth;
|
EVP_PKEY_METHOD *pmeth;
|
||||||
|
|
||||||
pmeth = OPENSSL_malloc(sizeof(EVP_PKEY_METHOD));
|
pmeth = OPENSSL_malloc(sizeof(EVP_PKEY_METHOD));
|
||||||
if (!pmeth)
|
if (!pmeth)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -207,33 +208,6 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags)
|
|||||||
|
|
||||||
pmeth->pkey_id = id;
|
pmeth->pkey_id = id;
|
||||||
pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC;
|
pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC;
|
||||||
|
|
||||||
pmeth->init = 0;
|
|
||||||
pmeth->copy = 0;
|
|
||||||
pmeth->cleanup = 0;
|
|
||||||
pmeth->paramgen_init = 0;
|
|
||||||
pmeth->paramgen = 0;
|
|
||||||
pmeth->keygen_init = 0;
|
|
||||||
pmeth->keygen = 0;
|
|
||||||
pmeth->sign_init = 0;
|
|
||||||
pmeth->sign = 0;
|
|
||||||
pmeth->verify_init = 0;
|
|
||||||
pmeth->verify = 0;
|
|
||||||
pmeth->verify_recover_init = 0;
|
|
||||||
pmeth->verify_recover = 0;
|
|
||||||
pmeth->signctx_init = 0;
|
|
||||||
pmeth->signctx = 0;
|
|
||||||
pmeth->verifyctx_init = 0;
|
|
||||||
pmeth->verifyctx = 0;
|
|
||||||
pmeth->encrypt_init = 0;
|
|
||||||
pmeth->encrypt = 0;
|
|
||||||
pmeth->decrypt_init = 0;
|
|
||||||
pmeth->decrypt = 0;
|
|
||||||
pmeth->derive_init = 0;
|
|
||||||
pmeth->derive = 0;
|
|
||||||
pmeth->ctrl = 0;
|
|
||||||
pmeth->ctrl_str = 0;
|
|
||||||
|
|
||||||
return pmeth;
|
return pmeth;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -100,7 +100,7 @@ static void ctr128_inc_aligned(unsigned char *counter)
|
|||||||
--n;
|
--n;
|
||||||
d = data[n] += c;
|
d = data[n] += c;
|
||||||
/* did addition carry? */
|
/* did addition carry? */
|
||||||
c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
|
c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
|
||||||
} while (n);
|
} while (n);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@ -30,11 +30,11 @@ extern "C" {
|
|||||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||||
* major minor fix final patch/beta)
|
* major minor fix final patch/beta)
|
||||||
*/
|
*/
|
||||||
# define OPENSSL_VERSION_NUMBER 0x100020afL
|
# define OPENSSL_VERSION_NUMBER 0x100020bfL
|
||||||
# ifdef OPENSSL_FIPS
|
# ifdef OPENSSL_FIPS
|
||||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2j-fips 26 Sep 2016"
|
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2k-fips 26 Jan 2017"
|
||||||
# else
|
# else
|
||||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2j 26 Sep 2016"
|
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2k 26 Jan 2017"
|
||||||
# endif
|
# endif
|
||||||
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||||
|
|
||||||
|
@ -250,11 +250,18 @@ my %globals;
|
|||||||
$self->{base} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/;
|
$self->{base} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/;
|
||||||
|
|
||||||
# Solaris /usr/ccs/bin/as can't handle multiplications
|
# Solaris /usr/ccs/bin/as can't handle multiplications
|
||||||
# in $self->{label}, new gas requires sign extension...
|
# in $self->{label}...
|
||||||
use integer;
|
use integer;
|
||||||
$self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
|
$self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
|
||||||
$self->{label} =~ s/\b([0-9]+\s*[\*\/\%]\s*[0-9]+)\b/eval($1)/eg;
|
$self->{label} =~ s/\b([0-9]+\s*[\*\/\%]\s*[0-9]+)\b/eval($1)/eg;
|
||||||
$self->{label} =~ s/\b([0-9]+)\b/$1<<32>>32/eg;
|
|
||||||
|
# Some assemblers insist on signed presentation of 32-bit
|
||||||
|
# offsets, but sign extension is a tricky business in perl...
|
||||||
|
if ((1<<31)<<1) {
|
||||||
|
$self->{label} =~ s/\b([0-9]+)\b/$1<<32>>32/eg;
|
||||||
|
} else {
|
||||||
|
$self->{label} =~ s/\b([0-9]+)\b/$1>>0/eg;
|
||||||
|
}
|
||||||
|
|
||||||
if (!$self->{label} && $self->{index} && $self->{scale}==1 &&
|
if (!$self->{label} && $self->{index} && $self->{scale}==1 &&
|
||||||
$self->{base} =~ /(rbp|r13)/) {
|
$self->{base} =~ /(rbp|r13)/) {
|
||||||
|
@ -142,7 +142,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
|
|||||||
if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
|
if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
BN_copy(rsa->e, e_value);
|
if (BN_copy(rsa->e, e_value) == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
/* generate p and q */
|
/* generate p and q */
|
||||||
for (;;) {
|
for (;;) {
|
||||||
|
@ -89,17 +89,21 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
|
if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
|
||||||
return 0;
|
goto err;
|
||||||
for (i = 0; i < emlen - mdlen; i++)
|
for (i = 0; i < emlen - mdlen; i++)
|
||||||
db[i] ^= dbmask[i];
|
db[i] ^= dbmask[i];
|
||||||
|
|
||||||
if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
|
if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
|
||||||
return 0;
|
goto err;
|
||||||
for (i = 0; i < mdlen; i++)
|
for (i = 0; i < mdlen; i++)
|
||||||
seed[i] ^= seedmask[i];
|
seed[i] ^= seedmask[i];
|
||||||
|
|
||||||
OPENSSL_free(dbmask);
|
OPENSSL_free(dbmask);
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
|
err:
|
||||||
|
OPENSSL_free(dbmask);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||||
|
@ -373,6 +373,10 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
|
|||||||
if (rctx->pad_mode == RSA_PKCS1_PADDING)
|
if (rctx->pad_mode == RSA_PKCS1_PADDING)
|
||||||
return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
|
return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
|
||||||
sig, siglen, rsa);
|
sig, siglen, rsa);
|
||||||
|
if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
|
||||||
|
RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
if (rctx->pad_mode == RSA_X931_PADDING) {
|
if (rctx->pad_mode == RSA_X931_PADDING) {
|
||||||
if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
|
if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <setjmp.h>
|
#include <setjmp.h>
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
|
#include "cryptlib.h"
|
||||||
|
|
||||||
extern unsigned long OPENSSL_s390xcap_P[];
|
extern unsigned long OPENSSL_s390xcap_P[];
|
||||||
|
|
||||||
|
@ -164,7 +164,7 @@ static int general_allocate_string(UI *ui, const char *prompt,
|
|||||||
UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable,
|
UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable,
|
||||||
type, input_flags, result_buf);
|
type, input_flags, result_buf);
|
||||||
|
|
||||||
if (s) {
|
if (s != NULL) {
|
||||||
if (allocate_string_stack(ui) >= 0) {
|
if (allocate_string_stack(ui) >= 0) {
|
||||||
s->_.string_data.result_minsize = minsize;
|
s->_.string_data.result_minsize = minsize;
|
||||||
s->_.string_data.result_maxsize = maxsize;
|
s->_.string_data.result_maxsize = maxsize;
|
||||||
@ -197,8 +197,8 @@ static int general_allocate_boolean(UI *ui,
|
|||||||
} else if (cancel_chars == NULL) {
|
} else if (cancel_chars == NULL) {
|
||||||
UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN, ERR_R_PASSED_NULL_PARAMETER);
|
UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN, ERR_R_PASSED_NULL_PARAMETER);
|
||||||
} else {
|
} else {
|
||||||
for (p = ok_chars; *p; p++) {
|
for (p = ok_chars; *p != '\0'; p++) {
|
||||||
if (strchr(cancel_chars, *p)) {
|
if (strchr(cancel_chars, *p) != NULL) {
|
||||||
UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,
|
UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,
|
||||||
UI_R_COMMON_OK_AND_CANCEL_CHARACTERS);
|
UI_R_COMMON_OK_AND_CANCEL_CHARACTERS);
|
||||||
}
|
}
|
||||||
@ -207,7 +207,7 @@ static int general_allocate_boolean(UI *ui,
|
|||||||
s = general_allocate_prompt(ui, prompt, prompt_freeable,
|
s = general_allocate_prompt(ui, prompt, prompt_freeable,
|
||||||
type, input_flags, result_buf);
|
type, input_flags, result_buf);
|
||||||
|
|
||||||
if (s) {
|
if (s != NULL) {
|
||||||
if (allocate_string_stack(ui) >= 0) {
|
if (allocate_string_stack(ui) >= 0) {
|
||||||
s->_.boolean_data.action_desc = action_desc;
|
s->_.boolean_data.action_desc = action_desc;
|
||||||
s->_.boolean_data.ok_chars = ok_chars;
|
s->_.boolean_data.ok_chars = ok_chars;
|
||||||
@ -243,7 +243,7 @@ int UI_dup_input_string(UI *ui, const char *prompt, int flags,
|
|||||||
{
|
{
|
||||||
char *prompt_copy = NULL;
|
char *prompt_copy = NULL;
|
||||||
|
|
||||||
if (prompt) {
|
if (prompt != NULL) {
|
||||||
prompt_copy = BUF_strdup(prompt);
|
prompt_copy = BUF_strdup(prompt);
|
||||||
if (prompt_copy == NULL) {
|
if (prompt_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_INPUT_STRING, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_INPUT_STRING, ERR_R_MALLOC_FAILURE);
|
||||||
@ -271,7 +271,7 @@ int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
|
|||||||
{
|
{
|
||||||
char *prompt_copy = NULL;
|
char *prompt_copy = NULL;
|
||||||
|
|
||||||
if (prompt) {
|
if (prompt != NULL) {
|
||||||
prompt_copy = BUF_strdup(prompt);
|
prompt_copy = BUF_strdup(prompt);
|
||||||
if (prompt_copy == NULL) {
|
if (prompt_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_VERIFY_STRING, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_VERIFY_STRING, ERR_R_MALLOC_FAILURE);
|
||||||
@ -302,7 +302,7 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
|
|||||||
char *ok_chars_copy = NULL;
|
char *ok_chars_copy = NULL;
|
||||||
char *cancel_chars_copy = NULL;
|
char *cancel_chars_copy = NULL;
|
||||||
|
|
||||||
if (prompt) {
|
if (prompt != NULL) {
|
||||||
prompt_copy = BUF_strdup(prompt);
|
prompt_copy = BUF_strdup(prompt);
|
||||||
if (prompt_copy == NULL) {
|
if (prompt_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
||||||
@ -310,7 +310,7 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (action_desc) {
|
if (action_desc != NULL) {
|
||||||
action_desc_copy = BUF_strdup(action_desc);
|
action_desc_copy = BUF_strdup(action_desc);
|
||||||
if (action_desc_copy == NULL) {
|
if (action_desc_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
||||||
@ -318,7 +318,7 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ok_chars) {
|
if (ok_chars != NULL) {
|
||||||
ok_chars_copy = BUF_strdup(ok_chars);
|
ok_chars_copy = BUF_strdup(ok_chars);
|
||||||
if (ok_chars_copy == NULL) {
|
if (ok_chars_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
||||||
@ -326,7 +326,7 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cancel_chars) {
|
if (cancel_chars != NULL) {
|
||||||
cancel_chars_copy = BUF_strdup(cancel_chars);
|
cancel_chars_copy = BUF_strdup(cancel_chars);
|
||||||
if (cancel_chars_copy == NULL) {
|
if (cancel_chars_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_INPUT_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
||||||
@ -359,7 +359,7 @@ int UI_dup_info_string(UI *ui, const char *text)
|
|||||||
{
|
{
|
||||||
char *text_copy = NULL;
|
char *text_copy = NULL;
|
||||||
|
|
||||||
if (text) {
|
if (text != NULL) {
|
||||||
text_copy = BUF_strdup(text);
|
text_copy = BUF_strdup(text);
|
||||||
if (text_copy == NULL) {
|
if (text_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_INFO_STRING, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_INFO_STRING, ERR_R_MALLOC_FAILURE);
|
||||||
@ -381,7 +381,7 @@ int UI_dup_error_string(UI *ui, const char *text)
|
|||||||
{
|
{
|
||||||
char *text_copy = NULL;
|
char *text_copy = NULL;
|
||||||
|
|
||||||
if (text) {
|
if (text != NULL) {
|
||||||
text_copy = BUF_strdup(text);
|
text_copy = BUF_strdup(text);
|
||||||
if (text_copy == NULL) {
|
if (text_copy == NULL) {
|
||||||
UIerr(UI_F_UI_DUP_ERROR_STRING, ERR_R_MALLOC_FAILURE);
|
UIerr(UI_F_UI_DUP_ERROR_STRING, ERR_R_MALLOC_FAILURE);
|
||||||
@ -397,7 +397,7 @@ char *UI_construct_prompt(UI *ui, const char *object_desc,
|
|||||||
{
|
{
|
||||||
char *prompt = NULL;
|
char *prompt = NULL;
|
||||||
|
|
||||||
if (ui->meth->ui_construct_prompt)
|
if (ui->meth->ui_construct_prompt != NULL)
|
||||||
prompt = ui->meth->ui_construct_prompt(ui, object_desc, object_name);
|
prompt = ui->meth->ui_construct_prompt(ui, object_desc, object_name);
|
||||||
else {
|
else {
|
||||||
char prompt1[] = "Enter ";
|
char prompt1[] = "Enter ";
|
||||||
@ -408,7 +408,7 @@ char *UI_construct_prompt(UI *ui, const char *object_desc,
|
|||||||
if (object_desc == NULL)
|
if (object_desc == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
len = sizeof(prompt1) - 1 + strlen(object_desc);
|
len = sizeof(prompt1) - 1 + strlen(object_desc);
|
||||||
if (object_name)
|
if (object_name != NULL)
|
||||||
len += sizeof(prompt2) - 1 + strlen(object_name);
|
len += sizeof(prompt2) - 1 + strlen(object_name);
|
||||||
len += sizeof(prompt3) - 1;
|
len += sizeof(prompt3) - 1;
|
||||||
|
|
||||||
@ -417,7 +417,7 @@ char *UI_construct_prompt(UI *ui, const char *object_desc,
|
|||||||
return NULL;
|
return NULL;
|
||||||
BUF_strlcpy(prompt, prompt1, len + 1);
|
BUF_strlcpy(prompt, prompt1, len + 1);
|
||||||
BUF_strlcat(prompt, object_desc, len + 1);
|
BUF_strlcat(prompt, object_desc, len + 1);
|
||||||
if (object_name) {
|
if (object_name != NULL) {
|
||||||
BUF_strlcat(prompt, prompt2, len + 1);
|
BUF_strlcat(prompt, prompt2, len + 1);
|
||||||
BUF_strlcat(prompt, object_name, len + 1);
|
BUF_strlcat(prompt, object_name, len + 1);
|
||||||
}
|
}
|
||||||
@ -459,7 +459,8 @@ static int print_error(const char *str, size_t len, UI *ui)
|
|||||||
uis.type = UIT_ERROR;
|
uis.type = UIT_ERROR;
|
||||||
uis.out_string = str;
|
uis.out_string = str;
|
||||||
|
|
||||||
if (ui->meth->ui_write_string && !ui->meth->ui_write_string(ui, &uis))
|
if (ui->meth->ui_write_string != NULL
|
||||||
|
&& ui->meth->ui_write_string(ui, &uis) <= 0)
|
||||||
return -1;
|
return -1;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -468,24 +469,28 @@ int UI_process(UI *ui)
|
|||||||
{
|
{
|
||||||
int i, ok = 0;
|
int i, ok = 0;
|
||||||
|
|
||||||
if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui))
|
if (ui->meth->ui_open_session != NULL
|
||||||
return -1;
|
&& ui->meth->ui_open_session(ui) <= 0) {
|
||||||
|
ok = -1;
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
if (ui->flags & UI_FLAG_PRINT_ERRORS)
|
if (ui->flags & UI_FLAG_PRINT_ERRORS)
|
||||||
ERR_print_errors_cb((int (*)(const char *, size_t, void *))
|
ERR_print_errors_cb((int (*)(const char *, size_t, void *))
|
||||||
print_error, (void *)ui);
|
print_error, (void *)ui);
|
||||||
|
|
||||||
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
|
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
|
||||||
if (ui->meth->ui_write_string
|
if (ui->meth->ui_write_string != NULL
|
||||||
&& !ui->meth->ui_write_string(ui,
|
&& (ui->meth->ui_write_string(ui,
|
||||||
sk_UI_STRING_value(ui->strings, i)))
|
sk_UI_STRING_value(ui->strings, i))
|
||||||
|
<= 0))
|
||||||
{
|
{
|
||||||
ok = -1;
|
ok = -1;
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ui->meth->ui_flush)
|
if (ui->meth->ui_flush != NULL)
|
||||||
switch (ui->meth->ui_flush(ui)) {
|
switch (ui->meth->ui_flush(ui)) {
|
||||||
case -1: /* Interrupt/Cancel/something... */
|
case -1: /* Interrupt/Cancel/something... */
|
||||||
ok = -2;
|
ok = -2;
|
||||||
@ -499,7 +504,7 @@ int UI_process(UI *ui)
|
|||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
|
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
|
||||||
if (ui->meth->ui_read_string) {
|
if (ui->meth->ui_read_string != NULL) {
|
||||||
switch (ui->meth->ui_read_string(ui,
|
switch (ui->meth->ui_read_string(ui,
|
||||||
sk_UI_STRING_value(ui->strings,
|
sk_UI_STRING_value(ui->strings,
|
||||||
i))) {
|
i))) {
|
||||||
@ -516,7 +521,8 @@ int UI_process(UI *ui)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
err:
|
err:
|
||||||
if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui))
|
if (ui->meth->ui_close_session != NULL
|
||||||
|
&& ui->meth->ui_close_session(ui) <= 0)
|
||||||
return -1;
|
return -1;
|
||||||
return ok;
|
return ok;
|
||||||
}
|
}
|
||||||
@ -612,49 +618,49 @@ void UI_destroy_method(UI_METHOD *ui_method)
|
|||||||
|
|
||||||
int UI_method_set_opener(UI_METHOD *method, int (*opener) (UI *ui))
|
int UI_method_set_opener(UI_METHOD *method, int (*opener) (UI *ui))
|
||||||
{
|
{
|
||||||
if (method) {
|
if (method != NULL) {
|
||||||
method->ui_open_session = opener;
|
method->ui_open_session = opener;
|
||||||
return 0;
|
return 0;
|
||||||
} else
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int UI_method_set_writer(UI_METHOD *method,
|
int UI_method_set_writer(UI_METHOD *method,
|
||||||
int (*writer) (UI *ui, UI_STRING *uis))
|
int (*writer) (UI *ui, UI_STRING *uis))
|
||||||
{
|
{
|
||||||
if (method) {
|
if (method != NULL) {
|
||||||
method->ui_write_string = writer;
|
method->ui_write_string = writer;
|
||||||
return 0;
|
return 0;
|
||||||
} else
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int UI_method_set_flusher(UI_METHOD *method, int (*flusher) (UI *ui))
|
int UI_method_set_flusher(UI_METHOD *method, int (*flusher) (UI *ui))
|
||||||
{
|
{
|
||||||
if (method) {
|
if (method != NULL) {
|
||||||
method->ui_flush = flusher;
|
method->ui_flush = flusher;
|
||||||
return 0;
|
return 0;
|
||||||
} else
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int UI_method_set_reader(UI_METHOD *method,
|
int UI_method_set_reader(UI_METHOD *method,
|
||||||
int (*reader) (UI *ui, UI_STRING *uis))
|
int (*reader) (UI *ui, UI_STRING *uis))
|
||||||
{
|
{
|
||||||
if (method) {
|
if (method != NULL) {
|
||||||
method->ui_read_string = reader;
|
method->ui_read_string = reader;
|
||||||
return 0;
|
return 0;
|
||||||
} else
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int UI_method_set_closer(UI_METHOD *method, int (*closer) (UI *ui))
|
int UI_method_set_closer(UI_METHOD *method, int (*closer) (UI *ui))
|
||||||
{
|
{
|
||||||
if (method) {
|
if (method != NULL) {
|
||||||
method->ui_close_session = closer;
|
method->ui_close_session = closer;
|
||||||
return 0;
|
return 0;
|
||||||
} else
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int UI_method_set_prompt_constructor(UI_METHOD *method,
|
int UI_method_set_prompt_constructor(UI_METHOD *method,
|
||||||
@ -664,55 +670,55 @@ int UI_method_set_prompt_constructor(UI_METHOD *method,
|
|||||||
const char
|
const char
|
||||||
*object_name))
|
*object_name))
|
||||||
{
|
{
|
||||||
if (method) {
|
if (method != NULL) {
|
||||||
method->ui_construct_prompt = prompt_constructor;
|
method->ui_construct_prompt = prompt_constructor;
|
||||||
return 0;
|
return 0;
|
||||||
} else
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int (*UI_method_get_opener(UI_METHOD *method)) (UI *) {
|
int (*UI_method_get_opener(UI_METHOD *method)) (UI *)
|
||||||
if (method)
|
{
|
||||||
|
if (method != NULL)
|
||||||
return method->ui_open_session;
|
return method->ui_open_session;
|
||||||
else
|
return NULL;
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int (*UI_method_get_writer(UI_METHOD *method)) (UI *, UI_STRING *) {
|
int (*UI_method_get_writer(UI_METHOD *method)) (UI *, UI_STRING *)
|
||||||
if (method)
|
{
|
||||||
|
if (method != NULL)
|
||||||
return method->ui_write_string;
|
return method->ui_write_string;
|
||||||
else
|
return NULL;
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int (*UI_method_get_flusher(UI_METHOD *method)) (UI *) {
|
int (*UI_method_get_flusher(UI_METHOD *method)) (UI *)
|
||||||
if (method)
|
{
|
||||||
|
if (method != NULL)
|
||||||
return method->ui_flush;
|
return method->ui_flush;
|
||||||
else
|
return NULL;
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int (*UI_method_get_reader(UI_METHOD *method)) (UI *, UI_STRING *) {
|
int (*UI_method_get_reader(UI_METHOD *method)) (UI *, UI_STRING *)
|
||||||
if (method)
|
{
|
||||||
|
if (method != NULL)
|
||||||
return method->ui_read_string;
|
return method->ui_read_string;
|
||||||
else
|
return NULL;
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int (*UI_method_get_closer(UI_METHOD *method)) (UI *) {
|
int (*UI_method_get_closer(UI_METHOD *method)) (UI *)
|
||||||
if (method)
|
{
|
||||||
|
if (method != NULL)
|
||||||
return method->ui_close_session;
|
return method->ui_close_session;
|
||||||
else
|
return NULL;
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
char *(*UI_method_get_prompt_constructor(UI_METHOD *method)) (UI *,
|
char *(*UI_method_get_prompt_constructor(UI_METHOD *method)) (UI *,
|
||||||
const char *,
|
const char *,
|
||||||
const char *) {
|
const char *)
|
||||||
if (method)
|
{
|
||||||
|
if (method != NULL)
|
||||||
return method->ui_construct_prompt;
|
return method->ui_construct_prompt;
|
||||||
else
|
return NULL;
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
enum UI_string_types UI_get_string_type(UI_STRING *uis)
|
enum UI_string_types UI_get_string_type(UI_STRING *uis)
|
||||||
|
@ -440,7 +440,7 @@ static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
|
|||||||
# else
|
# else
|
||||||
p = fgets(result, maxsize, tty_in);
|
p = fgets(result, maxsize, tty_in);
|
||||||
# endif
|
# endif
|
||||||
if (!p)
|
if (p == NULL)
|
||||||
goto error;
|
goto error;
|
||||||
if (feof(tty_in))
|
if (feof(tty_in))
|
||||||
goto error;
|
goto error;
|
||||||
@ -508,19 +508,32 @@ static int open_console(UI *ui)
|
|||||||
if (errno == EINVAL)
|
if (errno == EINVAL)
|
||||||
is_a_tty = 0;
|
is_a_tty = 0;
|
||||||
else
|
else
|
||||||
|
# endif
|
||||||
|
# ifdef ENODEV
|
||||||
|
/*
|
||||||
|
* MacOS X returns ENODEV (Operation not supported by device),
|
||||||
|
* which seems appropriate.
|
||||||
|
*/
|
||||||
|
if (errno == ENODEV)
|
||||||
|
is_a_tty = 0;
|
||||||
|
else
|
||||||
# endif
|
# endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef OPENSSL_SYS_VMS
|
#ifdef OPENSSL_SYS_VMS
|
||||||
status = sys$assign(&terminal, &channel, 0, 0);
|
status = sys$assign(&terminal, &channel, 0, 0);
|
||||||
|
|
||||||
|
/* if there isn't a TT device, something is very wrong */
|
||||||
if (status != SS$_NORMAL)
|
if (status != SS$_NORMAL)
|
||||||
return 0;
|
return 0;
|
||||||
status =
|
|
||||||
sys$qiow(0, channel, IO$_SENSEMODE, &iosb, 0, 0, tty_orig, 12, 0, 0,
|
status = sys$qiow(0, channel, IO$_SENSEMODE, &iosb, 0, 0, tty_orig, 12,
|
||||||
0, 0);
|
0, 0, 0, 0);
|
||||||
|
|
||||||
|
/* If IO$_SENSEMODE doesn't work, this is not a terminal device */
|
||||||
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
|
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
|
||||||
return 0;
|
is_a_tty = 0;
|
||||||
#endif
|
#endif
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -537,14 +550,15 @@ static int noecho_console(UI *ui)
|
|||||||
return 0;
|
return 0;
|
||||||
#endif
|
#endif
|
||||||
#ifdef OPENSSL_SYS_VMS
|
#ifdef OPENSSL_SYS_VMS
|
||||||
tty_new[0] = tty_orig[0];
|
if (is_a_tty) {
|
||||||
tty_new[1] = tty_orig[1] | TT$M_NOECHO;
|
tty_new[0] = tty_orig[0];
|
||||||
tty_new[2] = tty_orig[2];
|
tty_new[1] = tty_orig[1] | TT$M_NOECHO;
|
||||||
status =
|
tty_new[2] = tty_orig[2];
|
||||||
sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0,
|
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
|
||||||
0);
|
0, 0, 0, 0);
|
||||||
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
|
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -561,14 +575,15 @@ static int echo_console(UI *ui)
|
|||||||
return 0;
|
return 0;
|
||||||
#endif
|
#endif
|
||||||
#ifdef OPENSSL_SYS_VMS
|
#ifdef OPENSSL_SYS_VMS
|
||||||
tty_new[0] = tty_orig[0];
|
if (is_a_tty) {
|
||||||
tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
|
tty_new[0] = tty_orig[0];
|
||||||
tty_new[2] = tty_orig[2];
|
tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
|
||||||
status =
|
tty_new[2] = tty_orig[2];
|
||||||
sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0,
|
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
|
||||||
0);
|
0, 0, 0, 0);
|
||||||
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
|
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -581,6 +596,8 @@ static int close_console(UI *ui)
|
|||||||
fclose(tty_out);
|
fclose(tty_out);
|
||||||
#ifdef OPENSSL_SYS_VMS
|
#ifdef OPENSSL_SYS_VMS
|
||||||
status = sys$dassgn(channel);
|
status = sys$dassgn(channel);
|
||||||
|
if (status != SS$_NORMAL)
|
||||||
|
return 0;
|
||||||
#endif
|
#endif
|
||||||
CRYPTO_w_unlock(CRYPTO_LOCK_UI);
|
CRYPTO_w_unlock(CRYPTO_LOCK_UI);
|
||||||
|
|
||||||
|
@ -26,6 +26,7 @@ B<openssl> B<ocsp>
|
|||||||
[B<-no_nonce>]
|
[B<-no_nonce>]
|
||||||
[B<-url URL>]
|
[B<-url URL>]
|
||||||
[B<-host host:n>]
|
[B<-host host:n>]
|
||||||
|
[B<-header name value>]
|
||||||
[B<-path>]
|
[B<-path>]
|
||||||
[B<-CApath dir>]
|
[B<-CApath dir>]
|
||||||
[B<-CAfile file>]
|
[B<-CAfile file>]
|
||||||
@ -135,6 +136,14 @@ if the B<host> option is present then the OCSP request is sent to the host
|
|||||||
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
|
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
|
||||||
or "/" by default.
|
or "/" by default.
|
||||||
|
|
||||||
|
=item B<-header name value>
|
||||||
|
|
||||||
|
If sending a request to an OCSP server, then the specified header name and
|
||||||
|
value are added to the HTTP request. Note that the B<name> and B<value> must
|
||||||
|
be specified as two separate parameters, not as a single quoted string, and
|
||||||
|
that the header name does not have the trailing colon.
|
||||||
|
Some OCSP responders require a Host header; use this flag to provide it.
|
||||||
|
|
||||||
=item B<-timeout seconds>
|
=item B<-timeout seconds>
|
||||||
|
|
||||||
connection timeout to the OCSP responder in seconds
|
connection timeout to the OCSP responder in seconds
|
||||||
|
@ -10,7 +10,7 @@ EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing func
|
|||||||
|
|
||||||
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||||
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
||||||
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
|
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
|
||||||
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
|
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
@ -10,7 +10,7 @@ EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP signat
|
|||||||
|
|
||||||
int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||||
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
||||||
int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
|
int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
|
||||||
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen);
|
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen);
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
@ -52,7 +52,7 @@ it is called as B<BN_GENCB_call(cb, 3, 0)>.
|
|||||||
The process is then repeated for prime q with B<BN_GENCB_call(cb, 3, 1)>.
|
The process is then repeated for prime q with B<BN_GENCB_call(cb, 3, 1)>.
|
||||||
|
|
||||||
RSA_generate_key is deprecated (new applications should use
|
RSA_generate_key is deprecated (new applications should use
|
||||||
RSA_generate_key_ex instead). RSA_generate_key works in the same was as
|
RSA_generate_key_ex instead). RSA_generate_key works in the same way as
|
||||||
RSA_generate_key_ex except it uses "old style" call backs. See
|
RSA_generate_key_ex except it uses "old style" call backs. See
|
||||||
L<BN_generate_prime(3)|BN_generate_prime(3)> for further details.
|
L<BN_generate_prime(3)|BN_generate_prime(3)> for further details.
|
||||||
|
|
||||||
|
@ -83,10 +83,9 @@ Process all entries:
|
|||||||
|
|
||||||
Process all commonName entries:
|
Process all commonName entries:
|
||||||
|
|
||||||
int loc;
|
int lastpos = -1;
|
||||||
X509_NAME_ENTRY *e;
|
X509_NAME_ENTRY *e;
|
||||||
|
|
||||||
loc = -1;
|
|
||||||
for (;;)
|
for (;;)
|
||||||
{
|
{
|
||||||
lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
|
lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
|
||||||
|
@ -23,9 +23,11 @@ can be extensively customised by use of the B<flags> parameter.
|
|||||||
X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output is
|
X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output is
|
||||||
written to FILE pointer B<fp>.
|
written to FILE pointer B<fp>.
|
||||||
|
|
||||||
X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>. At most B<size>
|
X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>.
|
||||||
bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically allocated
|
If B<buf> is B<NULL> then a buffer is dynamically allocated and returned, and
|
||||||
and returned, otherwise B<buf> is returned.
|
B<size> is ignored.
|
||||||
|
Otherwise, at most B<size> bytes will be written, including the ending '\0',
|
||||||
|
and B<buf> is returned.
|
||||||
|
|
||||||
X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
|
X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
|
||||||
characters. Multiple lines are used if the output (including indent) exceeds
|
characters. Multiple lines are used if the output (including indent) exceeds
|
||||||
|
@ -30,7 +30,7 @@ server. It can only send exactly one id. The server then either
|
|||||||
agrees to reuse the session or it starts a full handshake (to create a new
|
agrees to reuse the session or it starts a full handshake (to create a new
|
||||||
session).
|
session).
|
||||||
|
|
||||||
A server will lookup up the session in its internal session storage. If the
|
A server will look up the session in its internal session storage. If the
|
||||||
session is not found in internal storage or lookups for the internal storage
|
session is not found in internal storage or lookups for the internal storage
|
||||||
have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try
|
have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try
|
||||||
the external storage if available.
|
the external storage if available.
|
||||||
|
@ -38,12 +38,13 @@ if and only if B<ret E<gt> 0>.
|
|||||||
|
|
||||||
=item SSL_ERROR_ZERO_RETURN
|
=item SSL_ERROR_ZERO_RETURN
|
||||||
|
|
||||||
The TLS/SSL connection has been closed. If the protocol version is SSL 3.0
|
The TLS/SSL connection has been closed.
|
||||||
or TLS 1.0, this result code is returned only if a closure
|
If the protocol version is SSL 3.0 or higher, this result code is returned only
|
||||||
alert has occurred in the protocol, i.e. if the connection has been
|
if a closure alert has occurred in the protocol, i.e. if the connection has been
|
||||||
closed cleanly. Note that in this case B<SSL_ERROR_ZERO_RETURN>
|
closed cleanly.
|
||||||
does not necessarily indicate that the underlying transport
|
Note that in this case B<SSL_ERROR_ZERO_RETURN> does not necessarily
|
||||||
has been closed.
|
indicate that the underlying transport has been closed.
|
||||||
|
|
||||||
|
|
||||||
=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
|
=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
|
||||||
|
|
||||||
@ -89,12 +90,9 @@ Details depend on the application.
|
|||||||
|
|
||||||
=item SSL_ERROR_SYSCALL
|
=item SSL_ERROR_SYSCALL
|
||||||
|
|
||||||
Some I/O error occurred. The OpenSSL error queue may contain more
|
Some non-recoverable I/O error occurred.
|
||||||
information on the error. If the error queue is empty
|
The OpenSSL error queue may contain more information on the error.
|
||||||
(i.e. ERR_get_error() returns 0), B<ret> can be used to find out more
|
For socket I/O on Unix systems, consult B<errno> for details.
|
||||||
about the error: If B<ret == 0>, an EOF was observed that violates
|
|
||||||
the protocol. If B<ret == -1>, the underlying B<BIO> reported an
|
|
||||||
I/O error (for socket I/O on Unix systems, consult B<errno> for details).
|
|
||||||
|
|
||||||
=item SSL_ERROR_SSL
|
=item SSL_ERROR_SSL
|
||||||
|
|
||||||
|
@ -81,33 +81,29 @@ The following return values can occur:
|
|||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
|
|
||||||
=item E<gt>0
|
=item E<gt> 0
|
||||||
|
|
||||||
The read operation was successful; the return value is the number of
|
The read operation was successful.
|
||||||
bytes actually read from the TLS/SSL connection.
|
The return value is the number of bytes actually read from the TLS/SSL
|
||||||
|
connection.
|
||||||
|
|
||||||
=item Z<>0
|
=item Z<><= 0
|
||||||
|
|
||||||
The read operation was not successful. The reason may either be a clean
|
|
||||||
shutdown due to a "close notify" alert sent by the peer (in which case
|
=item E<lt>0
|
||||||
the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set
|
|
||||||
(see L<SSL_shutdown(3)|SSL_shutdown(3)>,
|
The read operation was not successful, because either the connection was closed,
|
||||||
L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>). It is also possible, that
|
an error occurred or action must be taken by the calling process.
|
||||||
the peer simply shut down the underlying transport and the shutdown is
|
Call L<SSL_get_error(3)> with the return value B<ret> to find out the reason.
|
||||||
incomplete. Call SSL_get_error() with the return value B<ret> to find out,
|
|
||||||
whether an error occurred or the connection was shut down cleanly
|
|
||||||
(SSL_ERROR_ZERO_RETURN).
|
|
||||||
|
|
||||||
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
|
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
|
||||||
only be detected, whether the underlying connection was closed. It cannot
|
only be detected, whether the underlying connection was closed. It cannot
|
||||||
be checked, whether the closure was initiated by the peer or by something
|
be checked, whether the closure was initiated by the peer or by something
|
||||||
else.
|
else.
|
||||||
|
|
||||||
=item E<lt>0
|
Old documentation indicated a difference between 0 and -1, and that -1 was
|
||||||
|
retryable.
|
||||||
The read operation was not successful, because either an error occurred
|
You should instead call SSL_get_error() to find out if it's retryable.
|
||||||
or action must be taken by the calling process. Call SSL_get_error() with the
|
|
||||||
return value B<ret> to find out the reason.
|
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
|
@ -74,27 +74,24 @@ The following return values can occur:
|
|||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
|
|
||||||
=item E<gt>0
|
=item E<gt> 0
|
||||||
|
|
||||||
The write operation was successful, the return value is the number of
|
The write operation was successful, the return value is the number of
|
||||||
bytes actually written to the TLS/SSL connection.
|
bytes actually written to the TLS/SSL connection.
|
||||||
|
|
||||||
=item Z<>0
|
=item Z<><= 0
|
||||||
|
|
||||||
The write operation was not successful. Probably the underlying connection
|
The write operation was not successful, because either the connection was
|
||||||
was closed. Call SSL_get_error() with the return value B<ret> to find out,
|
closed, an error occurred or action must be taken by the calling process.
|
||||||
whether an error occurred or the connection was shut down cleanly
|
Call SSL_get_error() with the return value B<ret> to find out the reason.
|
||||||
(SSL_ERROR_ZERO_RETURN).
|
|
||||||
|
|
||||||
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
|
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
|
||||||
only be detected, whether the underlying connection was closed. It cannot
|
only be detected, whether the underlying connection was closed. It cannot
|
||||||
be checked, why the closure happened.
|
be checked, why the closure happened.
|
||||||
|
|
||||||
=item E<lt>0
|
Old documentation indicated a difference between 0 and -1, and that -1 was
|
||||||
|
retryable.
|
||||||
The write operation was not successful, because either an error occurred
|
You should instead call SSL_get_error() to find out if it's retryable.
|
||||||
or action must be taken by the calling process. Call SSL_get_error() with the
|
|
||||||
return value B<ret> to find out the reason.
|
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
|
@ -32,7 +32,7 @@ lib: $(LIBOBJ)
|
|||||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
||||||
LIBNAME=$(LIBNAME) \
|
LIBNAME=$(LIBNAME) \
|
||||||
LIBEXTRAS='$(LIBOBJ)' \
|
LIBEXTRAS='$(LIBOBJ)' \
|
||||||
LIBDEPS='-L$(TOP) -lcrypto' \
|
LIBDEPS='-L$(TOP) -lcrypto $(EX_LIBS)' \
|
||||||
link_o.$(SHLIB_TARGET); \
|
link_o.$(SHLIB_TARGET); \
|
||||||
else \
|
else \
|
||||||
$(AR) $(LIB) $(LIBOBJ); \
|
$(AR) $(LIB) $(LIBOBJ); \
|
||||||
|
@ -756,6 +756,7 @@ int main(int argc, char *argv[])
|
|||||||
BIO *rbio;
|
BIO *rbio;
|
||||||
BIO *wbio;
|
BIO *wbio;
|
||||||
BIO *err;
|
BIO *err;
|
||||||
|
time_t now = 0;
|
||||||
int testresult = 0;
|
int testresult = 0;
|
||||||
int ret;
|
int ret;
|
||||||
int i;
|
int i;
|
||||||
@ -773,7 +774,9 @@ int main(int argc, char *argv[])
|
|||||||
RAND_bytes(master_secret, sizeof(master_secret));
|
RAND_bytes(master_secret, sizeof(master_secret));
|
||||||
RAND_bytes(cookie, sizeof(cookie));
|
RAND_bytes(cookie, sizeof(cookie));
|
||||||
RAND_bytes(server_random + 4, sizeof(server_random) - 4);
|
RAND_bytes(server_random + 4, sizeof(server_random) - 4);
|
||||||
time((void *)server_random);
|
|
||||||
|
now = time(NULL);
|
||||||
|
memcpy(server_random, &now, sizeof(now));
|
||||||
|
|
||||||
sess = client_session();
|
sess = client_session();
|
||||||
if (sess == NULL) {
|
if (sess == NULL) {
|
||||||
|
@ -63,6 +63,9 @@
|
|||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/buffer.h>
|
#include <openssl/buffer.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return values are as per SSL_write()
|
||||||
|
*/
|
||||||
int ssl23_write_bytes(SSL *s)
|
int ssl23_write_bytes(SSL *s)
|
||||||
{
|
{
|
||||||
int i, num, tot;
|
int i, num, tot;
|
||||||
@ -77,7 +80,7 @@ int ssl23_write_bytes(SSL *s)
|
|||||||
if (i <= 0) {
|
if (i <= 0) {
|
||||||
s->init_off = tot;
|
s->init_off = tot;
|
||||||
s->init_num = num;
|
s->init_num = num;
|
||||||
return (i);
|
return i;
|
||||||
}
|
}
|
||||||
s->rwstate = SSL_NOTHING;
|
s->rwstate = SSL_NOTHING;
|
||||||
if (i == num)
|
if (i == num)
|
||||||
@ -88,7 +91,10 @@ int ssl23_write_bytes(SSL *s)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* return regularly only when we have read (at least) 'n' bytes */
|
/* return regularly only when we have read (at least) 'n' bytes
|
||||||
|
*
|
||||||
|
* Return values are as per SSL_read()
|
||||||
|
*/
|
||||||
int ssl23_read_bytes(SSL *s, int n)
|
int ssl23_read_bytes(SSL *s, int n)
|
||||||
{
|
{
|
||||||
unsigned char *p;
|
unsigned char *p;
|
||||||
@ -102,7 +108,7 @@ int ssl23_read_bytes(SSL *s, int n)
|
|||||||
j = BIO_read(s->rbio, (char *)&(p[s->packet_length]),
|
j = BIO_read(s->rbio, (char *)&(p[s->packet_length]),
|
||||||
n - s->packet_length);
|
n - s->packet_length);
|
||||||
if (j <= 0)
|
if (j <= 0)
|
||||||
return (j);
|
return j;
|
||||||
s->rwstate = SSL_NOTHING;
|
s->rwstate = SSL_NOTHING;
|
||||||
s->packet_length += j;
|
s->packet_length += j;
|
||||||
if (s->packet_length >= (unsigned int)n)
|
if (s->packet_length >= (unsigned int)n)
|
||||||
|
@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
|||||||
SSL_3DES,
|
SSL_3DES,
|
||||||
SSL_MD5,
|
SSL_MD5,
|
||||||
SSL_SSLV2,
|
SSL_SSLV2,
|
||||||
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
|
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
|
||||||
0,
|
0,
|
||||||
112,
|
112,
|
||||||
168,
|
168,
|
||||||
|
10
ssl/s2_pkt.c
10
ssl/s2_pkt.c
@ -307,6 +307,9 @@ int ssl2_peek(SSL *s, void *buf, int len)
|
|||||||
return ssl2_read_internal(s, buf, len, 1);
|
return ssl2_read_internal(s, buf, len, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return values are as per SSL_read()
|
||||||
|
*/
|
||||||
static int read_n(SSL *s, unsigned int n, unsigned int max,
|
static int read_n(SSL *s, unsigned int n, unsigned int max,
|
||||||
unsigned int extend)
|
unsigned int extend)
|
||||||
{
|
{
|
||||||
@ -374,7 +377,7 @@ static int read_n(SSL *s, unsigned int n, unsigned int max,
|
|||||||
# endif
|
# endif
|
||||||
if (i <= 0) {
|
if (i <= 0) {
|
||||||
s->s2->rbuf_left += newb;
|
s->s2->rbuf_left += newb;
|
||||||
return (i);
|
return i;
|
||||||
}
|
}
|
||||||
newb += i;
|
newb += i;
|
||||||
}
|
}
|
||||||
@ -441,6 +444,9 @@ int ssl2_write(SSL *s, const void *_buf, int len)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return values are as per SSL_write()
|
||||||
|
*/
|
||||||
static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
|
static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
@ -477,7 +483,7 @@ static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
|
|||||||
s->rwstate = SSL_NOTHING;
|
s->rwstate = SSL_NOTHING;
|
||||||
return (s->s2->wpend_ret);
|
return (s->s2->wpend_ret);
|
||||||
} else if (i <= 0)
|
} else if (i <= 0)
|
||||||
return (i);
|
return i;
|
||||||
s->s2->wpend_off += i;
|
s->s2->wpend_off += i;
|
||||||
s->s2->wpend_len -= i;
|
s->s2->wpend_len -= i;
|
||||||
}
|
}
|
||||||
|
@ -1710,12 +1710,6 @@ int ssl3_get_key_exchange(SSL *s)
|
|||||||
}
|
}
|
||||||
p += i;
|
p += i;
|
||||||
|
|
||||||
if (BN_is_zero(dh->p)) {
|
|
||||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
|
|
||||||
goto f_err;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if (2 > n - param_len) {
|
if (2 > n - param_len) {
|
||||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
|
||||||
goto f_err;
|
goto f_err;
|
||||||
@ -1736,11 +1730,6 @@ int ssl3_get_key_exchange(SSL *s)
|
|||||||
}
|
}
|
||||||
p += i;
|
p += i;
|
||||||
|
|
||||||
if (BN_is_zero(dh->g)) {
|
|
||||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
|
|
||||||
goto f_err;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (2 > n - param_len) {
|
if (2 > n - param_len) {
|
||||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
|
||||||
goto f_err;
|
goto f_err;
|
||||||
@ -1767,6 +1756,39 @@ int ssl3_get_key_exchange(SSL *s)
|
|||||||
goto f_err;
|
goto f_err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* Check that p and g are suitable enough
|
||||||
|
*
|
||||||
|
* p is odd
|
||||||
|
* 1 < g < p - 1
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
BIGNUM *tmp = NULL;
|
||||||
|
|
||||||
|
if (!BN_is_odd(dh->p)) {
|
||||||
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
if (BN_is_negative(dh->g) || BN_is_zero(dh->g)
|
||||||
|
|| BN_is_one(dh->g)) {
|
||||||
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
if ((tmp = BN_new()) == NULL
|
||||||
|
|| BN_copy(tmp, dh->p) == NULL
|
||||||
|
|| !BN_sub_word(tmp, 1)) {
|
||||||
|
BN_free(tmp);
|
||||||
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (BN_cmp(dh->g, tmp) >= 0) {
|
||||||
|
BN_free(tmp);
|
||||||
|
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
BN_free(tmp);
|
||||||
|
}
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_RSA
|
# ifndef OPENSSL_NO_RSA
|
||||||
if (alg_a & SSL_aRSA)
|
if (alg_a & SSL_aRSA)
|
||||||
pkey =
|
pkey =
|
||||||
|
23
ssl/s3_pkt.c
23
ssl/s3_pkt.c
@ -136,6 +136,9 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
|
|||||||
unsigned int len, int create_empty_fragment);
|
unsigned int len, int create_empty_fragment);
|
||||||
static int ssl3_get_record(SSL *s);
|
static int ssl3_get_record(SSL *s);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return values are as per SSL_read()
|
||||||
|
*/
|
||||||
int ssl3_read_n(SSL *s, int n, int max, int extend)
|
int ssl3_read_n(SSL *s, int n, int max, int extend)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
@ -1082,7 +1085,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* if s->s3->wbuf.left != 0, we need to call this */
|
/* if s->s3->wbuf.left != 0, we need to call this
|
||||||
|
*
|
||||||
|
* Return values are as per SSL_write(), i.e.
|
||||||
|
*/
|
||||||
int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
|
int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
|
||||||
unsigned int len)
|
unsigned int len)
|
||||||
{
|
{
|
||||||
@ -1122,7 +1128,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
|
|||||||
*/
|
*/
|
||||||
wb->left = 0;
|
wb->left = 0;
|
||||||
}
|
}
|
||||||
return (i);
|
return i;
|
||||||
}
|
}
|
||||||
wb->offset += i;
|
wb->offset += i;
|
||||||
wb->left -= i;
|
wb->left -= i;
|
||||||
@ -1593,16 +1599,13 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
|||||||
|
|
||||||
switch (rr->type) {
|
switch (rr->type) {
|
||||||
default:
|
default:
|
||||||
#ifndef OPENSSL_NO_TLS
|
|
||||||
/*
|
/*
|
||||||
* TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
|
* TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
|
||||||
* an unexpected message alert.
|
* TLS 1.2 says you MUST send an unexpected message alert. We use the
|
||||||
|
* TLS 1.2 behaviour for all protocol versions to prevent issues where
|
||||||
|
* no progress is being made and the peer continually sends unrecognised
|
||||||
|
* record types, using up resources processing them.
|
||||||
*/
|
*/
|
||||||
if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
|
|
||||||
rr->length = 0;
|
|
||||||
goto start;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
al = SSL_AD_UNEXPECTED_MESSAGE;
|
al = SSL_AD_UNEXPECTED_MESSAGE;
|
||||||
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
|
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
|
||||||
goto f_err;
|
goto f_err;
|
||||||
|
@ -506,7 +506,7 @@ int ssl3_accept(SSL *s)
|
|||||||
* if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
|
* if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
|
||||||
* during re-negotiation:
|
* during re-negotiation:
|
||||||
*/
|
*/
|
||||||
((s->session->peer != NULL) &&
|
(s->s3->tmp.finish_md_len != 0 &&
|
||||||
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
|
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
|
||||||
/*
|
/*
|
||||||
* never request cert in anonymous ciphersuites (see
|
* never request cert in anonymous ciphersuites (see
|
||||||
@ -1465,9 +1465,9 @@ int ssl3_get_client_hello(SSL *s)
|
|||||||
|
|
||||||
/* Handles TLS extensions that we couldn't check earlier */
|
/* Handles TLS extensions that we couldn't check earlier */
|
||||||
if (s->version >= SSL3_VERSION) {
|
if (s->version >= SSL3_VERSION) {
|
||||||
if (ssl_check_clienthello_tlsext_late(s) <= 0) {
|
if (!ssl_check_clienthello_tlsext_late(s, &al)) {
|
||||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
|
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
|
||||||
goto err;
|
goto f_err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1601,6 +1601,9 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
unsigned int u;
|
unsigned int u;
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
|
# ifdef OPENSSL_NO_RSA
|
||||||
|
int j;
|
||||||
|
# endif
|
||||||
DH *dh = NULL, *dhp;
|
DH *dh = NULL, *dhp;
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_ECDH
|
#ifndef OPENSSL_NO_ECDH
|
||||||
@ -1861,6 +1864,16 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
if ((i == 2) && (type & SSL_kSRP))
|
if ((i == 2) && (type & SSL_kSRP))
|
||||||
n += 1 + nr[i];
|
n += 1 + nr[i];
|
||||||
else
|
else
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
/*
|
||||||
|
* for interoperability with some versions of the Microsoft TLS
|
||||||
|
* stack, we need to zero pad the DHE pub key to the same length
|
||||||
|
* as the prime, so use the length of the prime here
|
||||||
|
*/
|
||||||
|
if ((i == 2) && (type & (SSL_kEDH)))
|
||||||
|
n += 2 + nr[0];
|
||||||
|
else
|
||||||
#endif
|
#endif
|
||||||
n += 2 + nr[i];
|
n += 2 + nr[i];
|
||||||
}
|
}
|
||||||
@ -1895,6 +1908,20 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
*p = nr[i];
|
*p = nr[i];
|
||||||
p++;
|
p++;
|
||||||
} else
|
} else
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
/*
|
||||||
|
* for interoperability with some versions of the Microsoft TLS
|
||||||
|
* stack, we need to zero pad the DHE pub key to the same length
|
||||||
|
* as the prime
|
||||||
|
*/
|
||||||
|
if ((i == 2) && (type & (SSL_kEDH))) {
|
||||||
|
s2n(nr[0], p);
|
||||||
|
for (j = 0; j < (nr[0] - nr[2]); ++j) {
|
||||||
|
*p = 0;
|
||||||
|
++p;
|
||||||
|
}
|
||||||
|
} else
|
||||||
#endif
|
#endif
|
||||||
s2n(nr[i], p);
|
s2n(nr[i], p);
|
||||||
BN_bn2bin(r[i], p);
|
BN_bn2bin(r[i], p);
|
||||||
|
@ -315,7 +315,7 @@ CERT *ssl_cert_dup(CERT *cert)
|
|||||||
OPENSSL_malloc(cert->pkeys[i].serverinfo_length);
|
OPENSSL_malloc(cert->pkeys[i].serverinfo_length);
|
||||||
if (ret->pkeys[i].serverinfo == NULL) {
|
if (ret->pkeys[i].serverinfo == NULL) {
|
||||||
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
|
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
|
||||||
return NULL;
|
goto err;
|
||||||
}
|
}
|
||||||
ret->pkeys[i].serverinfo_length =
|
ret->pkeys[i].serverinfo_length =
|
||||||
cert->pkeys[i].serverinfo_length;
|
cert->pkeys[i].serverinfo_length;
|
||||||
@ -392,9 +392,7 @@ CERT *ssl_cert_dup(CERT *cert)
|
|||||||
|
|
||||||
return (ret);
|
return (ret);
|
||||||
|
|
||||||
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
|
|
||||||
err:
|
err:
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_RSA
|
#ifndef OPENSSL_NO_RSA
|
||||||
if (ret->rsa_tmp != NULL)
|
if (ret->rsa_tmp != NULL)
|
||||||
RSA_free(ret->rsa_tmp);
|
RSA_free(ret->rsa_tmp);
|
||||||
|
@ -753,6 +753,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
|
|||||||
"tls illegal exporter label"},
|
"tls illegal exporter label"},
|
||||||
{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
|
{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
|
||||||
"tls invalid ecpointformat list"},
|
"tls invalid ecpointformat list"},
|
||||||
|
{ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},
|
||||||
{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),
|
{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),
|
||||||
"tls peer did not respond with certificate list"},
|
"tls peer did not respond with certificate list"},
|
||||||
{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),
|
{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),
|
||||||
|
@ -2030,10 +2030,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
|||||||
ret->rbuf_freelist->len = 0;
|
ret->rbuf_freelist->len = 0;
|
||||||
ret->rbuf_freelist->head = NULL;
|
ret->rbuf_freelist->head = NULL;
|
||||||
ret->wbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
|
ret->wbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
|
||||||
if (!ret->wbuf_freelist) {
|
if (!ret->wbuf_freelist)
|
||||||
OPENSSL_free(ret->rbuf_freelist);
|
|
||||||
goto err;
|
goto err;
|
||||||
}
|
|
||||||
ret->wbuf_freelist->chunklen = 0;
|
ret->wbuf_freelist->chunklen = 0;
|
||||||
ret->wbuf_freelist->len = 0;
|
ret->wbuf_freelist->len = 0;
|
||||||
ret->wbuf_freelist->head = NULL;
|
ret->wbuf_freelist->head = NULL;
|
||||||
|
@ -1384,7 +1384,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data,
|
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data,
|
||||||
unsigned char *limit);
|
unsigned char *limit);
|
||||||
int tls1_set_server_sigalgs(SSL *s);
|
int tls1_set_server_sigalgs(SSL *s);
|
||||||
int ssl_check_clienthello_tlsext_late(SSL *s);
|
int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
|
||||||
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data,
|
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data,
|
||||||
unsigned char *d, int n);
|
unsigned char *d, int n);
|
||||||
int ssl_prepare_clienthello_tlsext(SSL *s);
|
int ssl_prepare_clienthello_tlsext(SSL *s);
|
||||||
|
@ -769,6 +769,15 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
|
|||||||
* obtain the same session from an external cache)
|
* obtain the same session from an external cache)
|
||||||
*/
|
*/
|
||||||
s = NULL;
|
s = NULL;
|
||||||
|
} else if (s == NULL &&
|
||||||
|
lh_SSL_SESSION_retrieve(ctx->sessions, c) == NULL) {
|
||||||
|
/* s == NULL can also mean OOM error in lh_SSL_SESSION_insert ... */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* ... so take back the extra reference and also don't add
|
||||||
|
* the session to the SSL_SESSION_list at this time
|
||||||
|
*/
|
||||||
|
s = c;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Put at the head of the queue unless it is already in the cache */
|
/* Put at the head of the queue unless it is already in the cache */
|
||||||
|
291
ssl/t1_lib.c
291
ssl/t1_lib.c
@ -132,6 +132,9 @@ static int ssl_check_clienthello_tlsext_early(SSL *s);
|
|||||||
int ssl_check_serverhello_tlsext(SSL *s);
|
int ssl_check_serverhello_tlsext(SSL *s);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#define CHECKLEN(curr, val, limit) \
|
||||||
|
(((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
|
||||||
|
|
||||||
SSL3_ENC_METHOD TLSv1_enc_data = {
|
SSL3_ENC_METHOD TLSv1_enc_data = {
|
||||||
tls1_enc,
|
tls1_enc,
|
||||||
tls1_mac,
|
tls1_mac,
|
||||||
@ -1263,8 +1266,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
|
|
||||||
if (s->tlsext_hostname != NULL) {
|
if (s->tlsext_hostname != NULL) {
|
||||||
/* Add TLS extension servername to the Client Hello message */
|
/* Add TLS extension servername to the Client Hello message */
|
||||||
unsigned long size_str;
|
size_t size_str;
|
||||||
long lenmax;
|
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* check for enough space.
|
* check for enough space.
|
||||||
@ -1274,10 +1276,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
* 2 for hostname length
|
* 2 for hostname length
|
||||||
* + hostname length
|
* + hostname length
|
||||||
*/
|
*/
|
||||||
|
size_str = strlen(s->tlsext_hostname);
|
||||||
if ((lenmax = limit - ret - 9) < 0
|
if (CHECKLEN(ret, 9 + size_str, limit))
|
||||||
|| (size_str =
|
|
||||||
strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
/* extension type and length */
|
/* extension type and length */
|
||||||
@ -1321,7 +1321,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
|
if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
|
||||||
* Client Hello message */
|
* Client Hello message */
|
||||||
|
|
||||||
int login_len = strlen(s->srp_ctx.login);
|
size_t login_len = strlen(s->srp_ctx.login);
|
||||||
if (login_len > 255 || login_len == 0) {
|
if (login_len > 255 || login_len == 0) {
|
||||||
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -1333,7 +1333,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
* 1 for the srp user identity
|
* 1 for the srp user identity
|
||||||
* + srp user identity length
|
* + srp user identity length
|
||||||
*/
|
*/
|
||||||
if ((limit - ret - 5 - login_len) < 0)
|
if (CHECKLEN(ret, 5 + login_len, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
/* fill in the extension */
|
/* fill in the extension */
|
||||||
@ -1350,20 +1350,23 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
/*
|
/*
|
||||||
* Add TLS extension ECPointFormats to the ClientHello message
|
* Add TLS extension ECPointFormats to the ClientHello message
|
||||||
*/
|
*/
|
||||||
long lenmax;
|
|
||||||
const unsigned char *pcurves, *pformats;
|
const unsigned char *pcurves, *pformats;
|
||||||
size_t num_curves, num_formats, curves_list_len;
|
size_t num_curves, num_formats, curves_list_len;
|
||||||
|
|
||||||
tls1_get_formatlist(s, &pformats, &num_formats);
|
tls1_get_formatlist(s, &pformats, &num_formats);
|
||||||
|
|
||||||
if ((lenmax = limit - ret - 5) < 0)
|
|
||||||
return NULL;
|
|
||||||
if (num_formats > (size_t)lenmax)
|
|
||||||
return NULL;
|
|
||||||
if (num_formats > 255) {
|
if (num_formats > 255) {
|
||||||
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the ec point formats type and extension length
|
||||||
|
* 1 byte for the length of the formats
|
||||||
|
* + formats length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 5 + num_formats, limit))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_ec_point_formats, ret);
|
s2n(TLSEXT_TYPE_ec_point_formats, ret);
|
||||||
/* The point format list has 1-byte length. */
|
/* The point format list has 1-byte length. */
|
||||||
@ -1379,15 +1382,20 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
|
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
if ((lenmax = limit - ret - 6) < 0)
|
|
||||||
return NULL;
|
|
||||||
if (num_curves > (size_t)lenmax / 2)
|
|
||||||
return NULL;
|
|
||||||
if (num_curves > 65532 / 2) {
|
if (num_curves > 65532 / 2) {
|
||||||
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
curves_list_len = 2 * num_curves;
|
curves_list_len = 2 * num_curves;
|
||||||
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the ec curves type and extension length
|
||||||
|
* 2 bytes for the curve list length
|
||||||
|
* + curve list length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 6 + curves_list_len, limit))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_elliptic_curves, ret);
|
s2n(TLSEXT_TYPE_elliptic_curves, ret);
|
||||||
s2n(curves_list_len + 2, ret);
|
s2n(curves_list_len + 2, ret);
|
||||||
s2n(curves_list_len, ret);
|
s2n(curves_list_len, ret);
|
||||||
@ -1397,7 +1405,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
# endif /* OPENSSL_NO_EC */
|
# endif /* OPENSSL_NO_EC */
|
||||||
|
|
||||||
if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
|
if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
|
||||||
int ticklen;
|
size_t ticklen;
|
||||||
if (!s->new_session && s->session && s->session->tlsext_tick)
|
if (!s->new_session && s->session && s->session->tlsext_tick)
|
||||||
ticklen = s->session->tlsext_ticklen;
|
ticklen = s->session->tlsext_ticklen;
|
||||||
else if (s->session && s->tlsext_session_ticket &&
|
else if (s->session && s->tlsext_session_ticket &&
|
||||||
@ -1418,11 +1426,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
* Check for enough room 2 for extension type, 2 for len rest for
|
* Check for enough room 2 for extension type, 2 for len rest for
|
||||||
* ticket
|
* ticket
|
||||||
*/
|
*/
|
||||||
if ((long)(limit - ret - 4 - ticklen) < 0)
|
if (CHECKLEN(ret, 4 + ticklen, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_session_ticket, ret);
|
s2n(TLSEXT_TYPE_session_ticket, ret);
|
||||||
s2n(ticklen, ret);
|
s2n(ticklen, ret);
|
||||||
if (ticklen) {
|
if (ticklen > 0) {
|
||||||
memcpy(ret, s->session->tlsext_tick, ticklen);
|
memcpy(ret, s->session->tlsext_tick, ticklen);
|
||||||
ret += ticklen;
|
ret += ticklen;
|
||||||
}
|
}
|
||||||
@ -1433,7 +1441,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
size_t salglen;
|
size_t salglen;
|
||||||
const unsigned char *salg;
|
const unsigned char *salg;
|
||||||
salglen = tls12_get_psigalgs(s, &salg);
|
salglen = tls12_get_psigalgs(s, &salg);
|
||||||
if ((size_t)(limit - ret) < salglen + 6)
|
|
||||||
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the sigalgs type and extension length
|
||||||
|
* 2 bytes for the sigalg list length
|
||||||
|
* + sigalg list length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, salglen + 6, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_signature_algorithms, ret);
|
s2n(TLSEXT_TYPE_signature_algorithms, ret);
|
||||||
s2n(salglen + 2, ret);
|
s2n(salglen + 2, ret);
|
||||||
@ -1460,30 +1475,42 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
|
|
||||||
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
|
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
|
||||||
int i;
|
int i;
|
||||||
long extlen, idlen, itmp;
|
size_t extlen, idlen;
|
||||||
|
int lentmp;
|
||||||
OCSP_RESPID *id;
|
OCSP_RESPID *id;
|
||||||
|
|
||||||
idlen = 0;
|
idlen = 0;
|
||||||
for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
|
for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
|
||||||
id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
|
id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
|
||||||
itmp = i2d_OCSP_RESPID(id, NULL);
|
lentmp = i2d_OCSP_RESPID(id, NULL);
|
||||||
if (itmp <= 0)
|
if (lentmp <= 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
idlen += itmp + 2;
|
idlen += (size_t)lentmp + 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->tlsext_ocsp_exts) {
|
if (s->tlsext_ocsp_exts) {
|
||||||
extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
|
lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
|
||||||
if (extlen < 0)
|
if (lentmp < 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
extlen = (size_t)lentmp;
|
||||||
} else
|
} else
|
||||||
extlen = 0;
|
extlen = 0;
|
||||||
|
|
||||||
if ((long)(limit - ret - 7 - extlen - idlen) < 0)
|
|
||||||
return NULL;
|
|
||||||
s2n(TLSEXT_TYPE_status_request, ret);
|
|
||||||
if (extlen + idlen > 0xFFF0)
|
if (extlen + idlen > 0xFFF0)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
/*
|
||||||
|
* 2 bytes for status request type
|
||||||
|
* 2 bytes for status request len
|
||||||
|
* 1 byte for OCSP request type
|
||||||
|
* 2 bytes for length of ids
|
||||||
|
* 2 bytes for length of extensions
|
||||||
|
* + length of ids
|
||||||
|
* + length of extensions
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 9 + idlen + extlen, limit))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
s2n(TLSEXT_TYPE_status_request, ret);
|
||||||
s2n(extlen + idlen + 5, ret);
|
s2n(extlen + idlen + 5, ret);
|
||||||
*(ret++) = TLSEXT_STATUSTYPE_ocsp;
|
*(ret++) = TLSEXT_STATUSTYPE_ocsp;
|
||||||
s2n(idlen, ret);
|
s2n(idlen, ret);
|
||||||
@ -1493,9 +1520,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
|
id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
|
||||||
/* skip over id len */
|
/* skip over id len */
|
||||||
ret += 2;
|
ret += 2;
|
||||||
itmp = i2d_OCSP_RESPID(id, &ret);
|
lentmp = i2d_OCSP_RESPID(id, &ret);
|
||||||
/* write id len */
|
/* write id len */
|
||||||
s2n(itmp, q);
|
s2n(lentmp, q);
|
||||||
}
|
}
|
||||||
s2n(extlen, ret);
|
s2n(extlen, ret);
|
||||||
if (extlen > 0)
|
if (extlen > 0)
|
||||||
@ -1503,8 +1530,15 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_HEARTBEATS
|
# ifndef OPENSSL_NO_HEARTBEATS
|
||||||
/* Add Heartbeat extension */
|
/* Add Heartbeat extension */
|
||||||
if ((limit - ret - 4 - 1) < 0)
|
|
||||||
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the heartbeat ext type and extension length
|
||||||
|
* 1 byte for the mode
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 5, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_heartbeat, ret);
|
s2n(TLSEXT_TYPE_heartbeat, ret);
|
||||||
s2n(1, ret);
|
s2n(1, ret);
|
||||||
/*-
|
/*-
|
||||||
@ -1524,7 +1558,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
* The client advertises an emtpy extension to indicate its support
|
* The client advertises an emtpy extension to indicate its support
|
||||||
* for Next Protocol Negotiation
|
* for Next Protocol Negotiation
|
||||||
*/
|
*/
|
||||||
if (limit - ret - 4 < 0)
|
|
||||||
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the NPN ext type and extension length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_next_proto_neg, ret);
|
s2n(TLSEXT_TYPE_next_proto_neg, ret);
|
||||||
s2n(0, ret);
|
s2n(0, ret);
|
||||||
@ -1532,7 +1571,13 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
# endif
|
# endif
|
||||||
|
|
||||||
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
|
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
|
||||||
if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the ALPN type and extension length
|
||||||
|
* 2 bytes for the ALPN protocol list length
|
||||||
|
* + ALPN protocol list length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
|
s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
|
||||||
s2n(2 + s->alpn_client_proto_list_len, ret);
|
s2n(2 + s->alpn_client_proto_list_len, ret);
|
||||||
@ -1547,7 +1592,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
|
|
||||||
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
|
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
|
||||||
|
|
||||||
if ((limit - ret - 4 - el) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the SRTP type and extension length
|
||||||
|
* + SRTP profiles length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4 + el, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_use_srtp, ret);
|
s2n(TLSEXT_TYPE_use_srtp, ret);
|
||||||
@ -1587,6 +1637,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
else
|
else
|
||||||
hlen = 0;
|
hlen = 0;
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* check for enough space. Strictly speaking we know we've already
|
||||||
|
* got enough space because to get here the message size is < 0x200,
|
||||||
|
* but we know that we've allocated far more than that in the buffer
|
||||||
|
* - but for consistency and robustness we're going to check anyway.
|
||||||
|
*
|
||||||
|
* 4 bytes for the padding type and extension length
|
||||||
|
* + padding length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4 + hlen, limit))
|
||||||
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_padding, ret);
|
s2n(TLSEXT_TYPE_padding, ret);
|
||||||
s2n(hlen, ret);
|
s2n(hlen, ret);
|
||||||
memset(ret, 0, hlen);
|
memset(ret, 0, hlen);
|
||||||
@ -1644,7 +1705,12 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((limit - ret - 4 - el) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the reneg type and extension length
|
||||||
|
* + reneg data length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4 + el, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_renegotiate, ret);
|
s2n(TLSEXT_TYPE_renegotiate, ret);
|
||||||
@ -1664,19 +1730,23 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
/*
|
/*
|
||||||
* Add TLS extension ECPointFormats to the ServerHello message
|
* Add TLS extension ECPointFormats to the ServerHello message
|
||||||
*/
|
*/
|
||||||
long lenmax;
|
|
||||||
|
|
||||||
tls1_get_formatlist(s, &plist, &plistlen);
|
tls1_get_formatlist(s, &plist, &plistlen);
|
||||||
|
|
||||||
if ((lenmax = limit - ret - 5) < 0)
|
|
||||||
return NULL;
|
|
||||||
if (plistlen > (size_t)lenmax)
|
|
||||||
return NULL;
|
|
||||||
if (plistlen > 255) {
|
if (plistlen > 255) {
|
||||||
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the ec points format type and extension length
|
||||||
|
* 1 byte for the points format list length
|
||||||
|
* + length of points format list
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 5 + plistlen, limit))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_ec_point_formats, ret);
|
s2n(TLSEXT_TYPE_ec_point_formats, ret);
|
||||||
s2n(plistlen + 1, ret);
|
s2n(plistlen + 1, ret);
|
||||||
*(ret++) = (unsigned char)plistlen;
|
*(ret++) = (unsigned char)plistlen;
|
||||||
@ -1691,14 +1761,22 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
# endif /* OPENSSL_NO_EC */
|
# endif /* OPENSSL_NO_EC */
|
||||||
|
|
||||||
if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
|
if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
|
||||||
if ((long)(limit - ret - 4) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the Ticket type and extension length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_session_ticket, ret);
|
s2n(TLSEXT_TYPE_session_ticket, ret);
|
||||||
s2n(0, ret);
|
s2n(0, ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->tlsext_status_expected) {
|
if (s->tlsext_status_expected) {
|
||||||
if ((long)(limit - ret - 4) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the Status request type and extension length
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_status_request, ret);
|
s2n(TLSEXT_TYPE_status_request, ret);
|
||||||
s2n(0, ret);
|
s2n(0, ret);
|
||||||
@ -1726,7 +1804,12 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
|
|
||||||
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
|
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
|
||||||
|
|
||||||
if ((limit - ret - 4 - el) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the SRTP profiles type and extension length
|
||||||
|
* + length of the SRTP profiles list
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4 + el, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
s2n(TLSEXT_TYPE_use_srtp, ret);
|
s2n(TLSEXT_TYPE_use_srtp, ret);
|
||||||
@ -1751,16 +1834,23 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
|
0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
|
||||||
0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
|
0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
|
||||||
};
|
};
|
||||||
if (limit - ret < 36)
|
|
||||||
|
/* check for enough space. */
|
||||||
|
if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
memcpy(ret, cryptopro_ext, 36);
|
memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
|
||||||
ret += 36;
|
ret += sizeof(cryptopro_ext);
|
||||||
|
|
||||||
}
|
}
|
||||||
# ifndef OPENSSL_NO_HEARTBEATS
|
# ifndef OPENSSL_NO_HEARTBEATS
|
||||||
/* Add Heartbeat extension if we've received one */
|
/* Add Heartbeat extension if we've received one */
|
||||||
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
|
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
|
||||||
if ((limit - ret - 4 - 1) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the Heartbeat type and extension length
|
||||||
|
* 1 byte for the mode
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 5, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_heartbeat, ret);
|
s2n(TLSEXT_TYPE_heartbeat, ret);
|
||||||
s2n(1, ret);
|
s2n(1, ret);
|
||||||
@ -1789,7 +1879,12 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
s->
|
s->
|
||||||
ctx->next_protos_advertised_cb_arg);
|
ctx->next_protos_advertised_cb_arg);
|
||||||
if (r == SSL_TLSEXT_ERR_OK) {
|
if (r == SSL_TLSEXT_ERR_OK) {
|
||||||
if ((long)(limit - ret - 4 - npalen) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the NPN type and extension length
|
||||||
|
* + length of protocols list
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 4 + npalen, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_next_proto_neg, ret);
|
s2n(TLSEXT_TYPE_next_proto_neg, ret);
|
||||||
s2n(npalen, ret);
|
s2n(npalen, ret);
|
||||||
@ -1804,9 +1899,16 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
|||||||
|
|
||||||
if (s->s3->alpn_selected) {
|
if (s->s3->alpn_selected) {
|
||||||
const unsigned char *selected = s->s3->alpn_selected;
|
const unsigned char *selected = s->s3->alpn_selected;
|
||||||
unsigned len = s->s3->alpn_selected_len;
|
size_t len = s->s3->alpn_selected_len;
|
||||||
|
|
||||||
if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
|
/*-
|
||||||
|
* check for enough space.
|
||||||
|
* 4 bytes for the ALPN type and extension length
|
||||||
|
* 2 bytes for ALPN data length
|
||||||
|
* 1 byte for selected protocol length
|
||||||
|
* + length of the selected protocol
|
||||||
|
*/
|
||||||
|
if (CHECKLEN(ret, 7 + len, limit))
|
||||||
return NULL;
|
return NULL;
|
||||||
s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
|
s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
|
||||||
s2n(3 + len, ret);
|
s2n(3 + len, ret);
|
||||||
@ -1966,11 +2068,10 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Process the ALPN extension in a ClientHello.
|
* Process the ALPN extension in a ClientHello.
|
||||||
* ret: a pointer to the TLSEXT return value: SSL_TLSEXT_ERR_*
|
|
||||||
* al: a pointer to the alert value to send in the event of a failure.
|
* al: a pointer to the alert value to send in the event of a failure.
|
||||||
* returns 1 on success, 0 on failure: al/ret set only on failure
|
* returns 1 on success, 0 on failure: al set only on failure
|
||||||
*/
|
*/
|
||||||
static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
|
static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
|
||||||
{
|
{
|
||||||
const unsigned char *selected = NULL;
|
const unsigned char *selected = NULL;
|
||||||
unsigned char selected_len = 0;
|
unsigned char selected_len = 0;
|
||||||
@ -1986,7 +2087,6 @@ static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
|
|||||||
s->s3->alpn_selected = OPENSSL_malloc(selected_len);
|
s->s3->alpn_selected = OPENSSL_malloc(selected_len);
|
||||||
if (s->s3->alpn_selected == NULL) {
|
if (s->s3->alpn_selected == NULL) {
|
||||||
*al = SSL_AD_INTERNAL_ERROR;
|
*al = SSL_AD_INTERNAL_ERROR;
|
||||||
*ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
memcpy(s->s3->alpn_selected, selected, selected_len);
|
memcpy(s->s3->alpn_selected, selected, selected_len);
|
||||||
@ -3064,10 +3164,12 @@ int tls1_set_server_sigalgs(SSL *s)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssl_check_clienthello_tlsext_late(SSL *s)
|
/*
|
||||||
|
* Upon success, returns 1.
|
||||||
|
* Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
|
||||||
|
*/
|
||||||
|
int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
|
||||||
{
|
{
|
||||||
int ret = SSL_TLSEXT_ERR_OK;
|
|
||||||
int al;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If status request then ask callback what to do. Note: this must be
|
* If status request then ask callback what to do. Note: this must be
|
||||||
@ -3076,58 +3178,41 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
|
|||||||
* influence which certificate is sent
|
* influence which certificate is sent
|
||||||
*/
|
*/
|
||||||
if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
|
if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
|
||||||
int r;
|
int ret;
|
||||||
CERT_PKEY *certpkey;
|
CERT_PKEY *certpkey;
|
||||||
certpkey = ssl_get_server_send_pkey(s);
|
certpkey = ssl_get_server_send_pkey(s);
|
||||||
/* If no certificate can't return certificate status */
|
/* If no certificate can't return certificate status */
|
||||||
if (certpkey == NULL) {
|
if (certpkey != NULL) {
|
||||||
s->tlsext_status_expected = 0;
|
/*
|
||||||
return 1;
|
* Set current certificate to one we will use so SSL_get_certificate
|
||||||
}
|
* et al can pick it up.
|
||||||
/*
|
*/
|
||||||
* Set current certificate to one we will use so SSL_get_certificate
|
s->cert->key = certpkey;
|
||||||
* et al can pick it up.
|
ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
||||||
*/
|
switch (ret) {
|
||||||
s->cert->key = certpkey;
|
/* We don't want to send a status request response */
|
||||||
r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
case SSL_TLSEXT_ERR_NOACK:
|
||||||
switch (r) {
|
|
||||||
/* We don't want to send a status request response */
|
|
||||||
case SSL_TLSEXT_ERR_NOACK:
|
|
||||||
s->tlsext_status_expected = 0;
|
|
||||||
break;
|
|
||||||
/* status request response should be sent */
|
|
||||||
case SSL_TLSEXT_ERR_OK:
|
|
||||||
if (s->tlsext_ocsp_resp)
|
|
||||||
s->tlsext_status_expected = 1;
|
|
||||||
else
|
|
||||||
s->tlsext_status_expected = 0;
|
s->tlsext_status_expected = 0;
|
||||||
break;
|
break;
|
||||||
/* something bad happened */
|
/* status request response should be sent */
|
||||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
case SSL_TLSEXT_ERR_OK:
|
||||||
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
if (s->tlsext_ocsp_resp)
|
||||||
al = SSL_AD_INTERNAL_ERROR;
|
s->tlsext_status_expected = 1;
|
||||||
goto err;
|
break;
|
||||||
|
/* something bad happened */
|
||||||
|
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||||
|
default:
|
||||||
|
*al = SSL_AD_INTERNAL_ERROR;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else
|
|
||||||
s->tlsext_status_expected = 0;
|
|
||||||
|
|
||||||
if (!tls1_alpn_handle_client_hello_late(s, &ret, &al)) {
|
|
||||||
goto err;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err:
|
if (!tls1_alpn_handle_client_hello_late(s, al)) {
|
||||||
switch (ret) {
|
return 0;
|
||||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
|
||||||
ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
|
||||||
ssl3_send_alert(s, SSL3_AL_WARNING, al);
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
default:
|
|
||||||
return 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssl_check_serverhello_tlsext(SSL *s)
|
int ssl_check_serverhello_tlsext(SSL *s)
|
||||||
|
11
util/domd
11
util/domd
@ -11,7 +11,9 @@ if [ "$1" = "-MD" ]; then
|
|||||||
fi
|
fi
|
||||||
if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
|
if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
|
||||||
|
|
||||||
cp Makefile Makefile.save
|
# Preserve Makefile timestamp by moving instead of copying (cp -p is GNU only)
|
||||||
|
mv Makefile Makefile.save
|
||||||
|
cp Makefile.save Makefile
|
||||||
# fake the presence of Kerberos
|
# fake the presence of Kerberos
|
||||||
touch $TOP/krb5.h
|
touch $TOP/krb5.h
|
||||||
if ${MAKEDEPEND} --version 2>&1 | grep "clang" > /dev/null ||
|
if ${MAKEDEPEND} --version 2>&1 | grep "clang" > /dev/null ||
|
||||||
@ -32,7 +34,12 @@ else
|
|||||||
${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new
|
${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new
|
||||||
RC=$?
|
RC=$?
|
||||||
fi
|
fi
|
||||||
mv Makefile.new Makefile
|
if ! cmp -s Makefile.save Makefile.new; then
|
||||||
|
mv Makefile.new Makefile
|
||||||
|
else
|
||||||
|
mv Makefile.save Makefile
|
||||||
|
rm -f Makefile.new
|
||||||
|
fi
|
||||||
# unfake the presence of Kerberos
|
# unfake the presence of Kerberos
|
||||||
rm $TOP/krb5.h
|
rm $TOP/krb5.h
|
||||||
|
|
||||||
|
@ -55,9 +55,11 @@ if ($^O eq "msys") { $symlink_exists=0 };
|
|||||||
foreach $file (@files) {
|
foreach $file (@files) {
|
||||||
my $err = "";
|
my $err = "";
|
||||||
if ($symlink_exists) {
|
if ($symlink_exists) {
|
||||||
unlink "$from/$file";
|
if (!-l "$from/$file") {
|
||||||
symlink("$to/$file", "$from/$file") or $err = " [$!]";
|
unlink "$from/$file";
|
||||||
} else {
|
symlink("$to/$file", "$from/$file") or $err = " [$!]";
|
||||||
|
}
|
||||||
|
} elsif (-d "$from" && (!-f "$from/$file" || ((stat("$file"))[9] > (stat("$from/$file"))[9]))) {
|
||||||
unlink "$from/$file";
|
unlink "$from/$file";
|
||||||
open (OLD, "<$file") or die "Can't open $file: $!";
|
open (OLD, "<$file") or die "Can't open $file: $!";
|
||||||
open (NEW, ">$from/$file") or die "Can't open $from/$file: $!";
|
open (NEW, ">$from/$file") or die "Can't open $from/$file: $!";
|
||||||
|
Loading…
Reference in New Issue
Block a user