Import OpenSSL 1.1.1n
This commit is contained in:
@@ -7,6 +7,43 @@
|
|||||||
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
||||||
release branch.
|
release branch.
|
||||||
|
|
||||||
|
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
|
||||||
|
|
||||||
|
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
|
||||||
|
for non-prime moduli.
|
||||||
|
|
||||||
|
Internally this function is used when parsing certificates that contain
|
||||||
|
elliptic curve public keys in compressed form or explicit elliptic curve
|
||||||
|
parameters with a base point encoded in compressed form.
|
||||||
|
|
||||||
|
It is possible to trigger the infinite loop by crafting a certificate that
|
||||||
|
has invalid explicit curve parameters.
|
||||||
|
|
||||||
|
Since certificate parsing happens prior to verification of the certificate
|
||||||
|
signature, any process that parses an externally supplied certificate may
|
||||||
|
thus be subject to a denial of service attack. The infinite loop can also
|
||||||
|
be reached when parsing crafted private keys as they can contain explicit
|
||||||
|
elliptic curve parameters.
|
||||||
|
|
||||||
|
Thus vulnerable situations include:
|
||||||
|
|
||||||
|
- TLS clients consuming server certificates
|
||||||
|
- TLS servers consuming client certificates
|
||||||
|
- Hosting providers taking certificates or private keys from customers
|
||||||
|
- Certificate authorities parsing certification requests from subscribers
|
||||||
|
- Anything else which parses ASN.1 elliptic curve parameters
|
||||||
|
|
||||||
|
Also any other applications that use the BN_mod_sqrt() where the attacker
|
||||||
|
can control the parameter values are vulnerable to this DoS issue.
|
||||||
|
(CVE-2022-0778)
|
||||||
|
[Tomáš Mráz]
|
||||||
|
|
||||||
|
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
|
||||||
|
to the list of ciphersuites providing Perfect Forward Secrecy as
|
||||||
|
required by SECLEVEL >= 3.
|
||||||
|
|
||||||
|
[Dmitry Belyavskiy, Nicola Tuveri]
|
||||||
|
|
||||||
Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
|
Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
|
||||||
|
|
||||||
*) Avoid loading of a dynamic engine twice.
|
*) Avoid loading of a dynamic engine twice.
|
||||||
|
|||||||
@@ -3161,25 +3161,25 @@ sub resolve_config {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach (sort keys %all_keys) {
|
foreach my $key (sort keys %all_keys) {
|
||||||
my $previous = $combined_inheritance{$_};
|
my $previous = $combined_inheritance{$key};
|
||||||
|
|
||||||
# Current target doesn't have a value for the current key?
|
# Current target doesn't have a value for the current key?
|
||||||
# Assign it the default combiner, the rest of this loop body
|
# Assign it the default combiner, the rest of this loop body
|
||||||
# will handle it just like any other coderef.
|
# will handle it just like any other coderef.
|
||||||
if (!exists $table{$target}->{$_}) {
|
if (!exists $table{$target}->{$key}) {
|
||||||
$table{$target}->{$_} = $default_combiner;
|
$table{$target}->{$key} = $default_combiner;
|
||||||
}
|
}
|
||||||
|
|
||||||
$table{$target}->{$_} = process_values($table{$target}->{$_},
|
$table{$target}->{$key} = process_values($table{$target}->{$key},
|
||||||
$combined_inheritance{$_},
|
$combined_inheritance{$key},
|
||||||
$target, $_);
|
$target, $key);
|
||||||
unless(defined($table{$target}->{$_})) {
|
unless(defined($table{$target}->{$key})) {
|
||||||
delete $table{$target}->{$_};
|
delete $table{$target}->{$key};
|
||||||
}
|
}
|
||||||
# if ($extra_checks &&
|
# if ($extra_checks &&
|
||||||
# $previous && !($add_called || $previous ~~ $table{$target}->{$_})) {
|
# $previous && !($add_called || $previous ~~ $table{$target}->{$key})) {
|
||||||
# warn "$_ got replaced in $target\n";
|
# warn "$key got replaced in $target\n";
|
||||||
# }
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -5,6 +5,11 @@
|
|||||||
This file gives a brief overview of the major changes between each OpenSSL
|
This file gives a brief overview of the major changes between each OpenSSL
|
||||||
release. For more details please read the CHANGES file.
|
release. For more details please read the CHANGES file.
|
||||||
|
|
||||||
|
Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
|
||||||
|
|
||||||
|
o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
|
||||||
|
forever for non-prime moduli ([CVE-2022-0778])
|
||||||
|
|
||||||
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
|
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
|
||||||
|
|
||||||
o None
|
o None
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
OpenSSL 1.1.1m 14 Dec 2021
|
OpenSSL 1.1.1n 15 Mar 2022
|
||||||
|
|
||||||
Copyright (c) 1998-2021 The OpenSSL Project
|
Copyright (c) 1998-2021 The OpenSSL Project
|
||||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||||
|
|||||||
+7
-3
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
|
|||||||
int ui_flags = 0;
|
int ui_flags = 0;
|
||||||
const char *prompt_info = NULL;
|
const char *prompt_info = NULL;
|
||||||
char *prompt;
|
char *prompt;
|
||||||
|
int pw_min_len = PW_MIN_LENGTH;
|
||||||
|
|
||||||
if (cb_data != NULL && cb_data->prompt_info != NULL)
|
if (cb_data != NULL && cb_data->prompt_info != NULL)
|
||||||
prompt_info = cb_data->prompt_info;
|
prompt_info = cb_data->prompt_info;
|
||||||
|
if (cb_data != NULL && cb_data->password != NULL
|
||||||
|
&& *(const char*)cb_data->password != '\0')
|
||||||
|
pw_min_len = 1;
|
||||||
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
||||||
if (!prompt) {
|
if (!prompt) {
|
||||||
BIO_printf(bio_err, "Out of memory\n");
|
BIO_printf(bio_err, "Out of memory\n");
|
||||||
@@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
|
|||||||
(void)UI_add_user_data(ui, cb_data);
|
(void)UI_add_user_data(ui, cb_data);
|
||||||
|
|
||||||
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
|
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
|
||||||
PW_MIN_LENGTH, bufsiz - 1);
|
pw_min_len, bufsiz - 1);
|
||||||
|
|
||||||
if (ok >= 0 && verify) {
|
if (ok >= 0 && verify) {
|
||||||
buff = app_malloc(bufsiz, "password buffer");
|
buff = app_malloc(bufsiz, "password buffer");
|
||||||
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
|
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
|
||||||
PW_MIN_LENGTH, bufsiz - 1, buf);
|
pw_min_len, bufsiz - 1, buf);
|
||||||
}
|
}
|
||||||
if (ok >= 0)
|
if (ok >= 0)
|
||||||
do {
|
do {
|
||||||
|
|||||||
+2
-4
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -120,7 +120,6 @@ int main(int argc, char *argv[])
|
|||||||
{
|
{
|
||||||
FUNCTION f, *fp;
|
FUNCTION f, *fp;
|
||||||
LHASH_OF(FUNCTION) *prog = NULL;
|
LHASH_OF(FUNCTION) *prog = NULL;
|
||||||
char **copied_argv = NULL;
|
|
||||||
char *p, *pname;
|
char *p, *pname;
|
||||||
char buf[1024];
|
char buf[1024];
|
||||||
const char *prompt;
|
const char *prompt;
|
||||||
@@ -137,7 +136,7 @@ int main(int argc, char *argv[])
|
|||||||
bio_err = dup_bio_err(FORMAT_TEXT);
|
bio_err = dup_bio_err(FORMAT_TEXT);
|
||||||
|
|
||||||
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
||||||
copied_argv = argv = copy_argv(&argc, argv);
|
argv = copy_argv(&argc, argv);
|
||||||
#elif defined(_WIN32)
|
#elif defined(_WIN32)
|
||||||
/*
|
/*
|
||||||
* Replace argv[] with UTF-8 encoded strings.
|
* Replace argv[] with UTF-8 encoded strings.
|
||||||
@@ -258,7 +257,6 @@ int main(int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
ret = 1;
|
ret = 1;
|
||||||
end:
|
end:
|
||||||
OPENSSL_free(copied_argv);
|
|
||||||
OPENSSL_free(default_config_file);
|
OPENSSL_free(default_config_file);
|
||||||
lh_FUNCTION_free(prog);
|
lh_FUNCTION_free(prog);
|
||||||
OPENSSL_free(arg.argv);
|
OPENSSL_free(arg.argv);
|
||||||
|
|||||||
+5
-5
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -407,7 +407,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
|
|||||||
n >>= 1;
|
n >>= 1;
|
||||||
}
|
}
|
||||||
if (!EVP_DigestFinal_ex(md, buf, NULL))
|
if (!EVP_DigestFinal_ex(md, buf, NULL))
|
||||||
return NULL;
|
goto err;
|
||||||
|
|
||||||
for (i = 0; i < 1000; i++) {
|
for (i = 0; i < 1000; i++) {
|
||||||
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
|
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
|
||||||
@@ -633,7 +633,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
|
|||||||
n >>= 1;
|
n >>= 1;
|
||||||
}
|
}
|
||||||
if (!EVP_DigestFinal_ex(md, buf, NULL))
|
if (!EVP_DigestFinal_ex(md, buf, NULL))
|
||||||
return NULL;
|
goto err;
|
||||||
|
|
||||||
/* P sequence */
|
/* P sequence */
|
||||||
if (!EVP_DigestInit_ex(md2, sha, NULL))
|
if (!EVP_DigestInit_ex(md2, sha, NULL))
|
||||||
@@ -644,7 +644,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
|
|||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
|
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
|
||||||
return NULL;
|
goto err;
|
||||||
|
|
||||||
if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
|
if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
|
||||||
goto err;
|
goto err;
|
||||||
@@ -661,7 +661,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
|
|||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
|
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
|
||||||
return NULL;
|
goto err;
|
||||||
|
|
||||||
if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
|
if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
|
||||||
goto err;
|
goto err;
|
||||||
|
|||||||
@@ -938,6 +938,7 @@ int s_client_main(int argc, char **argv)
|
|||||||
struct timeval tv;
|
struct timeval tv;
|
||||||
#endif
|
#endif
|
||||||
const char *servername = NULL;
|
const char *servername = NULL;
|
||||||
|
char *sname_alloc = NULL;
|
||||||
int noservername = 0;
|
int noservername = 0;
|
||||||
const char *alpn_in = NULL;
|
const char *alpn_in = NULL;
|
||||||
tlsextctx tlsextcbp = { NULL, 0 };
|
tlsextctx tlsextcbp = { NULL, 0 };
|
||||||
@@ -1588,6 +1589,15 @@ int s_client_main(int argc, char **argv)
|
|||||||
"%s: -proxy argument malformed or ambiguous\n", prog);
|
"%s: -proxy argument malformed or ambiguous\n", prog);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
if (servername == NULL && !noservername) {
|
||||||
|
res = BIO_parse_hostserv(connectstr, &sname_alloc, NULL, BIO_PARSE_PRIO_HOST);
|
||||||
|
if (!res) {
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
"%s: -connect argument malformed or ambiguous\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
servername = sname_alloc;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
int res = 1;
|
int res = 1;
|
||||||
char *tmp_host = host, *tmp_port = port;
|
char *tmp_host = host, *tmp_port = port;
|
||||||
@@ -3149,6 +3159,7 @@ int s_client_main(int argc, char **argv)
|
|||||||
#ifndef OPENSSL_NO_SRP
|
#ifndef OPENSSL_NO_SRP
|
||||||
OPENSSL_free(srp_arg.srppassin);
|
OPENSSL_free(srp_arg.srppassin);
|
||||||
#endif
|
#endif
|
||||||
|
OPENSSL_free(sname_alloc);
|
||||||
OPENSSL_free(connectstr);
|
OPENSSL_free(connectstr);
|
||||||
OPENSSL_free(bindstr);
|
OPENSSL_free(bindstr);
|
||||||
OPENSSL_free(bindhost);
|
OPENSSL_free(bindhost);
|
||||||
|
|||||||
+2
-2
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -147,7 +147,7 @@ int init_client(int *sock, const char *host, const char *port,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
|
if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
|
||||||
protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
|
BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
|
||||||
BIO_closesocket(*sock);
|
BIO_closesocket(*sock);
|
||||||
*sock = INVALID_SOCKET;
|
*sock = INVALID_SOCKET;
|
||||||
continue;
|
continue;
|
||||||
|
|||||||
@@ -704,6 +704,7 @@ case "$GUESSOS" in
|
|||||||
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;;
|
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;;
|
||||||
powerpc64-*-*bsd*) OUT="BSD-generic64";
|
powerpc64-*-*bsd*) OUT="BSD-generic64";
|
||||||
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
|
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
|
||||||
|
riscv64-*-*bsd*) OUT="BSD-riscv64" ;;
|
||||||
sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
|
sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
|
||||||
ia64-*-*bsd*) OUT="BSD-ia64" ;;
|
ia64-*-*bsd*) OUT="BSD-ia64" ;;
|
||||||
x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;
|
x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* WARNING: do not edit!
|
* WARNING: do not edit!
|
||||||
* Generated by crypto/asn1/charmap.pl
|
* Generated by crypto/asn1/charmap.pl
|
||||||
*
|
*
|
||||||
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
+2
-2
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -744,7 +744,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
|||||||
# pragma pointer_size 32
|
# pragma pointer_size 32
|
||||||
#endif
|
#endif
|
||||||
/* Windows doesn't seem to have in_addr_t */
|
/* Windows doesn't seem to have in_addr_t */
|
||||||
#ifdef OPENSSL_SYS_WINDOWS
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
||||||
static uint32_t he_fallback_address;
|
static uint32_t he_fallback_address;
|
||||||
static const char *he_fallback_addresses[] =
|
static const char *he_fallback_addresses[] =
|
||||||
{ (char *)&he_fallback_address, NULL };
|
{ (char *)&he_fallback_address, NULL };
|
||||||
|
|||||||
+2
-2
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -32,7 +32,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
|
|||||||
bn_check_top(p2);
|
bn_check_top(p2);
|
||||||
bn_check_top(m);
|
bn_check_top(m);
|
||||||
|
|
||||||
if (!(m->d[0] & 1)) {
|
if (!BN_is_odd(m)) {
|
||||||
BNerr(BN_F_BN_MOD_EXP2_MONT, BN_R_CALLED_WITH_EVEN_MODULUS);
|
BNerr(BN_F_BN_MOD_EXP2_MONT, BN_R_CALLED_WITH_EVEN_MODULUS);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* WARNING: do not edit!
|
* WARNING: do not edit!
|
||||||
* Generated by crypto/bn/bn_prime.pl
|
* Generated by crypto/bn/bn_prime.pl
|
||||||
*
|
*
|
||||||
* Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -142,7 +142,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
|
|||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (i == 0 || i > INT_MAX / 4)
|
if (i == 0 || i > INT_MAX / 4)
|
||||||
goto err;
|
return 0;
|
||||||
|
|
||||||
num = i + neg;
|
num = i + neg;
|
||||||
if (bn == NULL)
|
if (bn == NULL)
|
||||||
|
|||||||
+15
-9
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
|||||||
/*
|
/*
|
||||||
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
||||||
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
||||||
* Theory", algorithm 1.5.1). 'p' must be prime!
|
* Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
|
||||||
|
* an incorrect "result" will be returned.
|
||||||
*/
|
*/
|
||||||
{
|
{
|
||||||
BIGNUM *ret = in;
|
BIGNUM *ret = in;
|
||||||
@@ -301,17 +302,22 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
|||||||
goto vrfy;
|
goto vrfy;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* find smallest i such that b^(2^i) = 1 */
|
/* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
|
||||||
i = 1;
|
for (i = 1; i < e; i++) {
|
||||||
|
if (i == 1) {
|
||||||
if (!BN_mod_sqr(t, b, p, ctx))
|
if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
goto end;
|
goto end;
|
||||||
while (!BN_is_one(t)) {
|
|
||||||
i++;
|
} else {
|
||||||
if (i == e) {
|
if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if (!BN_mod_mul(t, t, t, p, ctx))
|
if (BN_is_one(t))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
/* If not found, a is not a square or p is not prime. */
|
||||||
|
if (i >= e) {
|
||||||
|
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* WARNING: do not edit!
|
* WARNING: do not edit!
|
||||||
* Generated by crypto/conf/keysets.pl
|
* Generated by crypto/conf/keysets.pl
|
||||||
*
|
*
|
||||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
* in the file LICENSE in the source distribution or at
|
* in the file LICENSE in the source distribution or at
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -12,9 +12,6 @@
|
|||||||
|
|
||||||
void ENGINE_load_builtin_engines(void)
|
void ENGINE_load_builtin_engines(void)
|
||||||
{
|
{
|
||||||
/* Some ENGINEs need this */
|
|
||||||
OPENSSL_cpuid_setup();
|
|
||||||
|
|
||||||
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
|
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
+11
-2
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -443,8 +443,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
|
|||||||
* We fail if the version checker veto'd the load *or* if it is
|
* We fail if the version checker veto'd the load *or* if it is
|
||||||
* deferring to us (by returning its version) and we think it is too
|
* deferring to us (by returning its version) and we think it is too
|
||||||
* old.
|
* old.
|
||||||
|
* Unfortunately the version checker does not distinguish between
|
||||||
|
* engines built for openssl 1.1.x and openssl 3.x, but loading
|
||||||
|
* an engine that is built for openssl 3.x will cause a fatal
|
||||||
|
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
|
||||||
|
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
|
||||||
|
* in openssl 1.1.x. Therefore we take the presence of that symbol
|
||||||
|
* as an indication that the engine will be incompatible.
|
||||||
*/
|
*/
|
||||||
if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
|
if (vcheck_res < OSSL_DYNAMIC_OLDEST
|
||||||
|
|| DSO_bind_func(ctx->dynamic_dso,
|
||||||
|
"EVP_PKEY_get_base_id") != NULL) {
|
||||||
/* Fail */
|
/* Fail */
|
||||||
ctx->bind_engine = NULL;
|
ctx->bind_engine = NULL;
|
||||||
ctx->v_check = NULL;
|
ctx->v_check = NULL;
|
||||||
|
|||||||
+22
-12
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -15,6 +15,22 @@
|
|||||||
#include "crypto/evp.h"
|
#include "crypto/evp.h"
|
||||||
#include "evp_local.h"
|
#include "evp_local.h"
|
||||||
|
|
||||||
|
|
||||||
|
static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
|
||||||
|
{
|
||||||
|
if (ctx->digest != NULL) {
|
||||||
|
if (ctx->digest->cleanup != NULL
|
||||||
|
&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
|
||||||
|
ctx->digest->cleanup(ctx);
|
||||||
|
if (ctx->md_data != NULL && ctx->digest->ctx_size > 0
|
||||||
|
&& (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)
|
||||||
|
|| force)) {
|
||||||
|
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
|
||||||
|
ctx->md_data = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* This call frees resources associated with the context */
|
/* This call frees resources associated with the context */
|
||||||
int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
|
int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
|
||||||
{
|
{
|
||||||
@@ -25,13 +41,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
|
|||||||
* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
|
* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
|
||||||
* sometimes only copies of the context are ever finalised.
|
* sometimes only copies of the context are ever finalised.
|
||||||
*/
|
*/
|
||||||
if (ctx->digest && ctx->digest->cleanup
|
cleanup_old_md_data(ctx, 0);
|
||||||
&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
|
|
||||||
ctx->digest->cleanup(ctx);
|
|
||||||
if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
|
|
||||||
&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
|
|
||||||
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
|
|
||||||
}
|
|
||||||
/*
|
/*
|
||||||
* pctx should be freed by the user of EVP_MD_CTX
|
* pctx should be freed by the user of EVP_MD_CTX
|
||||||
* if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
|
* if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
|
||||||
@@ -76,6 +87,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
|
|||||||
if (ctx->engine && ctx->digest &&
|
if (ctx->engine && ctx->digest &&
|
||||||
(type == NULL || (type->type == ctx->digest->type)))
|
(type == NULL || (type->type == ctx->digest->type)))
|
||||||
goto skip_to_init;
|
goto skip_to_init;
|
||||||
|
|
||||||
if (type) {
|
if (type) {
|
||||||
/*
|
/*
|
||||||
* Ensure an ENGINE left lying around from last time is cleared (the
|
* Ensure an ENGINE left lying around from last time is cleared (the
|
||||||
@@ -119,10 +131,8 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (ctx->digest != type) {
|
if (ctx->digest != type) {
|
||||||
if (ctx->digest && ctx->digest->ctx_size) {
|
cleanup_old_md_data(ctx, 1);
|
||||||
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
|
|
||||||
ctx->md_data = NULL;
|
|
||||||
}
|
|
||||||
ctx->digest = type;
|
ctx->digest = type;
|
||||||
if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
|
if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
|
||||||
ctx->update = type->update;
|
ctx->update = type->update;
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -343,7 +343,8 @@ unsigned long OPENSSL_LH_strhash(const char *c)
|
|||||||
v = n | (*c);
|
v = n | (*c);
|
||||||
n += 0x100;
|
n += 0x100;
|
||||||
r = (int)((v >> 2) ^ v) & 0x0f;
|
r = (int)((v >> 2) ^ v) & 0x0f;
|
||||||
ret = (ret << r) | (ret >> (32 - r));
|
/* cast to uint64_t to avoid 32 bit shift of 32 bit value */
|
||||||
|
ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
|
||||||
ret &= 0xFFFFFFFFL;
|
ret &= 0xFFFFFFFFL;
|
||||||
ret ^= v * v;
|
ret ^= v * v;
|
||||||
c++;
|
c++;
|
||||||
@@ -364,7 +365,8 @@ unsigned long openssl_lh_strcasehash(const char *c)
|
|||||||
for (n = 0x100; *c != '\0'; n += 0x100) {
|
for (n = 0x100; *c != '\0'; n += 0x100) {
|
||||||
v = n | ossl_tolower(*c);
|
v = n | ossl_tolower(*c);
|
||||||
r = (int)((v >> 2) ^ v) & 0x0f;
|
r = (int)((v >> 2) ^ v) & 0x0f;
|
||||||
ret = (ret << r) | (ret >> (32 - r));
|
/* cast to uint64_t to avoid 32 bit shift of 32 bit value */
|
||||||
|
ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
|
||||||
ret &= 0xFFFFFFFFL;
|
ret &= 0xFFFFFFFFL;
|
||||||
ret ^= v * v;
|
ret ^= v * v;
|
||||||
c++;
|
c++;
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -228,9 +228,10 @@ ASN1_OBJECT *OBJ_nid2obj(int n)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
return (ASN1_OBJECT *)&(nid_objs[n]);
|
return (ASN1_OBJECT *)&(nid_objs[n]);
|
||||||
} else if (added == NULL)
|
} else if (added == NULL) {
|
||||||
|
OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID);
|
||||||
return NULL;
|
return NULL;
|
||||||
else {
|
} else {
|
||||||
ad.type = ADDED_NID;
|
ad.type = ADDED_NID;
|
||||||
ad.obj = &ob;
|
ad.obj = &ob;
|
||||||
ob.nid = n;
|
ob.nid = n;
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* WARNING: do not edit!
|
* WARNING: do not edit!
|
||||||
* Generated by crypto/objects/obj_dat.pl
|
* Generated by crypto/objects/obj_dat.pl
|
||||||
*
|
*
|
||||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
* in the file LICENSE in the source distribution or at
|
* in the file LICENSE in the source distribution or at
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* WARNING: do not edit!
|
* WARNING: do not edit!
|
||||||
* Generated by objxref.pl
|
* Generated by objxref.pl
|
||||||
*
|
*
|
||||||
* Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -572,6 +572,8 @@ static int echo_console(UI *ui)
|
|||||||
|
|
||||||
static int close_console(UI *ui)
|
static int close_console(UI *ui)
|
||||||
{
|
{
|
||||||
|
int ret = 1;
|
||||||
|
|
||||||
if (tty_in != stdin)
|
if (tty_in != stdin)
|
||||||
fclose(tty_in);
|
fclose(tty_in);
|
||||||
if (tty_out != stderr)
|
if (tty_out != stderr)
|
||||||
@@ -584,12 +586,12 @@ static int close_console(UI *ui)
|
|||||||
BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
|
BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
|
||||||
UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
|
UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
|
||||||
ERR_add_error_data(2, "status=", tmp_num);
|
ERR_add_error_data(2, "status=", tmp_num);
|
||||||
return 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
CRYPTO_THREAD_unlock(ui->lock);
|
CRYPTO_THREAD_unlock(ui->lock);
|
||||||
|
|
||||||
return 1;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
# if !defined(OPENSSL_SYS_WINCE)
|
# if !defined(OPENSSL_SYS_WINCE)
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -2201,6 +2201,12 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
|||||||
/* If purpose not set use default */
|
/* If purpose not set use default */
|
||||||
if (!purpose)
|
if (!purpose)
|
||||||
purpose = def_purpose;
|
purpose = def_purpose;
|
||||||
|
/*
|
||||||
|
* If purpose is set but we don't have a default then set the default to
|
||||||
|
* the current purpose
|
||||||
|
*/
|
||||||
|
else if (def_purpose == 0)
|
||||||
|
def_purpose = purpose;
|
||||||
/* If we have a purpose then check it is valid */
|
/* If we have a purpose then check it is valid */
|
||||||
if (purpose) {
|
if (purpose) {
|
||||||
X509_PURPOSE *ptmp;
|
X509_PURPOSE *ptmp;
|
||||||
@@ -2213,11 +2219,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
|||||||
ptmp = X509_PURPOSE_get0(idx);
|
ptmp = X509_PURPOSE_get0(idx);
|
||||||
if (ptmp->trust == X509_TRUST_DEFAULT) {
|
if (ptmp->trust == X509_TRUST_DEFAULT) {
|
||||||
idx = X509_PURPOSE_get_by_id(def_purpose);
|
idx = X509_PURPOSE_get_by_id(def_purpose);
|
||||||
/*
|
|
||||||
* XXX: In the two callers above def_purpose is always 0, which is
|
|
||||||
* not a known value, so idx will always be -1. How is the
|
|
||||||
* X509_TRUST_DEFAULT case actually supposed to be handled?
|
|
||||||
*/
|
|
||||||
if (idx == -1) {
|
if (idx == -1) {
|
||||||
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
|
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
|
||||||
X509_R_UNKNOWN_PURPOSE_ID);
|
X509_R_UNKNOWN_PURPOSE_ID);
|
||||||
|
|||||||
+15
-4
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -538,8 +538,11 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
emtmp = OPENSSL_strndup((char *)email->data, email->length);
|
emtmp = OPENSSL_strndup((char *)email->data, email->length);
|
||||||
if (emtmp == NULL)
|
if (emtmp == NULL) {
|
||||||
|
X509_email_free(*sk);
|
||||||
|
*sk = NULL;
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Don't add duplicates */
|
/* Don't add duplicates */
|
||||||
if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
|
if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
|
||||||
@@ -828,8 +831,11 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
|
|||||||
rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
|
rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
|
||||||
else if (a->length == (int)blen && !memcmp(a->data, b, blen))
|
else if (a->length == (int)blen && !memcmp(a->data, b, blen))
|
||||||
rv = 1;
|
rv = 1;
|
||||||
if (rv > 0 && peername)
|
if (rv > 0 && peername != NULL) {
|
||||||
*peername = OPENSSL_strndup((char *)a->data, a->length);
|
*peername = OPENSSL_strndup((char *)a->data, a->length);
|
||||||
|
if (*peername == NULL)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
int astrlen;
|
int astrlen;
|
||||||
unsigned char *astr;
|
unsigned char *astr;
|
||||||
@@ -842,8 +848,13 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
|
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
|
||||||
if (rv > 0 && peername)
|
if (rv > 0 && peername != NULL) {
|
||||||
*peername = OPENSSL_strndup((char *)astr, astrlen);
|
*peername = OPENSSL_strndup((char *)astr, astrlen);
|
||||||
|
if (*peername == NULL) {
|
||||||
|
OPENSSL_free(astr);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
OPENSSL_free(astr);
|
OPENSSL_free(astr);
|
||||||
}
|
}
|
||||||
return rv;
|
return rv;
|
||||||
|
|||||||
+4
-1
@@ -719,6 +719,9 @@ the list of permitted ciphers in a database and only use those.
|
|||||||
|
|
||||||
No revocation checking is done on the signer's certificate.
|
No revocation checking is done on the signer's certificate.
|
||||||
|
|
||||||
|
The B<-binary> option does not work correctly when processing text input which
|
||||||
|
(contrary to the S/MIME specification) uses LF rather than CRLF line endings.
|
||||||
|
|
||||||
=head1 HISTORY
|
=head1 HISTORY
|
||||||
|
|
||||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
The use of multiple B<-signer> options and the B<-resign> command were first
|
||||||
@@ -735,7 +738,7 @@ The -no_alt_chains option was added in OpenSSL 1.0.2b.
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -16,7 +16,7 @@ BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb
|
|||||||
|
|
||||||
long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
|
long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
|
||||||
long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
|
long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
|
||||||
char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
|
void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
|
||||||
long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
|
long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
|
||||||
|
|
||||||
int BIO_reset(BIO *b);
|
int BIO_reset(BIO *b);
|
||||||
@@ -126,7 +126,7 @@ the case of BIO_seek() on a file BIO for a successful operation.
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -21,13 +21,26 @@ any data read through it.
|
|||||||
|
|
||||||
Base64 BIOs do not support BIO_gets() or BIO_puts().
|
Base64 BIOs do not support BIO_gets() or BIO_puts().
|
||||||
|
|
||||||
|
For writing, output is by default divided to lines of length 64
|
||||||
|
characters and there is always a newline at the end of output.
|
||||||
|
|
||||||
|
For reading, first line should be at most 1024
|
||||||
|
characters long. If it is longer then it is ignored completely.
|
||||||
|
Other input lines can be of any length. There must be a newline
|
||||||
|
at the end of input.
|
||||||
|
|
||||||
|
This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
|
||||||
|
|
||||||
BIO_flush() on a base64 BIO that is being written through is
|
BIO_flush() on a base64 BIO that is being written through is
|
||||||
used to signal that no more data is to be encoded: this is used
|
used to signal that no more data is to be encoded: this is used
|
||||||
to flush the final block through the BIO.
|
to flush the final block through the BIO.
|
||||||
|
|
||||||
The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags()
|
The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
|
||||||
to encode the data all on one line or expect the data to be all
|
For writing, it causes all data to be written on one line without
|
||||||
on one line.
|
newline at the end.
|
||||||
|
For reading, it forces the decoder to process the data regardless
|
||||||
|
of newlines. All newlines are ignored and the input does not need
|
||||||
|
to contain any newline at all.
|
||||||
|
|
||||||
=head1 NOTES
|
=head1 NOTES
|
||||||
|
|
||||||
@@ -81,7 +94,7 @@ to reliably determine EOF (for example a MIME boundary).
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
+14
-3
@@ -3,7 +3,7 @@
|
|||||||
=head1 NAME
|
=head1 NAME
|
||||||
|
|
||||||
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
||||||
BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
|
BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
arithmetic operations on BIGNUMs
|
arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
=head1 SYNOPSIS
|
=head1 SYNOPSIS
|
||||||
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
|
|||||||
|
|
||||||
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
||||||
|
|
||||||
|
BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
|
||||||
|
|
||||||
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
||||||
|
|
||||||
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
||||||
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
|
|||||||
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
||||||
result in I<r>.
|
result in I<r>.
|
||||||
|
|
||||||
|
BN_mod_sqrt() returns the modular square root of I<a> such that
|
||||||
|
C<in^2 = a (mod p)>. The modulus I<p> must be a
|
||||||
|
prime, otherwise an error or an incorrect "result" will be returned.
|
||||||
|
The result is stored into I<in> which can be NULL. The result will be
|
||||||
|
newly allocated in that case.
|
||||||
|
|
||||||
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||||
(C<r=a^p>). This function is faster than repeated applications of
|
(C<r=a^p>). This function is faster than repeated applications of
|
||||||
BN_mul().
|
BN_mul().
|
||||||
@@ -108,7 +116,10 @@ the arguments.
|
|||||||
|
|
||||||
=head1 RETURN VALUES
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
For all functions, 1 is returned for success, 0 on error. The return
|
The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
|
||||||
|
not a prime), or NULL.
|
||||||
|
|
||||||
|
For all remaining functions, 1 is returned for success, 0 on error. The return
|
||||||
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
||||||
The error codes can be obtained by L<ERR_get_error(3)>.
|
The error codes can be obtained by L<ERR_get_error(3)>.
|
||||||
|
|
||||||
@@ -119,7 +130,7 @@ L<BN_add_word(3)>, L<BN_set_bit(3)>
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -238,7 +238,8 @@ sk_TYPE_pop(), sk_TYPE_shift(), sk_TYPE_delete() and sk_TYPE_delete_ptr()
|
|||||||
return a pointer to the deleted element or B<NULL> on error.
|
return a pointer to the deleted element or B<NULL> on error.
|
||||||
|
|
||||||
sk_TYPE_insert(), sk_TYPE_push() and sk_TYPE_unshift() return the total
|
sk_TYPE_insert(), sk_TYPE_push() and sk_TYPE_unshift() return the total
|
||||||
number of elements in the stack and 0 if an error occurred.
|
number of elements in the stack and 0 if an error occurred. sk_TYPE_push()
|
||||||
|
further returns -1 if B<sk> is B<NULL>.
|
||||||
|
|
||||||
sk_TYPE_set() returns a pointer to the replacement element or B<NULL> on
|
sk_TYPE_set() returns a pointer to the replacement element or B<NULL> on
|
||||||
error.
|
error.
|
||||||
|
|||||||
+17
-17
@@ -68,13 +68,15 @@ If I<no_name> is 0 then long names and short names will be interpreted
|
|||||||
as well as numerical forms. If I<no_name> is 1 only the numerical form
|
as well as numerical forms. If I<no_name> is 1 only the numerical form
|
||||||
is acceptable.
|
is acceptable.
|
||||||
|
|
||||||
OBJ_obj2txt() converts the B<ASN1_OBJECT> B<a> into a textual representation.
|
OBJ_obj2txt() converts the B<ASN1_OBJECT> I<a> into a textual representation.
|
||||||
The representation is written as a null terminated string to B<buf>
|
Unless I<buf> is NULL,
|
||||||
at most B<buf_len> bytes are written, truncating the result if necessary.
|
the representation is written as a NUL-terminated string to I<buf>, where
|
||||||
The total amount of space required is returned. If B<no_name> is 0 then
|
at most I<buf_len> bytes are written, truncating the result if necessary.
|
||||||
if the object has a long or short name then that will be used, otherwise
|
In any case it returns the total string length, excluding the NUL character,
|
||||||
the numerical form will be used. If B<no_name> is 1 then the numerical
|
required for non-truncated representation, or -1 on error.
|
||||||
form will always be used.
|
If I<no_name> is 0 then if the object has a long or short name
|
||||||
|
then that will be used, otherwise the numerical form will be used.
|
||||||
|
If I<no_name> is 1 then the numerical form will always be used.
|
||||||
|
|
||||||
i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I<no_name> set to zero.
|
i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I<no_name> set to zero.
|
||||||
|
|
||||||
@@ -141,6 +143,13 @@ on error.
|
|||||||
OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
|
OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
|
||||||
a NID or B<NID_undef> on error.
|
a NID or B<NID_undef> on error.
|
||||||
|
|
||||||
|
OBJ_add_sigid() returns 1 on success or 0 on error.
|
||||||
|
|
||||||
|
i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error.
|
||||||
|
On success, they return the length of the string written to I<buf> if I<buf> is
|
||||||
|
not NULL and I<buf_len> is big enough, otherwise the total string length.
|
||||||
|
Note that this does not count the trailing NUL character.
|
||||||
|
|
||||||
=head1 EXAMPLES
|
=head1 EXAMPLES
|
||||||
|
|
||||||
Create an object for B<commonName>:
|
Create an object for B<commonName>:
|
||||||
@@ -161,15 +170,6 @@ Create a new object directly:
|
|||||||
|
|
||||||
obj = OBJ_txt2obj("1.2.3.4", 1);
|
obj = OBJ_txt2obj("1.2.3.4", 1);
|
||||||
|
|
||||||
=head1 BUGS
|
|
||||||
|
|
||||||
OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
|
|
||||||
convention of other OpenSSL functions where the buffer can be set
|
|
||||||
to B<NULL> to determine the amount of data that should be written.
|
|
||||||
Instead B<buf> must point to a valid buffer and B<buf_len> should
|
|
||||||
be set to a positive value. A buffer length of 80 should be more
|
|
||||||
than enough to handle any OID encountered in practice.
|
|
||||||
|
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
L<ERR_get_error(3)>
|
L<ERR_get_error(3)>
|
||||||
@@ -181,7 +181,7 @@ and should not be used.
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -434,7 +434,7 @@ B<SessionTicket>: session ticket support, enabled by default. Inverse of
|
|||||||
B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
|
B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
|
||||||
B<SSL_OP_NO_TICKET>.
|
B<SSL_OP_NO_TICKET>.
|
||||||
|
|
||||||
B<Compression>: SSL/TLS compression support, enabled by default. Inverse
|
B<Compression>: SSL/TLS compression support, disabled by default. Inverse
|
||||||
of B<SSL_OP_NO_COMPRESSION>.
|
of B<SSL_OP_NO_COMPRESSION>.
|
||||||
|
|
||||||
B<EmptyFragments>: use empty fragments as a countermeasure against a
|
B<EmptyFragments>: use empty fragments as a countermeasure against a
|
||||||
@@ -694,7 +694,7 @@ B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1.
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -11,7 +11,10 @@ X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
|
|||||||
X509_STORE_CTX_get_num_untrusted,
|
X509_STORE_CTX_get_num_untrusted,
|
||||||
X509_STORE_CTX_set_default,
|
X509_STORE_CTX_set_default,
|
||||||
X509_STORE_CTX_set_verify,
|
X509_STORE_CTX_set_verify,
|
||||||
X509_STORE_CTX_verify_fn
|
X509_STORE_CTX_verify_fn,
|
||||||
|
X509_STORE_CTX_set_purpose,
|
||||||
|
X509_STORE_CTX_set_trust,
|
||||||
|
X509_STORE_CTX_purpose_inherit
|
||||||
- X509_STORE_CTX initialisation
|
- X509_STORE_CTX initialisation
|
||||||
|
|
||||||
=head1 SYNOPSIS
|
=head1 SYNOPSIS
|
||||||
@@ -44,6 +47,11 @@ X509_STORE_CTX_verify_fn
|
|||||||
typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
|
typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
|
||||||
void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
|
void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
|
||||||
|
|
||||||
|
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
|
||||||
|
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
|
||||||
|
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
||||||
|
int purpose, int trust);
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
These functions initialise an B<X509_STORE_CTX> structure for subsequent use
|
These functions initialise an B<X509_STORE_CTX> structure for subsequent use
|
||||||
@@ -120,6 +128,65 @@ following signature:
|
|||||||
This function should receive the current X509_STORE_CTX as a parameter and
|
This function should receive the current X509_STORE_CTX as a parameter and
|
||||||
return 1 on success or 0 on failure.
|
return 1 on success or 0 on failure.
|
||||||
|
|
||||||
|
X509 certificates may contain information about what purposes keys contained
|
||||||
|
within them can be used for. For example "TLS WWW Server Authentication" or
|
||||||
|
"Email Protection". This "key usage" information is held internally to the
|
||||||
|
certificate itself. In addition the trust store containing trusted certificates
|
||||||
|
can declare what purposes we trust different certificates for. This "trust"
|
||||||
|
information is not held within the certificate itself but is "meta" information
|
||||||
|
held alongside it. This "meta" information is associated with the certificate
|
||||||
|
after it is issued and could be determined by a system administrator. For
|
||||||
|
example a certificate might declare that it is suitable for use for both
|
||||||
|
"TLS WWW Server Authentication" and "TLS Client Authentication", but a system
|
||||||
|
administrator might only trust it for the former. An X.509 certificate extension
|
||||||
|
exists that can record extended key usage information to supplement the purpose
|
||||||
|
information described above. This extended mechanism is arbitrarily extensible
|
||||||
|
and not well suited for a generic library API; applications that need to
|
||||||
|
validate extended key usage information in certifiates will need to define a
|
||||||
|
custom "purpose" (see below) or supply a nondefault verification callback
|
||||||
|
(L<X509_STORE_set_verify_cb_func(3)>).
|
||||||
|
|
||||||
|
X509_STORE_CTX_set_purpose() sets the purpose for the target certificate being
|
||||||
|
verified in the I<ctx>. Built-in available values for the I<purpose> argument
|
||||||
|
are B<X509_PURPOSE_SSL_CLIENT>, B<X509_PURPOSE_SSL_SERVER>,
|
||||||
|
B<X509_PURPOSE_NS_SSL_SERVER>, B<X509_PURPOSE_SMIME_SIGN>,
|
||||||
|
B<X509_PURPOSE_SMIME_ENCRYPT>, B<X509_PURPOSE_CRL_SIGN>, B<X509_PURPOSE_ANY>,
|
||||||
|
B<X509_PURPOSE_OCSP_HELPER> and B<X509_PURPOSE_TIMESTAMP_SIGN>. It is also
|
||||||
|
possible to create a custom purpose value. Setting a purpose will ensure that
|
||||||
|
the key usage declared within certificates in the chain being verified is
|
||||||
|
consistent with that purpose as well as, potentially, other checks. Every
|
||||||
|
purpose also has an associated default trust value which will also be set at the
|
||||||
|
same time. During verification this trust setting will be verified to check it
|
||||||
|
is consistent with the trust set by the system administrator for certificates in
|
||||||
|
the chain.
|
||||||
|
|
||||||
|
X509_STORE_CTX_set_trust() sets the trust value for the target certificate
|
||||||
|
being verified in the I<ctx>. Built-in available values for the I<trust>
|
||||||
|
argument are B<X509_TRUST_COMPAT>, B<X509_TRUST_SSL_CLIENT>,
|
||||||
|
B<X509_TRUST_SSL_SERVER>, B<X509_TRUST_EMAIL>, B<X509_TRUST_OBJECT_SIGN>,
|
||||||
|
B<X509_TRUST_OCSP_SIGN>, B<X509_TRUST_OCSP_REQUEST> and B<X509_TRUST_TSA>. It is
|
||||||
|
also possible to create a custom trust value. Since X509_STORE_CTX_set_purpose()
|
||||||
|
also sets the trust value it is normally sufficient to only call that function.
|
||||||
|
If both are called then X509_STORE_CTX_set_trust() should be called after
|
||||||
|
X509_STORE_CTX_set_purpose() since the trust setting of the last call will be
|
||||||
|
used.
|
||||||
|
|
||||||
|
It should not normally be necessary for end user applications to call
|
||||||
|
X509_STORE_CTX_purpose_inherit() directly. Typically applications should call
|
||||||
|
X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this
|
||||||
|
function it is possible to set the purpose and trust values for the I<ctx> at
|
||||||
|
the same time. The I<def_purpose> and I<purpose> arguments can have the same
|
||||||
|
purpose values as described for X509_STORE_CTX_set_purpose() above. The I<trust>
|
||||||
|
argument can have the same trust values as described in
|
||||||
|
X509_STORE_CTX_set_trust() above. Any of the I<def_purpose>, I<purpose> or
|
||||||
|
I<trust> values may also have the value 0 to indicate that the supplied
|
||||||
|
parameter should be ignored. After calling this function the purpose to be used
|
||||||
|
for verification is set from the I<purpose> argument, and the trust is set from
|
||||||
|
the I<trust> argument. If I<trust> is 0 then the trust value will be set from
|
||||||
|
the default trust value for I<purpose>. If the default trust value for the
|
||||||
|
purpose is I<X509_TRUST_DEFAULT> and I<trust> is 0 then the default trust value
|
||||||
|
associated with the I<def_purpose> value is used for the trust setting instead.
|
||||||
|
|
||||||
=head1 NOTES
|
=head1 NOTES
|
||||||
|
|
||||||
The certificates and CRLs in a store are used internally and should B<not>
|
The certificates and CRLs in a store are used internally and should B<not>
|
||||||
@@ -164,7 +231,7 @@ The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0.
|
|||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
|
Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
|
||||||
Licensed under the OpenSSL license (the "License"). You may not use
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
this file except in compliance with the License. You can obtain a copy
|
this file except in compliance with the License. You can obtain a copy
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@@ -30,6 +30,8 @@
|
|||||||
# include <sys/un.h>
|
# include <sys/un.h>
|
||||||
# include <tcp.h>
|
# include <tcp.h>
|
||||||
# include <netdb.h>
|
# include <netdb.h>
|
||||||
|
# include <arpa/inet.h>
|
||||||
|
# include <netinet/tcp.h>
|
||||||
# elif defined(_WIN32_WCE) && _WIN32_WCE<410
|
# elif defined(_WIN32_WCE) && _WIN32_WCE<410
|
||||||
# define getservbyname _masked_declaration_getservbyname
|
# define getservbyname _masked_declaration_getservbyname
|
||||||
# endif
|
# endif
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
@@ -722,6 +722,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id,
|
|||||||
CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \
|
CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \
|
||||||
fns->mem_fns.realloc_fn, \
|
fns->mem_fns.realloc_fn, \
|
||||||
fns->mem_fns.free_fn); \
|
fns->mem_fns.free_fn); \
|
||||||
|
OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \
|
||||||
skip_cbs: \
|
skip_cbs: \
|
||||||
if (!fn(e, id)) return 0; \
|
if (!fn(e, id)) return 0; \
|
||||||
return 1; }
|
return 1; }
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* WARNING: do not edit!
|
* WARNING: do not edit!
|
||||||
* Generated by crypto/objects/objects.pl
|
* Generated by crypto/objects/objects.pl
|
||||||
*
|
*
|
||||||
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
* in the file LICENSE in the source distribution or at
|
* in the file LICENSE in the source distribution or at
|
||||||
|
|||||||
@@ -39,8 +39,8 @@ extern "C" {
|
|||||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||||
* major minor fix final patch/beta)
|
* major minor fix final patch/beta)
|
||||||
*/
|
*/
|
||||||
# define OPENSSL_VERSION_NUMBER 0x101010dfL
|
# define OPENSSL_VERSION_NUMBER 0x101010efL
|
||||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1m 14 Dec 2021"
|
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n 15 Mar 2022"
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||||
|
|||||||
+7
-7
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||||
* Copyright 2005 Nokia. All rights reserved.
|
* Copyright 2005 Nokia. All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -2171,7 +2171,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|||||||
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
SSL_kEDH,
|
SSL_kDHE,
|
||||||
SSL_aDSS,
|
SSL_aDSS,
|
||||||
SSL_CAMELLIA128,
|
SSL_CAMELLIA128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
@@ -2187,7 +2187,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|||||||
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
SSL_kEDH,
|
SSL_kDHE,
|
||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_CAMELLIA128,
|
SSL_CAMELLIA128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
@@ -2203,7 +2203,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|||||||
TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
|
TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
SSL_kEDH,
|
SSL_kDHE,
|
||||||
SSL_aNULL,
|
SSL_aNULL,
|
||||||
SSL_CAMELLIA128,
|
SSL_CAMELLIA128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
@@ -2235,7 +2235,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|||||||
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
SSL_kEDH,
|
SSL_kDHE,
|
||||||
SSL_aDSS,
|
SSL_aDSS,
|
||||||
SSL_CAMELLIA256,
|
SSL_CAMELLIA256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
@@ -2251,7 +2251,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|||||||
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
SSL_kEDH,
|
SSL_kDHE,
|
||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_CAMELLIA256,
|
SSL_CAMELLIA256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
@@ -2267,7 +2267,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|||||||
TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
|
TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
SSL_kEDH,
|
SSL_kDHE,
|
||||||
SSL_aNULL,
|
SSL_aNULL,
|
||||||
SSL_CAMELLIA256,
|
SSL_CAMELLIA256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
|
|||||||
+4
-3
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
@@ -901,7 +901,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
|||||||
int op, int bits, int nid, void *other,
|
int op, int bits, int nid, void *other,
|
||||||
void *ex)
|
void *ex)
|
||||||
{
|
{
|
||||||
int level, minbits;
|
int level, minbits, pfs_mask;
|
||||||
|
|
||||||
minbits = ssl_get_security_level_bits(s, ctx, &level);
|
minbits = ssl_get_security_level_bits(s, ctx, &level);
|
||||||
|
|
||||||
@@ -936,8 +936,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
|||||||
if (level >= 2 && c->algorithm_enc == SSL_RC4)
|
if (level >= 2 && c->algorithm_enc == SSL_RC4)
|
||||||
return 0;
|
return 0;
|
||||||
/* Level 3: forward secure ciphersuites only */
|
/* Level 3: forward secure ciphersuites only */
|
||||||
|
pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
|
||||||
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
|
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
|
||||||
!(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
|
!(c->algorithm_mkey & pfs_mask))
|
||||||
return 0;
|
return 0;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user