OpenSSL: Merge OpenSSL 1.1.1o
Merge commit 'cf0ffd7607ed8f39829c6951a65a55fa1eb3aafe'
This commit is contained in:
commit
34252e89a9
@ -7,6 +7,19 @@
|
||||
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
||||
release branch.
|
||||
|
||||
Changes between 1.1.1n and 1.1.1o [3 May 2022]
|
||||
|
||||
*) Fixed a bug in the c_rehash script which was not properly sanitising shell
|
||||
metacharacters to prevent command injection. This script is distributed by
|
||||
some operating systems in a manner where it is automatically executed. On
|
||||
such operating systems, an attacker could execute arbitrary commands with the
|
||||
privileges of the script.
|
||||
|
||||
Use of the c_rehash script is considered obsolete and should be replaced
|
||||
by the OpenSSL rehash command line tool.
|
||||
(CVE-2022-1292)
|
||||
[Tomáš Mráz]
|
||||
|
||||
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
|
||||
|
||||
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
|
||||
|
@ -5,10 +5,15 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]
|
||||
|
||||
o Fixed a bug in the c_rehash script which was not properly sanitising
|
||||
shell metacharacters to prevent command injection (CVE-2022-1292)
|
||||
|
||||
Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
|
||||
|
||||
o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
|
||||
forever for non-prime moduli ([CVE-2022-0778])
|
||||
forever for non-prime moduli (CVE-2022-0778)
|
||||
|
||||
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
|
||||
OpenSSL 1.1.1n 15 Mar 2022
|
||||
OpenSSL 1.1.1o 3 May 2022
|
||||
|
||||
Copyright (c) 1998-2021 The OpenSSL Project
|
||||
Copyright (c) 1998-2022 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
|
@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
|
||||
if (cb_data != NULL && cb_data->password != NULL
|
||||
&& *(const char*)cb_data->password != '\0')
|
||||
pw_min_len = 1;
|
||||
else if (!verify)
|
||||
pw_min_len = 0;
|
||||
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
||||
if (!prompt) {
|
||||
BIO_printf(bio_err, "Out of memory\n");
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
|
||||
xca = load_cert(CAfile, CAformat, "CA Certificate");
|
||||
if (xca == NULL)
|
||||
goto end;
|
||||
if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
|
||||
goto end;
|
||||
}
|
||||
|
||||
out = bio_open_default(outfile, 'w', outformat);
|
||||
@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
|
||||
goto end;
|
||||
if (!X509_set_serialNumber(x, bs))
|
||||
goto end;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
|
||||
snum->neg = num_neg;
|
||||
snum->top = div_n;
|
||||
snum->flags |= BN_FLG_FIXED_TOP;
|
||||
if (rm != NULL)
|
||||
bn_rshift_fixed_top(rm, snum, norm_shift);
|
||||
|
||||
if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)
|
||||
goto err;
|
||||
|
||||
BN_CTX_end(ctx);
|
||||
return 1;
|
||||
err:
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
return ret;
|
||||
}
|
||||
|
||||
BN_RECP_CTX_init(&recp);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
aa = BN_CTX_get(ctx);
|
||||
val[0] = BN_CTX_get(ctx);
|
||||
if (val[0] == NULL)
|
||||
goto err;
|
||||
|
||||
BN_RECP_CTX_init(&recp);
|
||||
if (m->neg) {
|
||||
/* ignore sign of 'm' */
|
||||
if (!BN_copy(aa, m))
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2016 Cryptography Research, Inc.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control,
|
||||
int32_t delta = odd & mask;
|
||||
|
||||
assert(position >= 0);
|
||||
assert(pos < 32); /* can't fail since current & 0xFFFF != 0 */
|
||||
if (odd & (1 << (table_bits + 1)))
|
||||
delta -= (1 << (table_bits + 1));
|
||||
current -= delta * (1 << pos);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
|
||||
* Copyright (c) 2015, CloudFlare, Inc.
|
||||
*
|
||||
@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
|
||||
return 0;
|
||||
}
|
||||
|
||||
memset(&p, 0, sizeof(p));
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
if (scalar) {
|
||||
|
@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Unfortunately the version checker does not distinguish between
|
||||
* engines built for openssl 1.1.x and openssl 3.x, but loading
|
||||
* an engine that is built for openssl 3.x will cause a fatal
|
||||
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
|
||||
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
|
||||
* in openssl 1.1.x. Therefore we take the presence of that symbol
|
||||
* as an indication that the engine will be incompatible.
|
||||
*/
|
||||
static int using_libcrypto_3(dynamic_data_ctx *ctx)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ERR_set_mark();
|
||||
ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL;
|
||||
ERR_pop_to_mark();
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
|
||||
{
|
||||
ENGINE cpy;
|
||||
@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
|
||||
/*
|
||||
* We fail if the version checker veto'd the load *or* if it is
|
||||
* deferring to us (by returning its version) and we think it is too
|
||||
* old.
|
||||
* Unfortunately the version checker does not distinguish between
|
||||
* engines built for openssl 1.1.x and openssl 3.x, but loading
|
||||
* an engine that is built for openssl 3.x will cause a fatal
|
||||
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
|
||||
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
|
||||
* in openssl 1.1.x. Therefore we take the presence of that symbol
|
||||
* as an indication that the engine will be incompatible.
|
||||
* old. Also fail if this is engine for openssl 3.x.
|
||||
*/
|
||||
if (vcheck_res < OSSL_DYNAMIC_OLDEST
|
||||
|| DSO_bind_func(ctx->dynamic_dso,
|
||||
"EVP_PKEY_get_base_id") != NULL) {
|
||||
if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) {
|
||||
/* Fail */
|
||||
ctx->bind_engine = NULL;
|
||||
ctx->v_check = NULL;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -23,7 +23,9 @@
|
||||
#include "internal/constant_time.h"
|
||||
#include "e_os.h"
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
static int err_load_strings(const ERR_STRING_DATA *str);
|
||||
#endif
|
||||
|
||||
static void ERR_STATE_free(ERR_STATE *s);
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
@ -76,9 +78,9 @@ static ERR_STRING_DATA ERR_str_functs[] = {
|
||||
{ERR_PACK(0, SYS_F_BIND, 0), "bind"},
|
||||
{ERR_PACK(0, SYS_F_LISTEN, 0), "listen"},
|
||||
{ERR_PACK(0, SYS_F_ACCEPT, 0), "accept"},
|
||||
# ifdef OPENSSL_SYS_WINDOWS
|
||||
#ifdef OPENSSL_SYS_WINDOWS
|
||||
{ERR_PACK(0, SYS_F_WSASTARTUP, 0), "WSAstartup"},
|
||||
# endif
|
||||
#endif
|
||||
{ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"},
|
||||
{ERR_PACK(0, SYS_F_FREAD, 0), "fread"},
|
||||
{ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"},
|
||||
@ -141,21 +143,26 @@ static int set_err_thread_local;
|
||||
static CRYPTO_THREAD_LOCAL err_thread_local;
|
||||
|
||||
static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
|
||||
static CRYPTO_RWLOCK *err_string_lock;
|
||||
static CRYPTO_RWLOCK *err_string_lock = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The internal state
|
||||
*/
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL;
|
||||
#endif
|
||||
static int int_err_library_number = ERR_LIB_USER;
|
||||
|
||||
static unsigned long get_error_values(int inc, int top, const char **file,
|
||||
int *line, const char **data,
|
||||
int *flags);
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
static unsigned long err_string_data_hash(const ERR_STRING_DATA *a)
|
||||
{
|
||||
unsigned long ret, l;
|
||||
@ -184,7 +191,6 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
|
||||
return p;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
|
||||
# define SPACE_SYS_STR_REASONS 8 * 1024
|
||||
# define NUM_SYS_STR_REASONS 127
|
||||
@ -299,6 +305,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
|
||||
err_string_lock = CRYPTO_THREAD_lock_new();
|
||||
if (err_string_lock == NULL)
|
||||
return 0;
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash,
|
||||
err_string_data_cmp);
|
||||
if (int_error_hash == NULL) {
|
||||
@ -306,6 +313,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
|
||||
err_string_lock = NULL;
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -315,10 +323,13 @@ void err_cleanup(void)
|
||||
CRYPTO_THREAD_cleanup_local(&err_thread_local);
|
||||
CRYPTO_THREAD_lock_free(err_string_lock);
|
||||
err_string_lock = NULL;
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
lh_ERR_STRING_DATA_free(int_error_hash);
|
||||
int_error_hash = NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
/*
|
||||
* Legacy; pack in the library.
|
||||
*/
|
||||
@ -342,6 +353,7 @@ static int err_load_strings(const ERR_STRING_DATA *str)
|
||||
CRYPTO_THREAD_unlock(err_string_lock);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
int ERR_load_ERR_strings(void)
|
||||
{
|
||||
@ -360,24 +372,31 @@ int ERR_load_ERR_strings(void)
|
||||
|
||||
int ERR_load_strings(int lib, ERR_STRING_DATA *str)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
if (ERR_load_ERR_strings() == 0)
|
||||
return 0;
|
||||
|
||||
err_patch(lib, str);
|
||||
err_load_strings(str);
|
||||
#endif
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ERR_load_strings_const(const ERR_STRING_DATA *str)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
if (ERR_load_ERR_strings() == 0)
|
||||
return 0;
|
||||
err_load_strings(str);
|
||||
#endif
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
if (!RUN_ONCE(&err_string_init, do_err_strings_init))
|
||||
return 0;
|
||||
|
||||
@ -389,14 +408,14 @@ int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
|
||||
for (; str->error; str++)
|
||||
(void)lh_ERR_STRING_DATA_delete(int_error_hash, str);
|
||||
CRYPTO_THREAD_unlock(err_string_lock);
|
||||
#endif
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
void err_free_strings_int(void)
|
||||
{
|
||||
if (!RUN_ONCE(&err_string_init, do_err_strings_init))
|
||||
return;
|
||||
/* obsolete */
|
||||
}
|
||||
|
||||
/********************************************************/
|
||||
@ -636,6 +655,7 @@ char *ERR_error_string(unsigned long e, char *ret)
|
||||
|
||||
const char *ERR_lib_error_string(unsigned long e)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
ERR_STRING_DATA d, *p;
|
||||
unsigned long l;
|
||||
|
||||
@ -647,10 +667,14 @@ const char *ERR_lib_error_string(unsigned long e)
|
||||
d.error = ERR_PACK(l, 0, 0);
|
||||
p = int_err_get_item(&d);
|
||||
return ((p == NULL) ? NULL : p->string);
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
const char *ERR_func_error_string(unsigned long e)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
ERR_STRING_DATA d, *p;
|
||||
unsigned long l, f;
|
||||
|
||||
@ -663,10 +687,14 @@ const char *ERR_func_error_string(unsigned long e)
|
||||
d.error = ERR_PACK(l, f, 0);
|
||||
p = int_err_get_item(&d);
|
||||
return ((p == NULL) ? NULL : p->string);
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
const char *ERR_reason_error_string(unsigned long e)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
ERR_STRING_DATA d, *p = NULL;
|
||||
unsigned long l, r;
|
||||
|
||||
@ -683,6 +711,9 @@ const char *ERR_reason_error_string(unsigned long e)
|
||||
p = int_err_get_item(&d);
|
||||
}
|
||||
return ((p == NULL) ? NULL : p->string);
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
void err_delete_thread_state(void)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
||||
# define PTRDIFF_T size_t
|
||||
#endif
|
||||
|
||||
int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
|
||||
int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len)
|
||||
{
|
||||
PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
|
||||
/*
|
||||
@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
|
||||
unsigned char *out, int *outl,
|
||||
const unsigned char *in, int inl)
|
||||
{
|
||||
int i, j, bl, cmpl = inl;
|
||||
int i, j, bl;
|
||||
size_t cmpl = (size_t)inl;
|
||||
|
||||
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
|
||||
cmpl = (cmpl + 7) / 8;
|
||||
@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
||||
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
const unsigned char *in, int inl)
|
||||
{
|
||||
int fix_len, cmpl = inl;
|
||||
int fix_len;
|
||||
unsigned int b;
|
||||
size_t cmpl = (size_t)inl;
|
||||
|
||||
/* Prevent accidental use of encryption context when decrypting */
|
||||
if (ctx->encrypt) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st {
|
||||
typedef struct evp_pbe_st EVP_PBE_CTL;
|
||||
DEFINE_STACK_OF(EVP_PBE_CTL)
|
||||
|
||||
int is_partially_overlapping(const void *ptr1, const void *ptr2, int len);
|
||||
int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -211,7 +211,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
|
||||
}
|
||||
|
||||
static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
|
||||
static int load_crypto_strings_inited = 0;
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
|
||||
{
|
||||
int ret = 1;
|
||||
@ -225,7 +225,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
|
||||
"err_load_crypto_strings_int()\n");
|
||||
# endif
|
||||
ret = err_load_crypto_strings_int();
|
||||
load_crypto_strings_inited = 1;
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
@ -549,14 +548,6 @@ void OPENSSL_cleanup(void)
|
||||
async_deinit();
|
||||
}
|
||||
|
||||
if (load_crypto_strings_inited) {
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
|
||||
"err_free_strings_int()\n");
|
||||
#endif
|
||||
err_free_strings_int();
|
||||
}
|
||||
|
||||
key = destructor_key.value;
|
||||
destructor_key.sane = -1;
|
||||
CRYPTO_THREAD_cleanup_local(&key);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -47,6 +47,9 @@ struct OPENSSL_s390xcap_st {
|
||||
unsigned long long kma[2];
|
||||
};
|
||||
|
||||
#if defined(__GNUC__) && defined(__linux)
|
||||
__attribute__ ((visibility("hidden")))
|
||||
#endif
|
||||
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
|
||||
|
||||
/* convert facility bit number or function code to bit mask */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -26,6 +26,9 @@ void OPENSSL_vx_probe(void);
|
||||
|
||||
struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
|
||||
|
||||
#if defined(__GNUC__) && defined(__linux)
|
||||
__attribute__ ((visibility("hidden")))
|
||||
#endif
|
||||
void OPENSSL_cpuid_setup(void)
|
||||
{
|
||||
sigset_t oset;
|
||||
|
@ -22,3 +22,13 @@ pub 2048R/0E604491 2013-04-30
|
||||
Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
|
||||
uid Matt Caswell <matt@openssl.org>
|
||||
uid Matt Caswell <frodo@baggins.org>
|
||||
|
||||
pub rsa4096 2021-02-14
|
||||
B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45
|
||||
uid Paul Dale <pauli@openssl.org>
|
||||
|
||||
pub rsa4096 2021-07-16
|
||||
A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
|
||||
uid Tomáš Mráz <tm@t8m.info>
|
||||
uid Tomáš Mráz <tomas@arleto.cz>
|
||||
uid Tomáš Mráz <tomas@openssl.org>
|
||||
|
@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
|
||||
All currently supported protocols have the same default timeout value
|
||||
of 300 seconds.
|
||||
|
||||
This timeout value is used as the ticket lifetime hint for stateless session
|
||||
tickets. It is also used as the timeout value within the ticket itself.
|
||||
|
||||
For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
|
||||
seconds).
|
||||
|
||||
For TLSv1.2, tickets generated during an initial handshake use the value
|
||||
as specified. Tickets generated during a resumed handshake have a value
|
||||
of 0 for the ticket lifetime hint.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
SSL_CTX_set_timeout() returns the previously set timeout value.
|
||||
@ -58,7 +68,7 @@ L<SSL_get_default_timeout(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -39,8 +39,8 @@ extern "C" {
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x101010efL
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n-freebsd 15 Mar 2022"
|
||||
# define OPENSSL_VERSION_NUMBER 0x101010ffL
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1o-freebsd 3 May 2022"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -589,6 +589,8 @@ int ssl3_alert_code(int code)
|
||||
return TLS1_AD_NO_APPLICATION_PROTOCOL;
|
||||
case SSL_AD_CERTIFICATE_REQUIRED:
|
||||
return SSL_AD_HANDSHAKE_FAILURE;
|
||||
case SSL_AD_MISSING_EXTENSION:
|
||||
return SSL_AD_HANDSHAKE_FAILURE;
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -116,7 +116,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
|
||||
}
|
||||
|
||||
static CRYPTO_ONCE ssl_strings = CRYPTO_ONCE_STATIC_INIT;
|
||||
static int ssl_strings_inited = 0;
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
|
||||
{
|
||||
/*
|
||||
@ -129,7 +129,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
|
||||
"ERR_load_SSL_strings()\n");
|
||||
# endif
|
||||
ERR_load_SSL_strings();
|
||||
ssl_strings_inited = 1;
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
@ -157,20 +156,6 @@ static void ssl_library_stop(void)
|
||||
ssl_comp_free_compression_methods_int();
|
||||
#endif
|
||||
}
|
||||
|
||||
if (ssl_strings_inited) {
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: "
|
||||
"err_free_strings_int()\n");
|
||||
#endif
|
||||
/*
|
||||
* If both crypto and ssl error strings are inited we will end up
|
||||
* calling err_free_strings_int() twice - but that's ok. The second
|
||||
* time will be a no-op. It's easier to do that than to try and track
|
||||
* between the two libraries whether they have both been inited.
|
||||
*/
|
||||
err_free_strings_int();
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
@ -2170,6 +2170,7 @@ int SSL_shutdown(SSL *s)
|
||||
if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
|
||||
struct ssl_async_args args;
|
||||
|
||||
memset(&args, 0, sizeof(args));
|
||||
args.s = s;
|
||||
args.type = OTHERFUNC;
|
||||
args.f.func_other = s->method->ssl_shutdown;
|
||||
@ -3799,6 +3800,7 @@ int SSL_do_handshake(SSL *s)
|
||||
if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
|
||||
struct ssl_async_args args;
|
||||
|
||||
memset(&args, 0, sizeof(args));
|
||||
args.s = s;
|
||||
|
||||
ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -130,11 +130,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
|
||||
}
|
||||
#endif
|
||||
if (x->time != 0L) {
|
||||
if (BIO_printf(bp, "\n Start Time: %ld", x->time) <= 0)
|
||||
if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0)
|
||||
goto err;
|
||||
}
|
||||
if (x->timeout != 0L) {
|
||||
if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0)
|
||||
if (BIO_printf(bp, "\n Timeout : %lld (sec)", (long long)x->timeout) <= 0)
|
||||
goto err;
|
||||
}
|
||||
if (BIO_puts(bp, "\n") <= 0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
@ -1422,6 +1422,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
&& sversion == TLS1_2_VERSION
|
||||
&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
|
||||
&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
|
||||
if (s->hello_retry_request != SSL_HRR_NONE) {
|
||||
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
|
||||
SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE);
|
||||
goto err;
|
||||
}
|
||||
s->hello_retry_request = SSL_HRR_PENDING;
|
||||
hrr = 1;
|
||||
if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type)
|
||||
else
|
||||
len = s->init_num;
|
||||
|
||||
if (len > s->max_send_fragment)
|
||||
len = s->max_send_fragment;
|
||||
if (len > ssl_get_max_send_fragment(s))
|
||||
len = ssl_get_max_send_fragment(s);
|
||||
|
||||
/*
|
||||
* XDTLS: this function is too long. split out the CCS part
|
||||
@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type)
|
||||
|
||||
ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len,
|
||||
&written);
|
||||
if (ret < 0) {
|
||||
if (ret <= 0) {
|
||||
/*
|
||||
* might need to update MTU here, but we don't know which
|
||||
* previous packet caused the failure -- so can't really
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
|
||||
static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
|
||||
unsigned char *tick_nonce)
|
||||
{
|
||||
uint32_t timeout = (uint32_t)s->session->timeout;
|
||||
|
||||
/*
|
||||
* Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
|
||||
* unspecified for resumed session (for simplicity).
|
||||
* Ticket lifetime hint:
|
||||
* In TLSv1.3 we reset the "time" field above, and always specify the
|
||||
* timeout.
|
||||
* timeout, limited to a 1 week period per RFC8446.
|
||||
* For TLSv1.2 this is advisory only and we leave this unspecified for
|
||||
* resumed session (for simplicity).
|
||||
*/
|
||||
if (!WPACKET_put_bytes_u32(pkt,
|
||||
(s->hit && !SSL_IS_TLS13(s))
|
||||
? 0 : s->session->timeout)) {
|
||||
#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
|
||||
|
||||
if (SSL_IS_TLS13(s)) {
|
||||
if (s->session->timeout > ONE_WEEK_SEC)
|
||||
timeout = ONE_WEEK_SEC;
|
||||
} else if (s->hit)
|
||||
timeout = 0;
|
||||
|
||||
if (!WPACKET_put_bytes_u32(pkt, timeout)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -796,6 +796,8 @@ int tls1_alert_code(int code)
|
||||
return TLS1_AD_NO_APPLICATION_PROTOCOL;
|
||||
case SSL_AD_CERTIFICATE_REQUIRED:
|
||||
return SSL_AD_HANDSHAKE_FAILURE;
|
||||
case SSL_AD_MISSING_EXTENSION:
|
||||
return SSL_AD_HANDSHAKE_FAILURE;
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user