Import OpenSSL 1.1.1i.

This commit is contained in:
Jung-uk Kim 2020-12-08 18:10:16 +00:00
parent 92f02b3b0f
commit 970a464089
37 changed files with 277 additions and 130 deletions

36
CHANGES
View File

@ -7,6 +7,38 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch. release branch.
Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
*) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
If an attacker can control both items being compared then this could lead
to a possible denial of service attack. OpenSSL itself uses the
GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a
CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the
timestamp authority name (exposed via the API functions
TS_RESP_verify_response and TS_RESP_verify_token)
(CVE-2020-1971)
[Matt Caswell]
*) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
[Stuart Carnie]
*) The security callback, which can be customised by application code, supports
the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
security operation and it passed a DH object instead. This is incorrect
according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
[Matt Caswell]
*) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
when validating a certificate path. This check is restored in 1.1.1i.
[David von Oheimb]
Changes between 1.1.1g and 1.1.1h [22 Sep 2020] Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
*) Certificates with explicit curve parameters are now disallowed in *) Certificates with explicit curve parameters are now disallowed in
@ -32,6 +64,10 @@
on renegotiation. on renegotiation.
[Tomas Mraz] [Tomas Mraz]
*) Accidentally, an expired trusted (root) certificate is not anymore rejected
when validating a certificate path.
[David von Oheimb]
*) The Oracle Developer Studio compiler will start reporting deprecated APIs *) The Oracle Developer Studio compiler will start reporting deprecated APIs
Changes between 1.1.1f and 1.1.1g [21 Apr 2020] Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

4
NEWS
View File

@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
o Disallow explicit curve parameters in verifications chains when o Disallow explicit curve parameters in verifications chains when

2
README
View File

@ -1,5 +1,5 @@
OpenSSL 1.1.1h 22 Sep 2020 OpenSSL 1.1.1i 8 Dec 2020
Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -1862,8 +1862,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
row[DB_exp_date][tm->length] = '\0'; row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL; row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown"); row[DB_file] = OPENSSL_strdup("unknown");
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || if ((row[DB_type] == NULL) || (row[DB_file] == NULL)
(row[DB_file] == NULL) || (row[DB_name] == NULL)) { || (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n"); BIO_printf(bio_err, "Memory allocation failure\n");
goto end; goto end;
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -545,9 +545,11 @@ int cms_main(int argc, char **argv)
if (key_param == NULL || key_param->idx != keyidx) { if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam; cms_key_param *nparam;
nparam = app_malloc(sizeof(*nparam), "key param buffer"); nparam = app_malloc(sizeof(*nparam), "key param buffer");
nparam->idx = keyidx; if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) OPENSSL_free(nparam);
goto end; goto end;
}
nparam->idx = keyidx;
nparam->next = NULL; nparam->next = NULL;
if (key_first == NULL) if (key_first == NULL)
key_first = nparam; key_first = nparam;

8
config
View File

@ -253,11 +253,8 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
Power*) Power*)
echo "ppc-apple-darwin${VERSION}" echo "ppc-apple-darwin${VERSION}"
;; ;;
x86_64)
echo "x86_64-apple-darwin${VERSION}"
;;
*) *)
echo "i686-apple-darwin${VERSION}" echo "${MACHINE}-apple-darwin${VERSION}"
;; ;;
esac esac
exit 0 exit 0
@ -497,6 +494,9 @@ case "$GUESSOS" in
else else
OUT="darwin64-x86_64-cc" OUT="darwin64-x86_64-cc"
fi ;; fi ;;
$MACHINE-apple-darwin*)
OUT="darwin64-$MACHINE-cc"
;;
armv6+7-*-iphoneos) armv6+7-*-iphoneos)
__CNF_CFLAGS="$__CNF_CFLAGS -arch armv6 -arch armv7" __CNF_CFLAGS="$__CNF_CFLAGS -arch armv6 -arch armv7"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch armv6 -arch armv7" __CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch armv6 -arch armv7"

View File

@ -183,7 +183,12 @@ $code.=<<___;
.Loop192: .Loop192:
vtbl.8 $key,{$in1},$mask vtbl.8 $key,{$in1},$mask
vext.8 $tmp,$zero,$in0,#12 vext.8 $tmp,$zero,$in0,#12
#ifdef __ARMEB__
vst1.32 {$in1},[$out],#16
sub $out,$out,#8
#else
vst1.32 {$in1},[$out],#8 vst1.32 {$in1},[$out],#8
#endif
aese $key,$zero aese $key,$zero
subs $bits,$bits,#1 subs $bits,$bits,#1
@ -715,8 +720,11 @@ $code.=<<___;
ldr $rounds,[$key,#240] ldr $rounds,[$key,#240]
ldr $ctr, [$ivp, #12] ldr $ctr, [$ivp, #12]
#ifdef __ARMEB__
vld1.8 {$dat0},[$ivp]
#else
vld1.32 {$dat0},[$ivp] vld1.32 {$dat0},[$ivp]
#endif
vld1.32 {q8-q9},[$key] // load key schedule... vld1.32 {q8-q9},[$key] // load key schedule...
sub $rounds,$rounds,#4 sub $rounds,$rounds,#4
mov $step,#16 mov $step,#16
@ -732,17 +740,17 @@ $code.=<<___;
#ifndef __ARMEB__ #ifndef __ARMEB__
rev $ctr, $ctr rev $ctr, $ctr
#endif #endif
vorr $dat1,$dat0,$dat0
add $tctr1, $ctr, #1 add $tctr1, $ctr, #1
vorr $dat2,$dat0,$dat0
add $ctr, $ctr, #2
vorr $ivec,$dat0,$dat0 vorr $ivec,$dat0,$dat0
rev $tctr1, $tctr1 rev $tctr1, $tctr1
vmov.32 ${dat1}[3],$tctr1 vmov.32 ${ivec}[3],$tctr1
add $ctr, $ctr, #2
vorr $dat1,$ivec,$ivec
b.ls .Lctr32_tail b.ls .Lctr32_tail
rev $tctr2, $ctr rev $tctr2, $ctr
vmov.32 ${ivec}[3],$tctr2
sub $len,$len,#3 // bias sub $len,$len,#3 // bias
vmov.32 ${dat2}[3],$tctr2 vorr $dat2,$ivec,$ivec
b .Loop3x_ctr32 b .Loop3x_ctr32
.align 4 .align 4
@ -769,11 +777,11 @@ $code.=<<___;
aese $dat1,q8 aese $dat1,q8
aesmc $tmp1,$dat1 aesmc $tmp1,$dat1
vld1.8 {$in0},[$inp],#16 vld1.8 {$in0},[$inp],#16
vorr $dat0,$ivec,$ivec add $tctr0,$ctr,#1
aese $dat2,q8 aese $dat2,q8
aesmc $dat2,$dat2 aesmc $dat2,$dat2
vld1.8 {$in1},[$inp],#16 vld1.8 {$in1},[$inp],#16
vorr $dat1,$ivec,$ivec rev $tctr0,$tctr0
aese $tmp0,q9 aese $tmp0,q9
aesmc $tmp0,$tmp0 aesmc $tmp0,$tmp0
aese $tmp1,q9 aese $tmp1,q9
@ -782,8 +790,6 @@ $code.=<<___;
mov $key_,$key mov $key_,$key
aese $dat2,q9 aese $dat2,q9
aesmc $tmp2,$dat2 aesmc $tmp2,$dat2
vorr $dat2,$ivec,$ivec
add $tctr0,$ctr,#1
aese $tmp0,q12 aese $tmp0,q12
aesmc $tmp0,$tmp0 aesmc $tmp0,$tmp0
aese $tmp1,q12 aese $tmp1,q12
@ -799,20 +805,22 @@ $code.=<<___;
aese $tmp1,q13 aese $tmp1,q13
aesmc $tmp1,$tmp1 aesmc $tmp1,$tmp1
veor $in2,$in2,$rndlast veor $in2,$in2,$rndlast
rev $tctr0,$tctr0 vmov.32 ${ivec}[3], $tctr0
aese $tmp2,q13 aese $tmp2,q13
aesmc $tmp2,$tmp2 aesmc $tmp2,$tmp2
vmov.32 ${dat0}[3], $tctr0 vorr $dat0,$ivec,$ivec
rev $tctr1,$tctr1 rev $tctr1,$tctr1
aese $tmp0,q14 aese $tmp0,q14
aesmc $tmp0,$tmp0 aesmc $tmp0,$tmp0
vmov.32 ${ivec}[3], $tctr1
rev $tctr2,$ctr
aese $tmp1,q14 aese $tmp1,q14
aesmc $tmp1,$tmp1 aesmc $tmp1,$tmp1
vmov.32 ${dat1}[3], $tctr1 vorr $dat1,$ivec,$ivec
rev $tctr2,$ctr vmov.32 ${ivec}[3], $tctr2
aese $tmp2,q14 aese $tmp2,q14
aesmc $tmp2,$tmp2 aesmc $tmp2,$tmp2
vmov.32 ${dat2}[3], $tctr2 vorr $dat2,$ivec,$ivec
subs $len,$len,#3 subs $len,$len,#3
aese $tmp0,q15 aese $tmp0,q15
aese $tmp1,q15 aese $tmp1,q15

View File

@ -1,6 +1,6 @@
/* /*
* Generated by util/mkerr.pl DO NOT EDIT * Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -49,6 +49,7 @@ static const ERR_STRING_DATA ASN1_str_functs[] = {
"asn1_item_embed_d2i"}, "asn1_item_embed_d2i"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EMBED_NEW, 0), {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EMBED_NEW, 0),
"asn1_item_embed_new"}, "asn1_item_embed_new"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_FLAGS_I2D, 0), {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_FLAGS_I2D, 0),
"asn1_item_flags_i2d"}, "asn1_item_flags_i2d"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_I2D_BIO, 0), "ASN1_item_i2d_bio"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_I2D_BIO, 0), "ASN1_item_i2d_bio"},
@ -160,6 +161,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = {
"asn1 sig parse error"}, "asn1 sig parse error"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "aux error"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "aux error"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH), {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
"bmpstring is wrong length"}, "bmpstring is wrong length"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "bn lib"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "bn lib"},

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -182,6 +182,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
tag, aclass, opt, ctx); tag, aclass, opt, ctx);
case ASN1_ITYPE_MSTRING: case ASN1_ITYPE_MSTRING:
/*
* It never makes sense for multi-strings to have implicit tagging, so
* if tag != -1, then this looks like an error in the template.
*/
if (tag != -1) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
goto err;
}
p = *in; p = *in;
/* Just read in tag and class */ /* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
@ -199,6 +208,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
goto err; goto err;
} }
/* Check tag matches bit map */ /* Check tag matches bit map */
if (!(ASN1_tag2bit(otag) & it->utype)) { if (!(ASN1_tag2bit(otag) & it->utype)) {
/* If OPTIONAL, assume this is OK */ /* If OPTIONAL, assume this is OK */
@ -215,6 +225,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx); return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
case ASN1_ITYPE_CHOICE: case ASN1_ITYPE_CHOICE:
/*
* It never makes sense for CHOICE types to have implicit tagging, so
* if tag != -1, then this looks like an error in the template.
*/
if (tag != -1) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
goto err;
}
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr; goto auxerr;
if (*pval) { if (*pval) {

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -103,9 +103,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
case ASN1_ITYPE_MSTRING: case ASN1_ITYPE_MSTRING:
/*
* It never makes sense for multi-strings to have implicit tagging, so
* if tag != -1, then this looks like an error in the template.
*/
if (tag != -1) {
ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
return -1;
}
return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
case ASN1_ITYPE_CHOICE: case ASN1_ITYPE_CHOICE:
/*
* It never makes sense for CHOICE types to have implicit tagging, so
* if tag != -1, then this looks like an error in the template.
*/
if (tag != -1) {
ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
return -1;
}
if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
return 0; return 0;
i = asn1_get_choice_selector(pval, it); i = asn1_get_choice_selector(pval, it);

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -7,6 +7,10 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <assert.h> #include <assert.h>
#include <string.h> #include <string.h>

View File

@ -125,6 +125,7 @@ $code.=<<___;
.text .text
.extern OPENSSL_armcap_P .extern OPENSSL_armcap_P
.hidden OPENSSL_armcap_P
.align 5 .align 5
.Lsigma: .Lsigma:

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -341,7 +341,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
char *ptr; char *ptr;
long len; long len;
len = BIO_get_mem_data(dcont, &ptr); len = BIO_get_mem_data(dcont, &ptr);
tmpin = BIO_new_mem_buf(ptr, len); tmpin = (len == 0) ? dcont : BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) { if (tmpin == NULL) {
CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE); CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE);
goto err2; goto err2;

View File

@ -36,6 +36,7 @@ ASN1_F_ASN1_ITEM_D2I_FP:206:ASN1_item_d2i_fp
ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup
ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i
ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new
ASN1_F_ASN1_ITEM_EX_I2D:144:ASN1_item_ex_i2d
ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d
ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio
ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp
@ -1771,6 +1772,7 @@ ASN1_R_ASN1_PARSE_ERROR:203:asn1 parse error
ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error
ASN1_R_AUX_ERROR:100:aux error ASN1_R_AUX_ERROR:100:aux error
ASN1_R_BAD_OBJECT_HEADER:102:bad object header ASN1_R_BAD_OBJECT_HEADER:102:bad object header
ASN1_R_BAD_TEMPLATE:230:bad template
ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length
ASN1_R_BN_LIB:105:bn lib ASN1_R_BN_LIB:105:bn lib
ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -203,7 +203,7 @@ static int ok_read(BIO *b, char *out, int outl)
/* /*
* copy start of the next block into proper place * copy start of the next block into proper place
*/ */
if (ctx->buf_len_save - ctx->buf_off_save > 0) { if (ctx->buf_len_save > ctx->buf_off_save) {
ctx->buf_len = ctx->buf_len_save - ctx->buf_off_save; ctx->buf_len = ctx->buf_len_save - ctx->buf_off_save;
memmove(ctx->buf, &(ctx->buf[ctx->buf_off_save]), memmove(ctx->buf, &(ctx->buf[ctx->buf_off_save]),
ctx->buf_len); ctx->buf_len);

View File

@ -63,12 +63,15 @@ typedef u32 u32_a1;
asm ("bswapl %0" \ asm ("bswapl %0" \
: "+r"(ret_)); ret_; }) : "+r"(ret_)); ret_; })
# elif defined(__aarch64__) # elif defined(__aarch64__)
# define BSWAP8(x) ({ u64 ret_; \ # if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
__BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
# define BSWAP8(x) ({ u64 ret_; \
asm ("rev %0,%1" \ asm ("rev %0,%1" \
: "=r"(ret_) : "r"(x)); ret_; }) : "=r"(ret_) : "r"(x)); ret_; })
# define BSWAP4(x) ({ u32 ret_; \ # define BSWAP4(x) ({ u32 ret_; \
asm ("rev %w0,%w1" \ asm ("rev %w0,%w1" \
: "=r"(ret_) : "r"(x)); ret_; }) : "=r"(ret_) : "r"(x)); ret_; })
# endif
# elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
asm ("rev %0,%0; rev %1,%1" \ asm ("rev %0,%0; rev %1,%1" \

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -301,7 +301,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
char *ptr; char *ptr;
long len; long len;
len = BIO_get_mem_data(indata, &ptr); len = BIO_get_mem_data(indata, &ptr);
tmpin = BIO_new_mem_buf(ptr, len); tmpin = (len == 0) ? indata : BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) { if (tmpin == NULL) {
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
goto err; goto err;

View File

@ -57,10 +57,14 @@ $code.=<<___;
// forward "declarations" are required for Apple // forward "declarations" are required for Apple
.extern OPENSSL_armcap_P .extern OPENSSL_armcap_P
.globl poly1305_blocks .hidden OPENSSL_armcap_P
.globl poly1305_emit
.globl poly1305_init .globl poly1305_init
.hidden poly1305_init
.globl poly1305_blocks
.hidden poly1305_blocks
.globl poly1305_emit
.hidden poly1305_emit
.type poly1305_init,%function .type poly1305_init,%function
.align 5 .align 5
poly1305_init: poly1305_init:
@ -860,8 +864,8 @@ poly1305_blocks_neon:
st1 {$ACC4}[0],[$ctx] st1 {$ACC4}[0],[$ctx]
.Lno_data_neon: .Lno_data_neon:
.inst 0xd50323bf // autiasp
ldr x29,[sp],#80 ldr x29,[sp],#80
.inst 0xd50323bf // autiasp
ret ret
.size poly1305_blocks_neon,.-poly1305_blocks_neon .size poly1305_blocks_neon,.-poly1305_blocks_neon

View File

@ -365,12 +365,19 @@ static ssize_t syscall_random(void *buf, size_t buflen)
* - OpenBSD since 5.6 * - OpenBSD since 5.6
* - Linux since 3.17 with glibc 2.25 * - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061) * - FreeBSD since 12.0 (1200061)
*
* Note: Sometimes getentropy() can be provided but not implemented
* internally. So we need to check errno for ENOSYS
*/ */
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak)); extern int getentropy(void *buffer, size_t length) __attribute__((weak));
if (getentropy != NULL) if (getentropy != NULL) {
return getentropy(buf, buflen) == 0 ? (ssize_t)buflen : -1; if (getentropy(buf, buflen) == 0)
return (ssize_t)buflen;
if (errno != ENOSYS)
return -1;
}
# else # else
union { union {
void *p; void *p;

View File

@ -176,6 +176,7 @@ $code.=<<___;
.text .text
.extern OPENSSL_armcap_P .extern OPENSSL_armcap_P
.hidden OPENSSL_armcap_P
.globl sha1_block_data_order .globl sha1_block_data_order
.type sha1_block_data_order,%function .type sha1_block_data_order,%function
.align 6 .align 6
@ -329,7 +330,6 @@ $code.=<<___;
#endif #endif
.asciz "SHA1 block transform for ARMv8, CRYPTOGAMS by <appro\@openssl.org>" .asciz "SHA1 block transform for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
.align 2 .align 2
.comm OPENSSL_armcap_P,4,4
___ ___
}}} }}}

View File

@ -193,6 +193,7 @@ $code.=<<___;
.text .text
.extern OPENSSL_armcap_P .extern OPENSSL_armcap_P
.hidden OPENSSL_armcap_P
.globl $func .globl $func
.type $func,%function .type $func,%function
.align 6 .align 6
@ -840,12 +841,6 @@ $code.=<<___;
___ ___
} }
$code.=<<___;
#ifndef __KERNEL__
.comm OPENSSL_armcap_P,4,4
#endif
___
{ my %opcode = ( { my %opcode = (
"sha256h" => 0x5e004000, "sha256h2" => 0x5e005000, "sha256h" => 0x5e004000, "sha256h2" => 0x5e005000,
"sha256su0" => 0x5e282800, "sha256su1" => 0x5e006000 ); "sha256su0" => 0x5e282800, "sha256su1" => 0x5e006000 );

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -149,7 +149,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
return ret; return ret;
} }
void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
const ASN1_OBJECT *obj, int lastpos, int type) const ASN1_OBJECT *obj, int lastpos, int type)
{ {
int i; int i;

View File

@ -135,6 +135,8 @@ int X509_cmp(const X509 *a, const X509 *b)
{ {
int rv; int rv;
if (a == b) /* for efficiency */
return 0;
/* ensure hash is valid */ /* ensure hash is valid */
if (X509_check_purpose((X509 *)a, -1, 0) != 1) if (X509_check_purpose((X509 *)a, -1, 0) != 1)
return -2; return -2;

View File

@ -312,8 +312,20 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
return ret; return ret;
} }
static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
{
int i, n = sk_X509_num(sk);
for (i = 0; i < n; i++)
if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
return 1;
return 0;
}
/* /*
* Given a STACK_OF(X509) find the issuer of cert (if any) * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
* The issuer must not be the same as x and must not yet be in ctx->chain, where the
* exceptional case x is self-issued and ctx->chain has just one element is allowed.
*/ */
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{ {
@ -322,7 +334,13 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
for (i = 0; i < sk_X509_num(sk); i++) { for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i); issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer)) { /*
* Below check 'issuer != x' is an optimization and safety precaution:
* Candidate issuer cert cannot be the same as the subject cert 'x'.
*/
if (issuer != x && ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
rv = issuer; rv = issuer;
if (x509_check_cert_time(ctx, rv, -1)) if (x509_check_cert_time(ctx, rv, -1))
break; break;
@ -331,30 +349,13 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
return rv; return rv;
} }
/* /* Check that the given certificate 'x' is issued by the certificate 'issuer' */
* Check that the given certificate 'x' is issued by the certificate 'issuer'
* and the issuer is not yet in ctx->chain, where the exceptional case
* that 'x' is self-issued and ctx->chain has just one element is allowed.
*/
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{ {
if (x509_likely_issued(issuer, x) != X509_V_OK) return x509_likely_issued(issuer, x) == X509_V_OK;
return 0;
if ((x->ex_flags & EXFLAG_SI) == 0 || sk_X509_num(ctx->chain) != 1) {
int i;
X509 *ch;
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
ch = sk_X509_value(ctx->chain, i);
if (ch == issuer || X509_cmp(ch, issuer) == 0)
return 0;
}
}
return 1;
} }
/* Alternative lookup method: look from a STACK stored in other_ctx */ /* Alternative lookup method: look from a STACK stored in other_ctx */
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{ {
*issuer = find_issuer(ctx, ctx->other_ctx, x); *issuer = find_issuer(ctx, ctx->other_ctx, x);
@ -1740,7 +1741,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (ctx->bare_ta_signed) { if (ctx->bare_ta_signed) {
xs = xi; xs = xi;
xi = NULL; xi = NULL;
goto check_cert; goto check_cert_time;
} }
if (ctx->check_issued(ctx, xi, xi)) if (ctx->check_issued(ctx, xi, xi))
@ -1748,11 +1749,17 @@ static int internal_verify(X509_STORE_CTX *ctx)
else { else {
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
xs = xi; xs = xi;
goto check_cert; goto check_cert_time;
} }
if (n <= 0) if (n <= 0) {
return verify_cb_cert(ctx, xi, 0, if (!verify_cb_cert(ctx, xi, 0,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
return 0;
xs = xi;
goto check_cert_time;
}
n--; n--;
ctx->error_depth = n; ctx->error_depth = n;
xs = sk_X509_value(ctx->chain, n); xs = sk_X509_value(ctx->chain, n);
@ -1811,7 +1818,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
} }
} }
check_cert: check_cert_time: /* in addition to RFC 5280, do also for trusted (root) cert */
/* Calls verify callback as needed */ /* Calls verify callback as needed */
if (!x509_check_cert_time(ctx, xs, n)) if (!x509_check_cert_time(ctx, xs, n))
return 0; return 0;

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -22,8 +22,9 @@ ASN1_SEQUENCE(OTHERNAME) = {
IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
ASN1_SEQUENCE(EDIPARTYNAME) = { ASN1_SEQUENCE(EDIPARTYNAME) = {
ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), /* DirectoryString is a CHOICE type so use explicit tagging */
ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
} ASN1_SEQUENCE_END(EDIPARTYNAME) } ASN1_SEQUENCE_END(EDIPARTYNAME)
IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
@ -57,6 +58,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
(char *)a); (char *)a);
} }
static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
{
int res;
if (a == NULL || b == NULL) {
/*
* Shouldn't be possible in a valid GENERAL_NAME, but we handle it
* anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
*/
return -1;
}
if (a->nameAssigner == NULL && b->nameAssigner != NULL)
return -1;
if (a->nameAssigner != NULL && b->nameAssigner == NULL)
return 1;
/* If we get here then both have nameAssigner set, or both unset */
if (a->nameAssigner != NULL) {
res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
if (res != 0)
return res;
}
/*
* partyName is required, so these should never be NULL. We treat it in
* the same way as the a == NULL || b == NULL case above
*/
if (a->partyName == NULL || b->partyName == NULL)
return -1;
return ASN1_STRING_cmp(a->partyName, b->partyName);
}
/* Returns 0 if they are equal, != 0 otherwise. */ /* Returns 0 if they are equal, != 0 otherwise. */
int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
{ {
@ -66,8 +98,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
return -1; return -1;
switch (a->type) { switch (a->type) {
case GEN_X400: case GEN_X400:
result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
break;
case GEN_EDIPARTY: case GEN_EDIPARTY:
result = ASN1_TYPE_cmp(a->d.other, b->d.other); result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
break; break;
case GEN_OTHERNAME: case GEN_OTHERNAME:
@ -114,8 +149,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
{ {
switch (type) { switch (type) {
case GEN_X400: case GEN_X400:
a->d.x400Address = value;
break;
case GEN_EDIPARTY: case GEN_EDIPARTY:
a->d.other = value; a->d.ediPartyName = value;
break; break;
case GEN_OTHERNAME: case GEN_OTHERNAME:
@ -149,8 +187,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype)
*ptype = a->type; *ptype = a->type;
switch (a->type) { switch (a->type) {
case GEN_X400: case GEN_X400:
return a->d.x400Address;
case GEN_EDIPARTY: case GEN_EDIPARTY:
return a->d.other; return a->d.ediPartyName;
case GEN_OTHERNAME: case GEN_OTHERNAME:
return a->d.otherName; return a->d.otherName;

View File

@ -382,10 +382,14 @@ should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes. trust settings is considered to be valid for all purposes.
The final operation is to check the validity of the certificate chain. The validity The final operation is to check the validity of the certificate chain.
period is checked against the current system time and the notBefore and notAfter For each element in the chain, including the root CA certificate,
dates in the certificate. The certificate signatures are also checked at this the validity period as specified by the C<notBefore> and C<notAfter> fields
point. is checked against the current system time.
The B<-attime> flag may be used to use a reference time other than "now."
The certificate signature is checked as well
(except for the signature of the typically self-signed root CA certificate,
which is verified only if the B<-check_ss_sig> option is given).
If all operations complete successfully then certificate is considered valid. If If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid. any operation fails then the certificate is not valid.

View File

@ -33,7 +33,7 @@ error occurs if B<a> is shorter than B<n> bits.
BN_is_bit_set() tests if bit B<n> in B<a> is set. BN_is_bit_set() tests if bit B<n> in B<a> is set.
BN_mask_bits() truncates B<a> to an B<n> bit number BN_mask_bits() truncates B<a> to an B<n> bit number
(C<a&=~((~0)E<gt>E<gt>n)>). An error occurs if B<a> already is (C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<a> already is
shorter than B<n> bits. shorter than B<n> bits.
BN_lshift() shifts B<a> left by B<n> bits and places the result in BN_lshift() shifts B<a> left by B<n> bits and places the result in

View File

@ -137,9 +137,7 @@ I<If no function to get the issuer is provided, the internal default
function will be used instead.> function will be used instead.>
X509_STORE_set_check_issued() sets the function to check that a given X509_STORE_set_check_issued() sets the function to check that a given
certificate B<x> is issued by the issuer certificate B<issuer> and certificate B<x> is issued by the issuer certificate B<issuer>.
the issuer is not yet in the chain contained in <ctx>, where the exceptional
case that B<x> is self-issued and ctx->chain has just one element is allowed.
This function must return 0 on failure (among others if B<x> hasn't This function must return 0 on failure (among others if B<x> hasn't
been issued with B<issuer>) and 1 on success. been issued with B<issuer>) and 1 on success.
I<If no function to get the issuer is provided, the internal default I<If no function to get the issuer is provided, the internal default

View File

@ -1,6 +1,6 @@
/* /*
* Generated by util/mkerr.pl DO NOT EDIT * Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -11,9 +11,7 @@
#ifndef HEADER_ASN1ERR_H #ifndef HEADER_ASN1ERR_H
# define HEADER_ASN1ERR_H # define HEADER_ASN1ERR_H
# ifndef HEADER_SYMHACKS_H # include <openssl/symhacks.h>
# include <openssl/symhacks.h>
# endif
# ifdef __cplusplus # ifdef __cplusplus
extern "C" extern "C"
@ -53,6 +51,7 @@ int ERR_load_ASN1_strings(void);
# define ASN1_F_ASN1_ITEM_DUP 191 # define ASN1_F_ASN1_ITEM_DUP 191
# define ASN1_F_ASN1_ITEM_EMBED_D2I 120 # define ASN1_F_ASN1_ITEM_EMBED_D2I 120
# define ASN1_F_ASN1_ITEM_EMBED_NEW 121 # define ASN1_F_ASN1_ITEM_EMBED_NEW 121
# define ASN1_F_ASN1_ITEM_EX_I2D 144
# define ASN1_F_ASN1_ITEM_FLAGS_I2D 118 # define ASN1_F_ASN1_ITEM_FLAGS_I2D 118
# define ASN1_F_ASN1_ITEM_I2D_BIO 192 # define ASN1_F_ASN1_ITEM_I2D_BIO 192
# define ASN1_F_ASN1_ITEM_I2D_FP 193 # define ASN1_F_ASN1_ITEM_I2D_FP 193
@ -145,6 +144,7 @@ int ERR_load_ASN1_strings(void);
# define ASN1_R_ASN1_SIG_PARSE_ERROR 204 # define ASN1_R_ASN1_SIG_PARSE_ERROR 204
# define ASN1_R_AUX_ERROR 100 # define ASN1_R_AUX_ERROR 100
# define ASN1_R_BAD_OBJECT_HEADER 102 # define ASN1_R_BAD_OBJECT_HEADER 102
# define ASN1_R_BAD_TEMPLATE 230
# define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
# define ASN1_R_BN_LIB 105 # define ASN1_R_BN_LIB 105
# define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 # define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106

View File

@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1010108fL # define OPENSSL_VERSION_NUMBER 0x1010109fL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020" # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1i 8 Dec 2020"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)

View File

@ -933,7 +933,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
int type, int type,
const unsigned char *bytes, const unsigned char *bytes,
int len); int len);
void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
const ASN1_OBJECT *obj, int lastpos, int type); const ASN1_OBJECT *obj, int lastpos, int type);
X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
int atrtype, const void *data, int atrtype, const void *data,

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -808,8 +808,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
wb = &s->rlayer.wbuf[0]; wb = &s->rlayer.wbuf[0];
/* /*
* first check if there is a SSL3_BUFFER still being written out. This * DTLS writes whole datagrams, so there can't be anything left in
* will happen with non blocking IO * the buffer.
*/ */
if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) { if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE,

View File

@ -4072,9 +4072,10 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id)
const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
{ {
SSL_CIPHER *c = NULL, *tbl; SSL_CIPHER *tbl;
SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers}; SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers, ssl3_scsvs};
size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS}; size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS,
SSL3_NUM_SCSVS};
/* this is not efficient, necessary to optimize this? */ /* this is not efficient, necessary to optimize this? */
for (j = 0; j < OSSL_NELEM(alltabs); j++) { for (j = 0; j < OSSL_NELEM(alltabs); j++) {
@ -4082,21 +4083,11 @@ const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
if (tbl->stdname == NULL) if (tbl->stdname == NULL)
continue; continue;
if (strcmp(stdname, tbl->stdname) == 0) { if (strcmp(stdname, tbl->stdname) == 0) {
c = tbl; return tbl;
break;
} }
} }
} }
if (c == NULL) { return NULL;
tbl = ssl3_scsvs;
for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) {
if (strcmp(stdname, tbl->stdname) == 0) {
c = tbl;
break;
}
}
}
return c;
} }
/* /*

View File

@ -2678,7 +2678,7 @@ const char *SSL_get_servername(const SSL *s, const int type)
* - Otherwise it returns NULL * - Otherwise it returns NULL
* *
* During/after the handshake (TLSv1.2 or below resumption occurred): * During/after the handshake (TLSv1.2 or below resumption occurred):
* - If the session from the orignal handshake had a servername accepted * - If the session from the original handshake had a servername accepted
* by the server then it will return that servername. * by the server then it will return that servername.
* - Otherwise it returns the servername set via * - Otherwise it returns the servername set via
* SSL_set_tlsext_host_name() (or NULL if it was not called). * SSL_set_tlsext_host_name() (or NULL if it was not called).

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved. * Copyright 2005 Nokia. All rights reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
@ -107,7 +107,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
{ {
SSL_SESSION *dest; SSL_SESSION *dest;
dest = OPENSSL_malloc(sizeof(*src)); dest = OPENSSL_malloc(sizeof(*dest));
if (dest == NULL) { if (dest == NULL) {
goto err; goto err;
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved. * Copyright 2005 Nokia. All rights reserved.
* *
@ -2145,17 +2145,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
} }
bnpub_key = NULL; bnpub_key = NULL;
if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
SSL_R_DH_KEY_TOO_SMALL);
goto err;
}
if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
ERR_R_EVP_LIB); ERR_R_EVP_LIB);
goto err; goto err;
} }
dh = NULL;
if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
0, peer_tmp)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
SSL_R_DH_KEY_TOO_SMALL);
goto err;
}
s->s3->peer_tmp = peer_tmp; s->s3->peer_tmp = peer_tmp;

View File

@ -2577,7 +2577,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
s->s3->tmp.pkey = ssl_generate_pkey(pkdhp); s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
if (s->s3->tmp.pkey == NULL) { if (s->s3->tmp.pkey == NULL) {
/* SSLfatal() already called */ SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }