mirror of https://github.com/openssl/openssl
Compare commits
9 Commits
091b4779e8
...
3e93603e5f
Author | SHA1 | Date |
---|---|---|
Naif | 3e93603e5f | |
Neil Horman | 933f57dfe2 | |
Neil Horman | 3dcd85139f | |
Neil Horman | 3059052992 | |
Neil Horman | badda78325 | |
Takehiko Yokota | bde66e828d | |
Jiasheng Jiang | 48e3cf25a8 | |
Viktor Dukhovni | 6d01857040 | |
Naif | 401950944a |
|
@ -11,13 +11,13 @@ for the TLS (formerly SSL), DTLS and QUIC (currently client side only)
|
|||
protocols.
|
||||
|
||||
The protocol implementations are based on a full-strength general purpose
|
||||
cryptographic library, which can also be used stand-alone. Also included is a
|
||||
cryptographic library, which can also be used standalone. Also included is a
|
||||
cryptographic module validated to conform with FIPS standards.
|
||||
|
||||
OpenSSL is descended from the SSLeay library developed by Eric A. Young
|
||||
and Tim J. Hudson.
|
||||
|
||||
The official Home Page of the OpenSSL Project is [www.openssl.org].
|
||||
The official Homepage of the OpenSSL Project is [www.openssl.org].
|
||||
|
||||
Table of Contents
|
||||
=================
|
||||
|
@ -46,7 +46,7 @@ The OpenSSL toolkit includes:
|
|||
basis of the TLS implementation, but can also be used independently.
|
||||
|
||||
- **openssl**
|
||||
the OpenSSL command line tool, a swiss army knife for cryptographic tasks,
|
||||
the OpenSSL command line tool, a Swiss Army knife for cryptographic tasks,
|
||||
testing and analyzing. It can be used for
|
||||
- creation of key parameters
|
||||
- creation of X.509 certificates, CSRs and CRLs
|
||||
|
@ -111,7 +111,7 @@ Build and Install
|
|||
|
||||
After obtaining the Source, have a look at the [INSTALL](INSTALL.md) file for
|
||||
detailed instructions about building and installing OpenSSL. For some
|
||||
platforms, the installation instructions are amended by a platform specific
|
||||
platforms, the installation instructions are amended by a platform-specific
|
||||
document.
|
||||
|
||||
* [Notes for UNIX-like platforms](NOTES-UNIX.md)
|
||||
|
|
|
@ -368,7 +368,6 @@ static CONF_MODULE *module_add(DSO *dso, const char *name,
|
|||
|
||||
err:
|
||||
ossl_rcu_write_unlock(module_list_lock);
|
||||
sk_CONF_MODULE_free(new_modules);
|
||||
if (tmod != NULL) {
|
||||
OPENSSL_free(tmod->name);
|
||||
OPENSSL_free(tmod);
|
||||
|
|
|
@ -230,7 +230,8 @@ HT *ossl_ht_new(HT_CONFIG *conf)
|
|||
err:
|
||||
CRYPTO_THREAD_lock_free(new->atomic_lock);
|
||||
ossl_rcu_lock_free(new->lock);
|
||||
OPENSSL_free(new->md->neighborhood_ptr_to_free);
|
||||
if (new->md != NULL)
|
||||
OPENSSL_free(new->md->neighborhood_ptr_to_free);
|
||||
OPENSSL_free(new->md);
|
||||
OPENSSL_free(new);
|
||||
return NULL;
|
||||
|
|
|
@ -111,14 +111,7 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
|
|||
{
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_STORE:
|
||||
/* If no URI is given, use the default cert dir as default URI */
|
||||
if (argp == NULL)
|
||||
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||
|
||||
if (argp == NULL)
|
||||
argp = X509_get_default_cert_dir();
|
||||
|
||||
{
|
||||
if (argp != NULL) {
|
||||
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
|
||||
char *data = OPENSSL_strdup(argp);
|
||||
|
||||
|
@ -131,12 +124,15 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
|
|||
}
|
||||
return sk_OPENSSL_STRING_push(uris, data) > 0;
|
||||
}
|
||||
/* NOP if no URI is given. */
|
||||
return 1;
|
||||
case X509_L_LOAD_STORE:
|
||||
/* This is a shortcut for quick loading of specific containers */
|
||||
return cache_objects(ctx, argp, NULL, 0, libctx, propq);
|
||||
default:
|
||||
/* Unsupported command */
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
|
||||
|
|
|
@ -30,6 +30,11 @@ int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
|
|||
lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_store());
|
||||
if (lookup == NULL)
|
||||
return 0;
|
||||
/*
|
||||
* The NULL URI argument will activate any default URIs (presently none),
|
||||
* DO NOT pass the default CApath or CAfile, they're already handled above,
|
||||
* likely much more efficiently.
|
||||
*/
|
||||
X509_LOOKUP_add_store_ex(lookup, NULL, libctx, propq);
|
||||
|
||||
/* clear any errors */
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>NSPrivacyAccessedAPITypes</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>NSPrivacyAccessedAPIType</key>
|
||||
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
|
||||
<key>NSPrivacyAccessedAPITypeReasons</key>
|
||||
<array>
|
||||
<string>C617.1</string>
|
||||
</array>
|
||||
</dict>
|
||||
</array>
|
||||
<key>NSPrivacyCollectedDataTypes</key>
|
||||
<array/>
|
||||
<key>NSPrivacyTrackingDomains</key>
|
||||
<array/>
|
||||
<key>NSPrivacyTracking</key>
|
||||
<false/>
|
||||
</dict>
|
||||
</plist>
|
|
@ -1914,10 +1914,13 @@ int tls_retry_write_records(OSSL_RECORD_LAYER *rl)
|
|||
else
|
||||
ret = OSSL_RECORD_RETURN_SUCCESS;
|
||||
} else {
|
||||
if (BIO_should_retry(rl->bio))
|
||||
if (BIO_should_retry(rl->bio)) {
|
||||
ret = OSSL_RECORD_RETURN_RETRY;
|
||||
else
|
||||
} else {
|
||||
ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
|
||||
"tls_retry_write_records failure");
|
||||
ret = OSSL_RECORD_RETURN_FATAL;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
|
||||
|
|
|
@ -2603,7 +2603,8 @@ ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags)
|
|||
BIO_set_retry_write(sc->wbio);
|
||||
else
|
||||
#endif
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
|
||||
ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
|
||||
"ktls_sendfile failure");
|
||||
return ret;
|
||||
}
|
||||
sc->rwstate = SSL_NOTHING;
|
||||
|
|
|
@ -979,8 +979,12 @@ EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
* Add the fixed PSK overhead, the identity length and the binder
|
||||
* length.
|
||||
*/
|
||||
int md_size = EVP_MD_get_size(md);
|
||||
|
||||
if (md_size <= 0)
|
||||
return EXT_RETURN_FAIL;
|
||||
hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
|
||||
+ EVP_MD_get_size(md);
|
||||
+ md_size;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1019,7 +1023,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
{
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
uint32_t agesec, agems = 0;
|
||||
size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
|
||||
size_t binderoffset, msglen;
|
||||
int reshashsize = 0, pskhashsize = 0;
|
||||
unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
|
||||
const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
|
||||
int dores = 0;
|
||||
|
@ -1115,6 +1120,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
agems += s->session->ext.tick_age_add;
|
||||
|
||||
reshashsize = EVP_MD_get_size(mdres);
|
||||
if (reshashsize <= 0)
|
||||
goto dopsksess;
|
||||
s->ext.tick_identity++;
|
||||
dores = 1;
|
||||
}
|
||||
|
@ -1144,6 +1151,10 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
}
|
||||
|
||||
pskhashsize = EVP_MD_get_size(mdpsk);
|
||||
if (pskhashsize <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
|
||||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
}
|
||||
|
||||
/* Create the extension, but skip over the binder for now */
|
||||
|
|
|
@ -1020,7 +1020,8 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
|||
X509 *x, size_t chainidx)
|
||||
{
|
||||
PACKET identities, binders, binder;
|
||||
size_t binderoffset, hashsize;
|
||||
size_t binderoffset;
|
||||
int hashsize;
|
||||
SSL_SESSION *sess = NULL;
|
||||
unsigned int id, i, ext = 0;
|
||||
const EVP_MD *md = NULL;
|
||||
|
@ -1221,6 +1222,8 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
|||
|
||||
binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
|
||||
hashsize = EVP_MD_get_size(md);
|
||||
if (hashsize <= 0)
|
||||
goto err;
|
||||
|
||||
if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
|
@ -1234,7 +1237,7 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
|||
}
|
||||
}
|
||||
|
||||
if (PACKET_remaining(&binder) != hashsize) {
|
||||
if (PACKET_remaining(&binder) != (size_t)hashsize) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
goto err;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue