import mingw-openssl-1.0.2k-2.el8
This commit is contained in:
parent
2a905808d2
commit
2432dae79c
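--- a/PATCH_FILE_1_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,174 +0,0 @@
-diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
---- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
-@@ -60,6 +60,8 @@
-#include <dlfcn.h>
-#include <stdio.h>
-#include <stdlib.h>
-+#include <unistd.h>
-+#include <errno.h>
-#include "fips_locl.h"
-
-#ifdef OPENSSL_FIPS
-@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
-}
-
-# define HMAC_PREFIX "."
--# define HMAC_SUFFIX ".hmac"
-+# ifndef HMAC_SUFFIX
-+# define HMAC_SUFFIX ".hmac"
-+# endif
-# define READ_BUFFER_LENGTH 16384
-
-static char *make_hmac_path(const char *origpath)
-@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
-return rv;
-}
-
--static int FIPSCHECK_verify(const char *libname, const char *symbolname)
-+static int FIPSCHECK_verify(const char *path)
-{
-- char path[PATH_MAX + 1];
-- int rv;
-+ int rv = 0;
-FILE *hf;
-char *hmacpath, *p;
-char *hmac = NULL;
-size_t n;
-
-- rv = get_library_path(libname, symbolname, path, sizeof(path));
--
-- if (rv < 0)
-- return 0;
--
-hmacpath = make_hmac_path(path);
-if (hmacpath == NULL)
-return 0;
-@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
-return 1;
-}
-
-+static int verify_checksums(void)
-+{
-+ int rv;
-+ char path[PATH_MAX + 1];
-+ char *p;
-+
-+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
-+ are in the same directory */
-+
-+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
-+ "FIPS_mode_set", path, sizeof(path));
-+ if (rv < 0)
-+ return 0;
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+
-+ /* replace libcrypto with libssl */
-+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
-+ p = stpcpy(p, "libssl");
-+ memmove(p, p + 3, strlen(p + 2));
-+ }
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+ return 1;
-+}
-+
-+# ifndef FIPS_MODULE_PATH
-+# define FIPS_MODULE_PATH "/etc/system-fips"
-+# endif
-+
-+int FIPS_module_installed(void)
-+{
-+ int rv;
-+ rv = access(FIPS_MODULE_PATH, F_OK);
-+ if (rv < 0 && errno != ENOENT)
-+ rv = 0;
-+
-+ /* Installed == true */
-+ return !rv;
-+}
-+
-int FIPS_module_mode_set(int onoff, const char *auth)
-{
-int ret = 0;
-@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
-}
-# endif
-
-- if (!FIPSCHECK_verify
-- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-- fips_selftest_fail = 1;
-- ret = 0;
-- goto end;
-- }
--
-- if (!FIPSCHECK_verify
-- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
-+ if (!verify_checksums()) {
-FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-fips_selftest_fail = 1;
-diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
---- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
-@@ -74,6 +74,7 @@ extern "C" {
-
-int FIPS_module_mode_set(int onoff, const char *auth);
-int FIPS_module_mode(void);
-+ int FIPS_module_installed(void);
-const void *FIPS_rand_check(void);
-int FIPS_selftest(void);
-int FIPS_selftest_failed(void);
-diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
---- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
-+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
-@@ -74,6 +74,9 @@ static void init_fips_mode(void)
-char buf[2] = "0";
-int fd;
-
-+ /* Ensure the selftests always run */
-+ FIPS_mode_set(1);
-+
-if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
-buf[0] = '1';
-} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
-@@ -85,8 +88,12 @@ static void init_fips_mode(void)
-* otherwise..
-*/
-
-- if (buf[0] == '1') {
-- FIPS_mode_set(1);
-+ if (buf[0] != '1') {
-+ /* drop down to non-FIPS mode if it is not requested */
-+ FIPS_mode_set(0);
-+ } else {
-+ /* abort if selftest failed */
-+ FIPS_selftest_check();
-}
-}
-#endif
-@@ -96,13 +103,16 @@ static void init_fips_mode(void)
-* sets FIPS callbacks
-*/
-
--void OPENSSL_init_library(void)
-+void __attribute__ ((constructor)) OPENSSL_init_library(void)
-{
-static int done = 0;
-if (done)
-return;
-done = 1;
-#ifdef OPENSSL_FIPS
-+ if (!FIPS_module_installed()) {
-+ return;
-+ }
-RAND_init_fips();
-init_fips_mode();
-if (!FIPS_mode()) {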
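--- a/PATCH_FILE_2_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,525 +0,0 @@
-diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
---- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
-+++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
-@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
-#define PORT_STR "4433"
-#define PROTOCOL "tcp"
-
--int do_server(int port, int type, int *ret,
-+int do_server(char *port, int type, int *ret,
-int (*cb) (char *hostname, int s, int stype,
-unsigned char *context), unsigned char *context,
-int naccept);
-@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
-int ssl_print_curves(BIO *out, SSL *s, int noshared);
-#endif
-int ssl_print_tmp_key(BIO *out, SSL *s);
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
-int should_retry(int i);
-int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *p);
-+int extract_host_port(char *str, char **host_ptr, char **port_ptr);
-
-long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
-int argi, long argl, long ret);
-diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
---- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
-+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
-@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
-int cbuf_len, cbuf_off;
-int sbuf_len, sbuf_off;
-fd_set readfds, writefds;
-- short port = PORT;
-+ char *port_str = PORT_STR;
-int full_log = 1;
-char *host = SSL_HOST_NAME;
-char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
-@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
-} else if (strcmp(*argv, "-port") == 0) {
-if (--argc < 1)
-goto bad;
-- port = atoi(*(++argv));
-- if (port == 0)
-- goto bad;
-+ port_str = *(++argv);
-} else if (strcmp(*argv, "-connect") == 0) {
-if (--argc < 1)
-goto bad;
-- if (!extract_host_port(*(++argv), &host, NULL, &port))
-+ if (!extract_host_port(*(++argv), &host, &port_str))
-goto bad;
-} else if (strcmp(*argv, "-verify") == 0) {
-verify = SSL_VERIFY_PEER;
-@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
-
-re_start:
-
-- if (init_client(&s, host, port, socket_type) == 0) {
-+ if (init_client(&s, host, port_str, socket_type) == 0) {
-BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
-SHUTDOWN(s);
-goto end;
-diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
---- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
-+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
-@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
-{
-X509_VERIFY_PARAM *vpm = NULL;
-int badarg = 0;
-- short port = PORT;
-+ char *port_str = PORT_STR;
-char *CApath = NULL, *CAfile = NULL;
-char *chCApath = NULL, *chCAfile = NULL;
-char *vfyCApath = NULL, *vfyCAfile = NULL;
-@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
-if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
-if (--argc < 1)
-goto bad;
-- if (!extract_port(*(++argv), &port))
-+ port_str = *(++argv);
-+ if (port_str == NULL || *port_str == '\0')
-goto bad;
-} else if (strcmp(*argv, "-naccept") == 0) {
-if (--argc < 1)
-@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
-BIO_printf(bio_s_out, "ACCEPT\n");
-(void)BIO_flush(bio_s_out);
-if (rev)
-- do_server(port, socket_type, &accept_socket, rev_body, context,
-+ do_server(port_str, socket_type, &accept_socket, rev_body, context,
-naccept);
-else if (www)
-- do_server(port, socket_type, &accept_socket, www_body, context,
-+ do_server(port_str, socket_type, &accept_socket, www_body, context,
-naccept);
-else
-- do_server(port, socket_type, &accept_socket, sv_body, context,
-+ do_server(port_str, socket_type, &accept_socket, sv_body, context,
-naccept);
-print_stats(bio_s_out, ctx);
-ret = 0;
-diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
---- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
-@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
-static void ssl_sock_cleanup(void);
-# endif
-static int ssl_sock_init(void);
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port, char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
-static int do_accept(int acc_sock, int *sock, char **host);
-static int host_ip(char *str, unsigned char ip[4]);
-
-@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
-return (1);
-}
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
-{
-- unsigned char ip[4];
--
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host, &(ip[0])))
-- return 0;
-- return init_client_ip(sock, ip, port, type);
--}
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
--{
-- unsigned long addr;
-- struct sockaddr_in them;
-- int s, i;
-+ struct addrinfo *res, *res0, hints;
-+ char *failed_call = NULL;
-+ int s;
-+ int e;
-
-if (!ssl_sock_init())
-return (0);
-
-- memset((char *)&them, 0, sizeof(them));
-- them.sin_family = AF_INET;
-- them.sin_port = htons((unsigned short)port);
-- addr = (unsigned long)
-- ((unsigned long)ip[0] << 24L) |
-- ((unsigned long)ip[1] << 16L) |
-- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
-- them.sin_addr.s_addr = htonl(addr);
--
-- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-- else /* ( type == SOCK_DGRAM) */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
--
-- if (s == INVALID_SOCKET) {
-- perror("socket");
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_ADDRCONFIG;
-+
-+ e = getaddrinfo(host, port, &hints, &res);
-+ if (e) {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-return (0);
-}
-+
-+ res0 = res;
-+ while (res) {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET) {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
-# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
-- if (type == SOCK_STREAM) {
-- i = 0;
-- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
-- if (i < 0) {
-- closesocket(s);
-- perror("keepalive");
-- return (0);
-+ if (type == SOCK_STREAM) {
-+ int i = 0;
-+ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
-+ (char *)&i, sizeof(i));
-+ if (i < 0) {
-+ failed_call = "keepalive";
-+ goto nextres;
-+ }
-}
-- }
-# endif
--
-- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-- closesocket(s);
-- perror("connect");
-- return (0);
-+ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
-+ freeaddrinfo(res0);
-+ *sock = s;
-+ return (1);
-+ }
-+
-+ failed_call = "socket";
-+ nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
-}
-- *sock = s;
-- return (1);
-+ freeaddrinfo(res0);
-+ closesocket(s);
-+
-+ perror(failed_call);
-+ return (0);
-}
-
--int do_server(int port, int type, int *ret,
-+int do_server(char *port, int type, int *ret,
-int (*cb) (char *hostname, int s, int stype,
-unsigned char *context), unsigned char *context,
-int naccept)
-@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
-}
-}
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server(int *sock, char *port, int type)
-{
-- int ret = 0;
-- struct sockaddr_in server;
-- int s = -1;
-+ struct addrinfo *res, *res0 = NULL, hints;
-+ char *failed_call = NULL;
-+ int s = INVALID_SOCKET;
-+ int e;
-
-if (!ssl_sock_init())
-return (0);
-
-- memset((char *)&server, 0, sizeof(server));
-- server.sin_family = AF_INET;
-- server.sin_port = htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr = INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--# ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr, ip, 4);
--# else
-- memcpy(&server.sin_addr, ip, 4);
--# endif
--
-- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-- else /* type == SOCK_DGRAM */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_family = AF_INET6;
-+ tryipv4:
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_PASSIVE;
-+
-+ e = getaddrinfo(NULL, port, &hints, &res);
-+ if (e) {
-+ if (hints.ai_family == AF_INET) {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ } else
-+ res = NULL;
-+ }
-
-- if (s == INVALID_SOCKET)
-- goto err;
-+ res0 = res;
-+ while (res) {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET) {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
-+ if (hints.ai_family == AF_INET6) {
-+ int j = 0;
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
-+ }
-# if defined SOL_SOCKET && defined SO_REUSEADDR
-- {
-- int j = 1;
-- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
-- }
--# endif
-- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
--# ifndef OPENSSL_SYS_WINDOWS
-- perror("bind");
-+ {
-+ int j = 1;
-+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
-+ }
-# endif
-- goto err;
-+
-+ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
-+ failed_call = "bind";
-+ goto nextres;
-+ }
-+ if (type == SOCK_STREAM && listen(s, 128) == -1) {
-+ failed_call = "listen";
-+ goto nextres;
-+ }
-+
-+ *sock = s;
-+ return (1);
-+
-+ nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
-}
-- /* Make it 128 for linux */
-- if (type == SOCK_STREAM && listen(s, 128) == -1)
-- goto err;
-- *sock = s;
-- ret = 1;
-- err:
-- if ((ret == 0) && (s != -1)) {
-- SHUTDOWN(s);
-+ if (res0)
-+ freeaddrinfo(res0);
-+
-+ if (s == INVALID_SOCKET) {
-+ if (hints.ai_family == AF_INET6) {
-+ hints.ai_family = AF_INET;
-+ goto tryipv4;
-+ }
-+ perror("socket");
-+ return (0);
-}
-- return (ret);
--}
-
--static int init_server(int *sock, int port, int type)
--{
-- return (init_server_long(sock, port, NULL, type));
-+ perror(failed_call);
-+ return (0);
-}
-
-static int do_accept(int acc_sock, int *sock, char **host)
-{
-+ static struct sockaddr_storage from;
-+ char buffer[NI_MAXHOST];
-int ret;
-- struct hostent *h1, *h2;
-- static struct sockaddr_in from;
-int len;
-/* struct linger ling; */
-
-@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
-ling.l_onoff=1;
-ling.l_linger=0;
-i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
-- if (i < 0) { perror("linger"); return(0); }
-+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
-i=0;
-i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { perror("keepalive"); return(0); }
-+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
-*/
-
-if (host == NULL)
-goto end;
--# ifndef BIT_FIELD_LIMITS
-- /* I should use WSAAsyncGetHostByName() under windows */
-- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr), AF_INET);
--# else
-- h1 = gethostbyaddr((char *)&from.sin_addr,
-- sizeof(struct in_addr), AF_INET);
--# endif
-- if (h1 == NULL) {
-- BIO_printf(bio_err, "bad gethostbyaddr\n");
-+
-+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
-+ buffer, sizeof(buffer), NULL, 0, 0)) {
-+ BIO_printf(bio_err, "getnameinfo failed\n");
-*host = NULL;
-/* return(0); */
-} else {
-- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
-+ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
-perror("OPENSSL_malloc");
-closesocket(ret);
-return (0);
-}
-- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
--
-- h2 = GetHostByName(*host);
-- if (h2 == NULL) {
-- BIO_printf(bio_err, "gethostbyname failure\n");
-- closesocket(ret);
-- return (0);
-- }
-- if (h2->h_addrtype != AF_INET) {
-- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-- closesocket(ret);
-- return (0);
-- }
-+ strcpy(*host, buffer);
-}
-end:
-*sock = ret;
-return (1);
-}
-
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *port_ptr)
-+int extract_host_port(char *str, char **host_ptr, char **port_ptr)
-{
-- char *h, *p;
-+ char *h, *p, *x;
-
-- h = str;
-- p = strchr(str, ':');
-+ x = h = str;
-+ if (*h == '[') {
-+ h++;
-+ p = strchr(h, ']');
-+ if (p == NULL) {
-+ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
-+ return (0);
-+ }
-+ *(p++) = '\0';
-+ x = p;
-+ }
-+ p = strchr(x, ':');
-if (p == NULL) {
-BIO_printf(bio_err, "no port defined\n");
-return (0);
-}
-*(p++) = '\0';
-
-- if ((ip != NULL) && !host_ip(str, ip))
-- goto err;
-if (host_ptr != NULL)
-*host_ptr = h;
-+ if (port_ptr != NULL)
-+ *port_ptr = p;
-
-- if (!extract_port(p, port_ptr))
-- goto err;
-- return (1);
-- err:
-- return (0);
--}
--
--static int host_ip(char *str, unsigned char ip[4])
--{
-- unsigned int in[4];
-- int i;
--
-- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
-- 4) {
-- for (i = 0; i < 4; i++)
-- if (in[i] > 255) {
-- BIO_printf(bio_err, "invalid IP address\n");
-- goto err;
-- }
-- ip[0] = in[0];
-- ip[1] = in[1];
-- ip[2] = in[2];
-- ip[3] = in[3];
-- } else { /* do a gethostbyname */
-- struct hostent *he;
--
-- if (!ssl_sock_init())
-- return (0);
--
-- he = GetHostByName(str);
-- if (he == NULL) {
-- BIO_printf(bio_err, "gethostbyname failure\n");
-- goto err;
-- }
-- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET) {
-- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-- return (0);
-- }
-- ip[0] = he->h_addr_list[0][0];
-- ip[1] = he->h_addr_list[0][1];
-- ip[2] = he->h_addr_list[0][2];
-- ip[3] = he->h_addr_list[0][3];
-- }
-- return (1);
-- err:
-- return (0);
--}
--
--int extract_port(char *str, short *port_ptr)
--{
-- int i;
-- struct servent *s;
--
-- i = atoi(str);
-- if (i != 0)
-- *port_ptr = (unsigned short)i;
-- else {
-- s = getservbyname(str, "tcp");
-- if (s == NULL) {
-- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
-- return (0);
-- }
-- *port_ptr = ntohs((unsigned short)s->s_port);
-- }
-return (1);
-}
-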
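--- a/PATCH_FILE_3_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,35 +0,0 @@
-diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
---- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
-+++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
-@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
-int ret = 1;
-int i, num = DEFBITS;
-long l;
-+ int use_x931 = 0;
-const EVP_CIPHER *enc = NULL;
-unsigned long f4 = RSA_F4;
-char *outfile = NULL;
-@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
-f4 = 3;
-else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
-f4 = RSA_F4;
-+ else if (strcmp(*argv, "-x931") == 0)
-+ use_x931 = 1;
-# ifndef OPENSSL_NO_ENGINE
-else if (strcmp(*argv, "-engine") == 0) {
-if (--argc < 1)
-@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
-if (!rsa)
-goto err;
-
-- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
-+ if (use_x931) {
-+ if (!BN_set_word(bn, f4))
-+ goto err;
-+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
-+ goto err;
-+ } else if (!BN_set_word(bn, f4)
-+ || !RSA_generate_key_ex(rsa, num, bn, &cb))
-goto err;
-
-app_RAND_write_file(NULL, bio_err);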
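--- a/PATCH_FILE_4_PATH_NOT_SHOWN
+++ /dev/null
@@ -1,83 +0,0 @@
-diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
---- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
-@@ -62,7 +62,7 @@
-# include "buildinf.h"
-#endif
-
--const char *SSLeay_version(int t)
-+const char *_current_SSLeay_version(int t)
-{
-if (t == SSLEAY_VERSION)
-return OPENSSL_VERSION_TEXT;
-@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
-return ("not available");
-}
-
--unsigned long SSLeay(void)
-+const char *_original_SSLeay_version(int t)
-+{
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
-+ else
-+ return _current_SSLeay_version(t);
-+}
-+
-+const char *_original101_SSLeay_version(int t)
-+{
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
-+ else
-+ return _current_SSLeay_version(t);
-+}
-+
-+unsigned long _original_SSLeay(void)
-+{
-+ return (0x10000003L);
-+}
-+
-+unsigned long _original101_SSLeay(void)
-+{
-+ return (0x1000105fL);
-+}
-+
-+unsigned long _current_SSLeay(void)
-{
-return (SSLEAY_VERSION_NUMBER);
-}
-+
-+__asm__(".symver _original_SSLeay,SSLeay@");
-+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
-+__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
-+__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
-+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
-+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
-diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
---- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
-+++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
-@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
-SHLIB_SUFFIX=; \
-ALLSYMSFLAGS='-Wl,--whole-archive'; \
-NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
-DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
-diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
---- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
-+++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
-@@ -0,0 +1,13 @@
-+OPENSSL_1.0.1 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+ local:
-+ _original*;
-+ _current*;
-+};
-+OPENSSL_1.0.2 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+} OPENSSL_1.0.1;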
@ -1,241 +0,0 @@
diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
@@ -63,6 +63,8 @@
# define NDEBUG
#endif
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <assert.h>
#include <stdlib.h>
#include <string.h>
@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
if (v != NULL)
return (v->value);
if (strcmp(section, "ENV") == 0) {
- p = getenv(name);
+ p = secure_getenv(name);
if (p != NULL)
return (p);
}
@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
else
return (NULL);
} else
- return (getenv(name));
+ return (secure_getenv(name));
}
#if 0 /* There's no way to provide error checking
diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
@@ -57,6 +57,8 @@
*
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <ctype.h>
#include <openssl/crypto.h>
@@ -530,7 +532,7 @@ char *CONF_get1_default_config_file(void
char *file;
int len;
- file = getenv("OPENSSL_CONF");
+ file = secure_getenv("OPENSSL_CONF");
if (file)
return BUF_strdup(file);
diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
@@ -62,6 +62,8 @@
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "eng_int.h"
/*
@@ -369,10 +371,10 @@ ENGINE *ENGINE_by_id(const char *id)
*/
if (strcmp(id, "dynamic")) {
# ifdef OPENSSL_SYS_VMS
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
load_dir = "SSLROOT:[ENGINES]";
# else
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
load_dir = ENGINESDIR;
# endif
iterator = ENGINE_by_id("dynamic");
diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
+++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include "md5_locl.h"
#include <openssl/opensslv.h>
@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
int MD5_Init(MD5_CTX *c)
#ifdef OPENSSL_FIPS
{
- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ if (FIPS_mode()
+ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c);
}
diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
+++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
@@ -53,6 +53,8 @@
*
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <e_os.h>
|
||||
#include <openssl/err.h>
|
||||
#ifdef OPENSSL_FIPS
|
||||
@@ -72,7 +74,7 @@ static void init_fips_mode(void)
|
||||
char buf[2] = "0";
|
||||
int fd;
|
||||
|
||||
- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
buf[0] = '1';
|
||||
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
|
||||
--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
|
||||
@@ -55,6 +55,8 @@
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
@@ -327,14 +329,12 @@ const char *RAND_file_name(char *buf, si
|
||||
struct stat sb;
|
||||
#endif
|
||||
|
||||
- if (OPENSSL_issetugid() == 0)
|
||||
- s = getenv("RANDFILE");
|
||||
+ s = secure_getenv("RANDFILE");
|
||||
if (s != NULL && *s && strlen(s) + 1 < size) {
|
||||
if (BUF_strlcpy(buf, s, size) >= size)
|
||||
return NULL;
|
||||
} else {
|
||||
- if (OPENSSL_issetugid() == 0)
|
||||
- s = getenv("HOME");
|
||||
+ s = secure_getenv("HOME");
|
||||
#ifdef DEFAULT_HOME
|
||||
if (s == NULL) {
|
||||
s = DEFAULT_HOME;
|
||||
diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
|
||||
--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_DIR:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- dir = (char *)getenv(X509_get_default_cert_dir_env());
|
||||
+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
|
||||
if (dir)
|
||||
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
else
|
||||
diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
|
||||
--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
|
||||
+++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
|
||||
switch (cmd) {
|
||||
case X509_L_FILE_LOAD:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- file = (char *)getenv(X509_get_default_cert_file_env());
|
||||
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
|
||||
if (file)
|
||||
ok = (X509_load_cert_crl_file(ctx, file,
|
||||
X509_FILETYPE_PEM) != 0);
|
||||
diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@@ -620,7 +622,7 @@ static int check_chain_extensions(X509_S
|
||||
* A hack to keep people who don't want to modify their software
|
||||
* happy
|
||||
*/
|
||||
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
||||
+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
||||
allow_proxy_certs = 1;
|
||||
purpose = ctx->param->purpose;
|
||||
}
|
||||
diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
|
||||
--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
|
||||
@@ -6,6 +6,8 @@
|
||||
* Implementation of control commands for GOST engine *
|
||||
* OpenSSL 0.9.9 libraries required *
|
||||
**********************************************************************/
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/crypto.h>
|
||||
@@ -64,7 +66,7 @@ const char *get_gost_engine_param(int pa
|
||||
if (gost_params[param] != NULL) {
|
||||
return gost_params[param];
|
||||
}
|
||||
- tmp = getenv(gost_envnames[param]);
|
||||
+ tmp = secure_getenv(gost_envnames[param]);
|
||||
if (tmp) {
|
||||
if (gost_params[param])
|
||||
OPENSSL_free(gost_params[param]);
|
||||
@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
|
||||
const char *tmp;
|
||||
if (param < 0 || param > GOST_PARAM_MAX)
|
||||
return 0;
|
||||
- tmp = getenv(gost_envnames[param]);
|
||||
+ tmp = secure_getenv(gost_envnames[param]);
|
||||
/*
|
||||
* if there is value in the environment, use it, else -passed string *
|
||||
*/
|
@ -1,65 +0,0 @@
|
||||
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
|
||||
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
|
||||
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-16 09:16:06.188098078 +0100
|
||||
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
||||
return drbg_reseed(dctx, adin, adinlen, 1);
|
||||
}
|
||||
|
||||
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
|
||||
+{
|
||||
+ if (dctx->status == DRBG_STATUS_READY)
|
||||
+ dctx->reseed_counter = dctx->reseed_interval;
|
||||
+}
|
||||
+
|
||||
static int fips_drbg_check(DRBG_CTX *dctx)
|
||||
{
|
||||
if (dctx->xflags & DRBG_FLAG_TEST)
|
||||
diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/crypto/fips/fips_rand.h
|
||||
--- openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock 2017-03-09 17:59:26.252231250 +0100
|
||||
+++ openssl-1.0.2k/crypto/fips/fips_rand.h 2017-11-07 10:06:40.241450151 +0100
|
||||
@@ -86,6 +86,7 @@ extern "C" {
|
||||
const unsigned char *pers, size_t perslen);
|
||||
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
|
||||
size_t adinlen);
|
||||
+ void FIPS_drbg_set_reseed(DRBG_CTX *dctx);
|
||||
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin, size_t adinlen);
|
||||
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
|
||||
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
|
||||
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-12-06 09:20:23.615879425 +0100
|
||||
@@ -391,10 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
||||
crypto_lock_rand = 1;
|
||||
|
||||
- /* always poll for external entropy in FIPS mode, drbg provides the
|
||||
- * expansion
|
||||
+ /* always poll for external entropy in FIPS mode, if run as seed
|
||||
+ * source, drbg provides the expansion
|
||||
*/
|
||||
- if (!initialized || FIPS_module_mode()) {
|
||||
+ if (!initialized || (!lock && FIPS_module_mode())) {
|
||||
RAND_poll();
|
||||
initialized = 1;
|
||||
}
|
||||
diff -up openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock openssl-1.0.2k/crypto/rand/rand_lib.c
|
||||
--- openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock 2017-03-09 17:59:26.292232183 +0100
|
||||
+++ openssl-1.0.2k/crypto/rand/rand_lib.c 2017-11-07 10:20:08.050403861 +0100
|
||||
@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
|
||||
RAND_SSLeay()->add(in, inlen, entropy);
|
||||
if (FIPS_rand_status()) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
- FIPS_drbg_reseed(ctx, NULL, 0);
|
||||
+ FIPS_drbg_set_reseed(ctx);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
}
|
||||
return 1;
|
||||
@@ -249,7 +249,7 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
|
||||
RAND_SSLeay()->seed(in, inlen);
|
||||
if (FIPS_rand_status()) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
- FIPS_drbg_reseed(ctx, NULL, 0);
|
||||
+ FIPS_drbg_set_reseed(ctx);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
}
|
||||
return 1;
|
@ -1,604 +0,0 @@
|
||||
diff -up openssl-1.0.2k/apps/apps.c.starttls openssl-1.0.2k/apps/apps.c
|
||||
--- openssl-1.0.2k/apps/apps.c.starttls 2017-01-26 14:22:03.000000000 +0100
|
||||
+++ openssl-1.0.2k/apps/apps.c 2017-03-09 17:35:35.519765927 +0100
|
||||
@@ -3277,3 +3277,11 @@ int raw_write_stdout(const void *buf, in
|
||||
return write(fileno_stdout(), buf, siz);
|
||||
}
|
||||
#endif
|
||||
+
|
||||
+void make_uppercase(char *string)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; string[i] != '\0'; i++)
|
||||
+ string[i] = toupper((unsigned char)string[i]);
|
||||
+}
|
||||
diff -up openssl-1.0.2k/apps/apps.h.starttls openssl-1.0.2k/apps/apps.h
|
||||
--- openssl-1.0.2k/apps/apps.h.starttls 2017-03-09 17:35:28.632604234 +0100
|
||||
+++ openssl-1.0.2k/apps/apps.h 2017-03-09 17:35:35.520765950 +0100
|
||||
@@ -384,6 +384,8 @@ int raw_write_stdout(const void *, int);
|
||||
# define TM_STOP 1
|
||||
double app_tminterval(int stop, int usertime);
|
||||
|
||||
+void make_uppercase(char *string);
|
||||
+
|
||||
# define OPENSSL_NO_SSL_INTERN
|
||||
|
||||
#endif
|
||||
diff -up openssl-1.0.2k/apps/s_client.c.starttls openssl-1.0.2k/apps/s_client.c
|
||||
--- openssl-1.0.2k/apps/s_client.c.starttls 2017-03-09 17:35:28.684605455 +0100
|
||||
+++ openssl-1.0.2k/apps/s_client.c 2017-03-09 17:52:59.153207946 +0100
|
||||
@@ -134,7 +134,8 @@
|
||||
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
|
||||
* OTHERWISE.
|
||||
*/
|
||||
-
|
||||
+/* for strcasestr */
|
||||
+#define _GNU_SOURCE
|
||||
#include <assert.h>
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
@@ -202,6 +203,7 @@ static char *krb5svc = NULL;
|
||||
|
||||
#undef BUFSIZZ
|
||||
#define BUFSIZZ 1024*8
|
||||
+#define S_CLIENT_IRC_READ_TIMEOUT 8
|
||||
|
||||
extern int verify_depth;
|
||||
extern int verify_error;
|
||||
@@ -228,6 +230,7 @@ static void print_stuff(BIO *berr, SSL *
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
static int ocsp_resp_cb(SSL *s, void *arg);
|
||||
#endif
|
||||
+static int ldap_ExtendedResponse_parse(const char *buf, long rem);
|
||||
static BIO *bio_c_out = NULL;
|
||||
static BIO *bio_c_msg = NULL;
|
||||
static int c_quiet = 0;
|
||||
@@ -402,8 +405,14 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err,
|
||||
" 'prot' defines which one to assume. Currently,\n");
|
||||
BIO_printf(bio_err,
|
||||
- " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
|
||||
- BIO_printf(bio_err, " are supported.\n");
|
||||
+ " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\",\n");
|
||||
+ BIO_printf(bio_err,
|
||||
+ " \"xmpp-server\", \"irc\", \"postgres\", \"lmtp\", \"nntp\",\n");
|
||||
+ BIO_printf(bio_err, " \"sieve\" and \"ldap\" are supported.\n");
|
||||
+ BIO_printf(bio_err,
|
||||
+ " -xmpphost host - Host to use with \"-starttls xmpp[-server]\"\n");
|
||||
+ BIO_printf(bio_err,
|
||||
+ " -name host - Hostname to use for \"-starttls lmtp\" or \"-starttls smtp\"\n");
|
||||
#ifndef OPENSSL_NO_KRB5
|
||||
BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
|
||||
#endif
|
||||
@@ -657,7 +666,15 @@ enum {
|
||||
PROTO_POP3,
|
||||
PROTO_IMAP,
|
||||
PROTO_FTP,
|
||||
- PROTO_XMPP
|
||||
+ PROTO_TELNET,
|
||||
+ PROTO_XMPP,
|
||||
+ PROTO_XMPP_SERVER,
|
||||
+ PROTO_IRC,
|
||||
+ PROTO_POSTGRES,
|
||||
+ PROTO_LMTP,
|
||||
+ PROTO_NNTP,
|
||||
+ PROTO_SIEVE,
|
||||
+ PROTO_LDAP
|
||||
};
|
||||
|
||||
int MAIN(int, char **);
|
||||
@@ -726,6 +743,8 @@ int MAIN(int argc, char **argv)
|
||||
#endif
|
||||
char *sess_in = NULL;
|
||||
char *sess_out = NULL;
|
||||
+ char *xmpphost = NULL;
|
||||
+ const char *ehlo = "openssl.client.net";
|
||||
struct sockaddr peer;
|
||||
int peerlen = sizeof(peer);
|
||||
int fallback_scsv = 0;
|
||||
@@ -1097,8 +1116,32 @@ int MAIN(int argc, char **argv)
|
||||
starttls_proto = PROTO_FTP;
|
||||
else if (strcmp(*argv, "xmpp") == 0)
|
||||
starttls_proto = PROTO_XMPP;
|
||||
+ else if (strcmp(*argv, "xmpp-server") == 0)
|
||||
+ starttls_proto = PROTO_XMPP_SERVER;
|
||||
+ else if (strcmp(*argv, "telnet") == 0)
|
||||
+ starttls_proto = PROTO_TELNET;
|
||||
+ else if (strcmp(*argv, "irc") == 0)
|
||||
+ starttls_proto = PROTO_IRC;
|
||||
+ else if (strcmp(*argv, "postgres") == 0)
|
||||
+ starttls_proto = PROTO_POSTGRES;
|
||||
+ else if (strcmp(*argv, "lmtp") == 0)
|
||||
+ starttls_proto = PROTO_LMTP;
|
||||
+ else if (strcmp(*argv, "nntp") == 0)
|
||||
+ starttls_proto = PROTO_NNTP;
|
||||
+ else if (strcmp(*argv, "sieve") == 0)
|
||||
+ starttls_proto = PROTO_SIEVE;
|
||||
+ else if (strcmp(*argv, "ldap") == 0)
|
||||
+ starttls_proto = PROTO_LDAP;
|
||||
else
|
||||
goto bad;
|
||||
+ } else if (strcmp(*argv, "-xmpphost") == 0) {
|
||||
+ if (--argc < 1)
|
||||
+ goto bad;
|
||||
+ xmpphost = *(++argv);
|
||||
+ } else if (strcmp(*argv, "-name") == 0) {
|
||||
+ if (--argc < 1)
|
||||
+ goto bad;
|
||||
+ ehlo = *(++argv);
|
||||
}
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
else if (strcmp(*argv, "-engine") == 0) {
|
||||
@@ -1599,19 +1642,24 @@ int MAIN(int argc, char **argv)
|
||||
* BIO into the chain that is removed again later on to not disturb the
|
||||
* rest of the s_client operation.
|
||||
*/
|
||||
- if (starttls_proto == PROTO_SMTP) {
|
||||
+ if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
|
||||
int foundit = 0;
|
||||
BIO *fbio = BIO_new(BIO_f_buffer());
|
||||
BIO_push(fbio, sbio);
|
||||
- /* wait for multi-line response to end from SMTP */
|
||||
+ /* Wait for multi-line response to end from LMTP or SMTP */
|
||||
do {
|
||||
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
}
|
||||
while (mbuf_len > 3 && mbuf[3] == '-');
|
||||
- /* STARTTLS command requires EHLO... */
|
||||
- BIO_printf(fbio, "EHLO openssl.client.net\r\n");
|
||||
+ if (starttls_proto == PROTO_LMTP)
|
||||
+ BIO_printf(fbio, "LHLO %s\r\n", ehlo);
|
||||
+ else
|
||||
+ BIO_printf(fbio, "EHLO %s\r\n", ehlo);
|
||||
(void)BIO_flush(fbio);
|
||||
- /* wait for multi-line response to end EHLO SMTP response */
|
||||
+ /*
|
||||
+ * Wait for multi-line response to end LHLO LMTP or EHLO SMTP
|
||||
+ * response.
|
||||
+ */
|
||||
do {
|
||||
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
if (strstr(mbuf, "STARTTLS"))
|
||||
@@ -1630,10 +1678,15 @@ int MAIN(int argc, char **argv)
|
||||
} else if (starttls_proto == PROTO_POP3) {
|
||||
BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
BIO_printf(sbio, "STLS\r\n");
|
||||
- BIO_read(sbio, sbuf, BUFSIZZ);
|
||||
+ mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ);
|
||||
+ if (mbuf_len < 0) {
|
||||
+ BIO_printf(bio_err, "BIO_read failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
} else if (starttls_proto == PROTO_IMAP) {
|
||||
int foundit = 0;
|
||||
BIO *fbio = BIO_new(BIO_f_buffer());
|
||||
+
|
||||
BIO_push(fbio, sbio);
|
||||
BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
/* STARTTLS command requires CAPABILITY... */
|
||||
@@ -1669,27 +1722,287 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf(sbio, "AUTH TLS\r\n");
|
||||
BIO_read(sbio, sbuf, BUFSIZZ);
|
||||
}
|
||||
- if (starttls_proto == PROTO_XMPP) {
|
||||
+ else if (starttls_proto == PROTO_XMPP || starttls_proto == PROTO_XMPP_SERVER) {
|
||||
int seen = 0;
|
||||
BIO_printf(sbio, "<stream:stream "
|
||||
"xmlns:stream='http://etherx.jabber.org/streams' "
|
||||
- "xmlns='jabber:client' to='%s' version='1.0'>", host);
|
||||
+ "xmlns='jabber:%s' to='%s' version='1.0'>",
|
||||
+ starttls_proto == PROTO_XMPP ? "client" : "server",
|
||||
+ xmpphost ? xmpphost : host);
|
||||
seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+ if (seen < 0) {
|
||||
+ BIO_printf(bio_err, "BIO_read failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
mbuf[seen] = 0;
|
||||
- while (!strstr
|
||||
- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
|
||||
- if (strstr(mbuf, "/stream:features>"))
|
||||
- goto shut;
|
||||
+ while (!strcasestr
|
||||
+ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
|
||||
+ && !strcasestr(mbuf,
|
||||
+ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
|
||||
+ {
|
||||
seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+
|
||||
+ if (seen <= 0)
|
||||
+ goto shut;
|
||||
+
|
||||
mbuf[seen] = 0;
|
||||
}
|
||||
BIO_printf(sbio,
|
||||
"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
|
||||
seen = BIO_read(sbio, sbuf, BUFSIZZ);
|
||||
+ if (seen < 0) {
|
||||
+ BIO_printf(bio_err, "BIO_read failed\n");
|
||||
+ goto shut;
|
||||
+ }
|
||||
sbuf[seen] = 0;
|
||||
if (!strstr(sbuf, "<proceed"))
|
||||
goto shut;
|
||||
mbuf[0] = 0;
|
||||
+ } else if (starttls_proto == PROTO_TELNET) {
|
||||
+ static const unsigned char tls_do[] = {
|
||||
+ /* IAC DO START_TLS */
|
||||
+ 255, 253, 46
|
||||
+ };
|
||||
+ static const unsigned char tls_will[] = {
|
||||
+ /* IAC WILL START_TLS */
|
||||
+ 255, 251, 46
|
||||
+ };
|
||||
+ static const unsigned char tls_follows[] = {
|
||||
+ /* IAC SB START_TLS FOLLOWS IAC SE */
|
||||
+ 255, 250, 46, 1, 255, 240
|
||||
+ };
|
||||
+ int bytes;
|
||||
+
|
||||
+ /* Telnet server should demand we issue START_TLS */
|
||||
+ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+ if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0)
|
||||
+ goto shut;
|
||||
+ /* Agree to issue START_TLS and send the FOLLOWS sub-command */
|
||||
+ BIO_write(sbio, tls_will, 3);
|
||||
+ BIO_write(sbio, tls_follows, 6);
|
||||
+ (void)BIO_flush(sbio);
|
||||
+ /* Telnet server also sent the FOLLOWS sub-command */
|
||||
+ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+ if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0)
|
||||
+ goto shut;
|
||||
+ } else if (starttls_proto == PROTO_IRC) {
|
||||
+ int numeric;
|
||||
+ BIO *fbio = BIO_new(BIO_f_buffer());
|
||||
+
|
||||
+ BIO_push(fbio, sbio);
|
||||
+ BIO_printf(fbio, "STARTTLS\r\n");
|
||||
+ (void)BIO_flush(fbio);
|
||||
+ width = SSL_get_fd(con) + 1;
|
||||
+
|
||||
+ do {
|
||||
+ numeric = 0;
|
||||
+
|
||||
+ FD_ZERO(&readfds);
|
||||
+ openssl_fdset(SSL_get_fd(con), &readfds);
|
||||
+ timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT;
|
||||
+ timeout.tv_usec = 0;
|
||||
+ /*
|
||||
+ * If the IRCd doesn't respond within
|
||||
+ * S_CLIENT_IRC_READ_TIMEOUT seconds, assume
|
||||
+ * it doesn't support STARTTLS. Many IRCds
|
||||
+ * will not give _any_ sort of response to a
|
||||
+ * STARTTLS command when it's not supported.
|
||||
+ */
|
||||
+ if (!BIO_get_buffer_num_lines(fbio)
|
||||
+ && !BIO_pending(fbio)
|
||||
+ && !BIO_pending(sbio)
|
||||
+ && select(width, (void *)&readfds, NULL, NULL,
|
||||
+ &timeout) < 1) {
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Timeout waiting for response (%d seconds).\n",
|
||||
+ S_CLIENT_IRC_READ_TIMEOUT);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
+ if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1)
|
||||
+ break;
|
||||
+ /* :example.net 451 STARTTLS :You have not registered */
|
||||
+ /* :example.net 421 STARTTLS :Unknown command */
|
||||
+ if ((numeric == 451 || numeric == 421)
|
||||
+ && strstr(mbuf, "STARTTLS") != NULL) {
|
||||
+ BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
|
||||
+ break;
|
||||
+ }
|
||||
+ if (numeric == 691) {
|
||||
+ BIO_printf(bio_err, "STARTTLS negotiation failed: ");
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (numeric != 670);
|
||||
+
|
||||
+ (void)BIO_flush(fbio);
|
||||
+ BIO_pop(fbio);
|
||||
+ BIO_free(fbio);
|
||||
+ if (numeric != 670) {
|
||||
+ BIO_printf(bio_err, "Server does not support STARTTLS.\n");
|
||||
+ ret = 1;
|
||||
+ goto shut;
|
||||
+ }
|
||||
+ } else if (starttls_proto == PROTO_POSTGRES) {
|
||||
+ static const unsigned char ssl_request[] = {
|
||||
+ /* Length SSLRequest */
|
||||
+ 0, 0, 0, 8, 4, 210, 22, 47
|
||||
+ };
|
||||
+ int bytes;
|
||||
+
|
||||
+ /* Send SSLRequest packet */
|
||||
+ BIO_write(sbio, ssl_request, 8);
|
||||
+ (void)BIO_flush(sbio);
|
||||
+
|
||||
+ /* Reply will be a single S if SSL is enabled */
|
||||
+ bytes = BIO_read(sbio, sbuf, BUFSIZZ);
|
||||
+ if (bytes != 1 || sbuf[0] != 'S')
|
||||
+ goto shut;
|
||||
+ } else if (starttls_proto == PROTO_NNTP) {
|
||||
+ int foundit = 0;
|
||||
+ BIO *fbio = BIO_new(BIO_f_buffer());
|
||||
+
|
||||
+ BIO_push(fbio, sbio);
|
||||
+ BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
+ /* STARTTLS command requires CAPABILITIES... */
|
||||
+ BIO_printf(fbio, "CAPABILITIES\r\n");
|
||||
+ (void)BIO_flush(fbio);
|
||||
+ /* wait for multi-line CAPABILITIES response */
|
||||
+ do {
|
||||
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
+ if (strstr(mbuf, "STARTTLS"))
|
||||
+ foundit = 1;
|
||||
+ } while (mbuf_len > 1 && mbuf[0] != '.');
|
||||
+ (void)BIO_flush(fbio);
|
||||
+ BIO_pop(fbio);
|
||||
+ BIO_free(fbio);
|
||||
+ if (!foundit)
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Didn't find STARTTLS in server response,"
|
||||
+ " trying anyway...\n");
|
||||
+ BIO_printf(sbio, "STARTTLS\r\n");
|
||||
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+ if (mbuf_len < 0) {
|
||||
+ BIO_printf(bio_err, "BIO_read failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ mbuf[mbuf_len] = '\0';
|
||||
+ if (strstr(mbuf, "382") == NULL) {
|
||||
+ BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
|
||||
+ goto shut;
|
||||
+ }
|
||||
+ } else if (starttls_proto == PROTO_SIEVE) {
|
||||
+ int foundit = 0;
|
||||
+ BIO *fbio = BIO_new(BIO_f_buffer());
|
||||
+
|
||||
+ BIO_push(fbio, sbio);
|
||||
+ /* wait for multi-line response to end from Sieve */
|
||||
+ do {
|
||||
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
+ /*
|
||||
+ * According to RFC 5804 § 1.7, capability
|
||||
+ * is case-insensitive, make it uppercase
|
||||
+ */
|
||||
+ if (mbuf_len > 1 && mbuf[0] == '"') {
|
||||
+ make_uppercase(mbuf);
|
||||
+ if (strncmp(mbuf, "\"STARTTLS\"", 10) == 0)
|
||||
+ foundit = 1;
|
||||
+ }
|
||||
+ } while (mbuf_len > 1 && mbuf[0] == '"');
|
||||
+ (void)BIO_flush(fbio);
|
||||
+ BIO_pop(fbio);
|
||||
+ BIO_free(fbio);
|
||||
+ if (!foundit)
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Didn't find STARTTLS in server response,"
|
||||
+ " trying anyway...\n");
|
||||
+ BIO_printf(sbio, "STARTTLS\r\n");
|
||||
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+ if (mbuf_len < 0) {
|
||||
+ BIO_printf(bio_err, "BIO_read failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ mbuf[mbuf_len] = '\0';
|
||||
+ if (mbuf_len < 2) {
|
||||
+ BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
|
||||
+ goto shut;
|
||||
+ }
|
||||
+ /*
|
||||
+ * According to RFC 5804 § 2.2, response codes are case-
|
||||
+ * insensitive, make it uppercase but preserve the response.
|
||||
+ */
|
||||
+ strncpy(sbuf, mbuf, 2);
|
||||
+ make_uppercase(sbuf);
|
||||
+ if (strncmp(sbuf, "OK", 2) != 0) {
|
||||
+ BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
|
||||
+ goto shut;
|
||||
+ }
|
||||
+ } else if (starttls_proto == PROTO_LDAP) {
|
||||
+ /* StartTLS Operation according to RFC 4511 */
|
||||
+ static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
|
||||
+ "[LDAPMessage]\n"
|
||||
+ "messageID=INTEGER:1\n"
|
||||
+ "extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
|
||||
+ "FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
|
||||
+ long errline = -1;
|
||||
+ char *genstr = NULL;
|
||||
+ int result = -1;
|
||||
+ ASN1_TYPE *atyp = NULL;
|
||||
+ BIO *ldapbio = BIO_new(BIO_s_mem());
|
||||
+ CONF *cnf = NCONF_new(NULL);
|
||||
+
|
||||
+ if (cnf == NULL) {
|
||||
+ BIO_free(ldapbio);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ BIO_puts(ldapbio, ldap_tls_genconf);
|
||||
+ if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
|
||||
+ BIO_free(ldapbio);
|
||||
+ NCONF_free(cnf);
|
||||
+ if (errline <= 0) {
|
||||
+ BIO_printf(bio_err, "NCONF_load_bio failed\n");
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ BIO_printf(bio_err, "Error on line %ld\n", errline);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+ BIO_free(ldapbio);
|
||||
+ genstr = NCONF_get_string(cnf, "default", "asn1");
|
||||
+ if (genstr == NULL) {
|
||||
+ NCONF_free(cnf);
|
||||
+ BIO_printf(bio_err, "NCONF_get_string failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ atyp = ASN1_generate_nconf(genstr, cnf);
|
||||
+ if (atyp == NULL) {
|
||||
+ NCONF_free(cnf);
|
||||
+ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ NCONF_free(cnf);
|
||||
+ /* Send SSLRequest packet */
|
||||
+ BIO_write(sbio, atyp->value.sequence->data,
|
||||
+ atyp->value.sequence->length);
|
||||
+ (void)BIO_flush(sbio);
|
||||
+ ASN1_TYPE_free(atyp);
|
||||
+
|
||||
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||
+ if (mbuf_len < 0) {
|
||||
+ BIO_printf(bio_err, "BIO_read failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
|
||||
+ if (result < 0) {
|
||||
+ BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
|
||||
+ goto shut;
|
||||
+ } else if (result > 0) {
|
||||
+ BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
|
||||
+ result);
|
||||
+ goto shut;
|
||||
+ }
|
||||
+ mbuf_len = 0;
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
@@ -1738,7 +2051,7 @@ int MAIN(int argc, char **argv)
|
||||
full_log--;
|
||||
|
||||
if (starttls_proto) {
|
||||
- BIO_printf(bio_err, "%s", mbuf);
|
||||
+ BIO_write(bio_err, mbuf, mbuf_len);
|
||||
/* We don't need to know any more */
|
||||
starttls_proto = PROTO_OFF;
|
||||
}
|
||||
@@ -2372,3 +2685,87 @@ static int ocsp_resp_cb(SSL *s, void *ar
|
||||
}
|
||||
|
||||
#endif
|
||||
+
|
||||
+static int ldap_ExtendedResponse_parse(const char *buf, long rem)
|
||||
+{
|
||||
+ const unsigned char *cur, *end;
|
||||
+ long len;
|
||||
+ int tag, xclass, inf, ret = -1;
|
||||
+
|
||||
+ cur = (const unsigned char *)buf;
|
||||
+ end = cur + rem;
|
||||
+
|
||||
+ /*
|
||||
+ * From RFC 4511:
|
||||
+ *
|
||||
+ * LDAPMessage ::= SEQUENCE {
|
||||
+ * messageID MessageID,
|
||||
+ * protocolOp CHOICE {
|
||||
+ * ...
|
||||
+ * extendedResp ExtendedResponse,
|
||||
+ * ... },
|
||||
+ * controls [0] Controls OPTIONAL }
|
||||
+ *
|
||||
+ * ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
|
||||
+ * COMPONENTS OF LDAPResult,
|
||||
+ * responseName [10] LDAPOID OPTIONAL,
|
||||
+ * responseValue [11] OCTET STRING OPTIONAL }
|
||||
+ *
|
||||
+ * LDAPResult ::= SEQUENCE {
|
||||
+ * resultCode ENUMERATED {
|
||||
+ * success (0),
|
||||
+ * ...
|
||||
+ * other (80),
|
||||
+ * ... },
|
||||
+ * matchedDN LDAPDN,
|
||||
+ * diagnosticMessage LDAPString,
|
||||
+ * referral [3] Referral OPTIONAL }
|
||||
+ */
|
||||
+
|
||||
+ /* pull SEQUENCE */
|
||||
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
||||
+ if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE ||
|
||||
+ (rem = end - cur, len > rem)) {
|
||||
+ BIO_printf(bio_err, "Unexpected LDAP response\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ rem = len; /* ensure that we don't overstep the SEQUENCE */
|
||||
+
|
||||
+ /* pull MessageID */
|
||||
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
||||
+ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
|
||||
+ (rem = end - cur, len > rem)) {
|
||||
+ BIO_printf(bio_err, "No MessageID\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ cur += len; /* shall we check for MessageId match or just skip? */
|
||||
+
|
||||
+ /* pull [APPLICATION 24] */
|
||||
+ rem = end - cur;
|
||||
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
||||
+ if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION ||
|
||||
+ tag != 24) {
|
||||
+ BIO_printf(bio_err, "Not ExtendedResponse\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ /* pull resultCode */
|
||||
+ rem = end - cur;
|
||||
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
||||
+ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 ||
|
||||
+ (rem = end - cur, len > rem)) {
|
||||
+ BIO_printf(bio_err, "Not LDAPResult\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ /* len should always be one, but just in case... */
|
||||
+ for (ret = 0, inf = 0; inf < len; inf++) {
|
||||
+ ret <<= 8;
|
||||
+ ret |= cur[inf];
|
||||
+ }
|
||||
+ /* There is more data, but we don't care... */
|
||||
+ end:
|
||||
+ return ret;
|
||||
+}
|
||||
diff -up openssl-1.0.2k/doc/apps/s_client.pod.starttls openssl-1.0.2k/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2k/doc/apps/s_client.pod.starttls 2017-03-09 17:35:28.684605455 +0100
|
||||
+++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-09 17:42:54.455070967 +0100
|
||||
@@ -46,6 +46,8 @@ B<openssl> B<s_client>
|
||||
[B<-krb5svc service>]
|
||||
[B<-serverpref>]
|
||||
[B<-starttls protocol>]
|
||||
+[B<-xmpphost hostname>]
|
||||
+[B<-name hostname>]
|
||||
[B<-engine id>]
|
||||
[B<-tlsextdebug>]
|
||||
[B<-no_ticket>]
|
||||
@@ -239,7 +241,20 @@ need keys for that principal in its keyt
|
||||
|
||||
send the protocol-specific message(s) to switch to TLS for communication.
|
||||
B<protocol> is a keyword for the intended protocol. Currently, the only
|
||||
-supported keywords are "smtp", "pop3", "imap", and "ftp".
|
||||
+supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
|
||||
+"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
|
||||
+
|
||||
+=item B<-xmpphost hostname>
|
||||
+
|
||||
+This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
|
||||
+specifies the host for the "to" attribute of the stream element.
|
||||
+If this option is not specified, then the host specified with "-connect"
|
||||
+will be used.
|
||||
+
|
||||
+=item B<-name hostname>
|
||||
+
|
||||
+the host name to use with "-starttls smtp".
|
||||
+If this option is not specified, the default "openssl.client.net" will be used.
|
||||
|
||||
=item B<-tlsextdebug>
|
||||
|
@ -24,7 +24,7 @@
|
||||
|
||||
Name: mingw-openssl
|
||||
Version: 1.0.2k
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: MinGW port of the OpenSSL toolkit
|
||||
|
||||
License: OpenSSL
|
||||
@ -63,28 +63,28 @@ Patch24: openssl-1.0.2a-issuer-hash.patch
|
||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-1.0.2a-x509.patch
|
||||
Patch35: openssl-1.0.2a-version-add-engines.patch
|
||||
Patch39: openssl-1.0.2a-ipv6-apps.patch
|
||||
# Patch39: openssl-1.0.2a-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.2i-fips.patch
|
||||
Patch43: openssl-1.0.2j-krb5keytab.patch
|
||||
Patch45: openssl-1.0.2a-env-zlib.patch
|
||||
Patch47: openssl-1.0.2a-readme-warning.patch
|
||||
Patch49: openssl-1.0.1i-algo-doc.patch
|
||||
Patch50: openssl-1.0.2a-dtls1-abi.patch
|
||||
Patch51: openssl-1.0.2a-version.patch
|
||||
Patch56: openssl-1.0.2a-rsa-x931.patch
|
||||
# Patch51: openssl-1.0.2a-version.patch
|
||||
# Patch56: openssl-1.0.2a-rsa-x931.patch
|
||||
Patch58: openssl-1.0.2a-fips-md5-allow.patch
|
||||
Patch60: openssl-1.0.2a-apps-dgst.patch
|
||||
Patch63: openssl-1.0.2k-starttls.patch
|
||||
# Patch63: openssl-1.0.2k-starttls.patch
|
||||
Patch65: openssl-1.0.2i-chil-fixes.patch
|
||||
Patch66: openssl-1.0.2h-pkgconfig.patch
|
||||
Patch68: openssl-1.0.2i-secure-getenv.patch
|
||||
Patch70: openssl-1.0.2a-fips-ec.patch
|
||||
# Patch68: openssl-1.0.2i-secure-getenv.patch
|
||||
# Patch70: openssl-1.0.2a-fips-ec.patch
|
||||
Patch71: openssl-1.0.2g-manfix.patch
|
||||
Patch72: openssl-1.0.2a-fips-ctor.patch
|
||||
# Patch72: openssl-1.0.2a-fips-ctor.patch
|
||||
Patch73: openssl-1.0.2c-ecc-suiteb.patch
|
||||
Patch74: openssl-1.0.2j-deprecate-algos.patch
|
||||
Patch75: openssl-1.0.2a-compat-symbols.patch
|
||||
Patch76: openssl-1.0.2j-new-fips-reqs.patch
|
||||
# Patch76: openssl-1.0.2j-new-fips-reqs.patch
|
||||
Patch77: openssl-1.0.2j-downgrade-strength.patch
|
||||
Patch78: openssl-1.0.2k-cc-reqs.patch
|
||||
Patch90: openssl-1.0.2i-enc-fail.patch
|
||||
@ -93,7 +93,7 @@ Patch95: openssl-1.0.2e-remove-nistp224.patch
|
||||
Patch96: openssl-1.0.2e-speed-doc.patch
|
||||
Patch97: openssl-1.0.2k-no-ssl2.patch
|
||||
Patch98: openssl-1.0.2k-long-hello.patch
|
||||
Patch99: openssl-1.0.2k-fips-randlock.patch
|
||||
# Patch99: openssl-1.0.2k-fips-randlock.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch80: openssl-1.0.2e-wrap-pad.patch
|
||||
Patch81: openssl-1.0.2a-padlock64.patch
|
||||
@ -548,6 +548,10 @@ find %{buildroot}%{mingw64_prefix} | grep -E '.(exe|dll|pyd)$' | sed 's|^%{build
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Aug 19 2019 Victor Toso <victortoso@redhat.com> - 1.0.2k-2
|
||||
- Remove not applied patchs from the source list
|
||||
Related: rhbz#1704077
|
||||
|
||||
* Fri Aug 24 2018 Christophe Fergeau <cfergeau@redhat.com> - 1.0.2k-1
|
||||
- Sync with rhel 7.6 OpenSSL 1.0.2k+patches in order to get the latest security
|
||||
fixes
|
||||
|
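Review bot: The lines commented out in the second and third hunks (`# Patch68: openssl-1.0.2i-secure-getenv.patch`, `# Patch72: openssl-1.0.2a-fips-ctor.patch`, `# Patch76: openssl-1.0.2j-new-fips-reqs.patch`, `# Patch99: openssl-1.0.2k-fips-randlock.patch`) are hardening patches inherited from the RHEL spec, and nothing in the spec says why the MinGW build does without them. If, as the changelog states, they were never applied, the built binaries are unchanged by this commit, but the next sync with the RHEL spec (the 1.0.2k-1 entry shows such syncs happen) gets no guidance on whether to apply or drop them; I would replace the dead entries with a one-line rationale such as `# secure_getenv / FIPS-module patches are glibc- and Linux-only and are intentionally not applied to the MinGW build` (the secure-getenv patch itself defines _GNU_SOURCE for secure_getenv, so it cannot apply on MinGW; the FIPS ones presumably depend on the Linux FIPS module build). Leaving the `Patch NN:` lines commented rather than deleted also keeps a stale list that can be re-enabled by an unreviewed `%patch` line; the %prep section that would show which patches are actually applied is outside this hunk. The new changelog line also misspells `patchs` → `patches`.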