From c1d1798abd60f12527b70443cb7d0b9cd78ef7b1 Mon Sep 17 00:00:00 2001 From: Jung-uk Kim Date: Tue, 31 Aug 2021 22:23:22 -0400 Subject: Import OpenSSL 1.1.1l --- apps/crl2p7.c | 18 ++++++++++-------- apps/enc.c | 4 ++-- apps/s_server.c | 13 ++++++++++++- apps/s_socket.c | 12 +++++++++++- 4 files changed, 35 insertions(+), 12 deletions(-) (limited to 'apps') diff --git a/apps/crl2p7.c b/apps/crl2p7.c index 88fabcb22c36..3f619bf5278e 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -120,19 +120,20 @@ int crl2pkcs7_main(int argc, char **argv) if (!ASN1_INTEGER_set(p7s->version, 1)) goto end; - if ((crl_stack = sk_X509_CRL_new_null()) == NULL) - goto end; - p7s->crl = crl_stack; + if (crl != NULL) { + if ((crl_stack = sk_X509_CRL_new_null()) == NULL) + goto end; + p7s->crl = crl_stack; sk_X509_CRL_push(crl_stack, crl); crl = NULL; /* now part of p7 for OPENSSL_freeing */ } - if ((cert_stack = sk_X509_new_null()) == NULL) - goto end; - p7s->cert = cert_stack; + if (certflst != NULL) { + if ((cert_stack = sk_X509_new_null()) == NULL) + goto end; + p7s->cert = cert_stack; - if (certflst != NULL) for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack, certfile) < 0) { @@ -141,6 +142,7 @@ int crl2pkcs7_main(int argc, char **argv) goto end; } } + } out = bio_open_default(outfile, 'w', outformat); if (out == NULL) diff --git a/apps/enc.c b/apps/enc.c index ddf51e0dba15..65710771a089 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -81,7 +81,7 @@ const OPTIONS enc_options[] = { {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_R_OPTIONS, #ifdef ZLIB - {"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, + {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, #endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, diff --git a/apps/s_server.c b/apps/s_server.c index 0ba75999fd28..938e244222d8 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -133,6 +133,17 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); + + if (SSL_version(ssl) >= TLS1_3_VERSION) { + /* + * This callback is designed for use in TLSv1.2. It is possible to use + * a single callback for all protocol versions - but it is preferred to + * use a dedicated callback for TLSv1.3. For TLSv1.3 we have + * psk_find_session_cb. + */ + return 0; + } + if (identity == NULL) { BIO_printf(bio_err, "Error: client did not send PSK identity\n"); goto out_err; diff --git a/apps/s_socket.c b/apps/s_socket.c index 76f928900207..aee366d5f457 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -214,6 +214,8 @@ int do_server(int *accept_sock, const char *host, const char *port, const BIO_ADDRINFO *next; int sock_family, sock_type, sock_protocol, sock_port; const BIO_ADDR *sock_address; + int sock_family_fallback = AF_UNSPEC; + const BIO_ADDR *sock_address_fallback = NULL; int sock_options = BIO_SOCK_REUSEADDR; int ret = 0; @@ -244,6 +246,10 @@ int do_server(int *accept_sock, const char *host, const char *port, && BIO_ADDRINFO_protocol(next) == sock_protocol) { if (sock_family == AF_INET && BIO_ADDRINFO_family(next) == AF_INET6) { + /* In case AF_INET6 is returned but not supported by the + * kernel, retry with the first detected address family */ + sock_family_fallback = sock_family; + sock_address_fallback = sock_address; sock_family = AF_INET6; sock_address = BIO_ADDRINFO_address(next); } else if (sock_family == AF_INET6 @@ -253,6 +259,10 @@ int do_server(int *accept_sock, const char *host, const char *port, } asock = BIO_socket(sock_family, sock_type, sock_protocol, 0); + if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) { + asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0); + sock_address = sock_address_fallback; + } if (asock == INVALID_SOCKET || !BIO_listen(asock, sock_address, sock_options)) { BIO_ADDRINFO_free(res); -- cgit v1.2.3