@ -1 +1 @@
|
|||||||
SOURCES/stunnel-5.56.tar.gz
|
SOURCES/stunnel-5.62.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
|
e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
|
|
||||||
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
|
|
||||||
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
|
|
||||||
@@ -5,6 +5,7 @@ After=syslog.target network.target
|
|
||||||
[Service]
|
|
||||||
ExecStart=@bindir@/stunnel
|
|
||||||
Type=forking
|
|
||||||
+PrivateTmp=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,219 +0,0 @@
|
|||||||
diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
|
|
||||||
--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
|
|
||||||
+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* stunnel TLS offloading and load-balancing proxy
|
|
||||||
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
*
|
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
|
||||||
* under the terms of the GNU General Public License as published by the
|
|
||||||
@@ -39,7 +39,12 @@
|
|
||||||
#include "prototypes.h"
|
|
||||||
|
|
||||||
/* global OpenSSL initialization: compression, engine, entropy */
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
|
||||||
+ int idx, long argl, void *argp);
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
|
||||||
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
+ void **from_d, int idx, long argl, void *argp);
|
|
||||||
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
void *from_d, int idx, long argl, void *argp);
|
|
||||||
#else
|
|
||||||
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
|
|
||||||
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
|
|
||||||
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
|
|
||||||
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
|
|
||||||
- "session authenticated", NULL, NULL, NULL);
|
|
||||||
+ "session authenticated", cb_new_auth, NULL, NULL);
|
|
||||||
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
|
|
||||||
"session connect address", NULL, cb_dup_addr, cb_free_addr);
|
|
||||||
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
|
|
||||||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
|
|
||||||
BN_free(dh->p);
|
|
||||||
BN_free(dh->q);
|
|
||||||
BN_free(dh->g);
|
|
||||||
- dh->p = p;
|
|
||||||
- dh->q = q;
|
|
||||||
- dh->g = g;
|
|
||||||
+ dh->p=p;
|
|
||||||
+ dh->q=q;
|
|
||||||
+ dh->g=g;
|
|
||||||
if(q)
|
|
||||||
- dh->length = BN_num_bits(q);
|
|
||||||
+ dh->length=BN_num_bits(q);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
|
||||||
+ int idx, long argl, void *argp) {
|
|
||||||
+ (void)parent; /* squash the unused parameter warning */
|
|
||||||
+ (void)ptr; /* squash the unused parameter warning */
|
|
||||||
+ (void)argl; /* squash the unused parameter warning */
|
|
||||||
+ s_log(LOG_DEBUG, "Initializing application specific data for %s",
|
|
||||||
+ (char *)argp);
|
|
||||||
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
|
|
||||||
+ sslerror("CRYPTO_set_ex_data");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
|
||||||
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
+ void **from_d, int idx, long argl, void *argp) {
|
|
||||||
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
void *from_d, int idx, long argl, void *argp) {
|
|
||||||
#else
|
|
||||||
diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
|
|
||||||
--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
|
|
||||||
+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* stunnel TLS offloading and load-balancing proxy
|
|
||||||
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
*
|
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
|
||||||
* under the terms of the GNU General Public License as published by the
|
|
||||||
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
|
|
||||||
s_log(LOG_INFO, "Certificate verification disabled");
|
|
||||||
return 1; /* accept */
|
|
||||||
}
|
|
||||||
- if(verify_checks(c, preverify_ok, callback_ctx)) {
|
|
||||||
+ if(verify_checks(c, preverify_ok, callback_ctx))
|
|
||||||
+ return 1; /* accept */
|
|
||||||
+ if(c->opt->option.client || c->opt->protocol)
|
|
||||||
+ return 0; /* reject */
|
|
||||||
+ if(c->opt->redirect_addr.names) {
|
|
||||||
SSL_SESSION *sess=SSL_get1_session(c->ssl);
|
|
||||||
if(sess) {
|
|
||||||
- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
|
|
||||||
- (void *)(-1));
|
|
||||||
+ int ok=SSL_SESSION_set_ex_data(sess,
|
|
||||||
+ index_session_authenticated, NULL);
|
|
||||||
SSL_SESSION_free(sess);
|
|
||||||
if(!ok) {
|
|
||||||
sslerror("SSL_SESSION_set_ex_data");
|
|
||||||
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
|
|
||||||
}
|
|
||||||
return 1; /* accept */
|
|
||||||
}
|
|
||||||
- if(c->opt->option.client || c->opt->protocol)
|
|
||||||
- return 0; /* reject */
|
|
||||||
- if(c->opt->redirect_addr.names)
|
|
||||||
- return 1; /* accept */
|
|
||||||
return 0; /* reject */
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
|
|
||||||
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
|
|
||||||
+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
|
|
||||||
@@ -0,0 +1,50 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# Redirect TLS client connections on certificate-based authentication failures.
|
|
||||||
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
|
|
||||||
+# The success is expected because the client presents the *wrong* certificate
|
|
||||||
+# and the client connection is redirected.
|
|
||||||
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
|
||||||
+
|
|
||||||
+. $(dirname $0)/../test_library
|
|
||||||
+
|
|
||||||
+start() {
|
|
||||||
+ ../../src/stunnel -fd 0 <<EOT
|
|
||||||
+ debug = debug
|
|
||||||
+ syslog = no
|
|
||||||
+ pid = ${result_path}/stunnel.pid
|
|
||||||
+ output = ${result_path}/stunnel.log
|
|
||||||
+
|
|
||||||
+ [client_1]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http1}
|
|
||||||
+ connect = 127.0.0.1:${https1}
|
|
||||||
+ ;cert = ${script_path}/certs/client_cert.pem
|
|
||||||
+;wrong self signed certificate
|
|
||||||
+ cert = ${script_path}/certs/stunnel.pem
|
|
||||||
+
|
|
||||||
+ [client_2]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http2}
|
|
||||||
+ connect = 127.0.0.1:${https2}
|
|
||||||
+
|
|
||||||
+ [server_1]
|
|
||||||
+ accept = 127.0.0.1:${https1}
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 028_redirect_chain_error
|
|
||||||
+ redirect = ${http2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ verifyChain = yes
|
|
||||||
+ CAfile = ${script_path}/certs/CACert.pem
|
|
||||||
+
|
|
||||||
+ [server_2]
|
|
||||||
+ accept = 127.0.0.1:${https2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 028_redirect_chain
|
|
||||||
+
|
|
||||||
+EOT
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
|
||||||
+exit $?
|
|
||||||
diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
|
|
||||||
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
|
|
||||||
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
|
|
||||||
@@ -0,0 +1,49 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# Do not redirect TLS client connections on certificate-based authentication success.
|
|
||||||
+# [client_1] -> [server_1]
|
|
||||||
+# The success is expected because the client presents the *correct* certificate
|
|
||||||
+# and the client connection isn't redirected.
|
|
||||||
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
|
||||||
+
|
|
||||||
+. $(dirname $0)/../test_library
|
|
||||||
+
|
|
||||||
+start() {
|
|
||||||
+ ../../src/stunnel -fd 0 <<EOT
|
|
||||||
+ debug = debug
|
|
||||||
+ syslog = no
|
|
||||||
+ pid = ${result_path}/stunnel.pid
|
|
||||||
+ output = ${result_path}/stunnel.log
|
|
||||||
+
|
|
||||||
+ [client_1]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http1}
|
|
||||||
+ connect = 127.0.0.1:${https1}
|
|
||||||
+;correct certificate
|
|
||||||
+ cert = ${script_path}/certs/client_cert.pem
|
|
||||||
+
|
|
||||||
+ [client_2]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http2}
|
|
||||||
+ connect = 127.0.0.1:${https2}
|
|
||||||
+
|
|
||||||
+ [server_1]
|
|
||||||
+ accept = 127.0.0.1:${https1}
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 029_no_redirect_chain
|
|
||||||
+ redirect = ${http2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ verifyChain = yes
|
|
||||||
+ CAfile = ${script_path}/certs/CACert.pem
|
|
||||||
+
|
|
||||||
+ [server_2]
|
|
||||||
+ accept = 127.0.0.1:${https2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 029_no_redirect_chain_error
|
|
||||||
+
|
|
||||||
+EOT
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
|
||||||
+exit $?
|
|
@ -1,18 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo
|
|
||||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
|
||||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
|
||||||
4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl
|
|
||||||
5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3
|
|
||||||
n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0
|
|
||||||
ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4
|
|
||||||
mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV
|
|
||||||
j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM
|
|
||||||
cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56
|
|
||||||
MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN
|
|
||||||
Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm
|
|
||||||
uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ
|
|
||||||
PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4=
|
|
||||||
=RhpX
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -0,0 +1,19 @@
|
|||||||
|
tests: Adapt to OpenSSL 3.x FIPS mode
|
||||||
|
|
||||||
|
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
|
||||||
|
a human-readable error message (such as "no ciphers available"), but
|
||||||
|
instead causes an internal error. Extend the success regex list to also
|
||||||
|
accept this result.
|
||||||
|
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
|
||||||
|
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
|
||||||
|
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
|
||||||
|
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
|
||||||
|
self.events.count = 1
|
||||||
|
self.events.success = [
|
||||||
|
"disabled for FIPS",
|
||||||
|
- "no ciphers available"
|
||||||
|
+ "no ciphers available",
|
||||||
|
+ "TLS alert \\(write\\): fatal: internal error"
|
||||||
|
]
|
||||||
|
self.events.failure = [
|
||||||
|
"peer did not return a certificate",
|
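Review bot: The new success pattern `"TLS alert \\(write\\): fatal: internal error"` makes FailureCiphersuitesFIPS pass on any fatal internal_error alert, not only on the FIPS cipher rejection the test is meant to exercise, so an unrelated handshake regression on an OpenSSL 3.x FIPS build would now be reported as a pass. If the log really carries no more specific text in that configuration, a comment above the new entry recording that, e.g. `# OpenSSL 3.x FIPS: the cipher rejection surfaces only as an internal_error alert`, would tell the next maintainer why the broad match is accepted rather than tightened. The enclosing class and the `self.events.failure` list continue outside the hunk.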
@ -0,0 +1,11 @@
|
|||||||
|
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
|
||||||
|
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
|
||||||
|
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
|
||||||
|
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
|
||||||
|
ExecStart=@bindir@/stunnel
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
Type=forking
|
||||||
|
+PrivateTmp=true
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
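Review bot: The added patch file has no header describing the change or its upstream status, unlike the disabled-curves patch on this page, which opens with a description and an `Upstream-Status:` line; a one-line header above the `diff -up` line, such as `Run stunnel with a private /tmp and /var/tmp (PrivateTmp=true).` followed by an `Upstream-Status: <status>` line, would keep the downstream patches consistent. `PrivateTmp=true` only namespaces /tmp and /var/tmp for the service, so the header should not overstate it as general sandboxing of the unit.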
@ -0,0 +1,57 @@
|
|||||||
|
Limit curves defaults in FIPS mode
|
||||||
|
|
||||||
|
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
|
||||||
|
but stunnel defaults to enabling them and then fails to do so.
|
||||||
|
|
||||||
|
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
|
||||||
|
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
|
||||||
|
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
|
||||||
|
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
|
||||||
|
@@ -40,8 +40,10 @@
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||||
|
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
|
||||||
|
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
|
||||||
|
#else /* OpenSSL version < 1.1.1 */
|
||||||
|
#define DEFAULT_CURVES "prime256v1"
|
||||||
|
+#define DEFAULT_CURVES_FIPS "prime256v1"
|
||||||
|
#endif /* OpenSSL version >= 1.1.1 */
|
||||||
|
|
||||||
|
#if defined(_WIN32_WCE) && !defined(CONFDIR)
|
||||||
|
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
|
||||||
|
/* curves */
|
||||||
|
switch(cmd) {
|
||||||
|
case CMD_SET_DEFAULTS:
|
||||||
|
- section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||||
|
+ section->curves = NULL;
|
||||||
|
break;
|
||||||
|
case CMD_SET_COPY:
|
||||||
|
section->curves=str_dup_detached(new_service_options.curves);
|
||||||
|
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
|
||||||
|
section->curves=str_dup_detached(arg);
|
||||||
|
return NULL; /* OK */
|
||||||
|
case CMD_INITIALIZE:
|
||||||
|
+ if(!section->curves) {
|
||||||
|
+ /* this is only executed for global options, because
|
||||||
|
+ * section->curves is no longer NULL in sections */
|
||||||
|
+#ifdef USE_FIPS
|
||||||
|
+ if(new_global_options.option.fips)
|
||||||
|
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
|
||||||
|
+ else
|
||||||
|
+#endif /* USE_FIPS */
|
||||||
|
+ section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case CMD_PRINT_DEFAULTS:
|
||||||
|
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||||
|
+ if(fips_available()) {
|
||||||
|
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||||
|
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
|
||||||
|
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||||
|
+ DEFAULT_CURVES, "(with \"fips = no\")");
|
||||||
|
+ } else {
|
||||||
|
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case CMD_PRINT_HELP:
|
||||||
|
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
|
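Review bot: In the CMD_INITIALIZE branch the `else` that follows `#endif /* USE_FIPS */` is spliced to its `if` by the preprocessor, so a build without USE_FIPS compiles only the unconditional assignment while a build with it compiles an unbraced dangling-else pair, and a later edit adding a statement to either branch would silently change what the `else` binds to. Selecting the default string first and calling `str_dup_detached` once removes the spliced control flow and leaves a single allocation site. The `section->curves = NULL;` line in CMD_SET_DEFAULTS also uses spaced `=`, unlike the surrounding `section->curves=str_dup_detached(...)` lines. parse_service_option starts and ends outside the hunk.
```c
        case CMD_INITIALIZE:
            if(!section->curves) {
                /* this is only executed for global options, because
                 * section->curves is no longer NULL in sections */
                const char *default_curves=DEFAULT_CURVES;
#ifdef USE_FIPS
                if(new_global_options.option.fips)
                    default_curves=DEFAULT_CURVES_FIPS;
#endif /* USE_FIPS */
                section->curves=str_dup_detached(default_curves);
            }
            break;
        /* … unchanged: CMD_PRINT_DEFAULTS, CMD_PRINT_HELP … */
```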
@ -0,0 +1,140 @@
|
|||||||
|
From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||||
|
Date: Sun, 11 Sep 2022 23:52:18 +0200
|
||||||
|
Subject: [PATCH] stunnel-5.66
|
||||||
|
|
||||||
|
---
|
||||||
|
src/common.h | 6 +++++-
|
||||||
|
src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------
|
||||||
|
2 files changed, 53 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/common.h b/src/common.h
|
||||||
|
index bc37eb5..997e66e 100644
|
||||||
|
--- a/src/common.h
|
||||||
|
+++ b/src/common.h
|
||||||
|
@@ -491,7 +491,7 @@ extern char *sys_errlist[];
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||||
|
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||||
|
-#endif /* OpenSSL older than 1.1.0 */
|
||||||
|
+#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||||
|
#endif /* !defined(OPENSSL_NO_DH) */
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
#include <openssl/engine.h>
|
||||||
|
@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||||
|
/* not defined in public headers before OpenSSL 0.9.8 */
|
||||||
|
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||||
|
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10101000L
|
||||||
|
+#include <openssl/storeerr.h>
|
||||||
|
+#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
|
||||||
|
#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||||
|
#include <openssl/provider.h>
|
||||||
|
+#include <openssl/proverr.h>
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_VERSION
|
||||||
|
diff --git a/src/ctx.c b/src/ctx.c
|
||||||
|
index a2202b7..cc0806c 100644
|
||||||
|
--- a/src/ctx.c
|
||||||
|
+++ b/src/ctx.c
|
||||||
|
@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() {
|
||||||
|
unsigned long err=ERR_peek_error();
|
||||||
|
|
||||||
|
switch(ERR_GET_LIB(err)) {
|
||||||
|
- case ERR_LIB_ASN1:
|
||||||
|
- return 1;
|
||||||
|
- case ERR_LIB_PKCS12:
|
||||||
|
+ case ERR_LIB_EVP: /* 6 */
|
||||||
|
switch(ERR_GET_REASON(err)) {
|
||||||
|
- case PKCS12_R_MAC_VERIFY_FAILURE:
|
||||||
|
+ case EVP_R_BAD_DECRYPT:
|
||||||
|
return 1;
|
||||||
|
default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
- case ERR_LIB_EVP:
|
||||||
|
+ case ERR_LIB_PEM: /* 9 */
|
||||||
|
switch(ERR_GET_REASON(err)) {
|
||||||
|
- case EVP_R_BAD_DECRYPT:
|
||||||
|
+ case PEM_R_BAD_PASSWORD_READ:
|
||||||
|
+ case PEM_R_BAD_DECRYPT:
|
||||||
|
return 1;
|
||||||
|
default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
- case ERR_LIB_PEM:
|
||||||
|
+ case ERR_LIB_ASN1: /* 13 */
|
||||||
|
+ return 1;
|
||||||
|
+ case ERR_LIB_PKCS12: /* 35 */
|
||||||
|
switch(ERR_GET_REASON(err)) {
|
||||||
|
- case PEM_R_BAD_PASSWORD_READ:
|
||||||
|
+ case PKCS12_R_MAC_VERIFY_FAILURE:
|
||||||
|
return 1;
|
||||||
|
default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
- case ERR_LIB_UI:
|
||||||
|
+#ifdef ERR_LIB_DSO /* 37 */
|
||||||
|
+ case ERR_LIB_DSO:
|
||||||
|
+ return 1;
|
||||||
|
+#endif
|
||||||
|
+ case ERR_LIB_UI: /* 40 */
|
||||||
|
switch(ERR_GET_REASON(err)) {
|
||||||
|
case UI_R_RESULT_TOO_LARGE:
|
||||||
|
case UI_R_RESULT_TOO_SMALL:
|
||||||
|
@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() {
|
||||||
|
#endif
|
||||||
|
return 1;
|
||||||
|
default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#ifdef ERR_LIB_OSSL_STORE
|
||||||
|
+ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */
|
||||||
|
+ switch(ERR_GET_REASON(err)) {
|
||||||
|
+ case OSSL_STORE_R_BAD_PASSWORD_READ:
|
||||||
|
+ return 1;
|
||||||
|
+ default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+#ifdef ERR_LIB_PROV
|
||||||
|
+ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */
|
||||||
|
+ switch(ERR_GET_REASON(err)) {
|
||||||
|
+ case PROV_R_BAD_DECRYPT:
|
||||||
|
+ return 1;
|
||||||
|
+ default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
- case ERR_LIB_USER: /* PKCS#11 hacks */
|
||||||
|
+#endif
|
||||||
|
+ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */
|
||||||
|
switch(ERR_GET_REASON(err)) {
|
||||||
|
case 7UL: /* CKR_ARGUMENTS_BAD */
|
||||||
|
case 0xa0UL: /* CKR_PIN_INCORRECT */
|
||||||
|
return 1;
|
||||||
|
default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d",
|
||||||
|
+ ERR_GET_REASON(err));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
+ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
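Review bot: The new `case ERR_LIB_DSO: return 1;` in ui_retry treats every reason code of the DSO library as retry-worthy, whereas the neighbouring EVP, PEM, PKCS12, UI, OSSL_STORE and PROV cases enumerate the accepted reasons and log everything else through the new `Unhandled ... error reason` messages, so a DSO failure that has nothing to do with a wrong passphrase is retried without any diagnostic. If the blanket retry is intentional, a comment on that case saying which DSO failures are expected there would make the asymmetry deliberate; otherwise naming the specific reason and logging the `default:` as in the other cases keeps the function uniform. ui_retry's signature and the code before `ERR_peek_error()` are outside the hunk.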
@ -0,0 +1,18 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo
|
||||||
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
||||||
|
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
||||||
|
4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa
|
||||||
|
2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM
|
||||||
|
2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q
|
||||||
|
IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m
|
||||||
|
fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9
|
||||||
|
L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo
|
||||||
|
SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ
|
||||||
|
hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP
|
||||||
|
XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG
|
||||||
|
6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl
|
||||||
|
Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA=
|
||||||
|
=MLHM
|
||||||
|
-----END PGP SIGNATURE-----
|