Compare commits
No commits in common. 'i8' and 'c9' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/stunnel-5.56.tar.gz
|
||||
SOURCES/stunnel-5.62.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
|
||||
e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz
|
||||
|
||||
@ -1,11 +0,0 @@
|
||||
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
|
||||
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
|
||||
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
|
||||
@@ -5,6 +5,7 @@ After=syslog.target network.target
|
||||
[Service]
|
||||
ExecStart=@bindir@/stunnel
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -1,219 +0,0 @@
|
||||
diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
|
||||
--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
|
||||
+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@@ -39,7 +39,12 @@
|
||||
#include "prototypes.h"
|
||||
|
||||
/* global OpenSSL initialization: compression, engine, entropy */
|
||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||
+ int idx, long argl, void *argp);
|
||||
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||
+ void **from_d, int idx, long argl, void *argp);
|
||||
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||
void *from_d, int idx, long argl, void *argp);
|
||||
#else
|
||||
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
|
||||
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
|
||||
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
|
||||
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
|
||||
- "session authenticated", NULL, NULL, NULL);
|
||||
+ "session authenticated", cb_new_auth, NULL, NULL);
|
||||
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
|
||||
"session connect address", NULL, cb_dup_addr, cb_free_addr);
|
||||
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
|
||||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
|
||||
BN_free(dh->p);
|
||||
BN_free(dh->q);
|
||||
BN_free(dh->g);
|
||||
- dh->p = p;
|
||||
- dh->q = q;
|
||||
- dh->g = g;
|
||||
+ dh->p=p;
|
||||
+ dh->q=q;
|
||||
+ dh->g=g;
|
||||
if(q)
|
||||
- dh->length = BN_num_bits(q);
|
||||
+ dh->length=BN_num_bits(q);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||
+ int idx, long argl, void *argp) {
|
||||
+ (void)parent; /* squash the unused parameter warning */
|
||||
+ (void)ptr; /* squash the unused parameter warning */
|
||||
+ (void)argl; /* squash the unused parameter warning */
|
||||
+ s_log(LOG_DEBUG, "Initializing application specific data for %s",
|
||||
+ (char *)argp);
|
||||
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
|
||||
+ sslerror("CRYPTO_set_ex_data");
|
||||
+}
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||
+ void **from_d, int idx, long argl, void *argp) {
|
||||
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||
void *from_d, int idx, long argl, void *argp) {
|
||||
#else
|
||||
diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
|
||||
--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
|
||||
+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
|
||||
s_log(LOG_INFO, "Certificate verification disabled");
|
||||
return 1; /* accept */
|
||||
}
|
||||
- if(verify_checks(c, preverify_ok, callback_ctx)) {
|
||||
+ if(verify_checks(c, preverify_ok, callback_ctx))
|
||||
+ return 1; /* accept */
|
||||
+ if(c->opt->option.client || c->opt->protocol)
|
||||
+ return 0; /* reject */
|
||||
+ if(c->opt->redirect_addr.names) {
|
||||
SSL_SESSION *sess=SSL_get1_session(c->ssl);
|
||||
if(sess) {
|
||||
- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
|
||||
- (void *)(-1));
|
||||
+ int ok=SSL_SESSION_set_ex_data(sess,
|
||||
+ index_session_authenticated, NULL);
|
||||
SSL_SESSION_free(sess);
|
||||
if(!ok) {
|
||||
sslerror("SSL_SESSION_set_ex_data");
|
||||
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
|
||||
}
|
||||
return 1; /* accept */
|
||||
}
|
||||
- if(c->opt->option.client || c->opt->protocol)
|
||||
- return 0; /* reject */
|
||||
- if(c->opt->redirect_addr.names)
|
||||
- return 1; /* accept */
|
||||
return 0; /* reject */
|
||||
}
|
||||
|
||||
diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
|
||||
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
|
||||
+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
|
||||
@@ -0,0 +1,50 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Redirect TLS client connections on certificate-based authentication failures.
|
||||
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
|
||||
+# The success is expected because the client presents the *wrong* certificate
|
||||
+# and the client connection is redirected.
|
||||
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
||||
+
|
||||
+. $(dirname $0)/../test_library
|
||||
+
|
||||
+start() {
|
||||
+ ../../src/stunnel -fd 0 <<EOT
|
||||
+ debug = debug
|
||||
+ syslog = no
|
||||
+ pid = ${result_path}/stunnel.pid
|
||||
+ output = ${result_path}/stunnel.log
|
||||
+
|
||||
+ [client_1]
|
||||
+ client = yes
|
||||
+ accept = 127.0.0.1:${http1}
|
||||
+ connect = 127.0.0.1:${https1}
|
||||
+ ;cert = ${script_path}/certs/client_cert.pem
|
||||
+;wrong self signed certificate
|
||||
+ cert = ${script_path}/certs/stunnel.pem
|
||||
+
|
||||
+ [client_2]
|
||||
+ client = yes
|
||||
+ accept = 127.0.0.1:${http2}
|
||||
+ connect = 127.0.0.1:${https2}
|
||||
+
|
||||
+ [server_1]
|
||||
+ accept = 127.0.0.1:${https1}
|
||||
+ exec = ${script_path}/execute
|
||||
+ execArgs = execute 028_redirect_chain_error
|
||||
+ redirect = ${http2}
|
||||
+ cert = ${script_path}/certs/server_cert.pem
|
||||
+ verifyChain = yes
|
||||
+ CAfile = ${script_path}/certs/CACert.pem
|
||||
+
|
||||
+ [server_2]
|
||||
+ accept = 127.0.0.1:${https2}
|
||||
+ cert = ${script_path}/certs/server_cert.pem
|
||||
+ exec = ${script_path}/execute
|
||||
+ execArgs = execute 028_redirect_chain
|
||||
+
|
||||
+EOT
|
||||
+}
|
||||
+
|
||||
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
||||
+exit $?
|
||||
diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
|
||||
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
|
||||
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
|
||||
@@ -0,0 +1,49 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Do not redirect TLS client connections on certificate-based authentication success.
|
||||
+# [client_1] -> [server_1]
|
||||
+# The success is expected because the client presents the *correct* certificate
|
||||
+# and the client connection isn't redirected.
|
||||
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
||||
+
|
||||
+. $(dirname $0)/../test_library
|
||||
+
|
||||
+start() {
|
||||
+ ../../src/stunnel -fd 0 <<EOT
|
||||
+ debug = debug
|
||||
+ syslog = no
|
||||
+ pid = ${result_path}/stunnel.pid
|
||||
+ output = ${result_path}/stunnel.log
|
||||
+
|
||||
+ [client_1]
|
||||
+ client = yes
|
||||
+ accept = 127.0.0.1:${http1}
|
||||
+ connect = 127.0.0.1:${https1}
|
||||
+;correct certificate
|
||||
+ cert = ${script_path}/certs/client_cert.pem
|
||||
+
|
||||
+ [client_2]
|
||||
+ client = yes
|
||||
+ accept = 127.0.0.1:${http2}
|
||||
+ connect = 127.0.0.1:${https2}
|
||||
+
|
||||
+ [server_1]
|
||||
+ accept = 127.0.0.1:${https1}
|
||||
+ exec = ${script_path}/execute
|
||||
+ execArgs = execute 029_no_redirect_chain
|
||||
+ redirect = ${http2}
|
||||
+ cert = ${script_path}/certs/server_cert.pem
|
||||
+ verifyChain = yes
|
||||
+ CAfile = ${script_path}/certs/CACert.pem
|
||||
+
|
||||
+ [server_2]
|
||||
+ accept = 127.0.0.1:${https2}
|
||||
+ cert = ${script_path}/certs/server_cert.pem
|
||||
+ exec = ${script_path}/execute
|
||||
+ execArgs = execute 029_no_redirect_chain_error
|
||||
+
|
||||
+EOT
|
||||
+}
|
||||
+
|
||||
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
||||
+exit $?
|
||||
@ -1,18 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo
|
||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
||||
4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl
|
||||
5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3
|
||||
n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0
|
||||
ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4
|
||||
mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV
|
||||
j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM
|
||||
cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56
|
||||
MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN
|
||||
Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm
|
||||
uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ
|
||||
PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4=
|
||||
=RhpX
|
||||
-----END PGP SIGNATURE-----
|
||||
@ -0,0 +1,19 @@
|
||||
tests: Adapt to OpenSSL 3.x FIPS mode
|
||||
|
||||
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
|
||||
a human-readable error message (such as "no ciphers available"), but
|
||||
instead causes an internal error. Extend the success regex list to also
|
||||
accept this result.
|
||||
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
|
||||
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
|
||||
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
|
||||
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
|
||||
self.events.count = 1
|
||||
self.events.success = [
|
||||
"disabled for FIPS",
|
||||
- "no ciphers available"
|
||||
+ "no ciphers available",
|
||||
+ "TLS alert \\(write\\): fatal: internal error"
|
||||
]
|
||||
self.events.failure = [
|
||||
"peer did not return a certificate",
|
||||
@ -0,0 +1,11 @@
|
||||
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
|
||||
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
|
||||
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
|
||||
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
|
||||
ExecStart=@bindir@/stunnel
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,57 @@
|
||||
Limit curves defaults in FIPS mode
|
||||
|
||||
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
|
||||
but stunnel defaults to enabling them and then fails to do so.
|
||||
|
||||
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
|
||||
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
|
||||
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
|
||||
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
|
||||
@@ -40,8 +40,10 @@
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
|
||||
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
|
||||
#else /* OpenSSL version < 1.1.1 */
|
||||
#define DEFAULT_CURVES "prime256v1"
|
||||
+#define DEFAULT_CURVES_FIPS "prime256v1"
|
||||
#endif /* OpenSSL version >= 1.1.1 */
|
||||
|
||||
#if defined(_WIN32_WCE) && !defined(CONFDIR)
|
||||
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* curves */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||
+ section->curves = NULL;
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->curves=str_dup_detached(new_service_options.curves);
|
||||
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
|
||||
section->curves=str_dup_detached(arg);
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
+ if(!section->curves) {
|
||||
+ /* this is only executed for global options, because
|
||||
+ * section->curves is no longer NULL in sections */
|
||||
+#ifdef USE_FIPS
|
||||
+ if(new_global_options.option.fips)
|
||||
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
|
||||
+ else
|
||||
+#endif /* USE_FIPS */
|
||||
+ section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||
+ }
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||
+ if(fips_available()) {
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||
+ DEFAULT_CURVES, "(with \"fips = no\")");
|
||||
+ } else {
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||
+ }
|
||||
break;
|
||||
case CMD_PRINT_HELP:
|
||||
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
|
||||
@ -0,0 +1,140 @@
|
||||
From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Sun, 11 Sep 2022 23:52:18 +0200
|
||||
Subject: [PATCH] stunnel-5.66
|
||||
|
||||
---
|
||||
src/common.h | 6 +++++-
|
||||
src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------
|
||||
2 files changed, 53 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/common.h b/src/common.h
|
||||
index bc37eb5..997e66e 100644
|
||||
--- a/src/common.h
|
||||
+++ b/src/common.h
|
||||
@@ -491,7 +491,7 @@ extern char *sys_errlist[];
|
||||
#include <openssl/dh.h>
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||
-#endif /* OpenSSL older than 1.1.0 */
|
||||
+#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
#endif /* !defined(OPENSSL_NO_DH) */
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||
/* not defined in public headers before OpenSSL 0.9.8 */
|
||||
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
+#if OPENSSL_VERSION_NUMBER>=0x10101000L
|
||||
+#include <openssl/storeerr.h>
|
||||
+#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
|
||||
#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||
#include <openssl/provider.h>
|
||||
+#include <openssl/proverr.h>
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||
|
||||
#ifndef OPENSSL_VERSION
|
||||
diff --git a/src/ctx.c b/src/ctx.c
|
||||
index a2202b7..cc0806c 100644
|
||||
--- a/src/ctx.c
|
||||
+++ b/src/ctx.c
|
||||
@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() {
|
||||
unsigned long err=ERR_peek_error();
|
||||
|
||||
switch(ERR_GET_LIB(err)) {
|
||||
- case ERR_LIB_ASN1:
|
||||
- return 1;
|
||||
- case ERR_LIB_PKCS12:
|
||||
+ case ERR_LIB_EVP: /* 6 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case PKCS12_R_MAC_VERIFY_FAILURE:
|
||||
+ case EVP_R_BAD_DECRYPT:
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_EVP:
|
||||
+ case ERR_LIB_PEM: /* 9 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case EVP_R_BAD_DECRYPT:
|
||||
+ case PEM_R_BAD_PASSWORD_READ:
|
||||
+ case PEM_R_BAD_DECRYPT:
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_PEM:
|
||||
+ case ERR_LIB_ASN1: /* 13 */
|
||||
+ return 1;
|
||||
+ case ERR_LIB_PKCS12: /* 35 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case PEM_R_BAD_PASSWORD_READ:
|
||||
+ case PKCS12_R_MAC_VERIFY_FAILURE:
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_UI:
|
||||
+#ifdef ERR_LIB_DSO /* 37 */
|
||||
+ case ERR_LIB_DSO:
|
||||
+ return 1;
|
||||
+#endif
|
||||
+ case ERR_LIB_UI: /* 40 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
case UI_R_RESULT_TOO_LARGE:
|
||||
case UI_R_RESULT_TOO_SMALL:
|
||||
@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() {
|
||||
#endif
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
+ return 0;
|
||||
+ }
|
||||
+#ifdef ERR_LIB_OSSL_STORE
|
||||
+ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */
|
||||
+ switch(ERR_GET_REASON(err)) {
|
||||
+ case OSSL_STORE_R_BAD_PASSWORD_READ:
|
||||
+ return 1;
|
||||
+ default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+#ifdef ERR_LIB_PROV
|
||||
+ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */
|
||||
+ switch(ERR_GET_REASON(err)) {
|
||||
+ case PROV_R_BAD_DECRYPT:
|
||||
+ return 1;
|
||||
+ default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_USER: /* PKCS#11 hacks */
|
||||
+#endif
|
||||
+ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
case 7UL: /* CKR_ARGUMENTS_BAD */
|
||||
case 0xa0UL: /* CKR_PIN_INCORRECT */
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err));
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -0,0 +1,18 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo
|
||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
||||
4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa
|
||||
2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM
|
||||
2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q
|
||||
IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m
|
||||
fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9
|
||||
L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo
|
||||
SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ
|
||||
hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP
|
||||
XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG
|
||||
6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl
|
||||
Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA=
|
||||
=MLHM
|
||||
-----END PGP SIGNATURE-----
|
||||
Loading…
Reference in new issue