AppleM1: Update openssl to v1.1.1l

2025-03-09 15:49:59 +00:00 · 2022-08-14 19:05:01 +08:00 · 2022-08-14 19:05:01 +08:00 · b787656eea
commit b787656eea
parent 1fe12b8e8c
990 changed files with 13406 additions and 18710 deletions
--- a/trunk/3rdparty/openssl-1.1-fit/apps/ocsp.c
+++ b/trunk/3rdparty/openssl-1.1-fit/apps/ocsp.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -9,65 +9,62 @@

 #include <openssl/opensslconf.h>

-#ifdef OPENSSL_NO_OCSP
-NON_EMPTY_TRANSLATION_UNIT
-#else
-# ifdef OPENSSL_SYS_VMS
-#  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
+#ifdef OPENSSL_SYS_VMS
+# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
                                 * on OpenVMS */
-# endif
+#endif

-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>

 /* Needs to be included before the openssl headers */
-# include "apps.h"
-# include "progs.h"
-# include "internal/sockets.h"
-# include <openssl/e_os2.h>
-# include <openssl/crypto.h>
-# include <openssl/err.h>
-# include <openssl/ssl.h>
-# include <openssl/evp.h>
-# include <openssl/bn.h>
-# include <openssl/x509v3.h>
-# include <openssl/rand.h>
+#include "apps.h"
+#include "progs.h"
+#include "internal/sockets.h"
+#include <openssl/e_os2.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509v3.h>
+#include <openssl/rand.h>

 #ifndef HAVE_FORK
-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
-#  define HAVE_FORK 0
-# else
-#  define HAVE_FORK 1
-# endif
+#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+#else
+# define HAVE_FORK 1
+#endif
 #endif

 #if HAVE_FORK
-# undef NO_FORK
+#undef NO_FORK
 #else
-# define NO_FORK
+#define NO_FORK
 #endif

-# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
     && !defined(OPENSSL_NO_POSIX_IO)
-#  define OCSP_DAEMON
-#  include <sys/types.h>
-#  include <sys/wait.h>
-#  include <syslog.h>
-#  include <signal.h>
-#  define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
-# else
-#  undef LOG_INFO
-#  undef LOG_WARNING
-#  undef LOG_ERR
-#  define LOG_INFO      0
-#  define LOG_WARNING   1
-#  define LOG_ERR       2
-# endif
+# define OCSP_DAEMON
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <syslog.h>
+# include <signal.h>
+# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
+#else
+# undef LOG_INFO
+# undef LOG_WARNING
+# undef LOG_ERR
+# define LOG_INFO      0
+# define LOG_WARNING   1
+# define LOG_ERR       2
+#endif

-# if defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 /* not supported */
 int setpgid(pid_t pid, pid_t pgid)
 {
@ -80,9 +77,9 @@ pid_t fork(void)
    errno = ENOSYS;
    return (pid_t) -1;
 }
-# endif
+#endif
 /* Maximum leeway in validity period: default 5 minutes */
-# define MAX_VALIDITY_PERIOD    (5 * 60)
+#define MAX_VALIDITY_PERIOD    (5 * 60)

 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
                         const EVP_MD *cert_id_md, X509 *issuer,
@ -109,20 +106,20 @@ static void log_message(int level, const char *fmt, ...);
 static char *prog;
 static int multi = 0;

-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
 static int acfd = (int) INVALID_SOCKET;
 static int index_changed(CA_DB *);
 static void spawn_loop(void);
 static int print_syslog(const char *str, size_t len, void *levPtr);
-static void sock_timeout(int signum);
-# endif
+static void socket_timeout(int signum);
+#endif

-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                      const char *path,
                                      const STACK_OF(CONF_VALUE) *headers,
                                      OCSP_REQUEST *req, int req_timeout);
-# endif
+#endif

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@ -160,9 +157,9 @@ const OPTIONS ocsp_options[] = {
     "Don't include any certificates in response"},
    {"resp_key_id", OPT_RESP_KEY_ID, '-',
     "Identify response by signing certificate key ID"},
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
    {"multi", OPT_MULTI, 'p', "run multiple responder processes"},
-# endif
+#endif
    {"no_certs", OPT_NO_CERTS, '-',
     "Don't include any certificates in signed request"},
    {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
@ -511,9 +508,9 @@ int ocsp_main(int argc, char **argv)
            trailing_md = 1;
            break;
        case OPT_MULTI:
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
            multi = atoi(opt_arg());
-# endif
+#endif
            break;
        }
    }
@ -593,11 +590,11 @@ int ocsp_main(int argc, char **argv)
        }
    }

-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
    if (multi && acbio != NULL)
        spawn_loop();
    if (acbio != NULL && req_timeout > 0)
-        signal(SIGALRM, sock_timeout);
+        signal(SIGALRM, socket_timeout);
 #endif

    if (acbio != NULL)
@ -606,7 +603,7 @@ int ocsp_main(int argc, char **argv)
 redo_accept:

    if (acbio != NULL) {
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
        if (index_changed(rdb)) {
            CA_DB *newrdb = load_index(ridx_filename, NULL);

@ -619,7 +616,7 @@ redo_accept:
                            ridx_filename);
            }
        }
-# endif
+#endif

        req = NULL;
        if (!do_responder(&req, &cbio, acbio, req_timeout))
@ -641,8 +638,10 @@ redo_accept:
        goto end;
    }

-    if (req != NULL && add_nonce)
-        OCSP_request_add1_nonce(req, NULL, -1);
+    if (req != NULL && add_nonce) {
+        if (!OCSP_request_add1_nonce(req, NULL, -1))
+            goto end;
+    }

    if (signfile != NULL) {
        if (keyfile == NULL)
@ -686,16 +685,16 @@ redo_accept:
        if (cbio != NULL)
            send_ocsp_response(cbio, resp);
    } else if (host != NULL) {
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
        resp = process_responder(req, host, path,
                                 port, use_ssl, headers, req_timeout);
        if (resp == NULL)
            goto end;
-# else
+#else
        BIO_printf(bio_err,
                   "Error creating connect BIO - sockets not supported.\n");
        goto end;
-# endif
+#endif
    } else if (respin != NULL) {
        derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
        if (derbio == NULL)
@ -838,7 +837,7 @@ log_message(int level, const char *fmt, ...)
    va_list ap;

    va_start(ap, fmt);
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
    if (multi) {
        char buf[1024];
        if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
@ -847,7 +846,7 @@ log_message(int level, const char *fmt, ...)
        if (level >= LOG_ERR)
            ERR_print_errors_cb(print_syslog, &level);
    }
-# endif
+#endif
    if (!multi) {
        BIO_printf(bio_err, "%s: ", prog);
        BIO_vprintf(bio_err, fmt, ap);
@ -856,7 +855,7 @@ log_message(int level, const char *fmt, ...)
    va_end(ap);
 }

-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON

 static int print_syslog(const char *str, size_t len, void *levPtr)
 {
@ -1009,7 +1008,7 @@ static void spawn_loop(void)
    syslog(LOG_INFO, "terminating on signal: %d", termsig);
    killall(0, kidpids);
 }
-# endif
+#endif

 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
                         const EVP_MD *cert_id_md, X509 *issuer,
@ -1245,7 +1244,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
            goto end;
        }
    }
-    OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);
+    if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags)) {
+        *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
+        goto end;
+    }

    if (badsig) {
        const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
@ -1286,11 +1288,11 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)

 static BIO *init_responder(const char *port)
 {
-# ifdef OPENSSL_NO_SOCK
+#ifdef OPENSSL_NO_SOCK
    BIO_printf(bio_err,
               "Error setting up accept BIO - sockets not supported.\n");
    return NULL;
-# else
+#else
    BIO *acbio = NULL, *bufbio = NULL;

    bufbio = BIO_new(BIO_f_buffer());
@ -1317,10 +1319,10 @@ static BIO *init_responder(const char *port)
    BIO_free_all(acbio);
    BIO_free(bufbio);
    return NULL;
-# endif
+#endif
 }

-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 /*
 * Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
 */
@ -1344,22 +1346,22 @@ static int urldecode(char *p)
    *out = '\0';
    return (int)(out - save);
 }
-# endif
+#endif

-# ifdef OCSP_DAEMON
-static void sock_timeout(int signum)
+#ifdef OCSP_DAEMON
+static void socket_timeout(int signum)
 {
    if (acfd != (int)INVALID_SOCKET)
        (void)shutdown(acfd, SHUT_RD);
 }
-# endif
+#endif

 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
                        int timeout)
 {
-# ifdef OPENSSL_NO_SOCK
+#ifdef OPENSSL_NO_SOCK
    return 0;
-# else
+#else
    int len;
    OCSP_REQUEST *req = NULL;
    char inbuf[2048], reqbuf[2048];
@ -1377,12 +1379,12 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
    *pcbio = cbio;
    client = BIO_get_peer_name(cbio);

-#  ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
    if (timeout > 0) {
        (void) BIO_get_fd(cbio, &acfd);
        alarm(timeout);
    }
-#  endif
+# endif

    /* Read the request line. */
    len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
@ -1411,9 +1413,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
        *q = '\0';

        /*
-         * Skip "GET / HTTP..." requests often used by load-balancers
+         * Skip "GET / HTTP..." requests often used by load-balancers.  Note:
+         * 'p' was incremented above to point to the first byte *after* the
+         * leading slash, so with 'GET / ' it is now an empty string.
         */
-        if (p[1] == '\0')
+        if (p[0] == '\0')
            goto out;

        len = urldecode(p);
@ -1443,11 +1447,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
            break;
    }

-#  ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
    /* Clear alarm before we close the client socket */
    alarm(0);
    timeout = 0;
-#  endif
+# endif

    /* Try to read OCSP request */
    if (getbio != NULL) {
@ -1463,13 +1467,13 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
    *preq = req;

 out:
-#  ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
    if (timeout > 0)
        alarm(0);
    acfd = (int)INVALID_SOCKET;
-#  endif
-    return 1;
 # endif
+    return 1;
+#endif
 }

 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
@ -1485,7 +1489,7 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
    return 1;
 }

-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                      const char *path,
                                      const STACK_OF(CONF_VALUE) *headers,
@ -1616,6 +1620,4 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
    SSL_CTX_free(ctx);
    return resp;
 }
-# endif
-
 #endif