aboutsummaryrefslogtreecommitdiff
path: root/crypto/openssl/apps
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2019-02-26 19:31:33 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2019-02-26 19:31:33 +0000
commit6935a639f0f999de98b970a3cf26b0dc80b1798b (patch)
tree4549bd7ef0d8a5d43b6278ae71c08e155435c33f /crypto/openssl/apps
parent50792eb553bf2cebaea3ddaea066100ab9e51f2d (diff)
parent851f7386fd78b9787f4f6669ad271886a2a003f1 (diff)
downloadsrc-6935a639f0f999de98b970a3cf26b0dc80b1798b.tar.gz
src-6935a639f0f999de98b970a3cf26b0dc80b1798b.zip
Notes
Diffstat (limited to 'crypto/openssl/apps')
-rw-r--r--crypto/openssl/apps/apps.c6
-rw-r--r--crypto/openssl/apps/ct_log_list.cnf4
-rw-r--r--crypto/openssl/apps/dh1024.pem2
-rw-r--r--crypto/openssl/apps/dh2048.pem4
-rw-r--r--crypto/openssl/apps/dh4096.pem4
-rw-r--r--crypto/openssl/apps/ocsp.c34
-rw-r--r--crypto/openssl/apps/openssl.cnf4
-rw-r--r--crypto/openssl/apps/pkcs12.c9
-rw-r--r--crypto/openssl/apps/rehash.c22
-rw-r--r--crypto/openssl/apps/s_cb.c6
-rw-r--r--crypto/openssl/apps/s_client.c96
-rw-r--r--crypto/openssl/apps/s_server.c23
-rw-r--r--crypto/openssl/apps/speed.c8
-rw-r--r--crypto/openssl/apps/verify.c15
14 files changed, 197 insertions, 40 deletions
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 653e3973e04d..36cb0b278337 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1561,7 +1561,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
#else
BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile);
#endif
- dbattr_conf = app_load_config(buf);
+ dbattr_conf = app_load_config_quiet(buf);
retdb = app_malloc(sizeof(*retdb), "new DB");
retdb->db = tmpdb;
@@ -2196,7 +2196,7 @@ double app_tminterval(int stop, int usertime)
return ret;
}
-#elif defined(OPENSSL_SYSTEM_VXWORKS)
+#elif defined(OPENSSL_SYS_VXWORKS)
# include <time.h>
double app_tminterval(int stop, int usertime)
diff --git a/crypto/openssl/apps/ct_log_list.cnf b/crypto/openssl/apps/ct_log_list.cnf
index 650aa22da59c..e643cfdbdf3f 100644
--- a/crypto/openssl/apps/ct_log_list.cnf
+++ b/crypto/openssl/apps/ct_log_list.cnf
@@ -2,8 +2,8 @@
# that are to be trusted.
# Google's list of logs can be found here:
-# www.certificate-transparency.org/known-logs
+# www.certificate-transparency.org/known-logs
# A Python program to convert the log list to OpenSSL's format can be
# found here:
-# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
+# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
# Use the "--openssl_output" flag.
diff --git a/crypto/openssl/apps/dh1024.pem b/crypto/openssl/apps/dh1024.pem
index f1a5e180aa95..813e8a4a4822 100644
--- a/crypto/openssl/apps/dh1024.pem
+++ b/crypto/openssl/apps/dh1024.pem
@@ -4,7 +4,7 @@ Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
-----END DH PARAMETERS-----
-These are the 1024-bit DH parameters from "Internet Key Exchange
+These are the 1024-bit DH parameters from "Internet Key Exchange
Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996
See https://tools.ietf.org/html/rfc2412 for how they were generated.
diff --git a/crypto/openssl/apps/dh2048.pem b/crypto/openssl/apps/dh2048.pem
index e899f2e0296d..288a20997e5a 100644
--- a/crypto/openssl/apps/dh2048.pem
+++ b/crypto/openssl/apps/dh2048.pem
@@ -7,8 +7,8 @@ fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
-----END DH PARAMETERS-----
-These are the 2048-bit DH parameters from "More Modular Exponential
-(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
+These are the 2048-bit DH parameters from "More Modular Exponential
+(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
https://tools.ietf.org/html/rfc3526
See https://tools.ietf.org/html/rfc2412 for how they were generated.
diff --git a/crypto/openssl/apps/dh4096.pem b/crypto/openssl/apps/dh4096.pem
index adada2b55815..08560e1284e2 100644
--- a/crypto/openssl/apps/dh4096.pem
+++ b/crypto/openssl/apps/dh4096.pem
@@ -12,8 +12,8 @@ ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
-----END DH PARAMETERS-----
-These are the 4096-bit DH parameters from "More Modular Exponential
-(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
+These are the 4096-bit DH parameters from "More Modular Exponential
+(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
https://tools.ietf.org/html/rfc3526
See https://tools.ietf.org/html/rfc2412 for how they were generated.
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 7fd78624bbcc..e8aeb11cc51d 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -36,7 +36,21 @@ NON_EMPTY_TRANSLATION_UNIT
# include <openssl/x509v3.h>
# include <openssl/rand.h>
-# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \
+#ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+# else
+# define HAVE_FORK 1
+# endif
+#endif
+
+#if HAVE_FORK
+# undef NO_FORK
+#else
+# define NO_FORK
+#endif
+
+# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
# define OCSP_DAEMON
# include <sys/types.h>
@@ -53,6 +67,20 @@ NON_EMPTY_TRANSLATION_UNIT
# define LOG_ERR 2
# endif
+# if defined(OPENSSL_SYS_VXWORKS)
+/* not supported */
+int setpgid(pid_t pid, pid_t pgid)
+{
+ errno = ENOSYS;
+ return 0;
+}
+/* not supported */
+pid_t fork(void)
+{
+ errno = ENOSYS;
+ return (pid_t) -1;
+}
+# endif
/* Maximum leeway in validity period: default 5 minutes */
# define MAX_VALIDITY_PERIOD (5 * 60)
@@ -863,6 +891,7 @@ static void killall(int ret, pid_t *kidpids)
for (i = 0; i < multi; ++i)
if (kidpids[i] != 0)
(void)kill(kidpids[i], SIGTERM);
+ OPENSSL_free(kidpids);
sleep(1);
exit(ret);
}
@@ -977,7 +1006,6 @@ static void spawn_loop(void)
}
/* The loop above can only break on termsig */
- OPENSSL_free(kidpids);
syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf
index 24538651ebb7..d67a4241af78 100644
--- a/crypto/openssl/apps/openssl.cnf
+++ b/crypto/openssl/apps/openssl.cnf
@@ -19,7 +19,7 @@ oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
-# extensions =
+# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -116,7 +116,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert
# input_password = secret
# output_password = secret
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index c8fc452ec6d2..719a309a860c 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -311,6 +311,13 @@ int pkcs12_main(int argc, char **argv)
if (cpass != NULL) {
mpass = cpass;
noprompt = 1;
+ if (twopass) {
+ if (export_cert)
+ BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n");
+ else
+ BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n");
+ goto end;
+ }
} else {
cpass = pass;
mpass = macpass;
diff --git a/crypto/openssl/apps/rehash.c b/crypto/openssl/apps/rehash.c
index bb41d3129f9c..2b769fbceb87 100644
--- a/crypto/openssl/apps/rehash.c
+++ b/crypto/openssl/apps/rehash.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -51,6 +51,26 @@
# endif
# define MAX_COLLISIONS 256
+# if defined(OPENSSL_SYS_VXWORKS)
+/*
+ * VxWorks has no symbolic links
+ */
+
+# define lstat(path, buf) stat(path, buf)
+
+int symlink(const char *target, const char *linkpath)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+ssize_t readlink(const char *pathname, char *buf, size_t bufsiz)
+{
+ errno = ENOSYS;
+ return -1;
+}
+# endif
+
typedef struct hentry_st {
struct hentry_st *next;
char *filename;
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index 2d4568f40ccb..d0e332a7088a 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -24,7 +24,7 @@
#define COOKIE_SECRET_LENGTH 16
-VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
+VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
#ifndef OPENSSL_NO_SOCK
static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
if (!ok) {
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err));
- if (verify_args.depth >= depth) {
+ if (verify_args.depth < 0 || verify_args.depth >= depth) {
if (!verify_args.return_error)
ok = 1;
verify_args.error = err;
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index dcaa10cf44eb..4dd6e2fef4e4 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -74,6 +74,7 @@ static void print_stuff(BIO *berr, SSL *con, int full);
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
static int ldap_ExtendedResponse_parse(const char *buf, long rem);
+static int is_dNS_name(const char *host);
static int saved_errno;
@@ -596,6 +597,7 @@ typedef enum OPTION_choice {
#endif
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
OPT_ENABLE_PHA,
+ OPT_SCTP_LABEL_BUG,
OPT_R_ENUM
} OPTION_CHOICE;
@@ -750,6 +752,7 @@ const OPTIONS s_client_options[] = {
#endif
#ifndef OPENSSL_NO_SCTP
{"sctp", OPT_SCTP, '-', "Use SCTP"},
+ {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
@@ -976,6 +979,9 @@ int s_client_main(int argc, char **argv)
#endif
char *psksessf = NULL;
int enable_pha = 0;
+#ifndef OPENSSL_NO_SCTP
+ int sctp_label_bug = 0;
+#endif
FD_ZERO(&readfds);
FD_ZERO(&writefds);
@@ -1121,6 +1127,7 @@ int s_client_main(int argc, char **argv)
goto opthelp;
break;
case OPT_VERIFY_RET_ERROR:
+ verify = SSL_VERIFY_PEER;
verify_args.return_error = 1;
break;
case OPT_VERIFY_QUIET:
@@ -1323,6 +1330,11 @@ int s_client_main(int argc, char **argv)
protocol = IPPROTO_SCTP;
#endif
break;
+ case OPT_SCTP_LABEL_BUG:
+#ifndef OPENSSL_NO_SCTP
+ sctp_label_bug = 1;
+#endif
+ break;
case OPT_TIMEOUT:
#ifndef OPENSSL_NO_DTLS
enable_timeouts = 1;
@@ -1707,6 +1719,11 @@ int s_client_main(int argc, char **argv)
}
}
+#ifndef OPENSSL_NO_SCTP
+ if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
+ SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
+#endif
+
if (min_version != 0
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
@@ -1975,9 +1992,11 @@ int s_client_main(int argc, char **argv)
SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
if (!noservername && (servername != NULL || dane_tlsa_domain == NULL)) {
- if (servername == NULL)
- servername = (host == NULL) ? "localhost" : host;
- if (!SSL_set_tlsext_host_name(con, servername)) {
+ if (servername == NULL) {
+ if(host == NULL || is_dNS_name(host))
+ servername = (host == NULL) ? "localhost" : host;
+ }
+ if (servername != NULL && !SSL_set_tlsext_host_name(con, servername)) {
BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
ERR_print_errors(bio_err);
goto end;
@@ -3031,9 +3050,7 @@ int s_client_main(int argc, char **argv)
BIO_printf(bio_err, "RENEGOTIATING\n");
SSL_renegotiate(con);
cbuf_len = 0;
- }
-
- if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
+ } else if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
&& cmdletters) {
BIO_printf(bio_err, "KEYUPDATE\n");
SSL_key_update(con,
@@ -3459,4 +3476,69 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem)
return ret;
}
+/*
+ * Host dNS Name verifier: used for checking that the hostname is in dNS format
+ * before setting it as SNI
+ */
+static int is_dNS_name(const char *host)
+{
+ const size_t MAX_LABEL_LENGTH = 63;
+ size_t i;
+ int isdnsname = 0;
+ size_t length = strlen(host);
+ size_t label_length = 0;
+ int all_numeric = 1;
+
+ /*
+ * Deviation from strict DNS name syntax, also check names with '_'
+ * Check DNS name syntax, any '-' or '.' must be internal,
+ * and on either side of each '.' we can't have a '-' or '.'.
+ *
+ * If the name has just one label, we don't consider it a DNS name.
+ */
+ for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {
+ char c = host[i];
+
+ if ((c >= 'a' && c <= 'z')
+ || (c >= 'A' && c <= 'Z')
+ || c == '_') {
+ label_length += 1;
+ all_numeric = 0;
+ continue;
+ }
+
+ if (c >= '0' && c <= '9') {
+ label_length += 1;
+ continue;
+ }
+
+ /* Dot and hyphen cannot be first or last. */
+ if (i > 0 && i < length - 1) {
+ if (c == '-') {
+ label_length += 1;
+ continue;
+ }
+ /*
+ * Next to a dot the preceding and following characters must not be
+ * another dot or a hyphen. Otherwise, record that the name is
+ * plausible, since it has two or more labels.
+ */
+ if (c == '.'
+ && host[i + 1] != '.'
+ && host[i - 1] != '-'
+ && host[i + 1] != '-') {
+ label_length = 0;
+ isdnsname = 1;
+ continue;
+ }
+ }
+ isdnsname = 0;
+ break;
+ }
+
+ /* dNS name must not be all numeric and labels must be shorter than 64 characters. */
+ isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);
+
+ return isdnsname;
+}
#endif /* OPENSSL_NO_SOCK */
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index ac7dca607ba4..929a08bd85b0 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -751,7 +751,7 @@ typedef enum OPTION_choice {
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
- OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
+ OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
@@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = {
#endif
#ifndef OPENSSL_NO_SCTP
{"sctp", OPT_SCTP, '-', "Use SCTP"},
+ {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
@@ -1047,6 +1048,9 @@ int s_server_main(int argc, char *argv[])
const char *keylog_file = NULL;
int max_early_data = -1, recv_max_early_data = -1;
char *psksessf = NULL;
+#ifndef OPENSSL_NO_SCTP
+ int sctp_label_bug = 0;
+#endif
/* Init of few remaining global variables */
local_argc = argc;
@@ -1407,7 +1411,7 @@ int s_server_main(int argc, char *argv[])
for (p = psk_key = opt_arg(); *p; p++) {
if (isxdigit(_UC(*p)))
continue;
- BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
+ BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
goto end;
}
break;
@@ -1490,6 +1494,11 @@ int s_server_main(int argc, char *argv[])
protocol = IPPROTO_SCTP;
#endif
break;
+ case OPT_SCTP_LABEL_BUG:
+#ifndef OPENSSL_NO_SCTP
+ sctp_label_bug = 1;
+#endif
+ break;
case OPT_TIMEOUT:
#ifndef OPENSSL_NO_DTLS
enable_timeouts = 1;
@@ -1792,6 +1801,12 @@ int s_server_main(int argc, char *argv[])
goto end;
}
}
+
+#ifndef OPENSSL_NO_SCTP
+ if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
+ SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
+#endif
+
if (min_version != 0
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
@@ -2754,6 +2769,8 @@ static int init_ssl_connection(SSL *con)
BIO_ADDR_free(client);
return 0;
}
+
+ (void)BIO_ctrl_set_connected(wbio, client);
BIO_ADDR_free(client);
dtlslisten = 0;
} else {
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 40e990408ab9..506737d05fc6 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -100,7 +100,7 @@
#include <openssl/modes.h>
#ifndef HAVE_FORK
-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VXWORKS)
# define HAVE_FORK 0
# else
# define HAVE_FORK 1
@@ -1499,11 +1499,11 @@ int speed_main(int argc, char **argv)
{"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
- {"nistp384", NID_secp384r1, 384},
+ {"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
/* Binary Curves */
{"nistk163", NID_sect163k1, 163},
- {"nistk233", NID_sect233k1, 233},
+ {"nistk233", NID_sect233k1, 233},
{"nistk283", NID_sect283k1, 283},
{"nistk409", NID_sect409k1, 409},
{"nistk571", NID_sect571k1, 571},
diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c
index 38377a57e4a9..1f9385606046 100644
--- a/crypto/openssl/apps/verify.c
+++ b/crypto/openssl/apps/verify.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx)
cert_error,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(cert_error));
+
+ /*
+ * Pretend that some errors are ok, so they don't stop further
+ * processing of the certificate chain. Setting ok = 1 does this.
+ * After X509_verify_cert() is done, we verify that there were
+ * no actual errors, even if the returned value was positive.
+ */
switch (cert_error) {
case X509_V_ERR_NO_EXPLICIT_POLICY:
policies_print(ctx);
/* fall thru */
case X509_V_ERR_CERT_HAS_EXPIRED:
-
- /*
- * since we are just checking the certificates, it is ok if they
- * are self signed. But we should still warn the user.
- */
+ /* Continue even if the leaf is a self signed cert */
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
/* Continue after extension errors too */
case X509_V_ERR_INVALID_CA: