diff options
| author | June McEnroe <june@causal.agency> | 2026-06-01 14:50:25 -0400 |
|---|---|---|
| committer | June McEnroe <june@causal.agency> | 2026-06-01 14:50:25 -0400 |
| commit | 8a5bd6dcd6f7780354ed2e297edfddfec0273253 (patch) | |
| tree | d6a47d1f9ce63cf523a845f426d0b879bc008eda | |
| parent | Import LibreSSL 4.2.1 (diff) | |
| download | libretls-8a5bd6dcd6f7780354ed2e297edfddfec0273253.tar.gz libretls-8a5bd6dcd6f7780354ed2e297edfddfec0273253.zip | |
Import LibreSSL 4.3.0
Diffstat (limited to '')
| -rw-r--r-- | LIBTLS_VERSION | 2 | ||||
| -rw-r--r-- | VERSION | 2 | ||||
| -rw-r--r-- | compat/posix_win.c | 3 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | include/compat/netinet/ip.h | 4 | ||||
| -rw-r--r-- | man/Makefile.am | 30 | ||||
| -rw-r--r-- | tls.c | 4 | ||||
| -rw-r--r-- | tls_client.c | 4 | ||||
| -rw-r--r-- | tls_config.c | 6 | ||||
| -rw-r--r-- | tls_conninfo.c | 6 | ||||
| -rw-r--r-- | tls_keypair.c | 13 | ||||
| -rw-r--r-- | tls_ocsp.c | 19 | ||||
| -rw-r--r-- | tls_server.c | 10 | ||||
| -rw-r--r-- | tls_signer.c | 18 | ||||
| -rw-r--r-- | tls_util.c | 4 | ||||
| -rw-r--r-- | tls_verify.c | 6 |
16 files changed, 68 insertions, 65 deletions
diff --git a/LIBTLS_VERSION b/LIBTLS_VERSION index dce3f46..01222bc 100644 --- a/LIBTLS_VERSION +++ b/LIBTLS_VERSION @@ -1 +1 @@ -33:1:0 +33:2:0 diff --git a/VERSION b/VERSION index fae6e3d..8089590 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.2.1 +4.3.0 diff --git a/compat/posix_win.c b/compat/posix_win.c index 572e527..bc0fa36 100644 --- a/compat/posix_win.c +++ b/compat/posix_win.c @@ -89,6 +89,9 @@ posix_open(const char *path, ...) flags &= ~O_NONBLOCK; const int fh = open(path, flags, mode); + if (fh == -1) { + return fh; + } // Set high bit to mark file descriptor as a file handle return fh + 0x80000000; diff --git a/configure.ac b/configure.ac index 8d347b0..eb2b9ce 100644 --- a/configure.ac +++ b/configure.ac @@ -115,6 +115,8 @@ AC_ARG_ENABLE([asm], AS_HELP_STRING([--disable-asm], [Disable assembly])) AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"]) # Conditionally enable assembly by default +AM_CONDITIONAL([HOST_ASM_ELF_AARCH64], + [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "aarch64" -a "x$enable_asm" != "xno"]) AM_CONDITIONAL([HOST_ASM_ELF_MIPS], [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "mips" -a "x$enable_asm" != "xno"]) AM_CONDITIONAL([HOST_ASM_ELF_MIPS64], diff --git a/include/compat/netinet/ip.h b/include/compat/netinet/ip.h index 29f17f3..100e006 100644 --- a/include/compat/netinet/ip.h +++ b/include/compat/netinet/ip.h @@ -44,6 +44,10 @@ #define IPTOS_DSCP_AF43 0x98 #endif +#ifndef IPTOS_DSCP_VA +#define IPTOS_DSCP_VA 0xb0 +#endif + #ifndef IPTOS_DSCP_EF #define IPTOS_DSCP_EF 0xb8 #endif diff --git a/man/Makefile.am b/man/Makefile.am index 4d7479c..4778950 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -2360,6 +2360,7 @@ install-data-hook: ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_set_time.3" ln -sf "SSL_SESSION_get_time.3" "$(DESTDIR)$(mandir)/man3/SSL_set_timeout.3" ln -sf "SSL_SESSION_has_ticket.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ticket_lifetime_hint.3" + ln -sf "SSL_SESSION_new.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_dup.3" ln -sf "SSL_SESSION_print.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_print_fp.3" ln -sf "SSL_SESSION_set1_id_context.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get0_id_context.3" ln -sf "SSL_alert_type_string.3" "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string.3" @@ -2738,6 +2739,7 @@ install-data-hook: ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_peername.3" ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_depth.3" ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_flags.3" + ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_hostflags.3" ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_time.3" ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_email.3" ln -sf "X509_VERIFY_PARAM_set_flags.3" "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_host.3" @@ -2892,19 +2894,6 @@ install-data-hook: ln -sf "X509v3_get_ext_by_NID.3" "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_count.3" ln -sf "a2i_ipadd.3" "$(DESTDIR)$(mandir)/man3/a2i_IPADDRESS.3" ln -sf "a2i_ipadd.3" "$(DESTDIR)$(mandir)/man3/a2i_IPADDRESS_NC.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_add_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_div_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_expand.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_add_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_comba4.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_comba8.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_normal.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_mul_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_comba4.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_comba8.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sqr_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_sub_words.3" - ln -sf "bn_dump.3" "$(DESTDIR)$(mandir)/man3/bn_wexpand.3" ln -sf "d2i_ASN1_NULL.3" "$(DESTDIR)$(mandir)/man3/i2d_ASN1_NULL.3" ln -sf "d2i_ASN1_OBJECT.3" "$(DESTDIR)$(mandir)/man3/OBJ_get0_data.3" ln -sf "d2i_ASN1_OBJECT.3" "$(DESTDIR)$(mandir)/man3/OBJ_length.3" @@ -5133,6 +5122,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_time.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_timeout.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ticket_lifetime_hint.3" + -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_dup.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_print_fp.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get0_id_context.3" -rm -f "$(DESTDIR)$(mandir)/man3/SSL_alert_desc_string.3" @@ -5511,6 +5501,7 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get0_peername.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_depth.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_flags.3" + -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_hostflags.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_get_time.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_email.3" -rm -f "$(DESTDIR)$(mandir)/man3/X509_VERIFY_PARAM_set1_host.3" @@ -5665,19 +5656,6 @@ uninstall-local: -rm -f "$(DESTDIR)$(mandir)/man3/X509v3_get_ext_count.3" -rm -f "$(DESTDIR)$(mandir)/man3/a2i_IPADDRESS.3" -rm -f "$(DESTDIR)$(mandir)/man3/a2i_IPADDRESS_NC.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_add_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_div_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_expand.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_add_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_comba4.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_comba8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_normal.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_mul_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_comba4.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_comba8.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sqr_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_sub_words.3" - -rm -f "$(DESTDIR)$(mandir)/man3/bn_wexpand.3" -rm -f "$(DESTDIR)$(mandir)/man3/i2d_ASN1_NULL.3" -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_get0_data.3" -rm -f "$(DESTDIR)$(mandir)/man3/OBJ_length.3" diff --git a/tls.c b/tls.c index 41bb06d..02ff337 100644 --- a/tls.c +++ b/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.104 2024/04/08 20:47:32 tb Exp $ */ +/* $OpenBSD: tls.c,v 1.105 2026/04/16 07:28:00 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -686,7 +686,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) if (xi->crl == NULL) continue; if (!X509_STORE_add_crl(store, xi->crl)) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to add crl"); goto err; } diff --git a/tls_client.c b/tls_client.c index 97e1d40..7de9927 100644 --- a/tls_client.c +++ b/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */ +/* $OpenBSD: tls_client.c,v 1.52 2026/04/16 07:28:00 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -115,7 +115,7 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port, hints.ai_family = AF_UNSPEC; hints.ai_flags = AI_ADDRCONFIG; if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "%s", gai_strerror(s)); goto err; } diff --git a/tls_config.c b/tls_config.c index 5774d40..76421bf 100644 --- a/tls_config.c +++ b/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */ +/* $OpenBSD: tls_config.c,v 1.73 2026/04/16 07:33:11 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -49,7 +49,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype, *buf = NULL; *len = 0; - if ((fd = open(filename, O_RDONLY)) == -1) { + if ((fd = open(filename, O_RDONLY|O_CLOEXEC)) == -1) { tls_error_set(error, TLS_ERROR_UNKNOWN, "failed to open %s file '%s'", filetype, filename); @@ -65,7 +65,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype, goto err; *len = (size_t)st.st_size; if ((*buf = malloc(*len)) == NULL) { - tls_error_set(error, TLS_ERROR_UNKNOWN, + tls_error_setx(error, TLS_ERROR_OUT_OF_MEMORY, "failed to allocate buffer for %s file", filetype); goto err; diff --git a/tls_conninfo.c b/tls_conninfo.c index 8fb56c9..5707ec6 100644 --- a/tls_conninfo.c +++ b/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.28 2024/12/10 08:40:30 tb Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.29 2026/03/28 11:33:33 tb Exp $ */ /* * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> * Copyright (c) 2015 Bob Beck <beck@openbsd.org> @@ -89,7 +89,7 @@ tls_get_peer_cert_hash(struct tls *ctx, char **hash) static int tls_get_peer_cert_issuer(struct tls *ctx, char **issuer) { - X509_NAME *name = NULL; + const X509_NAME *name = NULL; *issuer = NULL; if (ctx->ssl_peer_cert == NULL) @@ -105,7 +105,7 @@ tls_get_peer_cert_issuer(struct tls *ctx, char **issuer) static int tls_get_peer_cert_subject(struct tls *ctx, char **subject) { - X509_NAME *name = NULL; + const X509_NAME *name = NULL; *subject = NULL; if (ctx->ssl_peer_cert == NULL) diff --git a/tls_keypair.c b/tls_keypair.c index ffda91d..8b1beda 100644 --- a/tls_keypair.c +++ b/tls_keypair.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_keypair.c,v 1.9 2024/03/26 06:24:52 joshua Exp $ */ +/* $OpenBSD: tls_keypair.c,v 1.12 2026/04/16 07:29:53 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -144,13 +144,18 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, *cert = NULL; if (keypair->cert_mem == NULL) { - tls_error_set(error, TLS_ERROR_UNKNOWN, + tls_error_setx(error, TLS_ERROR_UNKNOWN, "keypair has no certificate"); goto err; } + if (keypair->cert_len > INT_MAX) { + tls_error_setx(error, TLS_ERROR_INVALID_ARGUMENT, + "certificate too long"); + goto err; + } if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem, keypair->cert_len)) == NULL) { - tls_error_set(error, TLS_ERROR_UNKNOWN, + tls_error_setx(error, TLS_ERROR_UNKNOWN, "failed to create certificate bio"); goto err; } @@ -158,7 +163,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, NULL)) == NULL) { if ((ssl_err = ERR_peek_error()) != 0) errstr = ERR_error_string(ssl_err, NULL); - tls_error_set(error, TLS_ERROR_UNKNOWN, + tls_error_setx(error, TLS_ERROR_UNKNOWN, "failed to load certificate: %s", errstr); goto err; } diff --git a/tls_ocsp.c b/tls_ocsp.c index bfd06e3..b8d855c 100644 --- a/tls_ocsp.c +++ b/tls_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */ +/* $OpenBSD: tls_ocsp.c,v 1.29 2026/04/16 07:35:25 tb Exp $ */ /* * Copyright (c) 2015 Marko Kreen <markokr@gmail.com> * Copyright (c) 2016 Bob Beck <beck@openbsd.org> @@ -85,7 +85,7 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status, ctx->ocsp->ocsp_result = NULL; if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) { - tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); + tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); return -1; } info->response_status = response_status; @@ -102,19 +102,19 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status, info->revocation_time = info->this_update = info->next_update = -1; if (revtime != NULL && tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "unable to parse revocation time in OCSP reply"); goto err; } if (thisupd != NULL && tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "unable to parse this update time in OCSP reply"); goto err; } if (nextupd != NULL && tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "unable to parse next update time in OCSP reply"); goto err; } @@ -130,7 +130,7 @@ static OCSP_CERTID * tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs, SSL_CTX *ssl_ctx) { - X509_NAME *issuer_name; + const X509_NAME *issuer_name; X509 *issuer; X509_STORE_CTX *storectx = NULL; X509_OBJECT *obj = NULL; @@ -141,7 +141,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs, goto out; if (extra_certs != NULL) { - issuer = X509_find_by_subject(extra_certs, issuer_name); + issuer = X509_find_by_subject(extra_certs, + (X509_NAME *)issuer_name); if (issuer != NULL) { cid = OCSP_cert_to_id(NULL, main_cert, issuer); goto out; @@ -155,7 +156,7 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs, if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1) goto out; if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509, - issuer_name)) == NULL) + (X509_NAME *)issuer_name)) == NULL) goto out; cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj)); @@ -304,7 +305,7 @@ tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *respons if (resp == NULL) { tls_ocsp_free(ctx->ocsp); ctx->ocsp = NULL; - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "unable to parse OCSP response"); return -1; } diff --git a/tls_server.c b/tls_server.c index 42a6973..570020d 100644 --- a/tls_server.c +++ b/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.52 2025/06/04 10:25:30 tb Exp $ */ +/* $OpenBSD: tls_server.c,v 1.53 2026/04/16 07:28:00 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -242,12 +242,12 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, tls_servername_cb) != 1) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to set servername callback"); goto err; } if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to set servername callback arg"); goto err; } @@ -298,7 +298,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET); if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx, tls_server_ticket_cb)) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to set the TLS ticket callback"); goto err; } @@ -306,7 +306,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id, sizeof(ctx->config->session_id)) != 1) { - tls_set_error(ctx, TLS_ERROR_UNKNOWN, + tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to set session id context"); goto err; } diff --git a/tls_signer.c b/tls_signer.c index 2573803..2d66354 100644 --- a/tls_signer.c +++ b/tls_signer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_signer.c,v 1.13 2024/06/11 16:35:24 op Exp $ */ +/* $OpenBSD: tls_signer.c,v 1.15 2026/04/16 07:35:25 tb Exp $ */ /* * Copyright (c) 2021 Eric Faurot <eric@openbsd.org> * @@ -99,6 +99,11 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert, char *hash = NULL; /* Compute certificate hash */ + if (cert_len > INT_MAX) { + tls_error_setx(&signer->error, TLS_ERROR_INVALID_ARGUMENT, + "certificate too long"); + goto err; + } if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) { tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, "failed to create certificate bio"); @@ -124,6 +129,11 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert, bio = NULL; /* Read private key */ + if (key_len > INT_MAX) { + tls_error_setx(&signer->error, TLS_ERROR_INVALID_ARGUMENT, + "private key too long"); + goto err; + } if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) { tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, "failed to create key bio"); @@ -137,7 +147,7 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert, } if ((skey = calloc(1, sizeof(*skey))) == NULL) { - tls_error_set(&signer->error, TLS_ERROR_OUT_OF_MEMORY, + tls_error_setx(&signer->error, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); goto err; } @@ -223,7 +233,7 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey, return (-1); } if ((signature = calloc(1, rsa_size)) == NULL) { - tls_error_set(&signer->error, TLS_ERROR_OUT_OF_MEMORY, + tls_error_setx(&signer->error, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); return (-1); } @@ -271,7 +281,7 @@ tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey, return (-1); } if ((signature = calloc(1, signature_len)) == NULL) { - tls_error_set(&signer->error, TLS_ERROR_OUT_OF_MEMORY, + tls_error_setx(&signer->error, TLS_ERROR_OUT_OF_MEMORY, "out of memory"); return (-1); } diff --git a/tls_util.c b/tls_util.c index b276d2c..d93efb8 100644 --- a/tls_util.c +++ b/tls_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */ +/* $OpenBSD: tls_util.c,v 1.17 2026/03/10 05:26:04 deraadt Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> @@ -162,7 +162,7 @@ tls_load_file(const char *name, size_t *len, char *password) *len = 0; - if ((fd = open(name, O_RDONLY)) == -1) + if ((fd = open(name, O_RDONLY|O_CLOEXEC)) == -1) return (NULL); /* Just load the file into memory without decryption */ diff --git a/tls_verify.c b/tls_verify.c index 2935278..de95ab8 100644 --- a/tls_verify.c +++ b/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.32 2024/12/10 08:40:30 tb Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.33 2026/03/28 11:33:33 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * @@ -214,10 +214,10 @@ tls_get_common_name_internal(X509 *cert, char **out_common_name, unsigned int *out_tlserr, const char **out_errstr) { unsigned char *utf8_bytes = NULL; - X509_NAME *subject_name; + const X509_NAME *subject_name; char *common_name = NULL; int common_name_len; - ASN1_STRING *data; + const ASN1_STRING *data; int lastpos = -1; int rv = -1; |