diff options
author | June McEnroe <june@causal.agency> | 2021-10-14 21:28:19 -0400 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2021-10-14 21:28:19 -0400 |
commit | 9993c88024f45401d84bfa7267620aa97328c1d0 (patch) | |
tree | 34097d0fd1f5d289f9fbc812a3cb5e3dc5afbc83 | |
parent | Merge LibreSSL 3.3.4 (diff) | |
parent | Import LibreSSL 3.4.1 (diff) | |
download | libretls-9993c88024f45401d84bfa7267620aa97328c1d0.tar.gz libretls-9993c88024f45401d84bfa7267620aa97328c1d0.zip |
Merge LibreSSL 3.4.1 3.4.1
-rw-r--r-- | LIBTLS_VERSION | 2 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | libtls.pc.in | 3 | ||||
-rw-r--r-- | m4/check-hardening-options.m4 | 4 | ||||
-rw-r--r-- | man/tls_load_file.3 | 30 | ||||
-rw-r--r-- | tls.c | 2 | ||||
-rw-r--r-- | tls_client.c | 27 | ||||
-rw-r--r-- | tls_server.c | 6 | ||||
-rw-r--r-- | tls_util.c | 4 |
9 files changed, 45 insertions, 35 deletions
diff --git a/LIBTLS_VERSION b/LIBTLS_VERSION index 2a9f52a..2005c06 100644 --- a/LIBTLS_VERSION +++ b/LIBTLS_VERSION @@ -1 +1 @@ -20:3:0 +22:0:0 diff --git a/VERSION b/VERSION index 9c303ae..bc5999b 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -3.3.4 +3.4.1 diff --git a/libtls.pc.in b/libtls.pc.in index 987daf0..f4f1f90 100644 --- a/libtls.pc.in +++ b/libtls.pc.in @@ -8,9 +8,6 @@ includedir=@includedir@ Name: LibreTLS-libtls Description: Secure communications using the TLS socket protocol. Version: @VERSION@ -Requires: -Requires.private: -Conflicts: Libs: -L${libdir} -ltls Libs.private: @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ @PLATFORM_LDADD@ Cflags: -I${includedir} diff --git a/m4/check-hardening-options.m4 b/m4/check-hardening-options.m4 index 869f00b..c8ab12e 100644 --- a/m4/check-hardening-options.m4 +++ b/m4/check-hardening-options.m4 @@ -73,7 +73,9 @@ AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [ CHECK_CFLAG([[-fno-strict-overflow]]) # _FORTIFY_SOURCE replaces builtin functions with safer versions. - AX_ADD_FORTIFY_SOURCE + AS_IF([test "x$HOST_OS" != "xwin"], [ + AX_ADD_FORTIFY_SOURCE + ]) # Enable read only relocations CHECK_LDFLAG([[-Wl,-z,relro]]) diff --git a/man/tls_load_file.3 b/man/tls_load_file.3 index d836a04..6f82759 100644 --- a/man/tls_load_file.3 +++ b/man/tls_load_file.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_load_file.3,v 1.11 2018/11/29 14:24:23 tedu Exp $ +.\" $OpenBSD: tls_load_file.3,v 1.13 2021/06/22 20:01:19 jmc Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> @@ -17,7 +17,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 29 2018 $ +.Dd $Mdocdate: June 22 2021 $ .Dt TLS_LOAD_FILE 3 .Os .Sh NAME @@ -217,8 +217,7 @@ call, ensuring that the memory contents is discarded. returns the path of the file that contains the default root certificates. .Pp .Fn tls_config_set_ca_file -sets the filename used to load a file -containing the root certificates. +loads a file containing the root certificates. .Pp .Fn tls_config_set_ca_path sets the path (directory) which should be searched for root @@ -228,52 +227,51 @@ certificates. sets the root certificates directly from memory. .Pp .Fn tls_config_set_cert_file -sets file from which the public certificate will be read. +loads a file containing the public certificate. .Pp .Fn tls_config_set_cert_mem sets the public certificate directly from memory. .Pp .Fn tls_config_set_crl_file -sets the filename used to load a file containing the -Certificate Revocation List (CRL). +loads a file containing the Certificate Revocation List (CRL). .Pp .Fn tls_config_set_crl_mem sets the CRL directly from memory. .Pp .Fn tls_config_set_key_file -sets the file from which the private key will be read. +loads a file containing the private key. .Pp .Fn tls_config_set_key_mem directly sets the private key from memory. .Pp .Fn tls_config_set_ocsp_staple_file -sets a DER-encoded OCSP response to be stapled during the TLS handshake from -the specified file. +loads a file containing a DER-encoded OCSP response to be stapled +during the TLS handshake. .Pp .Fn tls_config_set_ocsp_staple_mem sets a DER-encoded OCSP response to be stapled during the TLS handshake from memory. .Pp .Fn tls_config_set_keypair_file -sets the files from which the public certificate, and private key will be read. +loads two files from which the public certificate and private key will be read. .Pp .Fn tls_config_set_keypair_mem -directly sets the public certificate, and private key from memory. +directly sets the public certificate and private key from memory. .Pp .Fn tls_config_set_keypair_ocsp_file -sets the files from which the public certificate, private key, and DER-encoded -OCSP staple will be read. +loads three files containing the public certificate, private key, +and DER-encoded OCSP staple. .Pp .Fn tls_config_set_keypair_ocsp_mem directly sets the public certificate, private key, and DER-encoded OCSP staple from memory. .Pp .Fn tls_config_add_keypair_file -adds an additional public certificate, and private key from the specified files, +adds an additional public certificate and private key from the specified files, used as an alternative certificate for Server Name Indication (server only). .Pp .Fn tls_config_add_keypair_mem -adds an additional public certificate, and private key from memory, used as an +adds an additional public certificate and private key from memory, used as an alternative certificate for Server Name Indication (server only). .Pp .Fn tls_config_add_keypair_ocsp_file diff --git a/tls.c b/tls.c index 261d27f..fabf790 100644 --- a/tls.c +++ b/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.89 2021/02/01 15:35:41 tb Exp $ */ +/* $OpenBSD: tls.c,v 1.90 2021/10/02 09:46:48 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * diff --git a/tls_client.c b/tls_client.c index 0743495..47ebc40 100644 --- a/tls_client.c +++ b/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.47 2021/06/01 20:26:11 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -280,6 +280,7 @@ static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; + size_t servername_len; int rv = -1; if ((ctx->flags & TLS_CLIENT) == 0) { @@ -292,6 +293,17 @@ tls_connect_common(struct tls *ctx, const char *servername) tls_set_errorx(ctx, "out of memory"); goto err; } + + /* + * If there's a trailing dot, remove it. While an FQDN includes + * the terminating dot representing the zero-length label of + * the root (RFC 8499, section 2), the SNI explicitly does not + * include it (RFC 6066, section 3). + */ + servername_len = strlen(ctx->servername); + if (servername_len > 0 && + ctx->servername[servername_len - 1] == '.') + ctx->servername[servername_len - 1] = '\0'; } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { @@ -307,7 +319,7 @@ tls_connect_common(struct tls *ctx, const char *servername) goto err; if (ctx->config->verify_name) { - if (servername == NULL) { + if (ctx->servername == NULL) { tls_set_errorx(ctx, "server name not specified"); goto err; } @@ -351,13 +363,14 @@ tls_connect_common(struct tls *ctx, const char *servername) } /* - * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not + * RFC 6066 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". */ - if (servername != NULL && - inet_pton(AF_INET, servername, &addrbuf) != 1 && - inet_pton(AF_INET6, servername, &addrbuf) != 1) { - if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { + if (ctx->servername != NULL && + inet_pton(AF_INET, ctx->servername, &addrbuf) != 1 && + inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) { + if (SSL_set_tlsext_host_name(ctx->ssl_conn, + ctx->servername) == 0) { tls_set_errorx(ctx, "server name indication failure"); goto err; } diff --git a/tls_server.c b/tls_server.c index 98a8389..831255a 100644 --- a/tls_server.c +++ b/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.45 2019/05/13 22:36:01 bcook Exp $ */ +/* $OpenBSD: tls_server.c,v 1.47 2021/06/14 03:53:59 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -110,7 +110,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) inet_pton(AF_INET6, name, &addrbuf) == 1) return (SSL_TLSEXT_ERR_NOACK); - free((char *)conn_ctx->servername); + free(conn_ctx->servername); if ((conn_ctx->servername = strdup(name)) == NULL) goto err; @@ -134,7 +134,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) * There is no way to tell libssl that an internal failure occurred. * The only option we have is to return a fatal alert. */ - *al = TLS1_AD_INTERNAL_ERROR; + *al = SSL_AD_INTERNAL_ERROR; return (SSL_TLSEXT_ERR_ALERT_FATAL); } diff --git a/tls_util.c b/tls_util.c index 7511792..782d6fc 100644 --- a/tls_util.c +++ b/tls_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_util.c,v 1.14 2019/04/13 18:47:58 tb Exp $ */ +/* $OpenBSD: tls_util.c,v 1.15 2021/08/16 13:54:38 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> @@ -93,7 +93,7 @@ tls_host_port(const char *hostport, char **host, char **port) *p++ = '\0'; } - /* Find the port seperator. */ + /* Find the port separator. */ if ((p = strchr(p, ':')) == NULL) goto done; |