summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2021-10-14 21:28:19 -0400
committerJune McEnroe <june@causal.agency>2021-10-14 21:28:19 -0400
commit9993c88024f45401d84bfa7267620aa97328c1d0 (patch)
tree34097d0fd1f5d289f9fbc812a3cb5e3dc5afbc83
parentMerge LibreSSL 3.3.4 (diff)
parentImport LibreSSL 3.4.1 (diff)
downloadlibretls-9993c88024f45401d84bfa7267620aa97328c1d0.tar.gz
libretls-9993c88024f45401d84bfa7267620aa97328c1d0.zip
Merge LibreSSL 3.4.1 3.4.1
-rw-r--r--LIBTLS_VERSION2
-rw-r--r--VERSION2
-rw-r--r--libtls.pc.in3
-rw-r--r--m4/check-hardening-options.m44
-rw-r--r--man/tls_load_file.330
-rw-r--r--tls.c2
-rw-r--r--tls_client.c27
-rw-r--r--tls_server.c6
-rw-r--r--tls_util.c4
9 files changed, 45 insertions, 35 deletions
diff --git a/LIBTLS_VERSION b/LIBTLS_VERSION
index 2a9f52a..2005c06 100644
--- a/LIBTLS_VERSION
+++ b/LIBTLS_VERSION
@@ -1 +1 @@
-20:3:0
+22:0:0
diff --git a/VERSION b/VERSION
index 9c303ae..bc5999b 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-3.3.4
+3.4.1
 
diff --git a/libtls.pc.in b/libtls.pc.in
index 987daf0..f4f1f90 100644
--- a/libtls.pc.in
+++ b/libtls.pc.in
@@ -8,9 +8,6 @@ includedir=@includedir@
 Name: LibreTLS-libtls
 Description: Secure communications using the TLS socket protocol.
 Version: @VERSION@
-Requires:
-Requires.private:
-Conflicts:
 Libs: -L${libdir} -ltls
 Libs.private: @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ @PLATFORM_LDADD@
 Cflags: -I${includedir}
diff --git a/m4/check-hardening-options.m4 b/m4/check-hardening-options.m4
index 869f00b..c8ab12e 100644
--- a/m4/check-hardening-options.m4
+++ b/m4/check-hardening-options.m4
@@ -73,7 +73,9 @@ AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [
 		CHECK_CFLAG([[-fno-strict-overflow]])
 
 		# _FORTIFY_SOURCE replaces builtin functions with safer versions.
-		AX_ADD_FORTIFY_SOURCE
+		AS_IF([test "x$HOST_OS" != "xwin"], [
+			AX_ADD_FORTIFY_SOURCE
+		])
 
 		# Enable read only relocations
 		CHECK_LDFLAG([[-Wl,-z,relro]])
diff --git a/man/tls_load_file.3 b/man/tls_load_file.3
index d836a04..6f82759 100644
--- a/man/tls_load_file.3
+++ b/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.11 2018/11/29 14:24:23 tedu Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.13 2021/06/22 20:01:19 jmc Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 29 2018 $
+.Dd $Mdocdate: June 22 2021 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -217,8 +217,7 @@ call, ensuring that the memory contents is discarded.
 returns the path of the file that contains the default root certificates.
 .Pp
 .Fn tls_config_set_ca_file
-sets the filename used to load a file
-containing the root certificates.
+loads a file containing the root certificates.
 .Pp
 .Fn tls_config_set_ca_path
 sets the path (directory) which should be searched for root
@@ -228,52 +227,51 @@ certificates.
 sets the root certificates directly from memory.
 .Pp
 .Fn tls_config_set_cert_file
-sets file from which the public certificate will be read.
+loads a file containing the public certificate.
 .Pp
 .Fn tls_config_set_cert_mem
 sets the public certificate directly from memory.
 .Pp
 .Fn tls_config_set_crl_file
-sets the filename used to load a file containing the
-Certificate Revocation List (CRL).
+loads a file containing the Certificate Revocation List (CRL).
 .Pp
 .Fn tls_config_set_crl_mem
 sets the CRL directly from memory.
 .Pp
 .Fn tls_config_set_key_file
-sets the file from which the private key will be read.
+loads a file containing the private key.
 .Pp
 .Fn tls_config_set_key_mem
 directly sets the private key from memory.
 .Pp
 .Fn tls_config_set_ocsp_staple_file
-sets a DER-encoded OCSP response to be stapled during the TLS handshake from
-the specified file.
+loads a file containing a DER-encoded OCSP response to be stapled
+during the TLS handshake.
 .Pp
 .Fn tls_config_set_ocsp_staple_mem
 sets a DER-encoded OCSP response to be stapled during the TLS handshake from
 memory.
 .Pp
 .Fn tls_config_set_keypair_file
-sets the files from which the public certificate, and private key will be read.
+loads two files from which the public certificate and private key will be read.
 .Pp
 .Fn tls_config_set_keypair_mem
-directly sets the public certificate, and private key from memory.
+directly sets the public certificate and private key from memory.
 .Pp
 .Fn tls_config_set_keypair_ocsp_file
-sets the files from which the public certificate, private key, and DER-encoded
-OCSP staple will be read.
+loads three files containing the public certificate, private key,
+and DER-encoded OCSP staple.
 .Pp
 .Fn tls_config_set_keypair_ocsp_mem
 directly sets the public certificate, private key, and DER-encoded OCSP staple
 from memory.
 .Pp
 .Fn tls_config_add_keypair_file
-adds an additional public certificate, and private key from the specified files,
+adds an additional public certificate and private key from the specified files,
 used as an alternative certificate for Server Name Indication (server only).
 .Pp
 .Fn tls_config_add_keypair_mem
-adds an additional public certificate, and private key from memory, used as an
+adds an additional public certificate and private key from memory, used as an
 alternative certificate for Server Name Indication (server only).
 .Pp
 .Fn tls_config_add_keypair_ocsp_file
diff --git a/tls.c b/tls.c
index 261d27f..fabf790 100644
--- a/tls.c
+++ b/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.89 2021/02/01 15:35:41 tb Exp $ */
+/* $OpenBSD: tls.c,v 1.90 2021/10/02 09:46:48 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
diff --git a/tls_client.c b/tls_client.c
index 0743495..47ebc40 100644
--- a/tls_client.c
+++ b/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.47 2021/06/01 20:26:11 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -280,6 +280,7 @@ static int
 tls_connect_common(struct tls *ctx, const char *servername)
 {
 	union tls_addr addrbuf;
+	size_t servername_len;
 	int rv = -1;
 
 	if ((ctx->flags & TLS_CLIENT) == 0) {
@@ -292,6 +293,17 @@ tls_connect_common(struct tls *ctx, const char *servername)
 			tls_set_errorx(ctx, "out of memory");
 			goto err;
 		}
+
+		/*
+		 * If there's a trailing dot, remove it. While an FQDN includes
+		 * the terminating dot representing the zero-length label of
+		 * the root (RFC 8499, section 2), the SNI explicitly does not
+		 * include it (RFC 6066, section 3).
+		 */
+		servername_len = strlen(ctx->servername);
+		if (servername_len > 0 &&
+		    ctx->servername[servername_len - 1] == '.')
+			ctx->servername[servername_len - 1] = '\0';
 	}
 
 	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
@@ -307,7 +319,7 @@ tls_connect_common(struct tls *ctx, const char *servername)
 		goto err;
 
 	if (ctx->config->verify_name) {
-		if (servername == NULL) {
+		if (ctx->servername == NULL) {
 			tls_set_errorx(ctx, "server name not specified");
 			goto err;
 		}
@@ -351,13 +363,14 @@ tls_connect_common(struct tls *ctx, const char *servername)
 	}
 
 	/*
-	 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
+	 * RFC 6066 (SNI): Literal IPv4 and IPv6 addresses are not
 	 * permitted in "HostName".
 	 */
-	if (servername != NULL &&
-	    inet_pton(AF_INET, servername, &addrbuf) != 1 &&
-	    inet_pton(AF_INET6, servername, &addrbuf) != 1) {
-		if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
+	if (ctx->servername != NULL &&
+	    inet_pton(AF_INET, ctx->servername, &addrbuf) != 1 &&
+	    inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) {
+		if (SSL_set_tlsext_host_name(ctx->ssl_conn,
+		    ctx->servername) == 0) {
 			tls_set_errorx(ctx, "server name indication failure");
 			goto err;
 		}
diff --git a/tls_server.c b/tls_server.c
index 98a8389..831255a 100644
--- a/tls_server.c
+++ b/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.45 2019/05/13 22:36:01 bcook Exp $ */
+/* $OpenBSD: tls_server.c,v 1.47 2021/06/14 03:53:59 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -110,7 +110,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg)
             inet_pton(AF_INET6, name, &addrbuf) == 1)
 		return (SSL_TLSEXT_ERR_NOACK);
 
-	free((char *)conn_ctx->servername);
+	free(conn_ctx->servername);
 	if ((conn_ctx->servername = strdup(name)) == NULL)
 		goto err;
 
@@ -134,7 +134,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg)
 	 * There is no way to tell libssl that an internal failure occurred.
 	 * The only option we have is to return a fatal alert.
 	 */
-	*al = TLS1_AD_INTERNAL_ERROR;
+	*al = SSL_AD_INTERNAL_ERROR;
 	return (SSL_TLSEXT_ERR_ALERT_FATAL);
 }
 
diff --git a/tls_util.c b/tls_util.c
index 7511792..782d6fc 100644
--- a/tls_util.c
+++ b/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.14 2019/04/13 18:47:58 tb Exp $ */
+/* $OpenBSD: tls_util.c,v 1.15 2021/08/16 13:54:38 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
@@ -93,7 +93,7 @@ tls_host_port(const char *hostport, char **host, char **port)
 		*p++ = '\0';
 	}
 
-	/* Find the port seperator. */
+	/* Find the port separator. */
 	if ((p = strchr(p, ':')) == NULL)
 		goto done;