summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2023-10-11 19:26:04 -0400
committerJune McEnroe <june@causal.agency>2023-10-11 19:26:04 -0400
commit60da345ee97c2f374d11b94f5954397b152ca8b5 (patch)
tree95426d50e299fdfba6350353dcbbaba5961a7376
parentMerge LibreSSL 3.7.3 (diff)
parentImport LibreSSL 3.8.0 (diff)
downloadlibretls-60da345ee97c2f374d11b94f5954397b152ca8b5.tar.gz
libretls-60da345ee97c2f374d11b94f5954397b152ca8b5.zip
Merge LibreSSL 3.8.0
-rw-r--r--LIBTLS_VERSION2
-rw-r--r--Makefile.am2
-rw-r--r--VERSION2
-rw-r--r--tls.c38
-rw-r--r--tls_bio_cb.c2
-rw-r--r--tls_client.c2
-rw-r--r--tls_config.c2
-rw-r--r--tls_conninfo.c2
-rw-r--r--tls_internal.h3
-rw-r--r--tls_ocsp.c4
-rw-r--r--tls_server.c4
-rw-r--r--tls_signer.c6
-rw-r--r--tls_util.c2
-rw-r--r--tls_verify.c26
14 files changed, 56 insertions, 41 deletions
diff --git a/LIBTLS_VERSION b/LIBTLS_VERSION
index bc4eb71..6e2f32a 100644
--- a/LIBTLS_VERSION
+++ b/LIBTLS_VERSION
@@ -1 +1 @@
-26:2:0
+27:0:0
diff --git a/Makefile.am b/Makefile.am
index 741cacb..bfcf55e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,7 +21,7 @@ EXTRA_libtls_la_DEPENDENCIES = libtls_la_objects.mk
 
 libtls_la_objects.mk: Makefile
 	@echo "libtls_la_objects= $(libtls_la_OBJECTS)" \
-	  | sed 's/  */ $$\(abs_top_builddir\)\/tls\//g' \
+	  | sed -e 's/ *$$//' -e 's/  */ $$\(abs_top_builddir\)\/tls\//g' \
 	  > libtls_la_objects.mk
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls.sym
diff --git a/VERSION b/VERSION
index 517c2b6..6641052 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-3.7.3
+3.8.0
 
diff --git a/tls.c b/tls.c
index 6883c58..18b93ef 100644
--- a/tls.c
+++ b/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.94 2022/02/08 19:13:50 tb Exp $ */
+/* $OpenBSD: tls.c,v 1.96 2023/05/25 07:46:21 op Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -470,12 +470,18 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
 			tls_set_errorx(ctx, "RSA key setup failure");
 			goto err;
 		}
-		if (ctx->config->sign_cb == NULL)
-			break;
-		if ((rsa_method = tls_signer_rsa_method()) == NULL ||
-		    RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
-		    RSA_set_method(rsa, rsa_method) == 0) {
-			tls_set_errorx(ctx, "failed to setup RSA key");
+		if (ctx->config->sign_cb != NULL) {
+			rsa_method = tls_signer_rsa_method();
+			if (rsa_method == NULL ||
+			    RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
+			    RSA_set_method(rsa, rsa_method) == 0) {
+				tls_set_errorx(ctx, "failed to setup RSA key");
+				goto err;
+			}
+		}
+		/* Reset the key to work around caching in OpenSSL 3. */
+		if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
+			tls_set_errorx(ctx, "failed to set RSA key");
 			goto err;
 		}
 		break;
@@ -485,12 +491,18 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
 			tls_set_errorx(ctx, "EC key setup failure");
 			goto err;
 		}
-		if (ctx->config->sign_cb == NULL)
-			break;
-		if ((ecdsa_method = tls_signer_ecdsa_method()) == NULL ||
-		    EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
-		    EC_KEY_set_method(eckey, ecdsa_method) == 0) {
-			tls_set_errorx(ctx, "failed to setup EC key");
+		if (ctx->config->sign_cb != NULL) {
+			ecdsa_method = tls_signer_ecdsa_method();
+			if (ecdsa_method == NULL ||
+			    EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
+			    EC_KEY_set_method(eckey, ecdsa_method) == 0) {
+				tls_set_errorx(ctx, "failed to setup EC key");
+				goto err;
+			}
+		}
+		/* Reset the key to work around caching in OpenSSL 3. */
+		if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
+			tls_set_errorx(ctx, "failed to set EC key");
 			goto err;
 		}
 		break;
diff --git a/tls_bio_cb.c b/tls_bio_cb.c
index 9dd435a..8a1edfd 100644
--- a/tls_bio_cb.c
+++ b/tls_bio_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_bio_cb.c,v 1.20 2022/01/10 23:39:48 tb Exp $ */
+/* $OpenBSD: tls_bio_cb.c,v 1.21 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2016 Tobias Pape <tobias@netshed.de>
  *
diff --git a/tls_client.c b/tls_client.c
index b1d2a44..deb24eb 100644
--- a/tls_client.c
+++ b/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.48 2021/10/21 08:38:11 tb Exp $ */
+/* $OpenBSD: tls_client.c,v 1.49 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
diff --git a/tls_config.c b/tls_config.c
index 38ed1bb..864ef29 100644
--- a/tls_config.c
+++ b/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.65 2022/01/25 21:51:24 eric Exp $ */
+/* $OpenBSD: tls_config.c,v 1.66 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
diff --git a/tls_conninfo.c b/tls_conninfo.c
index 72d60c2..0a295a2 100644
--- a/tls_conninfo.c
+++ b/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.22 2021/01/05 15:57:38 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.23 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
diff --git a/tls_internal.h b/tls_internal.h
index a0680f4..7424750 100644
--- a/tls_internal.h
+++ b/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.80 2022/03/24 15:56:34 tb Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.81 2023/04/09 18:26:26 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -298,7 +298,6 @@ EC_KEY_METHOD *tls_signer_ecdsa_method(void);
 
 #define TLS_PADDING_NONE			0
 #define TLS_PADDING_RSA_PKCS1			1
-#define TLS_PADDING_RSA_X9_31			2
 
 int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
     void *_cb_arg);
diff --git a/tls_ocsp.c b/tls_ocsp.c
index f1c54ab..7670d1f 100644
--- a/tls_ocsp.c
+++ b/tls_ocsp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls_ocsp.c,v 1.22 2021/10/31 16:39:32 tb Exp $ */
+/*	$OpenBSD: tls_ocsp.c,v 1.23 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -22,6 +22,8 @@
 #include <arpa/inet.h>
 #include <netinet/in.h>
 
+#include <string.h>
+
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/x509.h>
diff --git a/tls_server.c b/tls_server.c
index ebf76bc..11303ca 100644
--- a/tls_server.c
+++ b/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.48 2022/01/19 11:10:55 inoguchi Exp $ */
+/* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -20,6 +20,8 @@
 
 #include <arpa/inet.h>
 
+#include <string.h>
+
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
diff --git a/tls_signer.c b/tls_signer.c
index 9311cfe..97e5e38 100644
--- a/tls_signer.c
+++ b/tls_signer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_signer.c,v 1.4 2022/02/01 17:18:38 jsing Exp $ */
+/* $OpenBSD: tls_signer.c,v 1.5 2023/04/09 18:26:26 tb Exp $ */
 /*
  * Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
  *
@@ -194,8 +194,6 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
 		rsa_padding = RSA_NO_PADDING;
 	} else if (padding_type == TLS_PADDING_RSA_PKCS1) {
 		rsa_padding = RSA_PKCS1_PADDING;
-	} else if (padding_type == TLS_PADDING_RSA_X9_31) {
-		rsa_padding = RSA_X931_PADDING;
 	} else {
 		tls_error_setx(&signer->error, "invalid RSA padding type (%d)",
 		    padding_type);
@@ -332,8 +330,6 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
 		padding_type = TLS_PADDING_NONE;
 	} else if (rsa_padding == RSA_PKCS1_PADDING) {
 		padding_type = TLS_PADDING_RSA_PKCS1;
-	} else if (rsa_padding == RSA_X931_PADDING) {
-		padding_type = TLS_PADDING_RSA_X9_31;
 	} else {
 		goto err;
 	}
diff --git a/tls_util.c b/tls_util.c
index 782d6fc..79efc53 100644
--- a/tls_util.c
+++ b/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.15 2021/08/16 13:54:38 tb Exp $ */
+/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
diff --git a/tls_verify.c b/tls_verify.c
index dbc37d8..0cb86f6 100644
--- a/tls_verify.c
+++ b/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.23 2023/05/11 07:35:27 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -115,7 +115,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 
 	count = sk_GENERAL_NAME_num(altname_stack);
 	for (i = 0; i < count; i++) {
-		GENERAL_NAME	*altname;
+		GENERAL_NAME *altname;
 
 		altname = sk_GENERAL_NAME_value(altname_stack, i);
 
@@ -126,8 +126,8 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 			continue;
 
 		if (type == GEN_DNS) {
-			const unsigned char	*data;
-			int		 format, len;
+			const unsigned char *data;
+			int format, len;
 
 			format = ASN1_STRING_type(altname->d.dNSName);
 			if (format == V_ASN1_IA5STRING) {
@@ -171,8 +171,8 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 			}
 
 		} else if (type == GEN_IPADD) {
-			const unsigned char	*data;
-			int		 datalen;
+			const unsigned char *data;
+			int datalen;
 
 			datalen = ASN1_STRING_length(altname->d.iPAddress);
 			data = ASN1_STRING_get0_data(altname->d.iPAddress);
@@ -209,7 +209,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 	char *common_name = NULL;
 	union tls_addr addrbuf;
 	int common_name_len;
-	int rv = 0;
+	int rv = -1;
 
 	*cn_match = 0;
 
@@ -223,8 +223,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 		goto done;
 
 	common_name = calloc(common_name_len + 1, 1);
-	if (common_name == NULL)
-		goto done;
+	if (common_name == NULL) {
+		tls_set_error(ctx, "out of memory");
+		goto err;
+	}
 
 	X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
 	    common_name_len + 1);
@@ -235,8 +237,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 		tls_set_errorx(ctx, "error verifying name '%s': "
 		    "NUL byte in Common Name field, "
 		    "probably a malicious certificate", name);
-		rv = -1;
-		goto done;
+		goto err;
 	}
 
 	/*
@@ -254,6 +255,9 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 		*cn_match = 1;
 
  done:
+	rv = 0;
+
+ err:
 	free(common_name);
 	return rv;
 }