-rw-r--r-- | LIBTLS_VERSION | 2 | ||||
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | tls.c | 38 | ||||
-rw-r--r-- | tls_bio_cb.c | 2 | ||||
-rw-r--r-- | tls_client.c | 2 | ||||
-rw-r--r-- | tls_config.c | 2 | ||||
-rw-r--r-- | tls_conninfo.c | 2 | ||||
-rw-r--r-- | tls_internal.h | 3 | ||||
-rw-r--r-- | tls_ocsp.c | 4 | ||||
-rw-r--r-- | tls_server.c | 4 | ||||
-rw-r--r-- | tls_signer.c | 6 | ||||
-rw-r--r-- | tls_util.c | 2 | ||||
-rw-r--r-- | tls_verify.c | 26 |
14 files changed, 56 insertions, 41 deletions
diff --git a/LIBTLS_VERSION b/LIBTLS_VERSION index bc4eb71..6e2f32a 100644 --- a/LIBTLS_VERSION +++ b/LIBTLS_VERSION @@ -1 +1 @@ -26:2:0 +27:0:0 diff --git a/Makefile.am b/Makefile.am index 741cacb..bfcf55e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -21,7 +21,7 @@ EXTRA_libtls_la_DEPENDENCIES = libtls_la_objects.mk libtls_la_objects.mk: Makefile @echo "libtls_la_objects= $(libtls_la_OBJECTS)" \ - | sed 's/ */ $$\(abs_top_builddir\)\/tls\//g' \ + | sed -e 's/ *$$//' -e 's/ */ $$\(abs_top_builddir\)\/tls\//g' \ > libtls_la_objects.mk libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls.sym diff --git a/VERSION b/VERSION index 517c2b6..6641052 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -3.7.3 +3.8.0 diff --git a/tls.c b/tls.c index 6883c58..18b93ef 100644 --- a/tls.c +++ b/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.94 2022/02/08 19:13:50 tb Exp $ */ +/* $OpenBSD: tls.c,v 1.96 2023/05/25 07:46:21 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -470,12 +470,18 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p tls_set_errorx(ctx, "RSA key setup failure"); goto err; } - if (ctx->config->sign_cb == NULL) - break; - if ((rsa_method = tls_signer_rsa_method()) == NULL || - RSA_set_ex_data(rsa, 1, ctx->config) == 0 || - RSA_set_method(rsa, rsa_method) == 0) { - tls_set_errorx(ctx, "failed to setup RSA key"); + if (ctx->config->sign_cb != NULL) { + rsa_method = tls_signer_rsa_method(); + if (rsa_method == NULL || + RSA_set_ex_data(rsa, 1, ctx->config) == 0 || + RSA_set_method(rsa, rsa_method) == 0) { + tls_set_errorx(ctx, "failed to setup RSA key"); + goto err; + } + } + /* Reset the key to work around caching in OpenSSL 3. */ + if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { + tls_set_errorx(ctx, "failed to set RSA key"); goto err; } break; 
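Review bot: The comment `/* Reset the key to work around caching in OpenSSL 3. */` above `EVP_PKEY_set1_RSA(pkey, rsa)` in the `@@ -470,12 +470,18 @@` hunk does not say what is cached or why it matters when `sign_cb` is set. As far as the hunk shows, the ex_data and method installed on `rsa` only take effect if they reach the key object that `pkey` actually uses, so dropping this call later could leave the configured signer callback silently unused. I would expand it to something like `/* OpenSSL 3 returns a cached copy of the key; store it back so the ex_data and method set above apply to pkey. */`. The same wording fits the `EVP_PKEY_set1_EC_KEY(pkey, eckey)` call in the following `@@ -485,12 +491,18 @@` hunk. The enclosing switch and the `err` label are outside both hunks.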
@@ -485,12 +491,18 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p tls_set_errorx(ctx, "EC key setup failure"); goto err; } - if (ctx->config->sign_cb == NULL) - break; - if ((ecdsa_method = tls_signer_ecdsa_method()) == NULL || - EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || - EC_KEY_set_method(eckey, ecdsa_method) == 0) { - tls_set_errorx(ctx, "failed to setup EC key"); + if (ctx->config->sign_cb != NULL) { + ecdsa_method = tls_signer_ecdsa_method(); + if (ecdsa_method == NULL || + EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || + EC_KEY_set_method(eckey, ecdsa_method) == 0) { + tls_set_errorx(ctx, "failed to setup EC key"); + goto err; + } + } + /* Reset the key to work around caching in OpenSSL 3. */ + if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { + tls_set_errorx(ctx, "failed to set EC key"); goto err; } break; diff --git a/tls_bio_cb.c b/tls_bio_cb.c index 9dd435a..8a1edfd 100644 --- a/tls_bio_cb.c +++ b/tls_bio_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_bio_cb.c,v 1.20 2022/01/10 23:39:48 tb Exp $ */ +/* $OpenBSD: tls_bio_cb.c,v 1.21 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2016 Tobias Pape <tobias@netshed.de> * diff --git a/tls_client.c b/tls_client.c index b1d2a44..deb24eb 100644 --- a/tls_client.c +++ b/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.48 2021/10/21 08:38:11 tb Exp $ */ +/* $OpenBSD: tls_client.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * diff --git a/tls_config.c b/tls_config.c index 38ed1bb..864ef29 100644 --- a/tls_config.c +++ b/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.65 2022/01/25 21:51:24 eric Exp $ */ +/* $OpenBSD: tls_config.c,v 1.66 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * diff --git a/tls_conninfo.c b/tls_conninfo.c index 72d60c2..0a295a2 100644 --- a/tls_conninfo.c +++ b/tls_conninfo.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.22 2021/01/05 15:57:38 tb Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.23 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> * Copyright (c) 2015 Bob Beck <beck@openbsd.org> diff --git a/tls_internal.h b/tls_internal.h index a0680f4..7424750 100644 --- a/tls_internal.h +++ b/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.80 2022/03/24 15:56:34 tb Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.81 2023/04/09 18:26:26 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> @@ -298,7 +298,6 @@ EC_KEY_METHOD *tls_signer_ecdsa_method(void); #define TLS_PADDING_NONE 0 #define TLS_PADDING_RSA_PKCS1 1 -#define TLS_PADDING_RSA_X9_31 2 int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb, void *_cb_arg); diff --git a/tls_ocsp.c b/tls_ocsp.c index f1c54ab..7670d1f 100644 --- a/tls_ocsp.c +++ b/tls_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_ocsp.c,v 1.22 2021/10/31 16:39:32 tb Exp $ */ +/* $OpenBSD: tls_ocsp.c,v 1.23 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2015 Marko Kreen <markokr@gmail.com> * Copyright (c) 2016 Bob Beck <beck@openbsd.org> @@ -22,6 +22,8 @@ #include <arpa/inet.h> #include <netinet/in.h> +#include <string.h> + #include <openssl/err.h> #include <openssl/ocsp.h> #include <openssl/x509.h> diff --git a/tls_server.c b/tls_server.c index ebf76bc..11303ca 100644 --- a/tls_server.c +++ b/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.48 2022/01/19 11:10:55 inoguchi Exp $ */ +/* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -20,6 +20,8 @@ #include <arpa/inet.h> +#include <string.h> + #include <openssl/ec.h> #include <openssl/err.h> #include <openssl/ssl.h> diff --git a/tls_signer.c b/tls_signer.c index 9311cfe..97e5e38 100644 --- a/tls_signer.c +++ b/tls_signer.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls_signer.c,v 1.4 2022/02/01 17:18:38 jsing Exp $ */ +/* $OpenBSD: tls_signer.c,v 1.5 2023/04/09 18:26:26 tb Exp $ */ /* * Copyright (c) 2021 Eric Faurot <eric@openbsd.org> * @@ -194,8 +194,6 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey, rsa_padding = RSA_NO_PADDING; } else if (padding_type == TLS_PADDING_RSA_PKCS1) { rsa_padding = RSA_PKCS1_PADDING; - } else if (padding_type == TLS_PADDING_RSA_X9_31) { - rsa_padding = RSA_X931_PADDING; } else { tls_error_setx(&signer->error, "invalid RSA padding type (%d)", padding_type); @@ -332,8 +330,6 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to, padding_type = TLS_PADDING_NONE; } else if (rsa_padding == RSA_PKCS1_PADDING) { padding_type = TLS_PADDING_RSA_PKCS1; - } else if (rsa_padding == RSA_X931_PADDING) { - padding_type = TLS_PADDING_RSA_X9_31; } else { goto err; } diff --git a/tls_util.c b/tls_util.c index 782d6fc..79efc53 100644 --- a/tls_util.c +++ b/tls_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_util.c,v 1.15 2021/08/16 13:54:38 tb Exp $ */ +/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> diff --git a/tls_verify.c b/tls_verify.c index dbc37d8..0cb86f6 100644 --- a/tls_verify.c +++ b/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.23 2023/05/11 07:35:27 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * @@ -115,7 +115,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, count = sk_GENERAL_NAME_num(altname_stack); for (i = 0; i < count; i++) { - GENERAL_NAME *altname; + GENERAL_NAME *altname; altname = sk_GENERAL_NAME_value(altname_stack, i); 
@@ -126,8 +126,8 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, continue; if (type == GEN_DNS) { - const unsigned char *data; - int format, len; + const unsigned char *data; + int format, len; format = ASN1_STRING_type(altname->d.dNSName); if (format == V_ASN1_IA5STRING) { @@ -171,8 +171,8 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, } } else if (type == GEN_IPADD) { - const unsigned char *data; - int datalen; + const unsigned char *data; + int datalen; datalen = ASN1_STRING_length(altname->d.iPAddress); data = ASN1_STRING_get0_data(altname->d.iPAddress); @@ -209,7 +209,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, char *common_name = NULL; union tls_addr addrbuf; int common_name_len; - int rv = 0; + int rv = -1; *cn_match = 0; @@ -223,8 +223,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, goto done; common_name = calloc(common_name_len + 1, 1); - if (common_name == NULL) - goto done; + if (common_name == NULL) { + tls_set_error(ctx, "out of memory"); + goto err; + } X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, common_name_len + 1); @@ -235,8 +237,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, tls_set_errorx(ctx, "error verifying name '%s': " "NUL byte in Common Name field, " "probably a malicious certificate", name); - rv = -1; - goto done; + goto err; } /* @@ -254,6 +255,9 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, *cn_match = 1; done: + rv = 0; + + err: free(common_name); return rv; } |
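Review bot: The second `X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, common_name_len + 1)` call at the end of the `@@ -223,8 +223,10 @@` hunk still discards its return value, even though this change gives tls_check_common_name a proper `err` path. If that call fails, the buffer stays as calloc() left it, and the check after the hunk would presumably report it as a NUL byte in the Common Name, which is misleading in a verification log. I would test the result for `< 0`, set a distinct message with tls_set_errorx and `goto err`. The length comparison that follows the call is outside the hunk, so confirm how it treats an empty buffer before relying on it.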
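Review bot: The `done:` label in the `@@ -254,6 +255,9 @@` hunk now sets `rv = 0` and falls through into ` err:`, and together with `int rv = -1;` from the `@@ -209,7 +209,7 @@` hunk this makes failure the default, but neither label documents that. A short comment on each would keep later edits from picking the wrong exit: `/* no error; *cn_match tells whether the name matched */` above `rv = 0;` and `/* shared cleanup; rv is still -1 when reached via goto err */` above `free(common_name);`. Every jump to `err` should set a message first, as the two visible ones do with tls_set_error and tls_set_errorx, so a caller never sees -1 without an error string.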