system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-21 10:19:04 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

OpenSSL: Merge OpenSSL 1.1.1o

Browse source 
Merge commit 'cf0ffd7607ed8f39829c6951a65a55fa1eb3aafe'
This commit is contained in:
Jung-uk Kim 2022-05-03 15:07:06 -04:00
parent d461deeaa4 cf0ffd7607
commit 34252e89a9
27 changed files with 180 additions and 89 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
crypto/openssl/CHANGES
View file

@ -7,6 +7,19 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.1n and 1.1.1o [3 May 2022]
*) Fixed a bug in the c_rehash script which was not properly sanitising shell
metacharacters to prevent command injection. This script is distributed by
some operating systems in a manner where it is automatically executed. On
such operating systems, an attacker could execute arbitrary commands with the
privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
(CVE-2022-1292)
[Tomáš Mráz]
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever

7
crypto/openssl/NEWS
View file

@ -5,10 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]
o Fixed a bug in the c_rehash script which was not properly sanitising
shell metacharacters to prevent command injection (CVE-2022-1292)
Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli ([CVE-2022-0778])
forever for non-prime moduli (CVE-2022-0778)
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

4
crypto/openssl/README
View file

@ -1,7 +1,7 @@
OpenSSL 1.1.1n 15 Mar 2022
OpenSSL 1.1.1o 3 May 2022
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1998-2022 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

2
crypto/openssl/apps/apps.c
View file

@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
if (cb_data != NULL && cb_data->password != NULL
&& *(const char*)cb_data->password != '\0')
pw_min_len = 1;
else if (!verify)
pw_min_len = 0;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
if (!prompt) {
BIO_printf(bio_err, "Out of memory\n");

6
crypto/openssl/apps/x509.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
goto end;
}
out = bio_open_default(outfile, 'w', outformat);
@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;
}
if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
goto end;
if (!X509_set_serialNumber(x, bs))
goto end;

8
crypto/openssl/crypto/bn/bn_div.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
snum->neg = num_neg;
snum->top = div_n;
snum->flags |= BN_FLG_FIXED_TOP;
if (rm != NULL)
bn_rshift_fixed_top(rm, snum, norm_shift);
if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)
goto err;
BN_CTX_end(ctx);
return 1;
err:

5
crypto/openssl/crypto/bn/bn_exp.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
return ret;
}
BN_RECP_CTX_init(&recp);
BN_CTX_start(ctx);
aa = BN_CTX_get(ctx);
val[0] = BN_CTX_get(ctx);
if (val[0] == NULL)
goto err;
BN_RECP_CTX_init(&recp);
if (m->neg) {
/* ignore sign of 'm' */
if (!BN_copy(aa, m))

3
crypto/openssl/crypto/ec/curve448/curve448.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control,
int32_t delta = odd & mask;
assert(position >= 0);
assert(pos < 32); /* can't fail since current & 0xFFFF != 0 */
if (odd & (1 << (table_bits + 1)))
delta -= (1 << (table_bits + 1));
current -= delta * (1 << pos);

3
crypto/openssl/crypto/ec/ecp_nistz256.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return 0;
}
memset(&p, 0, sizeof(p));
BN_CTX_start(ctx);
if (scalar) {

33
crypto/openssl/crypto/engine/eng_dyn.c
View file

@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx)
return 0;
}
/*
* Unfortunately the version checker does not distinguish between
* engines built for openssl 1.1.x and openssl 3.x, but loading
* an engine that is built for openssl 3.x will cause a fatal
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
* in openssl 1.1.x. Therefore we take the presence of that symbol
* as an indication that the engine will be incompatible.
*/
static int using_libcrypto_3(dynamic_data_ctx *ctx)
{
int ret;
ERR_set_mark();
ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL;
ERR_pop_to_mark();
return ret;
}
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
{
ENGINE cpy;
@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
/*
* We fail if the version checker veto'd the load *or* if it is
* deferring to us (by returning its version) and we think it is too
* old.
* Unfortunately the version checker does not distinguish between
* engines built for openssl 1.1.x and openssl 3.x, but loading
* an engine that is built for openssl 3.x will cause a fatal
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
* in openssl 1.1.x. Therefore we take the presence of that symbol
* as an indication that the engine will be incompatible.
* old. Also fail if this is engine for openssl 3.x.
*/
if (vcheck_res < OSSL_DYNAMIC_OLDEST
|| DSO_bind_func(ctx->dynamic_dso,
"EVP_PKEY_get_base_id") != NULL) {
if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) {
/* Fail */
ctx->bind_engine = NULL;
ctx->v_check = NULL;

45
crypto/openssl/crypto/err/err.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -23,7 +23,9 @@
#include "internal/constant_time.h"
#include "e_os.h"
#ifndef OPENSSL_NO_ERR
static int err_load_strings(const ERR_STRING_DATA *str);
#endif
static void ERR_STATE_free(ERR_STATE *s);
#ifndef OPENSSL_NO_ERR
@ -76,9 +78,9 @@ static ERR_STRING_DATA ERR_str_functs[] = {
{ERR_PACK(0, SYS_F_BIND, 0), "bind"},
{ERR_PACK(0, SYS_F_LISTEN, 0), "listen"},
{ERR_PACK(0, SYS_F_ACCEPT, 0), "accept"},
# ifdef OPENSSL_SYS_WINDOWS
#ifdef OPENSSL_SYS_WINDOWS
{ERR_PACK(0, SYS_F_WSASTARTUP, 0), "WSAstartup"},
# endif
#endif
{ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"},
{ERR_PACK(0, SYS_F_FREAD, 0), "fread"},
{ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"},
@ -141,21 +143,26 @@ static int set_err_thread_local;
static CRYPTO_THREAD_LOCAL err_thread_local;
static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
static CRYPTO_RWLOCK *err_string_lock;
static CRYPTO_RWLOCK *err_string_lock = NULL;
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
#endif
/*
* The internal state
*/
#ifndef OPENSSL_NO_ERR
static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL;
#endif
static int int_err_library_number = ERR_LIB_USER;
static unsigned long get_error_values(int inc, int top, const char **file,
int *line, const char **data,
int *flags);
#ifndef OPENSSL_NO_ERR
static unsigned long err_string_data_hash(const ERR_STRING_DATA *a)
{
unsigned long ret, l;
@ -184,7 +191,6 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
return p;
}
#ifndef OPENSSL_NO_ERR
/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
# define SPACE_SYS_STR_REASONS 8 * 1024
# define NUM_SYS_STR_REASONS 127
@ -299,6 +305,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
err_string_lock = CRYPTO_THREAD_lock_new();
if (err_string_lock == NULL)
return 0;
#ifndef OPENSSL_NO_ERR
int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash,
err_string_data_cmp);
if (int_error_hash == NULL) {
@ -306,6 +313,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
err_string_lock = NULL;
return 0;
}
#endif
return 1;
}
@ -315,10 +323,13 @@ void err_cleanup(void)
CRYPTO_THREAD_cleanup_local(&err_thread_local);
CRYPTO_THREAD_lock_free(err_string_lock);
err_string_lock = NULL;
#ifndef OPENSSL_NO_ERR
lh_ERR_STRING_DATA_free(int_error_hash);
int_error_hash = NULL;
#endif
}
#ifndef OPENSSL_NO_ERR
/*
* Legacy; pack in the library.
*/
@ -342,6 +353,7 @@ static int err_load_strings(const ERR_STRING_DATA *str)
CRYPTO_THREAD_unlock(err_string_lock);
return 1;
}
#endif
int ERR_load_ERR_strings(void)
{
@ -360,24 +372,31 @@ int ERR_load_ERR_strings(void)
int ERR_load_strings(int lib, ERR_STRING_DATA *str)
{
#ifndef OPENSSL_NO_ERR
if (ERR_load_ERR_strings() == 0)
return 0;
err_patch(lib, str);
err_load_strings(str);
#endif
return 1;
}
int ERR_load_strings_const(const ERR_STRING_DATA *str)
{
#ifndef OPENSSL_NO_ERR
if (ERR_load_ERR_strings() == 0)
return 0;
err_load_strings(str);
#endif
return 1;
}
int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
{
#ifndef OPENSSL_NO_ERR
if (!RUN_ONCE(&err_string_init, do_err_strings_init))
return 0;
@ -389,14 +408,14 @@ int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
for (; str->error; str++)
(void)lh_ERR_STRING_DATA_delete(int_error_hash, str);
CRYPTO_THREAD_unlock(err_string_lock);
#endif
return 1;
}
void err_free_strings_int(void)
{
if (!RUN_ONCE(&err_string_init, do_err_strings_init))
return;
/* obsolete */
}
/********************************************************/
@ -636,6 +655,7 @@ char *ERR_error_string(unsigned long e, char *ret)
const char *ERR_lib_error_string(unsigned long e)
{
#ifndef OPENSSL_NO_ERR
ERR_STRING_DATA d, *p;
unsigned long l;
@ -647,10 +667,14 @@ const char *ERR_lib_error_string(unsigned long e)
d.error = ERR_PACK(l, 0, 0);
p = int_err_get_item(&d);
return ((p == NULL) ? NULL : p->string);
#else
return NULL;
#endif
}
const char *ERR_func_error_string(unsigned long e)
{
#ifndef OPENSSL_NO_ERR
ERR_STRING_DATA d, *p;
unsigned long l, f;
@ -663,10 +687,14 @@ const char *ERR_func_error_string(unsigned long e)
d.error = ERR_PACK(l, f, 0);
p = int_err_get_item(&d);
return ((p == NULL) ? NULL : p->string);
#else
return NULL;
#endif
}
const char *ERR_reason_error_string(unsigned long e)
{
#ifndef OPENSSL_NO_ERR
ERR_STRING_DATA d, *p = NULL;
unsigned long l, r;
@ -683,6 +711,9 @@ const char *ERR_reason_error_string(unsigned long e)
p = int_err_get_item(&d);
}
return ((p == NULL) ? NULL : p->string);
#else
return NULL;
#endif
}
void err_delete_thread_state(void)

10
crypto/openssl/crypto/evp/evp_enc.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
# define PTRDIFF_T size_t
#endif
int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len)
{
PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
/*
@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
int i, j, bl, cmpl = inl;
int i, j, bl;
size_t cmpl = (size_t)inl;
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
cmpl = (cmpl + 7) / 8;
@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
int fix_len, cmpl = inl;
int fix_len;
unsigned int b;
size_t cmpl = (size_t)inl;
/* Prevent accidental use of encryption context when decrypting */
if (ctx->encrypt) {

4
crypto/openssl/crypto/evp/evp_local.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st {
typedef struct evp_pbe_st EVP_PBE_CTL;
DEFINE_STACK_OF(EVP_PBE_CTL)
int is_partially_overlapping(const void *ptr1, const void *ptr2, int len);
int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len);

13
crypto/openssl/crypto/init.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -211,7 +211,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
}
static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
static int load_crypto_strings_inited = 0;
DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
{
int ret = 1;
@ -225,7 +225,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
"err_load_crypto_strings_int()\n");
# endif
ret = err_load_crypto_strings_int();
load_crypto_strings_inited = 1;
#endif
return ret;
}
@ -549,14 +548,6 @@ void OPENSSL_cleanup(void)
async_deinit();
}
if (load_crypto_strings_inited) {
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
"err_free_strings_int()\n");
#endif
err_free_strings_int();
}
key = destructor_key.value;
destructor_key.sane = -1;
CRYPTO_THREAD_cleanup_local(&key);

5
crypto/openssl/crypto/s390x_arch.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -47,6 +47,9 @@ struct OPENSSL_s390xcap_st {
unsigned long long kma[2];
};
#if defined(__GNUC__) && defined(__linux)
__attribute__ ((visibility("hidden")))
#endif
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
/* convert facility bit number or function code to bit mask */

5
crypto/openssl/crypto/s390xcap.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -26,6 +26,9 @@ void OPENSSL_vx_probe(void);
struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
#if defined(__GNUC__) && defined(__linux)
__attribute__ ((visibility("hidden")))
#endif
void OPENSSL_cpuid_setup(void)
{
sigset_t oset;

10
crypto/openssl/doc/fingerprints.txt
View file

@ -22,3 +22,13 @@ pub 2048R/0E604491 2013-04-30
Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
uid Matt Caswell <matt@openssl.org>
uid Matt Caswell <frodo@baggins.org>
pub rsa4096 2021-02-14
B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45
uid Paul Dale <pauli@openssl.org>
pub rsa4096 2021-07-16
A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
uid Tomáš Mráz <tm@t8m.info>
uid Tomáš Mráz <tomas@arleto.cz>
uid Tomáš Mráz <tomas@openssl.org>

12
crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod
View file

@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
All currently supported protocols have the same default timeout value
of 300 seconds.
This timeout value is used as the ticket lifetime hint for stateless session
tickets. It is also used as the timeout value within the ticket itself.
For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
seconds).
For TLSv1.2, tickets generated during an initial handshake use the value
as specified. Tickets generated during a resumed handshake have a value
of 0 for the ticket lifetime hint.
=head1 RETURN VALUES
SSL_CTX_set_timeout() returns the previously set timeout value.
@ -58,7 +68,7 @@ L<SSL_get_default_timeout(3)>
=head1 COPYRIGHT
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

6
crypto/openssl/include/openssl/opensslv.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x101010efL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n-freebsd 15 Mar 2022"
# define OPENSSL_VERSION_NUMBER 0x101010ffL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1o-freebsd 3 May 2022"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)

4
crypto/openssl/ssl/s3_enc.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -589,6 +589,8 @@ int ssl3_alert_code(int code)
return TLS1_AD_NO_APPLICATION_PROTOCOL;
case SSL_AD_CERTIFICATE_REQUIRED:
return SSL_AD_HANDSHAKE_FAILURE;
case SSL_AD_MISSING_EXTENSION:
return SSL_AD_HANDSHAKE_FAILURE;
default:
return -1;
}

19
crypto/openssl/ssl/ssl_init.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -116,7 +116,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
}
static CRYPTO_ONCE ssl_strings = CRYPTO_ONCE_STATIC_INIT;
static int ssl_strings_inited = 0;
DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
{
/*
@ -129,7 +129,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
"ERR_load_SSL_strings()\n");
# endif
ERR_load_SSL_strings();
ssl_strings_inited = 1;
#endif
return 1;
}
@ -157,20 +156,6 @@ static void ssl_library_stop(void)
ssl_comp_free_compression_methods_int();
#endif
}
if (ssl_strings_inited) {
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: "
"err_free_strings_int()\n");
#endif
/*
* If both crypto and ssl error strings are inited we will end up
* calling err_free_strings_int() twice - but that's ok. The second
* time will be a no-op. It's easier to do that than to try and track
* between the two libraries whether they have both been inited.
*/
err_free_strings_int();
}
}
/*

4
crypto/openssl/ssl/ssl_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -2170,6 +2170,7 @@ int SSL_shutdown(SSL *s)
if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
struct ssl_async_args args;
memset(&args, 0, sizeof(args));
args.s = s;
args.type = OTHERFUNC;
args.f.func_other = s->method->ssl_shutdown;
@ -3799,6 +3800,7 @@ int SSL_do_handshake(SSL *s)
if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
struct ssl_async_args args;
memset(&args, 0, sizeof(args));
args.s = s;
ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);

6
crypto/openssl/ssl/ssl_txt.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -130,11 +130,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
}
#endif
if (x->time != 0L) {
if (BIO_printf(bp, "\n Start Time: %ld", x->time) <= 0)
if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0)
goto err;
}
if (x->timeout != 0L) {
if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0)
if (BIO_printf(bp, "\n Timeout : %lld (sec)", (long long)x->timeout) <= 0)
goto err;
}
if (BIO_puts(bp, "\n") <= 0)

7
crypto/openssl/ssl/statem/statem_clnt.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -1422,6 +1422,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
&& sversion == TLS1_2_VERSION
&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
if (s->hello_retry_request != SSL_HRR_NONE) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE);
goto err;
}
s->hello_retry_request = SSL_HRR_PENDING;
hrr = 1;
if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {

8
crypto/openssl/ssl/statem/statem_dtls.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type)
else
len = s->init_num;
if (len > s->max_send_fragment)
len = s->max_send_fragment;
if (len > ssl_get_max_send_fragment(s))
len = ssl_get_max_send_fragment(s);
/*
* XDTLS: this function is too long. split out the CCS part
@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type)
ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len,
&written);
if (ret < 0) {
if (ret <= 0) {
/*
* might need to update MTU here, but we don't know which
* previous packet caused the failure -- so can't really

23
crypto/openssl/ssl/statem/statem_srvr.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
unsigned char *tick_nonce)
{
uint32_t timeout = (uint32_t)s->session->timeout;
/*
* Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
* unspecified for resumed session (for simplicity).
* Ticket lifetime hint:
* In TLSv1.3 we reset the "time" field above, and always specify the
* timeout.
* timeout, limited to a 1 week period per RFC8446.
* For TLSv1.2 this is advisory only and we leave this unspecified for
* resumed session (for simplicity).
*/
if (!WPACKET_put_bytes_u32(pkt,
(s->hit && !SSL_IS_TLS13(s))
? 0 : s->session->timeout)) {
#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
if (SSL_IS_TLS13(s)) {
if (s->session->timeout > ONE_WEEK_SEC)
timeout = ONE_WEEK_SEC;
} else if (s->hit)
timeout = 0;
if (!WPACKET_put_bytes_u32(pkt, timeout)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
ERR_R_INTERNAL_ERROR);
return 0;

4
crypto/openssl/ssl/t1_enc.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -796,6 +796,8 @@ int tls1_alert_code(int code)
return TLS1_AD_NO_APPLICATION_PROTOCOL;
case SSL_AD_CERTIFICATE_REQUIRED:
return SSL_AD_HANDSHAKE_FAILURE;
case SSL_AD_MISSING_EXTENSION:
return SSL_AD_HANDSHAKE_FAILURE;
default:
return -1;
}