src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2022-05-03 19:07:06 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2022-05-03 20:34:47 +0000
commit	2e121bd7c73932ac52332b53ebd7824965e6a7b4 (patch)
tree	767cce7a3576f95d728c4e268b2985249d68afd4
parent	2e9ad6042bef1c474fd99f57001fd76c7f17fc53 (diff)
download	src-2e121bd7c73932ac52332b53ebd7824965e6a7b4.tar.gz src-2e121bd7c73932ac52332b53ebd7824965e6a7b4.zip

OpenSSL: Merge OpenSSL 1.1.1o

Approved by: re (gjb, implicit, security) (cherry picked from commit 34252e89a96c8d498d7537ade16d20602bf2106a) (cherry picked from commit 1b7b799f9ebaa6d558523498005ca0e698051274)

Diffstat

-rw-r--r--

crypto/openssl/CHANGES

-rw-r--r--

crypto/openssl/NEWS

-rw-r--r--

crypto/openssl/README

-rw-r--r--

crypto/openssl/apps/apps.c

-rw-r--r--

crypto/openssl/apps/x509.c

-rw-r--r--

crypto/openssl/crypto/bn/bn_div.c

-rw-r--r--

crypto/openssl/crypto/bn/bn_exp.c

-rw-r--r--

crypto/openssl/crypto/ec/curve448/curve448.c

-rw-r--r--

crypto/openssl/crypto/ec/ecp_nistz256.c

-rw-r--r--

crypto/openssl/crypto/engine/eng_dyn.c

-rw-r--r--

crypto/openssl/crypto/err/err.c

-rw-r--r--

crypto/openssl/crypto/evp/evp_enc.c

-rw-r--r--

crypto/openssl/crypto/evp/evp_local.h

-rw-r--r--

crypto/openssl/crypto/init.c

-rw-r--r--

crypto/openssl/crypto/s390x_arch.h

-rw-r--r--

crypto/openssl/crypto/s390xcap.c

-rw-r--r--

crypto/openssl/doc/fingerprints.txt

-rw-r--r--

crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod

-rw-r--r--

crypto/openssl/include/openssl/opensslv.h

-rw-r--r--

crypto/openssl/ssl/s3_enc.c

-rw-r--r--

crypto/openssl/ssl/ssl_init.c

-rw-r--r--

crypto/openssl/ssl/ssl_lib.c

-rw-r--r--

crypto/openssl/ssl/ssl_txt.c

-rw-r--r--

crypto/openssl/ssl/statem/statem_clnt.c

-rw-r--r--

crypto/openssl/ssl/statem/statem_dtls.c

-rw-r--r--

crypto/openssl/ssl/statem/statem_srvr.c

-rw-r--r--

crypto/openssl/ssl/t1_enc.c

27 files changed, 180 insertions, 89 deletions

diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index f6e01b982581..98961effc058 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES

@@ -7,6 +7,19 @@

https://github.com/openssl/openssl/commits/ and pick the appropriate

release branch.

+ Changes between 1.1.1n and 1.1.1o [3 May 2022]

+ *) Fixed a bug in the c_rehash script which was not properly sanitising shell

+ metacharacters to prevent command injection. This script is distributed by

+ some operating systems in a manner where it is automatically executed. On

+ such operating systems, an attacker could execute arbitrary commands with the

+ privileges of the script.

+ Use of the c_rehash script is considered obsolete and should be replaced

+ by the OpenSSL rehash command line tool.

+ (CVE-2022-1292)

+ [Tomáš Mráz]

Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever

diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index f4ac262888ad..d32cf5bb48dd 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS

@@ -5,10 +5,15 @@

This file gives a brief overview of the major changes between each OpenSSL

release. For more details please read the CHANGES file.

+ Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]

+ o Fixed a bug in the c_rehash script which was not properly sanitising

+ shell metacharacters to prevent command injection (CVE-2022-1292)

Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop

- forever for non-prime moduli ([CVE-2022-0778])

+ forever for non-prime moduli (CVE-2022-0778)

Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

diff --git a/crypto/openssl/README b/crypto/openssl/README
index 3e100933f388..a56311a4d186 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README

@@ -1,7 +1,7 @@

- OpenSSL 1.1.1n 15 Mar 2022

+ OpenSSL 1.1.1o 3 May 2022

diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 1a92271595f1..db5b48e4cf2f 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c

@@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)

if (cb_data != NULL && cb_data->password != NULL

&& *(const char*)cb_data->password != '\0')

pw_min_len = 1;

+ else if (!verify)

+ pw_min_len = 0;

prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);

if (!prompt) {

BIO_printf(bio_err, "Out of memory\n");

diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
index 1043eba0c8a0..1f53504209de 100644
--- a/crypto/openssl/apps/x509.c
+++ b/crypto/openssl/apps/x509.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)

xca = load_cert(CAfile, CAformat, "CA Certificate");

if (xca == NULL)

goto end;

+ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))

+ goto end;

}

out = bio_open_default(outfile, 'w', outformat);

@@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges

goto end;

}

- if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))

- goto end;

if (!X509_set_serialNumber(x, bs))

goto end;

diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c
index 0da9f39b31a9..4273618825cc 100644
--- a/crypto/openssl/crypto/bn/bn_div.c
+++ b/crypto/openssl/crypto/bn/bn_div.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,

snum->neg = num_neg;

snum->top = div_n;

snum->flags |= BN_FLG_FIXED_TOP;

- if (rm != NULL)

- bn_rshift_fixed_top(rm, snum, norm_shift);

+ if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)

+ goto err;

BN_CTX_end(ctx);

return 1;

err:

diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c
index 9531acfc3c94..8c54ab005ca6 100644
--- a/crypto/openssl/crypto/bn/bn_exp.c
+++ b/crypto/openssl/crypto/bn/bn_exp.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

return ret;

}

+ BN_RECP_CTX_init(&recp);

BN_CTX_start(ctx);

aa = BN_CTX_get(ctx);

val[0] = BN_CTX_get(ctx);

if (val[0] == NULL)

goto err;

- BN_RECP_CTX_init(&recp);

if (m->neg) {

/* ignore sign of 'm' */

if (!BN_copy(aa, m))

diff --git a/crypto/openssl/crypto/ec/curve448/curve448.c b/crypto/openssl/crypto/ec/curve448/curve448.c
index 12d97f06795b..3d4db44564e9 100644
--- a/crypto/openssl/crypto/ec/curve448/curve448.c
+++ b/crypto/openssl/crypto/ec/curve448/curve448.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control,

int32_t delta = odd & mask;

assert(position >= 0);

+ assert(pos < 32); /* can't fail since current & 0xFFFF != 0 */

if (odd & (1 << (table_bits + 1)))

delta -= (1 << (table_bits + 1));

current -= delta * (1 << pos);

diff --git a/crypto/openssl/crypto/ec/ecp_nistz256.c b/crypto/openssl/crypto/ec/ecp_nistz256.c
index 5005249b05ea..cfad3e15b0bf 100644
--- a/crypto/openssl/crypto/ec/ecp_nistz256.c
+++ b/crypto/openssl/crypto/ec/ecp_nistz256.c

@@ -1,5 +1,5 @@

@@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,

return 0;

}

+ memset(&p, 0, sizeof(p));

BN_CTX_start(ctx);

if (scalar) {

diff --git a/crypto/openssl/crypto/engine/eng_dyn.c b/crypto/openssl/crypto/engine/eng_dyn.c
index 6a0ddc162d00..27d7b893cdad 100644
--- a/crypto/openssl/crypto/engine/eng_dyn.c
+++ b/crypto/openssl/crypto/engine/eng_dyn.c

@@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx)

return 0;

}

+/*

+ * Unfortunately the version checker does not distinguish between

+ * engines built for openssl 1.1.x and openssl 3.x, but loading

+ * an engine that is built for openssl 3.x will cause a fatal

+ * error. Detect such engines, since EVP_PKEY_get_base_id is exported

+ * as a function in openssl 3.x, while it is named EVP_PKEY_base_id

+ * in openssl 1.1.x. Therefore we take the presence of that symbol

+ * as an indication that the engine will be incompatible.

+ */

+static int using_libcrypto_3(dynamic_data_ctx *ctx)

+ int ret;

+ ERR_set_mark();

+ ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL;

+ ERR_pop_to_mark();

+ return ret;

static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)

{

ENGINE cpy;

@@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)

* We fail if the version checker veto'd the load *or* if it is

* deferring to us (by returning its version) and we think it is too

- * old.

- * Unfortunately the version checker does not distinguish between

- * engines built for openssl 1.1.x and openssl 3.x, but loading

- * an engine that is built for openssl 3.x will cause a fatal

- * error. Detect such engines, since EVP_PKEY_get_base_id is exported

- * as a function in openssl 3.x, while it is named EVP_PKEY_base_id

- * in openssl 1.1.x. Therefore we take the presence of that symbol

- * as an indication that the engine will be incompatible.

+ * old. Also fail if this is engine for openssl 3.x.

- if (vcheck_res < OSSL_DYNAMIC_OLDEST

- || DSO_bind_func(ctx->dynamic_dso,

- "EVP_PKEY_get_base_id") != NULL) {

+ if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) {

/* Fail */

ctx->bind_engine = NULL;

ctx->v_check = NULL;

diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c
index bd116e249acb..239a3cea9cc2 100644
--- a/crypto/openssl/crypto/err/err.c
+++ b/crypto/openssl/crypto/err/err.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -23,7 +23,9 @@

#include "internal/constant_time.h"

#include "e_os.h"

+#ifndef OPENSSL_NO_ERR

static int err_load_strings(const ERR_STRING_DATA *str);

+#endif

static void ERR_STATE_free(ERR_STATE *s);

#ifndef OPENSSL_NO_ERR

@@ -76,9 +78,9 @@ static ERR_STRING_DATA ERR_str_functs[] = {

{ERR_PACK(0, SYS_F_BIND, 0), "bind"},

{ERR_PACK(0, SYS_F_LISTEN, 0), "listen"},

{ERR_PACK(0, SYS_F_ACCEPT, 0), "accept"},

-# ifdef OPENSSL_SYS_WINDOWS

+#ifdef OPENSSL_SYS_WINDOWS

{ERR_PACK(0, SYS_F_WSASTARTUP, 0), "WSAstartup"},

-# endif

+#endif

{ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"},

{ERR_PACK(0, SYS_F_FREAD, 0), "fread"},

{ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"},

@@ -141,21 +143,26 @@ static int set_err_thread_local;

static CRYPTO_THREAD_LOCAL err_thread_local;

static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;

-static CRYPTO_RWLOCK *err_string_lock;

+static CRYPTO_RWLOCK *err_string_lock = NULL;

+#ifndef OPENSSL_NO_ERR

static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);

+#endif

* The internal state

+#ifndef OPENSSL_NO_ERR

static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL;

+#endif

static int int_err_library_number = ERR_LIB_USER;

static unsigned long get_error_values(int inc, int top, const char **file,

int *line, const char **data,

int *flags);

+#ifndef OPENSSL_NO_ERR

static unsigned long err_string_data_hash(const ERR_STRING_DATA *a)

{

unsigned long ret, l;

@@ -184,7 +191,6 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)

return p;

}

-#ifndef OPENSSL_NO_ERR

/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */

# define SPACE_SYS_STR_REASONS 8 * 1024

# define NUM_SYS_STR_REASONS 127

@@ -299,6 +305,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)

err_string_lock = CRYPTO_THREAD_lock_new();

if (err_string_lock == NULL)

return 0;

+#ifndef OPENSSL_NO_ERR

int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash,

err_string_data_cmp);

if (int_error_hash == NULL) {

@@ -306,6 +313,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)

err_string_lock = NULL;

return 0;

}

+#endif

return 1;

}

@@ -315,10 +323,13 @@ void err_cleanup(void)

CRYPTO_THREAD_cleanup_local(&err_thread_local);

CRYPTO_THREAD_lock_free(err_string_lock);

err_string_lock = NULL;

+#ifndef OPENSSL_NO_ERR

lh_ERR_STRING_DATA_free(int_error_hash);

int_error_hash = NULL;

+#endif

}

+#ifndef OPENSSL_NO_ERR

* Legacy; pack in the library.

@@ -342,6 +353,7 @@ static int err_load_strings(const ERR_STRING_DATA *str)

CRYPTO_THREAD_unlock(err_string_lock);

return 1;

}

+#endif

int ERR_load_ERR_strings(void)

{

@@ -360,24 +372,31 @@ int ERR_load_ERR_strings(void)

int ERR_load_strings(int lib, ERR_STRING_DATA *str)

{

+#ifndef OPENSSL_NO_ERR

if (ERR_load_ERR_strings() == 0)

return 0;

err_patch(lib, str);

err_load_strings(str);

+#endif

return 1;

}

int ERR_load_strings_const(const ERR_STRING_DATA *str)

{

+#ifndef OPENSSL_NO_ERR

if (ERR_load_ERR_strings() == 0)

return 0;

err_load_strings(str);

+#endif

return 1;

}

int ERR_unload_strings(int lib, ERR_STRING_DATA *str)

{

+#ifndef OPENSSL_NO_ERR

if (!RUN_ONCE(&err_string_init, do_err_strings_init))

return 0;

@@ -389,14 +408,14 @@ int ERR_unload_strings(int lib, ERR_STRING_DATA *str)

for (; str->error; str++)

(void)lh_ERR_STRING_DATA_delete(int_error_hash, str);

CRYPTO_THREAD_unlock(err_string_lock);

+#endif

return 1;

}

void err_free_strings_int(void)

{

- if (!RUN_ONCE(&err_string_init, do_err_strings_init))

- return;

+ /* obsolete */

}

/********************************************************/

@@ -636,6 +655,7 @@ char *ERR_error_string(unsigned long e, char *ret)

const char *ERR_lib_error_string(unsigned long e)

{

+#ifndef OPENSSL_NO_ERR

ERR_STRING_DATA d, *p;

unsigned long l;

@@ -647,10 +667,14 @@ const char *ERR_lib_error_string(unsigned long e)

d.error = ERR_PACK(l, 0, 0);

p = int_err_get_item(&d);

return ((p == NULL) ? NULL : p->string);

+#else

+ return NULL;

+#endif

}

const char *ERR_func_error_string(unsigned long e)

{

+#ifndef OPENSSL_NO_ERR

ERR_STRING_DATA d, *p;

unsigned long l, f;

@@ -663,10 +687,14 @@ const char *ERR_func_error_string(unsigned long e)

d.error = ERR_PACK(l, f, 0);

p = int_err_get_item(&d);

return ((p == NULL) ? NULL : p->string);

+#else

+ return NULL;

+#endif

}

const char *ERR_reason_error_string(unsigned long e)

{

+#ifndef OPENSSL_NO_ERR

ERR_STRING_DATA d, *p = NULL;

unsigned long l, r;

@@ -683,6 +711,9 @@ const char *ERR_reason_error_string(unsigned long e)

p = int_err_get_item(&d);

}

return ((p == NULL) ? NULL : p->string);

+#else

+ return NULL;

+#endif

}

void err_delete_thread_state(void)

diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index d835968f253c..e756624b2cdf 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,

# define PTRDIFF_T size_t

#endif

-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)

+int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len)

{

PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;

@@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,

unsigned char *out, int *outl,

const unsigned char *in, int inl)

{

- int i, j, bl, cmpl = inl;

+ int i, j, bl;

+ size_t cmpl = (size_t)inl;

if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))

cmpl = (cmpl + 7) / 8;

@@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)

int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,

const unsigned char *in, int inl)

{

- int fix_len, cmpl = inl;

+ int fix_len;

unsigned int b;

+ size_t cmpl = (size_t)inl;

/* Prevent accidental use of encryption context when decrypting */

if (ctx->encrypt) {

diff --git a/crypto/openssl/crypto/evp/evp_local.h b/crypto/openssl/crypto/evp/evp_local.h
index f1589d682894..b59beee49fa8 100644
--- a/crypto/openssl/crypto/evp/evp_local.h
+++ b/crypto/openssl/crypto/evp/evp_local.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st {

typedef struct evp_pbe_st EVP_PBE_CTL;

DEFINE_STACK_OF(EVP_PBE_CTL)

-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len);

+int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len);

diff --git a/crypto/openssl/crypto/init.c b/crypto/openssl/crypto/init.c
index 1b0d523beae0..b23af7977cd2 100644
--- a/crypto/openssl/crypto/init.c
+++ b/crypto/openssl/crypto/init.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -211,7 +211,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)

}

static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;

-static int load_crypto_strings_inited = 0;

DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)

{

int ret = 1;

@@ -225,7 +225,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)

"err_load_crypto_strings_int()\n");

# endif

ret = err_load_crypto_strings_int();

- load_crypto_strings_inited = 1;

#endif

return ret;

}

@@ -549,14 +548,6 @@ void OPENSSL_cleanup(void)

async_deinit();

}

- if (load_crypto_strings_inited) {

-#ifdef OPENSSL_INIT_DEBUG

- fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "

- "err_free_strings_int()\n");

-#endif

- err_free_strings_int();

- }

key = destructor_key.value;

destructor_key.sane = -1;

CRYPTO_THREAD_cleanup_local(&key);

diff --git a/crypto/openssl/crypto/s390x_arch.h b/crypto/openssl/crypto/s390x_arch.h
index 4d2cc02eb3d3..64e7ebb5662e 100644
--- a/crypto/openssl/crypto/s390x_arch.h
+++ b/crypto/openssl/crypto/s390x_arch.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -47,6 +47,9 @@ struct OPENSSL_s390xcap_st {

unsigned long long kma[2];

};

+#if defined(__GNUC__) && defined(__linux)

+__attribute__ ((visibility("hidden")))

+#endif

extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;

/* convert facility bit number or function code to bit mask */

diff --git a/crypto/openssl/crypto/s390xcap.c b/crypto/openssl/crypto/s390xcap.c
index 5d58b2d807b4..1097c703b4fb 100644
--- a/crypto/openssl/crypto/s390xcap.c
+++ b/crypto/openssl/crypto/s390xcap.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -26,6 +26,9 @@ void OPENSSL_vx_probe(void);

struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;

+#if defined(__GNUC__) && defined(__linux)

+__attribute__ ((visibility("hidden")))

+#endif

void OPENSSL_cpuid_setup(void)

{

sigset_t oset;

diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt
index 51e76c8f71b9..3604fbdc658c 100644
--- a/crypto/openssl/doc/fingerprints.txt
+++ b/crypto/openssl/doc/fingerprints.txt

@@ -22,3 +22,13 @@ pub 2048R/0E604491 2013-04-30

Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491

uid Matt Caswell <matt@openssl.org>

uid Matt Caswell <frodo@baggins.org>

+pub rsa4096 2021-02-14

+ B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45

+uid Paul Dale <pauli@openssl.org>

+pub rsa4096 2021-07-16

+ A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C

+uid Tomáš Mráz <tm@t8m.info>

+uid Tomáš Mráz <tomas@arleto.cz>

+uid Tomáš Mráz <tomas@openssl.org>

diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod b/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod
index c32585e45f92..e76353cfd4b9 100644
--- a/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod
+++ b/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod

@@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.

All currently supported protocols have the same default timeout value

of 300 seconds.

+This timeout value is used as the ticket lifetime hint for stateless session

+tickets. It is also used as the timeout value within the ticket itself.

+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800

+seconds).

+For TLSv1.2, tickets generated during an initial handshake use the value

+as specified. Tickets generated during a resumed handshake have a value

+of 0 for the ticket lifetime hint.

=head1 RETURN VALUES

SSL_CTX_set_timeout() returns the previously set timeout value.

@@ -58,7 +68,7 @@ L<SSL_get_default_timeout(3)>

=head1 COPYRIGHT

Licensed under the OpenSSL license (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h
index cef157da5f64..7acc112982c7 100644
--- a/crypto/openssl/include/openssl/opensslv.h
+++ b/crypto/openssl/include/openssl/opensslv.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -39,8 +39,8 @@ extern "C" {

* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for

* major minor fix final patch/beta)

-# define OPENSSL_VERSION_NUMBER 0x101010efL

-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n-freebsd 15 Mar 2022"

+# define OPENSSL_VERSION_NUMBER 0x101010ffL

+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1o-freebsd 3 May 2022"

/*-

* The macros below are to be used for shared library (.so, .dll, ...)

diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 8a89f512fe60..7b119b452fd7 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -589,6 +589,8 @@ int ssl3_alert_code(int code)

return TLS1_AD_NO_APPLICATION_PROTOCOL;

case SSL_AD_CERTIFICATE_REQUIRED:

return SSL_AD_HANDSHAKE_FAILURE;

+ case SSL_AD_MISSING_EXTENSION:

+ return SSL_AD_HANDSHAKE_FAILURE;

default:

return -1;

}

diff --git a/crypto/openssl/ssl/ssl_init.c b/crypto/openssl/ssl/ssl_init.c
index d083d9597091..a5d45480c9e0 100644
--- a/crypto/openssl/ssl/ssl_init.c
+++ b/crypto/openssl/ssl/ssl_init.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -116,7 +116,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)

}

static CRYPTO_ONCE ssl_strings = CRYPTO_ONCE_STATIC_INIT;

-static int ssl_strings_inited = 0;

DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)

{

@@ -129,7 +129,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)

"ERR_load_SSL_strings()\n");

# endif

ERR_load_SSL_strings();

- ssl_strings_inited = 1;

#endif

return 1;

}

@@ -157,20 +156,6 @@ static void ssl_library_stop(void)

ssl_comp_free_compression_methods_int();

#endif

}

- if (ssl_strings_inited) {

-#ifdef OPENSSL_INIT_DEBUG

- fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: "

- "err_free_strings_int()\n");

-#endif

- /*

- * If both crypto and ssl error strings are inited we will end up

- * calling err_free_strings_int() twice - but that's ok. The second

- * time will be a no-op. It's easier to do that than to try and track

- * between the two libraries whether they have both been inited.

- */

- err_free_strings_int();

- }

}

diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index ff5a9e05660b..1fbad29b233c 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c

@@ -1,5 +1,5 @@

@@ -2170,6 +2170,7 @@ int SSL_shutdown(SSL *s)

if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {

struct ssl_async_args args;

+ memset(&args, 0, sizeof(args));

args.s = s;

args.type = OTHERFUNC;

args.f.func_other = s->method->ssl_shutdown;

@@ -3799,6 +3800,7 @@ int SSL_do_handshake(SSL *s)

if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {

struct ssl_async_args args;

+ memset(&args, 0, sizeof(args));

args.s = s;

ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);

diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c
index 457bc8b3c20a..759e1873e6b1 100644
--- a/crypto/openssl/ssl/ssl_txt.c
+++ b/crypto/openssl/ssl/ssl_txt.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -130,11 +130,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)

}

#endif

if (x->time != 0L) {

- if (BIO_printf(bp, "\n Start Time: %ld", x->time) <= 0)

+ if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0)

goto err;

}

if (x->timeout != 0L) {

- if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0)

+ if (BIO_printf(bp, "\n Timeout : %lld (sec)", (long long)x->timeout) <= 0)

goto err;

}

if (BIO_puts(bp, "\n") <= 0)

diff --git a/crypto/openssl/ssl/statem/statem_clnt.c b/crypto/openssl/ssl/statem/statem_clnt.c
index d1a39698124b..d19c44e8d984 100644
--- a/crypto/openssl/ssl/statem/statem_clnt.c
+++ b/crypto/openssl/ssl/statem/statem_clnt.c

@@ -1,5 +1,5 @@

@@ -1422,6 +1422,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)

&& sversion == TLS1_2_VERSION

&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE

&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {

+ if (s->hello_retry_request != SSL_HRR_NONE) {

+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,

+ SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE);

+ goto err;

+ }

s->hello_retry_request = SSL_HRR_PENDING;

hrr = 1;

if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {

diff --git a/crypto/openssl/ssl/statem/statem_dtls.c b/crypto/openssl/ssl/statem/statem_dtls.c
index 8e3fb686ee27..8fe6cea72359 100644
--- a/crypto/openssl/ssl/statem/statem_dtls.c
+++ b/crypto/openssl/ssl/statem/statem_dtls.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type)

else

len = s->init_num;

- if (len > s->max_send_fragment)

- len = s->max_send_fragment;

+ if (len > ssl_get_max_send_fragment(s))

+ len = ssl_get_max_send_fragment(s);

* XDTLS: this function is too long. split out the CCS part

@@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type)

ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len,

&written);

- if (ret < 0) {

+ if (ret <= 0) {

* might need to update MTU here, but we don't know which

* previous packet caused the failure -- so can't really

diff --git a/crypto/openssl/ssl/statem/statem_srvr.c b/crypto/openssl/ssl/statem/statem_srvr.c
index d701c46b43b5..43f77a58992f 100644
--- a/crypto/openssl/ssl/statem/statem_srvr.c
+++ b/crypto/openssl/ssl/statem/statem_srvr.c

@@ -1,5 +1,5 @@

@@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)

static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,

unsigned char *tick_nonce)

{

+ uint32_t timeout = (uint32_t)s->session->timeout;

- * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this

- * unspecified for resumed session (for simplicity).

+ * Ticket lifetime hint:

* In TLSv1.3 we reset the "time" field above, and always specify the

- * timeout.

+ * timeout, limited to a 1 week period per RFC8446.

+ * For TLSv1.2 this is advisory only and we leave this unspecified for

+ * resumed session (for simplicity).

- if (!WPACKET_put_bytes_u32(pkt,

- (s->hit && !SSL_IS_TLS13(s))

- ? 0 : s->session->timeout)) {

+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)

+ if (SSL_IS_TLS13(s)) {

+ if (s->session->timeout > ONE_WEEK_SEC)

+ timeout = ONE_WEEK_SEC;

+ } else if (s->hit)

+ timeout = 0;

+ if (!WPACKET_put_bytes_u32(pkt, timeout)) {

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,

ERR_R_INTERNAL_ERROR);

return 0;

diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index 7d2eb381af1a..422dde31262a 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -796,6 +796,8 @@ int tls1_alert_code(int code)

return TLS1_AD_NO_APPLICATION_PROTOCOL;

case SSL_AD_CERTIFICATE_REQUIRED:

return SSL_AD_HANDSHAKE_FAILURE;

+ case SSL_AD_MISSING_EXTENSION:

+ return SSL_AD_HANDSHAKE_FAILURE;

default:

return -1;

}