src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2021-03-25 15:45:19 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2021-03-25 15:45:19 +0000
commit	b6c1fdcdf5033d20c61cc77d66f58f31cc65e2ba (patch)
tree	0b8571c7d3c4477ae6c4b2c9b84d061a461ee128 /crypto/openssl
parent	f073ab8712a032faecf1fb94c4491fd555461ad8 (diff)
parent	94fa08a4bcdfbb3434b025d67d014af3b18e5380 (diff)
download	src-b6c1fdcdf5033d20c61cc77d66f58f31cc65e2ba.tar.gz src-b6c1fdcdf5033d20c61cc77d66f58f31cc65e2ba.zip

OpenSSL: Merge OpenSSL 1.1.1k

Merge commit '94fa08a4bcdfbb3434b025d67d014af3b18e5380'

Diffstat (limited to 'crypto/openssl')

-rw-r--r--

crypto/openssl/CHANGES

-rw-r--r--

crypto/openssl/NEWS

-rw-r--r--

crypto/openssl/README

-rw-r--r--

crypto/openssl/apps/s_cb.c

-rw-r--r--

crypto/openssl/apps/s_time.c

-rw-r--r--

crypto/openssl/crypto/asn1/asn1_par.c

-rw-r--r--

crypto/openssl/crypto/asn1/bio_ndef.c

-rw-r--r--

crypto/openssl/crypto/engine/eng_devcrypto.c

-rw-r--r--

crypto/openssl/crypto/evp/evp_enc.c

-rw-r--r--

crypto/openssl/crypto/modes/cbc128.c

-rw-r--r--

crypto/openssl/crypto/modes/gcm128.c

-rw-r--r--

crypto/openssl/crypto/o_time.c

-rw-r--r--

crypto/openssl/crypto/rand/rand_lib.c

-rw-r--r--

crypto/openssl/crypto/rsa/rsa_ssl.c

-rw-r--r--

crypto/openssl/crypto/x509/x509_vfy.c

-rw-r--r--

crypto/openssl/include/openssl/opensslv.h

-rw-r--r--

crypto/openssl/ssl/s3_lib.c

-rw-r--r--

crypto/openssl/ssl/ssl_lib.c

-rw-r--r--

crypto/openssl/ssl/statem/extensions.c

-rw-r--r--

crypto/openssl/ssl/statem/extensions_clnt.c

-rw-r--r--

crypto/openssl/ssl/statem/statem_clnt.c

-rw-r--r--

crypto/openssl/ssl/statem/statem_srvr.c

22 files changed, 166 insertions, 44 deletions

diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index a4a63a9bea22..7f8057bb6f0a 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES

@@ -7,6 +7,50 @@

https://github.com/openssl/openssl/commits/ and pick the appropriate

release branch.

+ Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

+ *) Fixed a problem with verifying a certificate chain when using the

+ X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks

+ of the certificates present in a certificate chain. It is not set by

+ default.

+ Starting from OpenSSL version 1.1.1h a check to disallow certificates in

+ the chain that have explicitly encoded elliptic curve parameters was added

+ as an additional strict check.

+ An error in the implementation of this check meant that the result of a

+ previous check to confirm that certificates in the chain are valid CA

+ certificates was overwritten. This effectively bypasses the check

+ that non-CA certificates must not be able to issue other certificates.

+ If a "purpose" has been configured then there is a subsequent opportunity

+ for checks that the certificate is a valid CA. All of the named "purpose"

+ values implemented in libcrypto perform this check. Therefore, where

+ a purpose is set the certificate chain will still be rejected even when the

+ strict flag has been used. A purpose is set by default in libssl client and

+ server certificate verification routines, but it can be overridden or

+ removed by an application.

+ In order to be affected, an application must explicitly set the

+ X509_V_FLAG_X509_STRICT verification flag and either not set a purpose

+ for the certificate verification or, in the case of TLS client or server

+ applications, override the default purpose.

+ (CVE-2021-3450)

+ [Tomáš Mráz]

+ *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously

+ crafted renegotiation ClientHello message from a client. If a TLSv1.2

+ renegotiation ClientHello omits the signature_algorithms extension (where

+ it was present in the initial ClientHello), but includes a

+ signature_algorithms_cert extension then a NULL pointer dereference will

+ result, leading to a crash and a denial of service attack.

+ A server is only vulnerable if it has TLSv1.2 and renegotiation enabled

+ (which is the default configuration). OpenSSL TLS clients are not impacted

+ by this issue.

+ (CVE-2021-3449)

+ [Peter Kästle and Samuel Sapalski]

Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

*) Fixed the X509_issuer_and_serial_hash() function. It attempts to

diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 3cce52506645..05991a0c214a 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS

@@ -5,6 +5,14 @@

This file gives a brief overview of the major changes between each OpenSSL

release. For more details please read the CHANGES file.

+ Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

+ o Fixed a problem with verifying a certificate chain when using the

+ X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)

+ o Fixed an issue where an OpenSSL TLS server may crash if sent a

+ maliciously crafted renegotiation ClientHello message from a client

+ (CVE-2021-3449)

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()

diff --git a/crypto/openssl/README b/crypto/openssl/README
index da5629f92c81..b92a8bd3a4b5 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README

@@ -1,7 +1,7 @@

- OpenSSL 1.1.1j 16 Feb 2021

+ OpenSSL 1.1.1k 25 Mar 2021

diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index 6406ddfb9e1b..dee1b2e5b4f6 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -934,7 +934,8 @@ static int set_cert_cb(SSL *ssl, void *arg)

if (!SSL_build_cert_chain(ssl, 0))

return 0;

} else if (exc->chain != NULL) {

- SSL_set1_chain(ssl, exc->chain);

+ if (!SSL_set1_chain(ssl, exc->chain))

+ return 0;

}

exc = exc->prev;

diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c
index 628e65b26e19..1235e545c20a 100644
--- a/crypto/openssl/apps/s_time.c
+++ b/crypto/openssl/apps/s_time.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -263,7 +263,8 @@ int s_time_main(int argc, char **argv)

nConn, totalTime, ((double)nConn / totalTime), bytes_read);

printf

("%d connections in %ld real seconds, %ld bytes read per connection\n",

- nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);

+ nConn, (long)time(NULL) - finishtime + maxtime,

+ nConn > 0 ? bytes_read / nConn : 0l);

* Now loop and time connections using the same session id over and over

diff --git a/crypto/openssl/crypto/asn1/asn1_par.c b/crypto/openssl/crypto/asn1/asn1_par.c
index 3f10c7cb94c5..a32fa47f2206 100644
--- a/crypto/openssl/crypto/asn1/asn1_par.c
+++ b/crypto/openssl/crypto/asn1/asn1_par.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -325,6 +325,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,

}

if (BIO_puts(bp, "]") <= 0)

goto end;

+ dump_cont = 0;

}

if (!nl) {

diff --git a/crypto/openssl/crypto/asn1/bio_ndef.c b/crypto/openssl/crypto/asn1/bio_ndef.c
index 6222c99074de..d7d7d80eea91 100644
--- a/crypto/openssl/crypto/asn1/bio_ndef.c
+++ b/crypto/openssl/crypto/asn1/bio_ndef.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -113,6 +113,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)

ndef_aux = *(NDEF_SUPPORT **)parg;

derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);

+ if (derlen < 0)

+ return 0;

if ((p = OPENSSL_malloc(derlen)) == NULL) {

ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE);

return 0;

diff --git a/crypto/openssl/crypto/engine/eng_devcrypto.c b/crypto/openssl/crypto/engine/eng_devcrypto.c
index 49e9ce1af33b..84a3b7dbec75 100644
--- a/crypto/openssl/crypto/engine/eng_devcrypto.c
+++ b/crypto/openssl/crypto/engine/eng_devcrypto.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -758,8 +758,9 @@ static int devcrypto_unload(ENGINE *e)

void engine_load_devcrypto_int()

{

ENGINE *e = NULL;

+ int fd;

- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {

+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {

#ifndef ENGINE_DEVCRYPTO_DEBUG

if (errno != ENOENT)

#endif

@@ -767,6 +768,18 @@ void engine_load_devcrypto_int()

return;

}

+#ifdef CRIOGET

+ if (ioctl(fd, CRIOGET, &cfd) < 0) {

+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));

+ close(fd);

+ cfd = -1;

+ return;

+ }

+ close(fd);

+#else

+ cfd = fd;

+#endif

if ((e = ENGINE_new()) == NULL

|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {

ENGINE_free(e);

diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index 0843caf4f0a4..e3c165d48e08 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

diff --git a/crypto/openssl/crypto/modes/cbc128.c b/crypto/openssl/crypto/modes/cbc128.c
index c85e37c6a546..15a14be70872 100644
--- a/crypto/openssl/crypto/modes/cbc128.c
+++ b/crypto/openssl/crypto/modes/cbc128.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,

in += 16;

out += 16;

}

- memcpy(ivec, iv, 16);

+ if (ivec != iv)

+ memcpy(ivec, iv, 16);

}

void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,

@@ -114,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,

out += 16;

}

- memcpy(ivec, iv, 16);

+ if (ivec != iv)

+ memcpy(ivec, iv, 16);

} else {

if (STRICT_ALIGNMENT &&

((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {

diff --git a/crypto/openssl/crypto/modes/gcm128.c b/crypto/openssl/crypto/modes/gcm128.c
index 0c0bf3cda5b5..8304efff48be 100644
--- a/crypto/openssl/crypto/modes/gcm128.c
+++ b/crypto/openssl/crypto/modes/gcm128.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -1385,8 +1385,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,

else

ctx->Yi.d[3] = ctr;

for (i = 0; i < 16 / sizeof(size_t); ++i) {

- size_t c = in[i];

- out[i] = c ^ ctx->EKi.t[i];

+ size_t c = in_t[i];

+ out_t[i] = c ^ ctx->EKi.t[i];

ctx->Xi.t[i] ^= c;

}

GCM_MUL(ctx);

diff --git a/crypto/openssl/crypto/o_time.c b/crypto/openssl/crypto/o_time.c
index 3502edda6238..3fa70c45af83 100644
--- a/crypto/openssl/crypto/o_time.c
+++ b/crypto/openssl/crypto/o_time.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -133,8 +133,8 @@ int OPENSSL_gmtime_diff(int *pday, int *psec,

static int julian_adj(const struct tm *tm, int off_day, long offset_sec,

long *pday, int *psec)

{

- int offset_hms, offset_day;

- long time_jd;

+ int offset_hms;

+ long offset_day, time_jd;

int time_year, time_month, time_day;

/* split offset into days and day seconds */

offset_day = offset_sec / SECS_PER_DAY;

diff --git a/crypto/openssl/crypto/rand/rand_lib.c b/crypto/openssl/crypto/rand/rand_lib.c
index ba3a29e58468..5c72fad8ca26 100644
--- a/crypto/openssl/crypto/rand/rand_lib.c
+++ b/crypto/openssl/crypto/rand/rand_lib.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -432,9 +432,13 @@ err:

RAND_POOL *rand_pool_new(int entropy_requested, int secure,

size_t min_len, size_t max_len)

{

- RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));

+ RAND_POOL *pool;

size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);

+ if (!RUN_ONCE(&rand_init, do_rand_init))

+ return NULL;

+ pool = OPENSSL_zalloc(sizeof(*pool));

if (pool == NULL) {

RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);

return NULL;

diff --git a/crypto/openssl/crypto/rsa/rsa_ssl.c b/crypto/openssl/crypto/rsa/rsa_ssl.c
index ecdb3cee1fa3..e1c755ae460b 100644
--- a/crypto/openssl/crypto/rsa/rsa_ssl.c
+++ b/crypto/openssl/crypto/rsa/rsa_ssl.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 0c71b2e8b4ad..20a36e763c5d 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c

@@ -524,15 +524,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)

ret = 1;

break;

}

- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {

+ if (ret > 0

+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {

/* Check for presence of explicit elliptic curve parameters */

ret = check_curve(x);

- if (ret < 0)

+ if (ret < 0) {

ctx->error = X509_V_ERR_UNSPECIFIED;

- else if (ret == 0)

+ ret = 0;

+ } else if (ret == 0) {

ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;

+ }

}

- if ((x->ex_flags & EXFLAG_CA) == 0

+ if (ret > 0

+ && (x->ex_flags & EXFLAG_CA) == 0

&& x->ex_pathlen != -1

&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {

ctx->error = X509_V_ERR_INVALID_EXTENSION;

diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h
index 5eeb751672aa..ec4a1123f131 100644
--- a/crypto/openssl/include/openssl/opensslv.h
+++ b/crypto/openssl/include/openssl/opensslv.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -39,8 +39,8 @@ extern "C" {

* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for

* major minor fix final patch/beta)

-# define OPENSSL_VERSION_NUMBER 0x101010afL

-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1j-freebsd 16 Feb 2021"

+# define OPENSSL_VERSION_NUMBER 0x101010bfL

+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k-freebsd 25 Mar 2021"

/*-

* The macros below are to be used for shared library (.so, .dll, ...)

diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index 4511b52c9afc..b256a4b93503 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c

@@ -1,5 +1,5 @@

@@ -4629,6 +4629,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,

OPENSSL_clear_free(s->s3->tmp.psk, psklen);

s->s3->tmp.psk = NULL;

+ s->s3->tmp.psklen = 0;

if (!s->method->ssl3_enc->generate_master_secret(s,

s->session->master_key, pskpms, pskpmslen,

&s->session->master_key_length)) {

@@ -4658,8 +4659,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,

else

OPENSSL_cleanse(pms, pmslen);

}

- if (s->server == 0)

+ if (s->server == 0) {

s->s3->tmp.pms = NULL;

+ s->s3->tmp.pmslen = 0;

+ }

return ret;

}

diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 382f4b6d7b58..3fc6549c80e3 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c

@@ -1,5 +1,5 @@

@@ -781,8 +781,10 @@ SSL *SSL_new(SSL_CTX *ctx)

s->ext.ecpointformats =

OPENSSL_memdup(ctx->ext.ecpointformats,

ctx->ext.ecpointformats_len);

- if (!s->ext.ecpointformats)

+ if (!s->ext.ecpointformats) {

+ s->ext.ecpointformats_len = 0;

goto err;

+ }

s->ext.ecpointformats_len =

ctx->ext.ecpointformats_len;

}

@@ -791,8 +793,10 @@ SSL *SSL_new(SSL_CTX *ctx)

OPENSSL_memdup(ctx->ext.supportedgroups,

ctx->ext.supportedgroups_len

* sizeof(*ctx->ext.supportedgroups));

- if (!s->ext.supportedgroups)

+ if (!s->ext.supportedgroups) {

+ s->ext.supportedgroups_len = 0;

goto err;

+ }

s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;

}

#endif

@@ -802,8 +806,10 @@ SSL *SSL_new(SSL_CTX *ctx)

if (s->ctx->ext.alpn) {

s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);

- if (s->ext.alpn == NULL)

+ if (s->ext.alpn == NULL) {

+ s->ext.alpn_len = 0;

goto err;

+ }

memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);

s->ext.alpn_len = s->ctx->ext.alpn_len;

}

@@ -2923,6 +2929,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,

OPENSSL_free(ctx->ext.alpn);

ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);

if (ctx->ext.alpn == NULL) {

+ ctx->ext.alpn_len = 0;

SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);

return 1;

}

@@ -2942,6 +2949,7 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,

OPENSSL_free(ssl->ext.alpn);

ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);

if (ssl->ext.alpn == NULL) {

+ ssl->ext.alpn_len = 0;

SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);

return 1;

}

diff --git a/crypto/openssl/ssl/statem/extensions.c b/crypto/openssl/ssl/statem/extensions.c
index 9f51a6eb28d9..e1a3b1db67a1 100644
--- a/crypto/openssl/ssl/statem/extensions.c
+++ b/crypto/openssl/ssl/statem/extensions.c

@@ -336,6 +336,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {

tls_construct_stoc_key_share, tls_construct_ctos_key_share,

final_key_share

+#else

+ INVALID_EXTENSION,

#endif

{

/* Must be after key_share */

@@ -1137,6 +1139,7 @@ static int init_sig_algs(SSL *s, unsigned int context)

/* Clear any signature algorithms extension received */

OPENSSL_free(s->s3->tmp.peer_sigalgs);

s->s3->tmp.peer_sigalgs = NULL;

+ s->s3->tmp.peer_sigalgslen = 0;

return 1;

}

@@ -1146,6 +1149,7 @@ static int init_sig_algs_cert(SSL *s, unsigned int context)

/* Clear any signature algorithms extension received */

OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);

s->s3->tmp.peer_cert_sigalgs = NULL;

+ s->s3->tmp.peer_cert_sigalgslen = 0;

return 1;

}

diff --git a/crypto/openssl/ssl/statem/extensions_clnt.c b/crypto/openssl/ssl/statem/extensions_clnt.c
index bcce0f1d9534..ce8a75794c3a 100644
--- a/crypto/openssl/ssl/statem/extensions_clnt.c
+++ b/crypto/openssl/ssl/statem/extensions_clnt.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -816,6 +816,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,

OPENSSL_free(s->psksession_id);

s->psksession_id = OPENSSL_memdup(id, idlen);

if (s->psksession_id == NULL) {

+ s->psksession_id_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR,

SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);

return EXT_RETURN_FAIL;

@@ -1375,6 +1376,7 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,

OPENSSL_free(s->ext.peer_ecpointformats);

s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);

if (s->ext.peer_ecpointformats == NULL) {

+ s->ext.peer_ecpointformats_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR,

SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);

return 0;

@@ -1492,8 +1494,13 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

s->ext.scts_len = (uint16_t)size;

if (size > 0) {

s->ext.scts = OPENSSL_malloc(size);

- if (s->ext.scts == NULL

- || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {

+ if (s->ext.scts == NULL) {

+ s->ext.scts_len = 0;

+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,

+ ERR_R_MALLOC_FAILURE);

+ return 0;

+ }

+ if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,

ERR_R_INTERNAL_ERROR);

return 0;

@@ -1592,6 +1599,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

OPENSSL_free(s->ext.npn);

s->ext.npn = OPENSSL_malloc(selected_len);

if (s->ext.npn == NULL) {

+ s->ext.npn_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,

ERR_R_INTERNAL_ERROR);

return 0;

@@ -1632,6 +1640,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

OPENSSL_free(s->s3->alpn_selected);

s->s3->alpn_selected = OPENSSL_malloc(len);

if (s->s3->alpn_selected == NULL) {

+ s->s3->alpn_selected_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,

ERR_R_INTERNAL_ERROR);

return 0;

@@ -1663,6 +1672,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

s->session->ext.alpn_selected =

OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);

if (s->session->ext.alpn_selected == NULL) {

+ s->session->ext.alpn_selected_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,

ERR_R_INTERNAL_ERROR);

return 0;

diff --git a/crypto/openssl/ssl/statem/statem_clnt.c b/crypto/openssl/ssl/statem/statem_clnt.c
index d84cc0460f4e..de58f1a4b7e9 100644
--- a/crypto/openssl/ssl/statem/statem_clnt.c
+++ b/crypto/openssl/ssl/statem/statem_clnt.c

@@ -2462,6 +2462,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)

s->s3->tmp.ctype_len = 0;

OPENSSL_free(s->pha_context);

s->pha_context = NULL;

+ s->pha_context_len = 0;

if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||

!PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {

@@ -2771,16 +2772,17 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt)

}

s->ext.ocsp.resp = OPENSSL_malloc(resplen);

if (s->ext.ocsp.resp == NULL) {

+ s->ext.ocsp.resp_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,

ERR_R_MALLOC_FAILURE);

return 0;

}

+ s->ext.ocsp.resp_len = resplen;

if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {

SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,

SSL_R_LENGTH_MISMATCH);

return 0;

}

- s->ext.ocsp.resp_len = resplen;

return 1;

}

@@ -2905,6 +2907,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)

if (psklen > PSK_MAX_PSK_LEN) {

SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);

+ psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */

goto err;

} else if (psklen == 0) {

SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

@@ -3350,9 +3353,11 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)

err:

OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);

s->s3->tmp.pms = NULL;

+ s->s3->tmp.pmslen = 0;

#ifndef OPENSSL_NO_PSK

OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);

s->s3->tmp.psk = NULL;

+ s->s3->tmp.psklen = 0;

#endif

return 0;

}

@@ -3427,6 +3432,7 @@ int tls_client_key_exchange_post_work(SSL *s)

err:

OPENSSL_clear_free(pms, pmslen);

s->s3->tmp.pms = NULL;

+ s->s3->tmp.pmslen = 0;

return 0;

}

diff --git a/crypto/openssl/ssl/statem/statem_srvr.c b/crypto/openssl/ssl/statem/statem_srvr.c
index cf45a40ce4e3..fec12f613004 100644
--- a/crypto/openssl/ssl/statem/statem_srvr.c
+++ b/crypto/openssl/ssl/statem/statem_srvr.c

@@ -1,5 +1,5 @@

@@ -2178,6 +2178,7 @@ int tls_handle_alpn(SSL *s)

OPENSSL_free(s->s3->alpn_selected);

s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);

if (s->s3->alpn_selected == NULL) {

+ s->s3->alpn_selected_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,

ERR_R_INTERNAL_ERROR);

return 0;

@@ -2853,9 +2854,16 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)

if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {

OPENSSL_free(s->pha_context);

s->pha_context_len = 32;

- if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL

- || RAND_bytes(s->pha_context, s->pha_context_len) <= 0

- || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {

+ if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {

+ s->pha_context_len = 0;

+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,

+ SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,

+ ERR_R_INTERNAL_ERROR);

+ return 0;

+ }

+ if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0

+ || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,

+ s->pha_context_len)) {

SSLfatal(s, SSL_AD_INTERNAL_ERROR,

SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,

ERR_R_INTERNAL_ERROR);

@@ -2969,6 +2977,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)

OPENSSL_cleanse(psk, psklen);

if (s->s3->tmp.psk == NULL) {

+ s->s3->tmp.psklen = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR,

SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);

return 0;

@@ -3508,6 +3517,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)

#ifndef OPENSSL_NO_PSK

OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);

s->s3->tmp.psk = NULL;

+ s->s3->tmp.psklen = 0;

#endif

return MSG_PROCESS_ERROR;

}

@@ -4117,6 +4127,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)

s->session->ext.alpn_selected =

OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);

if (s->session->ext.alpn_selected == NULL) {

+ s->session->ext.alpn_selected_len = 0;

SSLfatal(s, SSL_AD_INTERNAL_ERROR,

SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,

ERR_R_MALLOC_FAILURE);