aboutsummaryrefslogtreecommitdiff
path: root/ssl
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2021-12-14 18:30:54 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2021-12-14 18:30:54 +0000
commit56eae1b760adf10835560a9ee595549a1f10410f (patch)
tree3669bea49de5b47517bb53f6d62d7359df20d3a6 /ssl
parentc1d1798abd60f12527b70443cb7d0b9cd78ef7b1 (diff)
downloadsrc-vendor/openssl.tar.gz
src-vendor/openssl.zip
Diffstat (limited to 'ssl')
-rw-r--r--ssl/bio_ssl.c7
-rw-r--r--ssl/record/ssl3_record.c2
-rw-r--r--ssl/s3_cbc.c4
-rw-r--r--ssl/ssl_asn1.c4
-rw-r--r--ssl/ssl_ciph.c3
-rw-r--r--ssl/ssl_lib.c2
-rw-r--r--ssl/ssl_local.h2
-rw-r--r--ssl/statem/README2
-rw-r--r--ssl/statem/extensions_clnt.c5
-rw-r--r--ssl/statem/extensions_cust.c13
-rw-r--r--ssl/statem/statem_lib.c4
11 files changed, 28 insertions, 20 deletions
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index c4239345b633..67097d5cca41 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -76,13 +76,12 @@ static int ssl_free(BIO *a)
if (a == NULL)
return 0;
bs = BIO_get_data(a);
- if (bs->ssl != NULL)
- SSL_shutdown(bs->ssl);
if (BIO_get_shutdown(a)) {
+ if (bs->ssl != NULL)
+ SSL_shutdown(bs->ssl);
if (BIO_get_init(a))
SSL_free(bs->ssl);
- /* Clear all flags */
- BIO_clear_flags(a, ~0);
+ BIO_clear_flags(a, ~0); /* Clear all flags */
BIO_set_init(a, 0);
}
OPENSSL_free(bs);
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index e6a8bbd71073..f158544789bb 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1039,7 +1039,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
if (SSL_IS_DTLS(s)) {
/* DTLS does not support pipelining */
- unsigned char dtlsseq[9], *p = dtlsseq;
+ unsigned char dtlsseq[8], *p = dtlsseq;
s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index aa7d63f84a9f..c95dcd9fdec1 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -128,7 +128,7 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
unsigned char *md_out,
size_t *md_out_size,
- const unsigned char header[13],
+ const unsigned char *header,
const unsigned char *data,
size_t data_plus_mac_size,
size_t data_plus_mac_plus_padding_size,
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 799fee771ba5..926436410050 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -225,7 +225,7 @@ static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src)
static int ssl_session_memcpy(unsigned char *dst, size_t *pdstlen,
ASN1_OCTET_STRING *src, size_t maxlen)
{
- if (src == NULL) {
+ if (src == NULL || src->length == 0) {
*pdstlen = 0;
return 1;
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 735a483c6448..55f919fcd58a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -1601,6 +1601,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
if (!sk_SSL_CIPHER_push(cipherstack,
sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
+ OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
return NULL;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ffd0a0bc6d17..9c411a329396 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1684,6 +1684,8 @@ static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
if (s->waitctx == NULL)
return -1;
}
+
+ s->rwstate = SSL_NOTHING;
switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args,
sizeof(struct ssl_async_args))) {
case ASYNC_ERR:
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index f92472117a1b..9f346e30e8f4 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2622,7 +2622,7 @@ __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
__owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
unsigned char *md_out,
size_t *md_out_size,
- const unsigned char header[13],
+ const unsigned char *header,
const unsigned char *data,
size_t data_plus_mac_size,
size_t data_plus_mac_plus_padding_size,
diff --git a/ssl/statem/README b/ssl/statem/README
index 86cc06637291..bafe33060c92 100644
--- a/ssl/statem/README
+++ b/ssl/statem/README
@@ -55,7 +55,7 @@ Conceptually the state machine component is designed as follows:
| | | |
____________V_______V________ ________V______V_______________
| | | |
- | statem_both.c | | statem_dtls.c |
+ | statem_lib.c | | statem_dtls.c |
| | | |
| Non core functions common | | Non core functions common to |
| to both servers and clients | | both DTLS servers and clients |
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index ce8a75794c3a..9d38ac23b5f0 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1741,7 +1741,9 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Ignore if inappropriate ciphersuite */
if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
&& s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
- && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
+ && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
+ && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
+ && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12)
s->ext.use_etm = 1;
return 1;
@@ -1872,6 +1874,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);
+ EVP_PKEY_free(skey);
return 0;
}
if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index a0ba18efa704..1fe226f9f264 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -146,11 +146,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
}
/*
- * Extensions received in the ClientHello are marked with the
- * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
- * extensions in the ServerHello/EncryptedExtensions message
+ * Extensions received in the ClientHello or CertificateRequest are marked
+ * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
+ * extensions in the response messages
*/
- if ((context & SSL_EXT_CLIENT_HELLO) != 0)
+ if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST))
+ != 0)
meth->ext_flags |= SSL_EXT_FLAG_RECEIVED;
/* If no parse function set return success */
@@ -192,7 +193,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
| SSL_EXT_TLS1_3_CERTIFICATE
| SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) {
- /* Only send extensions present in ClientHello. */
+ /* Only send extensions present in ClientHello/CertificateRequest */
if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
continue;
}
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c3b6f8f4569a..695caab3d628 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -2410,6 +2410,8 @@ int tls13_save_handshake_digest_for_pha(SSL *s)
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
ERR_R_INTERNAL_ERROR);
+ EVP_MD_CTX_free(s->pha_dgst);
+ s->pha_dgst = NULL;
return 0;
}
}