authorJung-uk Kim <jkim@FreeBSD.org>2020-09-25 22:43:14 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2020-09-25 22:43:14 +0000
commit7fc1f569abf7c799c6334297ee020a01b5d3d71e (patch)
tree6494fa45d06ccd27128ac6675e338eb0ee59ac62 /crypto/openssl/ssl
parent2367fca656edb8ea52e6a2f7d8ef63e3a38966d6 (diff)
MFS: r366176
Merge OpenSSL 1.1.1h. Approved by: re (gjb)
Notes
Notes: svn path=/releng/12.2/; revision=366177
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r--crypto/openssl/ssl/bio_ssl.c3
-rw-r--r--crypto/openssl/ssl/record/ssl3_buffer.c4
-rw-r--r--crypto/openssl/ssl/ssl_conf.c9
-rw-r--r--crypto/openssl/ssl/ssl_lib.c22
-rw-r--r--crypto/openssl/ssl/ssl_rsa.c28
-rw-r--r--crypto/openssl/ssl/statem/extensions.c14
-rw-r--r--crypto/openssl/ssl/statem/extensions_srvr.c2
-rw-r--r--crypto/openssl/ssl/statem/statem_lib.c35
-rw-r--r--crypto/openssl/ssl/t1_lib.c74
-rw-r--r--crypto/openssl/ssl/t1_trce.c23
-rw-r--r--crypto/openssl/ssl/tls13_enc.c11
11 files changed, 117 insertions, 108 deletions
diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c
index ab9e6668cd57..53129bfb8811 100644
--- a/crypto/openssl/ssl/bio_ssl.c
+++ b/crypto/openssl/ssl/bio_ssl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -284,6 +284,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
ssl_free(b);
if (!ssl_new(b))
return 0;
+ bs = BIO_get_data(b);
}
BIO_set_shutdown(b, num);
ssl = (SSL *)ptr;
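Review bot: The refreshed `bs` on the added line has no comment saying why it is re-read, and the only thing guaranteeing the new data pointer is usable is the `ssl_new(b)` success check just above it. A one-liner would make the intent clear to the next reader: `/* ssl_new() replaced the BIO's data block; refresh the cached pointer */`. ssl_ctrl begins before and continues after this hunk.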
diff --git a/crypto/openssl/ssl/record/ssl3_buffer.c b/crypto/openssl/ssl/record/ssl3_buffer.c
index 605f8f9b75be..9b2a6964c689 100644
--- a/crypto/openssl/ssl/record/ssl3_buffer.c
+++ b/crypto/openssl/ssl/record/ssl3_buffer.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -94,7 +94,7 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len)
headerlen = SSL3_RT_HEADER_LENGTH;
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
+ align = SSL3_ALIGN_PAYLOAD - 1;
#endif
len = ssl_get_max_send_fragment(s)
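Review bot: The new `align = SSL3_ALIGN_PAYLOAD - 1;` reserves the worst-case padding instead of the header-relative amount the old expression computed, and nothing says why; presumably the allocation base can no longer be assumed aligned, but that is inferred rather than visible here. A comment such as `/* reserve worst-case padding: the buffer base is not assumed to be aligned */` would save the next reader from re-deriving it. ssl3_setup_write_buffer continues outside the hunk.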
diff --git a/crypto/openssl/ssl/ssl_conf.c b/crypto/openssl/ssl/ssl_conf.c
index 8ef29bb34535..0a3fef7c8c14 100644
--- a/crypto/openssl/ssl/ssl_conf.c
+++ b/crypto/openssl/ssl/ssl_conf.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -305,6 +305,13 @@ static int protocol_from_string(const char *value)
const char *name;
int version;
};
+ /*
+ * Note: To avoid breaking previously valid configurations, we must retain
+ * legacy entries in this table even if the underlying protocol is no
+ * longer supported. This also means that the constants SSL3_VERSION, ...
+ * need to be retained indefinitely. This table can only grow, never
+ * shrink.
+ */
static const struct protocol_versions versions[] = {
{"None", 0},
{"SSLv3", SSL3_VERSION},
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 7c7e59789ccd..b1df374817c7 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -1200,6 +1200,8 @@ void SSL_free(SSL *s)
OPENSSL_free(s->ext.ocsp.resp);
OPENSSL_free(s->ext.alpn);
OPENSSL_free(s->ext.tls13_cookie);
+ if (s->clienthello != NULL)
+ OPENSSL_free(s->clienthello->pre_proc_exts);
OPENSSL_free(s->clienthello);
OPENSSL_free(s->pha_context);
EVP_MD_CTX_free(s->pha_dgst);
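Review bot: The added free of `s->clienthello->pre_proc_exts` does not say why this field can still be live when SSL_free() runs; presumably it survives only when the object is freed part way through ClientHello processing, but the hunk does not show that. Suggest `/* a still-pending ClientHello owns its pre-processed extension list */` above the new `if`. SSL_free continues outside the hunk.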
@@ -2895,7 +2897,8 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const unsigned char *context, size_t contextlen,
int use_context)
{
- if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
+ if (s->session == NULL
+ || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER))
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
@@ -3824,6 +3827,8 @@ SSL *SSL_dup(SSL *s)
goto err;
ret->version = s->version;
ret->options = s->options;
+ ret->min_proto_version = s->min_proto_version;
+ ret->max_proto_version = s->max_proto_version;
ret->mode = s->mode;
SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
@@ -3839,21 +3844,6 @@ SSL *SSL_dup(SSL *s)
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
- /* setup rbio, and wbio */
- if (s->rbio != NULL) {
- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
- goto err;
- }
- if (s->wbio != NULL) {
- if (s->wbio != s->rbio) {
- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
- goto err;
- } else {
- BIO_up_ref(ret->rbio);
- ret->wbio = ret->rbio;
- }
- }
-
ret->server = s->server;
if (s->handshake_func) {
if (s->server)
diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c
index b9693527b3d2..6457c0c0efa3 100644
--- a/crypto/openssl/ssl/ssl_rsa.c
+++ b/crypto/openssl/ssl/ssl_rsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
- /*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
- if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
- && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
- else
-#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = NULL;
@@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
- /*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
- if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
- && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
- RSA_METHOD_FLAG_NO_CHECK) ;
- else
-#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
/*
* don't fail for a cert/key mismatch, just free current private
@@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr
EVP_PKEY_copy_parameters(pubkey, privatekey);
} /* else both have parameters */
- /* Copied from ssl_set_cert/pkey */
-#ifndef OPENSSL_NO_RSA
- if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
- ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
- /* no-op */ ;
- else
-#endif
/* check that key <-> cert match */
if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
diff --git a/crypto/openssl/ssl/statem/extensions.c b/crypto/openssl/ssl/statem/extensions.c
index 4ef8b417b820..c785ab785d38 100644
--- a/crypto/openssl/ssl/statem/extensions.c
+++ b/crypto/openssl/ssl/statem/extensions.c
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int context)
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with
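Review bot: `init_ems` now sets `TLS1_FLAGS_REQUIRED_EXTMS` whenever the previous handshake had EMS, but nothing at that site says this is what `final_ems` later enforces; a comment such as `/* EMS was negotiated last time: a renegotiation must keep it (enforced in final_ems) */` above the new `if` would tie the two halves together. The new check in `final_ems` references neither `sent` nor `context`, so it applies in both roles and on every handshake where the flag is set; worth stating explicitly if that is intended. `final_ems` continues past the end of the hunk.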
diff --git a/crypto/openssl/ssl/statem/extensions_srvr.c b/crypto/openssl/ssl/statem/extensions_srvr.c
index 3b07c6b940f4..3c7395c0eb26 100644
--- a/crypto/openssl/ssl/statem/extensions_srvr.c
+++ b/crypto/openssl/ssl/statem/extensions_srvr.c
@@ -1151,7 +1151,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (sesstmp == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- return 0;
+ goto err;
}
SSL_SESSION_free(sess);
sess = sesstmp;
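Review bot: The `goto err` replaces an early `return 0` that skipped cleanup, but the `err` label and what it releases lie outside this hunk; from the surrounding lines `sess` is the live resource at that point, so the label should be confirmed to free it. tls_parse_ctos_psk continues past both ends of the hunk.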
diff --git a/crypto/openssl/ssl/statem/statem_lib.c b/crypto/openssl/ssl/statem/statem_lib.c
index 43d6fd5de941..364f77f08a4e 100644
--- a/crypto/openssl/ssl/statem/statem_lib.c
+++ b/crypto/openssl/ssl/statem/statem_lib.c
@@ -1341,6 +1341,7 @@ int tls_get_message_body(SSL *s, size_t *len)
static const X509ERR2ALERT x509table[] = {
{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
+ {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
@@ -1656,11 +1657,22 @@ int ssl_check_version_downgrade(SSL *s)
*/
int ssl_set_version_bound(int method_version, int version, int *bound)
{
+ int valid_tls;
+ int valid_dtls;
+
if (version == 0) {
*bound = version;
return 1;
}
+ valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
+ valid_dtls =
+ DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
+ DTLS_VERSION_GE(version, DTLS1_BAD_VER);
+
+ if (!valid_tls && !valid_dtls)
+ return 0;
+
/*-
* Restrict TLS methods to TLS protocol versions.
* Restrict DTLS methods to DTLS protocol versions.
@@ -1671,31 +1683,24 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
* configurations. If the MIN (supported) version ever rises, the user's
* "floor" remains valid even if no longer available. We don't expect the
* MAX ceiling to ever get lower, so making that variable makes sense.
+ *
+ * We ignore attempts to set bounds on version-inflexible methods,
+ * returning success.
*/
switch (method_version) {
default:
- /*
- * XXX For fixed version methods, should we always fail and not set any
- * bounds, always succeed and not set any bounds, or set the bounds and
- * arrange to fail later if they are not met? At present fixed-version
- * methods are not subject to controls that disable individual protocol
- * versions.
- */
- return 0;
+ break;
case TLS_ANY_VERSION:
- if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
- return 0;
+ if (valid_tls)
+ *bound = version;
break;
case DTLS_ANY_VERSION:
- if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
- DTLS_VERSION_LT(version, DTLS1_BAD_VER))
- return 0;
+ if (valid_dtls)
+ *bound = version;
break;
}
-
- *bound = version;
return 1;
}
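Review bot: A version from the other protocol family now succeeds silently: with `TLS_ANY_VERSION` and a valid DTLS `version` (or `DTLS_ANY_VERSION` with a valid TLS one), neither `switch` arm assigns `*bound` and the function returns 1, whereas the removed code returned 0. The new comment only covers version-inflexible methods, so either document this case too, e.g. append `* A version from the other protocol family is likewise ignored.` to the comment, or restore rejection with `return 0;` in those two branches. ssl_set_version_bound starts in the preceding hunk.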
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index 76b4baa38893..48d46f8a48bd 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -2439,46 +2439,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
{
+ DH *dhp = NULL;
+ BIGNUM *p = NULL, *g = NULL;
int dh_secbits = 80;
- if (s->cert->dh_tmp_auto == 2)
- return DH_get_1024_160();
- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
- if (s->s3->tmp.new_cipher->strength_bits == 256)
- dh_secbits = 128;
- else
- dh_secbits = 80;
- } else {
- if (s->s3->tmp.cert == NULL)
- return NULL;
- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ if (s->cert->dh_tmp_auto != 2) {
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
+ dh_secbits = 128;
+ else
+ dh_secbits = 80;
+ } else {
+ if (s->s3->tmp.cert == NULL)
+ return NULL;
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ }
}
- if (dh_secbits >= 128) {
- DH *dhp = DH_new();
- BIGNUM *p, *g;
- if (dhp == NULL)
- return NULL;
- g = BN_new();
- if (g == NULL || !BN_set_word(g, 2)) {
- DH_free(dhp);
- BN_free(g);
- return NULL;
- }
- if (dh_secbits >= 192)
- p = BN_get_rfc3526_prime_8192(NULL);
- else
- p = BN_get_rfc3526_prime_3072(NULL);
- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
- DH_free(dhp);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dhp;
+ dhp = DH_new();
+ if (dhp == NULL)
+ return NULL;
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2)) {
+ DH_free(dhp);
+ BN_free(g);
+ return NULL;
+ }
+ if (dh_secbits >= 192)
+ p = BN_get_rfc3526_prime_8192(NULL);
+ else if (dh_secbits >= 152)
+ p = BN_get_rfc3526_prime_4096(NULL);
+ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
+ else if (dh_secbits >= 112)
+ p = BN_get_rfc3526_prime_2048(NULL);
+ else
+ p = BN_get_rfc2409_prime_1024(NULL);
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ DH_free(dhp);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
- if (dh_secbits >= 112)
- return DH_get_2048_224();
- return DH_get_1024_160();
+ return dhp;
}
#endif
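Review bot: The `dh_tmp_auto == 2` case now leaves `dh_secbits` at its initial 80 and therefore selects the 1024-bit RFC 2409 group, but nothing says this is the replacement for the removed `DH_get_1024_160()` return, and the prime ladder (8192/4096/3072/2048/1024 bits by `dh_secbits`) is undocumented. Suggest `/* dh_tmp_auto == 2 keeps the legacy 80-bit choice, i.e. the 1024-bit RFC 2409 group */` on the first `if`, plus a header comment on the function stating that the generator is 2 and the group size tracks `dh_secbits`, with a 1024-bit floor below 112 bits. That floor is below the 112-bit level the rest of the ladder assumes, so callers relying on auto DH with weak certificates should be told they get it.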
diff --git a/crypto/openssl/ssl/t1_trce.c b/crypto/openssl/ssl/t1_trce.c
index 5c84339314cd..e2c397b75657 100644
--- a/crypto/openssl/ssl/t1_trce.c
+++ b/crypto/openssl/ssl/t1_trce.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -656,7 +656,10 @@ static int ssl_print_random(BIO *bio, int indent,
if (*pmsglen < 32)
return 0;
- tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+ tm = ((unsigned int)p[0] << 24)
+ | ((unsigned int)p[1] << 16)
+ | ((unsigned int)p[2] << 8)
+ | (unsigned int)p[3];
p += 4;
BIO_indent(bio, indent, 80);
BIO_puts(bio, "Random:\n");
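Review bot: The casts to `unsigned int` fix a genuine problem (the promoted `int` in `p[0] << 24` overflows whenever the top byte has its high bit set, which is undefined behaviour), but none of the rewritten sites says so, and the identical rewrite appears in `ssl_print_extension` and twice in `ssl_print_ticket` further down. One comment at this first site, `/* widen before shifting: int << 24 overflows on a high top byte (UB) */`, would explain all four. ssl_print_random starts before this hunk.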
@@ -864,8 +867,10 @@ static int ssl_print_extension(BIO *bio, int indent, int server,
break;
if (extlen != 4)
return 0;
- max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8)
- | ext[3];
+ max_early_data = ((unsigned int)ext[0] << 24)
+ | ((unsigned int)ext[1] << 16)
+ | ((unsigned int)ext[2] << 8)
+ | (unsigned int)ext[3];
BIO_indent(bio, indent + 2, 80);
BIO_printf(bio, "max_early_data=%u\n", max_early_data);
break;
@@ -1356,7 +1361,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl,
}
if (msglen < 4)
return 0;
- tick_life = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
+ tick_life = ((unsigned int)msg[0] << 24)
+ | ((unsigned int)msg[1] << 16)
+ | ((unsigned int)msg[2] << 8)
+ | (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
@@ -1367,7 +1375,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl,
if (msglen < 4)
return 0;
ticket_age_add =
- (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
+ ((unsigned int)msg[0] << 24)
+ | ((unsigned int)msg[1] << 16)
+ | ((unsigned int)msg[2] << 8)
+ | (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
diff --git a/crypto/openssl/ssl/tls13_enc.c b/crypto/openssl/ssl/tls13_enc.c
index 86754dc9677c..b8fb07f210ef 100644
--- a/crypto/openssl/ssl/tls13_enc.c
+++ b/crypto/openssl/ssl/tls13_enc.c
@@ -390,11 +390,18 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
uint32_t algenc;
ivlen = EVP_CCM_TLS_IV_LEN;
- if (s->s3->tmp.new_cipher == NULL) {
+ if (s->s3->tmp.new_cipher != NULL) {
+ algenc = s->s3->tmp.new_cipher->algorithm_enc;
+ } else if (s->session->cipher != NULL) {
/* We've not selected a cipher yet - we must be doing early data */
algenc = s->session->cipher->algorithm_enc;
+ } else if (s->psksession != NULL && s->psksession->cipher != NULL) {
+ /* We must be doing early data with out-of-band PSK */
+ algenc = s->psksession->cipher->algorithm_enc;
} else {
- algenc = s->s3->tmp.new_cipher->algorithm_enc;
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
+ ERR_R_EVP_LIB);
+ goto err;
}
if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
taglen = EVP_CCM8_TLS_TAG_LEN;
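Review bot: The new `else if (s->session->cipher != NULL)` dereferences `s->session` without checking it, while the following branch does guard `s->psksession`; if `s->session` can be NULL here (not visible in the hunk), the guard should read `} else if (s->session != NULL && s->session->cipher != NULL) {`. The final `SSLfatal` reports `ERR_R_EVP_LIB` for what is really "no cipher selected", which will mislead anyone reading the error queue; a reason that names the missing cipher would help diagnosis. derive_secret_key_and_iv and its `err` label lie outside the hunk.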