authorEnji Cooper <ngie@FreeBSD.org>2025-07-11 00:18:38 +0000
committerEnji Cooper <ngie@FreeBSD.org>2025-07-11 00:18:38 +0000
commitecf8229ffeb17a05c78fab6b973b0cccb84e25c5 (patch)
treeda8cf5ccc84d9bc3fbadcf674c7d501f9ca7ab5d /ssl
parent1c34280346af8284acdc0eae39496811d37df25d (diff)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/rec_layer_d1.c13
-rw-r--r--ssl/record/rec_layer_s3.c8
-rw-r--r--ssl/s3_lib.c9
-rw-r--r--ssl/ssl_cert.c11
-rw-r--r--ssl/ssl_sess.c5
-rw-r--r--ssl/statem/extensions_srvr.c18
-rw-r--r--ssl/statem/statem_lib.c25
7 files changed, 61 insertions, 28 deletions
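--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -606,6 +606,17 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
 #endif
 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
 return 0;
+ } else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
+ /*
+ * This is a warning but we receive it if we requested
+ * renegotiation and the peer denied it. Terminate with a fatal
+ * alert because if the application tried to renegotiate it
+ * presumably had a good reason and expects it to succeed. In
+ * the future we might have a renegotiation where we don't care
+ * if the peer refused it where we carry on.
+ */
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION);
+ return -1;
 }
 } else if (alert_level == SSL3_AL_FATAL) {
 s->rwstate = SSL_NOTHING;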
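Review bot: The new SSL_AD_NO_RENEGOTIATION branch keys only on the alert descriptor, so the premise stated in its comment (that the warning arrives because we requested renegotiation) is never checked before the DTLS connection is torn down with a fatal alert; an unsolicited no_renegotiation warning from the peer now ends the session, which mirrors what ssl3_read_bytes already does in rec_layer_s3.c. If that is intended, say so in the comment, e.g. `* We do not verify that a renegotiation was actually requested; an unsolicited warning is treated the same way.`; otherwise gate the branch on `SSL_renegotiate_pending(s)` before calling SSLfatal. dtls1_read_bytes starts and ends outside the hunk.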
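--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -1613,10 +1613,10 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
 /*
 * This is a warning but we receive it if we requested
 * renegotiation and the peer denied it. Terminate with a fatal
- * alert because if application tried to renegotiate it
+ * alert because if the application tried to renegotiate it
 * presumably had a good reason and expects it to succeed. In
- * future we might have a renegotiation where we don't care if
- * the peer refused it where we carry on.
+ * the future we might have a renegotiation where we don't care
+ * if the peer refused it where we carry on.
 */
 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION);
 return -1;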
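--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
 *
@@ -4820,7 +4820,10 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
 }
 if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ /*
+ * the public key was probably a weak key
+ */
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
 goto err;
 }
@@ -4923,7 +4926,7 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey,
 }
 if (EVP_PKEY_encapsulate(pctx, ct, &ctlen, pms, &pmslen) <= 0) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
 goto err;
 }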
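Review bot: The new comment above the SSLfatal in ssl_derive is vague, and the identical change in ssl_encapsulate in the second hunk gets no comment at all, even though both now report any EVP_PKEY_derive / EVP_PKEY_encapsulate failure — including provider or allocation errors — as an illegal_parameter alert attributing the problem to the peer's key share. Suggest the same comment in both places, e.g. `/* Most likely an invalid or weak peer key share; report it to the peer as illegal_parameter rather than as an internal error. */`. The alert choice looks appropriate for a rejected key share; the trade-off worth recording is that genuine local failures are now indistinguishable from peer errors on the wire. Both ssl_derive and ssl_encapsulate start and end outside their hunks.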
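--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -812,16 +812,17 @@ static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
 OSSL_STORE_CTX *ctx = NULL;
 X509 *x = NULL;
 X509_NAME *xn = NULL;
+ OSSL_STORE_INFO *info = NULL;
 if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
 goto err;
 while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) {
- OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
- int infotype = info == 0 ? 0 : OSSL_STORE_INFO_get_type(info);
+ int infotype;
- if (info == NULL)
+ if ((info = OSSL_STORE_load(ctx)) == NULL)
 continue;
+ infotype = OSSL_STORE_INFO_get_type(info);
 if (infotype == OSSL_STORE_INFO_NAME) {
 /*
@@ -846,6 +847,7 @@ static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
 }
 OSSL_STORE_INFO_free(info);
+ info = NULL;
 }
 ERR_clear_error();
@@ -853,6 +855,7 @@ static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
 err:
 ok = 0;
+ OSSL_STORE_INFO_free(info);
 done:
 OSSL_STORE_close(ctx);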
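Review bot: The hoisted `OSSL_STORE_INFO *info = NULL;` at the top of add_uris_recursive carries no comment saying why it moved out of the loop, and the free added under `err:` is only safe because the loop resets `info = NULL` right after its own free in the second hunk; a later edit that frees `info` on another path without that reset would reintroduce a double free. Suggest on the declaration: `/* Function-scoped so that err: can release an entry whose processing bailed out mid-loop; must be reset to NULL after every free. */`. The `goto err` sites inside the loop body are not in this hunk, so that they leave `info` still owned here is inferred from the visible code rather than shown. add_uris_recursive starts outside the hunk.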
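--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2005 Nokia. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -612,6 +612,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
 SSL_TICKET_STATUS r;
 if (SSL_IS_TLS13(s)) {
+ SSL_SESSION_free(s->session);
+ s->session = NULL;
 /*
 * By default we will send a new ticket. This can be overridden in the
 * ticket processing.
@@ -624,6 +626,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
 hello->pre_proc_exts, NULL, 0))
 return -1;
+ /* If we resumed, s->session will now be set */
 ret = s->session;
 } else {
 /* sets s->ext.ticket_expected */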
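Review bot: `SSL_SESSION_free(s->session); s->session = NULL;` now runs before the extension processing in the second hunk, so on the `return -1` path that follows, the SSL object has already discarded whatever session it held; if any caller of ssl_get_prev_session relied on s->session surviving a failed lookup, that should be checked. The free itself also has no comment explaining the intent; suggest `/* Drop any stale session before ticket/PSK processing so it cannot be mistaken for a resumption; a successful PSK match installs a fresh s->session below */` (the PSK detail is inferred from the following comment, not shown in the hunk). ssl_get_prev_session starts and ends outside the hunk.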
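--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -275,7 +275,13 @@ int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
 return 0;
 }
- if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
+ /*
+ * We use this routine on both clients and servers, and when clients
+ * get asked for PHA we need to always save the sigalgs regardless
+ * of whether it was a resumption or not.
+ */
+ if ((!s->server || (s->server && !s->hit))
+ && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
 return 0;
 }
@@ -294,7 +300,13 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 return 0;
 }
- if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
+ /*
+ * We use this routine on both clients and servers, and when clients
+ * get asked for PHA we need to always save the sigalgs regardless
+ * of whether it was a resumption or not.
+ */
+ if ((!s->server || (s->server && !s->hit))
+ && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
 return 0;
 }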
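Review bot: The new condition `(!s->server || (s->server && !s->hit))` in tls_parse_ctos_sig_algs_cert is redundant — once `!s->server` is false, `s->server` is already known true, so the inner conjunct adds nothing — and the same expression is repeated in tls_parse_ctos_sig_algs in the second hunk. Simplify both to `if ((!s->server || !s->hit)` followed by the existing `&& !tls1_save_sigalgs(...)` line; behaviour is identical and the intent (clients always save, servers only on a full handshake) reads directly. The accompanying comment could state that server-side half explicitly, e.g. append `Servers skip the save on a resumed handshake (s->hit), as before.` Both functions start outside their hunks.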
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 6f0eaa5d6c0d..422d0428d465 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -1967,23 +1967,24 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
real_max = ver_max;
/* Check for downgrades */
- if (s->version == TLS1_2_VERSION && real_max > s->version) {
- if (memcmp(tls12downgrade,
+ if (!SSL_IS_DTLS(s) && real_max > s->version) {
+ /* Signal applies to all versions */
+ if (memcmp(tls11downgrade,
s->s3.server_random + SSL3_RANDOM_SIZE
- - sizeof(tls12downgrade),
- sizeof(tls12downgrade)) == 0) {
+ - sizeof(tls11downgrade),
+ sizeof(tls11downgrade)) == 0) {
s->version = origv;
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INAPPROPRIATE_FALLBACK);
return 0;
}
- } else if (!SSL_IS_DTLS(s)
- && s->version < TLS1_2_VERSION
- && real_max > s->version) {
- if (memcmp(tls11downgrade,
- s->s3.server_random + SSL3_RANDOM_SIZE
- - sizeof(tls11downgrade),
- sizeof(tls11downgrade)) == 0) {
+ /* Only when accepting TLS1.3 */
+ if (real_max == TLS1_3_VERSION
+ && memcmp(tls12downgrade,
+ s->s3.server_random + SSL3_RANDOM_SIZE
+ - sizeof(tls12downgrade),
+ sizeof(tls12downgrade)) == 0) {
+
s->version = origv;
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INAPPROPRIATE_FALLBACK);