sync

lib/libssl/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.79 2023/05/05 21:23:02 tb Exp $
+# $OpenBSD: Makefile,v 1.80 2023/07/06 07:56:32 beck Exp $
 
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -19,10 +19,6 @@ CFLAGS+= -DLIBRESSL_INTERNAL
 .ifdef NAMESPACE
 CFLAGS+= -DLIBRESSL_NAMESPACE
 .endif
-.ifdef TLS1_3
-CFLAGS+= -DLIBRESSL_HAS_TLS1_3_CLIENT
-CFLAGS+= -DLIBRESSL_HAS_TLS1_3_SERVER
-.endif
 .ifdef TLS1_3_DEBUG
 CFLAGS+= -DTLS13_DEBUG
 .endif

lib/libssl/d1_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.127 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.128 2023/07/02 20:16:47 tb Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -206,16 +206,16 @@ dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata)
 static int
 dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 {
-	DTLS1_RECORD_DATA_INTERNAL *rdata;
-	pitem *item;
+	DTLS1_RECORD_DATA_INTERNAL *rdata = NULL;
+	pitem *item = NULL;
 
 	/* Limit the size of the queue to prevent DOS attacks */
 	if (pqueue_size(queue->q) >= 100)
 		return 0;
 
-	rdata = malloc(sizeof(DTLS1_RECORD_DATA_INTERNAL));
-	item = pitem_new(priority, rdata);
-	if (rdata == NULL || item == NULL)
+	if ((rdata = malloc(sizeof(*rdata))) == NULL)
+		goto init_err;
+	if ((item = pitem_new(priority, rdata)) == NULL)
 		goto init_err;
 
 	rdata->packet = s->packet;
@@ -252,16 +252,16 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 static int
 dtls1_buffer_rcontent(SSL *s, rcontent_pqueue *queue, unsigned char *priority)
 {
-	DTLS1_RCONTENT_DATA_INTERNAL *rdata;
-	pitem *item;
+	DTLS1_RCONTENT_DATA_INTERNAL *rdata = NULL;
+	pitem *item = NULL;
 
 	/* Limit the size of the queue to prevent DOS attacks */
 	if (pqueue_size(queue->q) >= 100)
 		return 0;
 
-	rdata = malloc(sizeof(DTLS1_RCONTENT_DATA_INTERNAL));
-	item = pitem_new(priority, rdata);
-	if (rdata == NULL || item == NULL)
+	if ((rdata = malloc(sizeof(*rdata))) == NULL)
+		goto init_err;
+	if ((item = pitem_new(priority, rdata)) == NULL)
 		goto init_err;
 
 	rdata->rcontent = s->s3->rcontent;

lib/libssl/hidden/openssl/ssl.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.h,v 1.1 2022/11/11 11:25:18 beck Exp $	*/
+/*	$OpenBSD: ssl.h,v 1.2 2023/07/05 21:14:54 bcook Exp $	*/
 /*
  * Copyright (c) 2022 Philip Guenther <guenther@openbsd.org>
  *
@@ -18,7 +18,11 @@
 #ifndef _LIBSSL_SSL_H_
 #define _LIBSSL_SSL_H_
 
+#ifndef _MSC_VER
 #include_next <openssl/ssl.h>
+#else
+#include "../include/openssl/ssl.h"
+#endif
 #include "ssl_namespace.h"
 
 LSSL_USED(BIO_f_ssl);

lib/libssl/s3_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
 	s->s3->in_read_app_data = 0;
 
 	s->packet_length = 0;
-	s->version = TLS1_VERSION;
+	s->version = TLS1_2_VERSION;
 
 	s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
 }

lib/libssl/ssl_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.6 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.7 2023/07/06 07:56:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -174,18 +174,6 @@ __BEGIN_HIDDEN_DECLS
 #define LIBRESSL_HAS_DTLS1_2
 #endif
 
-#ifndef LIBRESSL_HAS_TLS1_3_CLIENT
-#define LIBRESSL_HAS_TLS1_3_CLIENT
-#endif
-
-#ifndef LIBRESSL_HAS_TLS1_3_SERVER
-#define LIBRESSL_HAS_TLS1_3_SERVER
-#endif
-
-#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) || defined(LIBRESSL_HAS_TLS1_3_SERVER)
-#define LIBRESSL_HAS_TLS1_3
-#endif
-
 /* LOCAL STUFF */
 
 #define SSL_DECRYPT	0

lib/libssl/ssl_methods.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.29 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.30 2023/07/06 07:56:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -240,7 +240,6 @@ DTLS_server_method(void)
 	return &DTLS_method_data;
 }
 
-#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER)
 static const SSL_METHOD TLS_method_data = {
 	.dtls = 0,
 	.server = 1,
@@ -261,7 +260,6 @@ static const SSL_METHOD TLS_method_data = {
 	.get_cipher = ssl3_get_cipher,
 	.enc_flags = TLSV1_3_ENC_FLAGS,
 };
-#endif
 
 static const SSL_METHOD TLS_legacy_method_data = {
 	.dtls = 0,
@@ -284,7 +282,6 @@ static const SSL_METHOD TLS_legacy_method_data = {
 	.enc_flags = TLSV1_2_ENC_FLAGS,
 };
 
-#if defined(LIBRESSL_HAS_TLS1_3_CLIENT)
 static const SSL_METHOD TLS_client_method_data = {
 	.dtls = 0,
 	.server = 0,
@@ -306,30 +303,6 @@ static const SSL_METHOD TLS_client_method_data = {
 	.enc_flags = TLSV1_3_ENC_FLAGS,
 };
 
-#else
-
-static const SSL_METHOD TLS_legacy_client_method_data = {
-	.dtls = 0,
-	.server = 0,
-	.version = TLS1_2_VERSION,
-	.min_tls_version = TLS1_VERSION,
-	.max_tls_version = TLS1_2_VERSION,
-	.ssl_new = tls1_new,
-	.ssl_clear = tls1_clear,
-	.ssl_free = tls1_free,
-	.ssl_accept = ssl3_accept,
-	.ssl_connect = ssl3_connect,
-	.ssl_shutdown = ssl3_shutdown,
-	.ssl_renegotiate = ssl_undefined_function,
-	.ssl_renegotiate_check = ssl_ok,
-	.ssl_pending = ssl3_pending,
-	.ssl_read_bytes = ssl3_read_bytes,
-	.ssl_write_bytes = ssl3_write_bytes,
-	.get_cipher = ssl3_get_cipher,
-	.enc_flags = TLSV1_2_ENC_FLAGS,
-};
-#endif
-
 static const SSL_METHOD TLSv1_method_data = {
 	.dtls = 0,
 	.server = 1,
@@ -459,21 +432,13 @@ static const SSL_METHOD TLSv1_2_client_method_data = {
 const SSL_METHOD *
 TLS_client_method(void)
 {
-#if defined(LIBRESSL_HAS_TLS1_3_CLIENT)
 	return (&TLS_client_method_data);
-#else
-	return (&TLS_legacy_client_method_data);
-#endif
 }
 
 const SSL_METHOD *
 TLS_method(void)
 {
-#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER)
 	return (&TLS_method_data);
-#else
-	return tls_legacy_method();
-#endif
 }
 
 const SSL_METHOD *

lib/libssl/ssl_versions.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 			options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
 	}
 
-	if ((options & SSL_OP_NO_TLSv1) == 0)
-		min_version = TLS1_VERSION;
-	else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-		min_version = TLS1_1_VERSION;
-	else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+	if ((options & SSL_OP_NO_TLSv1_2) == 0)
 		min_version = TLS1_2_VERSION;
 	else if ((options & SSL_OP_NO_TLSv1_3) == 0)
 		min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 	if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
 		max_version = TLS1_2_VERSION;
 	if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-		max_version = TLS1_1_VERSION;
-	if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-		max_version = TLS1_VERSION;
-	if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
 		max_version = 0;
 
 	/* Everything has been disabled... */