sync with OpenBSD -current

lib/libssl/ssl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */
+/* $OpenBSD: ssl.h,v 1.231 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -610,9 +610,6 @@ void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
     int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
     EVP_PKEY **pkey);
-#ifndef OPENSSL_NO_ENGINE
-int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
-#endif
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
     int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
     unsigned int *cookie_len));

lib/libssl/ssl_ciph.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.136 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.137 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -145,10 +145,6 @@
 #include <openssl/objects.h>
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "ssl_local.h"
 
 #define CIPHER_ADD	1

lib/libssl/ssl_clnt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.161 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.162 2023/11/19 15:50:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -161,9 +161,6 @@
 #include <openssl/objects.h>
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 #ifndef OPENSSL_NO_GOST
 #include <openssl/gost.h>
 #endif
@@ -2527,20 +2524,10 @@ ssl3_check_finished(SSL *s)
 static int
 ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
 {
-	int	i = 0;
+	if (s->ctx->client_cert_cb == NULL)
+		return 0;
 
-#ifndef OPENSSL_NO_ENGINE
-	if (s->ctx->client_cert_engine) {
-		i = ENGINE_load_ssl_client_cert(
-		    s->ctx->client_cert_engine, s,
-		    SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL);
-		if (i != 0)
-			return (i);
-	}
-#endif
-	if (s->ctx->client_cert_cb)
-		i = s->ctx->client_cert_cb(s, px509, ppkey);
-	return (i);
+	return s->ctx->client_cert_cb(s, px509, ppkey);
 }
 
 static int

lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.314 2023/09/19 01:22:31 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.315 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -154,10 +154,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/x509v3.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "bytestring.h"
 #include "dtls_local.h"
 #include "ssl_local.h"
@@ -2164,26 +2160,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
 	ret->tlsext_status_cb = 0;
 	ret->tlsext_status_arg = NULL;
 
-#ifndef OPENSSL_NO_ENGINE
-	ret->client_cert_engine = NULL;
-#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
-#define eng_strx(x)	#x
-#define eng_str(x)	eng_strx(x)
-	/* Use specific client engine automatically... ignore errors */
-	{
-		ENGINE *eng;
-		eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
-		if (!eng) {
-			ERR_clear_error();
-			ENGINE_load_builtin_engines();
-			eng = ENGINE_by_id(eng_str(
-			    OPENSSL_SSL_CLIENT_ENGINE_AUTO));
-		}
-		if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
-			ERR_clear_error();
-	}
-#endif
-#endif
 	/*
 	 * Default is to connect to non-RI servers. When RI is more widely
 	 * deployed might change this.
@@ -2241,10 +2217,6 @@ SSL_CTX_free(SSL_CTX *ctx)
 		sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles);
 #endif
 
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE_finish(ctx->client_cert_engine);
-#endif
-
 	free(ctx->tlsext_ecpointformatlist);
 	free(ctx->tlsext_supportedgroups);
 

lib/libssl/ssl_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.7 2023/07/06 07:56:32 beck Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.8 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -865,12 +865,6 @@ struct ssl_ctx_st {
 	 */
 	unsigned int max_send_fragment;
 
-#ifndef OPENSSL_NO_ENGINE
-	/* Engine to pass requests for client certs to
-	 */
-	ENGINE *client_cert_engine;
-#endif
-
 	/* RFC 4507 session ticket keys */
 	unsigned char tlsext_tick_key_name[16];
 	unsigned char tlsext_tick_hmac_key[16];

lib/libssl/ssl_sess.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.122 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.123 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -138,10 +138,6 @@
 #include <openssl/lhash.h>
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "ssl_local.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -1320,25 +1316,6 @@ int
 }
 LSSL_ALIAS(SSL_CTX_get_client_cert_cb);
 
-#ifndef OPENSSL_NO_ENGINE
-int
-SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
-{
-	if (!ENGINE_init(e)) {
-		SSLerrorx(ERR_R_ENGINE_LIB);
-		return 0;
-	}
-	if (!ENGINE_get_ssl_client_cert_function(e)) {
-		SSLerrorx(SSL_R_NO_CLIENT_CERT_METHOD);
-		ENGINE_finish(e);
-		return 0;
-	}
-	ctx->client_cert_engine = e;
-	return 1;
-}
-LSSL_ALIAS(SSL_CTX_set_client_cert_engine);
-#endif
-
 void
 SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
     int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))

lib/libssl/ssl_srvr.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.156 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.157 2023/11/18 10:51:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2343,7 +2343,7 @@ ssl3_send_newsession_ticket(SSL *s)
 	unsigned int hlen;
 	EVP_CIPHER_CTX *ctx = NULL;
 	HMAC_CTX *hctx = NULL;
-	int len;
+	int iv_len, len;
 
 	/*
 	 * New Session Ticket - RFC 5077, section 3.3.
@@ -2426,7 +2426,9 @@ ssl3_send_newsession_ticket(SSL *s)
 			goto err;
 		if (!CBB_add_bytes(&ticket, key_name, sizeof(key_name)))
 			goto err;
-		if (!CBB_add_bytes(&ticket, iv, EVP_CIPHER_CTX_iv_length(ctx)))
+		if ((iv_len = EVP_CIPHER_CTX_iv_length(ctx)) < 0)
+			goto err;
+		if (!CBB_add_bytes(&ticket, iv, iv_len))
 			goto err;
 		if (!CBB_add_bytes(&ticket, enc_session, enc_session_len))
 			goto err;

lib/libssl/t1_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.197 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.198 2023/11/18 10:51:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -987,7 +987,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 	HMAC_CTX *hctx = NULL;
 	EVP_CIPHER_CTX *cctx = NULL;
 	SSL_CTX *tctx = s->initial_ctx;
-	int slen, hlen;
+	int slen, hlen, iv_len;
 	int alert_desc = SSL_AD_INTERNAL_ERROR;
 	int ret = TLS1_TICKET_FATAL_ERROR;
 
@@ -1027,12 +1027,13 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 			s->tlsext_ticket_expected = 1;
 		}
 
+		if ((iv_len = EVP_CIPHER_CTX_iv_length(cctx)) < 0)
+			goto err;
 		/*
 		 * Now that the cipher context is initialised, we can extract
 		 * the IV since its length is known.
 		 */
-		if (!CBS_get_bytes(ticket, &ticket_iv,
-		    EVP_CIPHER_CTX_iv_length(cctx)))
+		if (!CBS_get_bytes(ticket, &ticket_iv, iv_len))
 			goto derr;
 	} else {
 		/* Check that the key name matches. */
@@ -1040,8 +1041,9 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 		    tctx->tlsext_tick_key_name,
 		    sizeof(tctx->tlsext_tick_key_name)))
 			goto derr;
-		if (!CBS_get_bytes(ticket, &ticket_iv,
-		    EVP_CIPHER_iv_length(EVP_aes_128_cbc())))
+		if ((iv_len = EVP_CIPHER_iv_length(EVP_aes_128_cbc())) < 0)
+			goto err;
+		if (!CBS_get_bytes(ticket, &ticket_iv, iv_len))
 			goto derr;
 		if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL,
 		    tctx->tlsext_tick_aes_key, CBS_data(&ticket_iv)))