Changeset 97372 in vbox for trunk/src/libs/openssl-3.0.7/ssl/t1_lib.c

Timestamp:

Nov 2, 2022 7:40:16 AM (3 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

154372

Message:

libs: Switch to openssl-3.0.7, bugref:10317

Location:

trunk/src/libs/openssl-3.0.7

Files:

• . (modified) (1 prop)
• ssl/t1_lib.c (modified) (10 diffs)

trunk/src/libs/openssl-3.0.7

@@ -15 +15 @@
 /vendor/openssl/3.0.2:150728-150729
 /vendor/openssl/3.0.3:151497-151729
-/vendor/openssl/current:147554-151496
+/vendor/openssl/3.0.7:154371
+/vendor/openssl/current:147554-154370

@@ -15 +15 @@
 /vendor/openssl/3.0.2:150728-150729
 /vendor/openssl/3.0.3:151497-151729
-/vendor/openssl/current:147554-151496
+/vendor/openssl/3.0.7:154371
+/vendor/openssl/current:147554-154370

trunk/src/libs/openssl-3.0.7/ssl/t1_lib.c

@@ -345 +345 @@
      */
     ret = 1;
+    ERR_set_mark();
     keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
     if (keymgmt != NULL) {
@@ -366 +367 @@
         EVP_KEYMGMT_free(keymgmt);
     }
+    ERR_pop_to_mark();
  err:
     if (ginf != NULL) {
@@ -371 +373 @@
         OPENSSL_free(ginf->realname);
         OPENSSL_free(ginf->algorithm);
-        ginf->tlsname = ginf->realname = NULL;
+        ginf->algorithm = ginf->tlsname = ginf->realname = NULL;
     }
     return ret;
@@ -725 +727 @@
 
     gid = tls1_group_name2id(garg->ctx, etmp);
-    if (gid == 0)
-        return 0;
+    if (gid == 0) {
+        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
+                       "group '%s' cannot be set", etmp);
+        return 0;
+    }
     for (i = 0; i < garg->gidcnt; i++)
         if (garg->gid_arr[i] == gid)
@@ -1782 +1787 @@
     unsigned char *sdec;
     const unsigned char *p;
-    int slen, renew_ticket = 0, declen;
+    int slen, ivlen, renew_ticket = 0, declen;
     SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER;
     size_t mlen;
@@ -1895 +1900 @@
     }
 
+    ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
+    if (ivlen < 0) {
+        ret = SSL_TICKET_FATAL_ERR_OTHER;
+        goto end;
+    }
+
     /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-    if (eticklen <=
-        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx) + mlen) {
+    if (eticklen <= TLSEXT_KEYNAME_LENGTH + ivlen + mlen) {
         ret = SSL_TICKET_NO_DECRYPT;
         goto end;
@@ -1915 +1925 @@
     /* Attempt to decrypt session data */
     /* Move p after IV to start of encrypted ticket, update length */
-    p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx);
-    eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx);
+    p = etick + TLSEXT_KEYNAME_LENGTH + ivlen;
+    eticklen -= TLSEXT_KEYNAME_LENGTH + ivlen;
     sdec = OPENSSL_malloc(eticklen);
     if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
@@ -2817 +2827 @@
         ca_dn = s->s3.tmp.peer_ca_names;
 
-        if (!sk_X509_NAME_num(ca_dn))
+        if (ca_dn == NULL
+            || sk_X509_NAME_num(ca_dn) == 0
+            || ssl_check_ca_name(ca_dn, x))
             rv |= CERT_PKEY_ISSUER_NAME;
-
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
-            if (ssl_check_ca_name(ca_dn, x))
-                rv |= CERT_PKEY_ISSUER_NAME;
-        }
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
+        else
             for (i = 0; i < sk_X509_num(chain); i++) {
                 X509 *xtmp = sk_X509_value(chain, i);
+
                 if (ssl_check_ca_name(ca_dn, xtmp)) {
                     rv |= CERT_PKEY_ISSUER_NAME;
@@ -2832 +2840 @@
                 }
             }
-        }
+
         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
             goto end;
@@ -3012 +3020 @@
     if (x == NULL) {
         x = sk_X509_value(sk, 0);
+        if (x == NULL)
+            return ERR_R_INTERNAL_ERROR;
         start_idx = 1;
     } else

@@ -15 +15 @@
 /vendor/openssl/3.0.2:150728-150729
 /vendor/openssl/3.0.3:151497-151729
-/vendor/openssl/current:147554-151496
+/vendor/openssl/3.0.7:154371
+/vendor/openssl/current:147554-154370