This is errata/6.8/013_libressl.patch.siglibressl-v3.2.4

Various interoperability issues and memory leaks were discovered in
libcrypto and libssl.

The new verifier is not bug compatible with the old verifier and caused
many issues by failing to propagate errors correctly, returning different
error codes than some software was trained to expect and otherwise failing
when it shouldn't. While much of this is fixed in -current, it's still not
perfect, so switching back to the legacy verifier is preferable at this
point.

Other included fixes:

* Unbreak DTLS retransmissions for flights that include a CCS
* Only check BIO_should_read() on read and BIO_should_write() on write
* Implement autochain for the TLSv1.3 server
* Use the legacy verifier for AUTO_CHAIN
* Implement exporter for TLSv1.3
* Free alert_data and phh_data in tls13_record_layer_free()
* Plug leak in x509_verify_chain_dup()
* Free the policy tree in x509_vfy_check_policy()

Original commits by jsing and tb

ok inoguchi jsing

12 files changed, 172 insertions, 28 deletions

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 0c32cd04b7..be70ff8372 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.13.4.1 2021/02/03 07:06:13 tb Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -81,7 +81,7 @@ x509_verify_chain_dup(struct x509_verify_chain *chain)
 {
         struct x509_verify_chain *new_chain;
 
-        if ((new_chain = x509_verify_chain_new()) == NULL)
+        if ((new_chain = calloc(1, sizeof(*chain))) == NULL)
                 goto err;
         if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL)
                 goto err;
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index fe1431ce49..931adb84bc 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.81 2020/09/26 02:06:28 deraadt Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.81.4.1 2021/02/03 07:06:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1794,6 +1794,11 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 
         if (ctx->parent)
                 return 1;
+
+        /* X509_policy_check always allocates a new tree. */
+        X509_policy_tree_free(ctx->tree);
+        ctx->tree = NULL;
+
         ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
             ctx->param->policies, ctx->param->flags);
         if (ret == 0) {
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 448ee20984..d4715228dc 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.22 2020/09/14 08:10:04 beck Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.22.4.1 2021/02/03 07:06:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -177,7 +177,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
         param->trust = 0;
         /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
         param->inh_flags = 0;
-        param->flags = 0;
+        param->flags = X509_V_FLAG_LEGACY_VERIFY;
         param->depth = -1;
         if (param->policies) {
                 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 3d2516ce41..92d86da679 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.60 2020/09/26 14:43:17 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.60.4.1 2021/02/03 07:06:13 tb Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1060,18 +1060,18 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
             frag->msg_header.frag_len);
 
         /* save current state */
-        saved_state.enc_write_ctx = s->internal->enc_write_ctx;
-        saved_state.write_hash = s->internal->write_hash;
         saved_state.session = s->session;
         saved_state.epoch = D1I(s)->w_epoch;
 
         D1I(s)->retransmitting = 1;
 
         /* restore state in which the message was originally sent */
-        s->internal->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
-        s->internal->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
         s->session = frag->msg_header.saved_retransmit_state.session;
         D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
+        if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
+            frag->msg_header.saved_retransmit_state.enc_write_ctx,
+            frag->msg_header.saved_retransmit_state.write_hash, 0))
+                return 0;
 
         if (frag->msg_header.saved_retransmit_state.epoch ==
             saved_state.epoch - 1) {
@@ -1085,10 +1085,11 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
             SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
 
         /* restore current state */
-        s->internal->enc_write_ctx = saved_state.enc_write_ctx;
-        s->internal->write_hash = saved_state.write_hash;
         s->session = saved_state.session;
         D1I(s)->w_epoch = saved_state.epoch;
+        if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
+            s->internal->enc_write_ctx, s->internal->write_hash, 0))
+                return 0;
 
         if (frag->msg_header.saved_retransmit_state.epoch ==
             saved_state.epoch - 1) {
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 5da450b5ce..5b64044e22 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.20 2020/09/24 18:12:00 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.20.4.1 2021/02/03 07:06:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -408,6 +408,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk)
                         SSLerror(s, ERR_R_X509_LIB);
                         goto err;
                 }
+                X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx),
+                    X509_V_FLAG_LEGACY_VERIFY);
                 X509_verify_cert(xs_ctx);
                 ERR_clear_error();
                 chain = xs_ctx->chain;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6e375e1c09..1cf64d1301 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.234 2020/09/24 18:12:00 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.234.4.1 2021/02/03 07:06:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1710,8 +1710,17 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
     const char *label, size_t llen, const unsigned char *p, size_t plen,
     int use_context)
 {
-        return (tls1_export_keying_material(s, out, olen,
-            label, llen, p, plen, use_context));
+        if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) {
+                if (!use_context) {
+                        p = NULL;
+                        plen = 0;
+                }
+                return tls13_exporter(s->internal->tls13, label, llen, p, plen,
+                    out, olen);
+        }
+
+        return (tls1_export_keying_material(s, out, olen, label, llen, p, plen,
+            use_context));
 }
 
 static unsigned long
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 03a1a6b4b1..bdb554cbc2 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.86 2020/07/30 16:23:17 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.86.4.1 2021/02/03 07:06:14 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -148,6 +148,16 @@ void tls13_secrets_destroy(struct tls13_secrets *secrets);
 int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
     const struct tls13_secret *secret, const char *label,
     const struct tls13_secret *context);
+int tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context);
+
+int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
+    const struct tls13_secret *secret, const char *label,   
+    const struct tls13_secret *context);
+int tls13_derive_secret_with_label_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context);
 
 int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk,
     size_t psk_len, const struct tls13_secret *context);
@@ -412,6 +422,10 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode,
         tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
             (fmt), __VA_ARGS__)
 
+int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
+    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
+    size_t out_len);
+
 extern const uint8_t tls13_downgrade_12[8];
 extern const uint8_t tls13_downgrade_11[8];
 extern const uint8_t tls13_hello_retry_request_hash[32];
diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c
index 91f59e46f9..d112351530 100644
--- a/src/lib/libssl/tls13_key_schedule.c
+++ b/src/lib/libssl/tls13_key_schedule.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_key_schedule.c,v 1.8 2019/11/17 21:01:08 beck Exp $ */
+/* $OpenBSD: tls13_key_schedule.c,v 1.8.6.1 2021/02/03 07:06:14 tb Exp $ */
 /* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -174,6 +174,15 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
     const struct tls13_secret *secret, const char *label,
     const struct tls13_secret *context)
 {
+        return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
+            strlen(label), context);
+}
+
+int
+tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context)
+{
         const char tls13_plabel[] = "tls13 ";
         uint8_t *hkdf_label;
         size_t hkdf_label_len;
@@ -188,7 +197,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
                 goto err;
         if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
                 goto err;
-        if (!CBB_add_bytes(&child, label, strlen(label)))
+        if (!CBB_add_bytes(&child, label, label_len))
                 goto err;
         if (!CBB_add_u8_length_prefixed(&cbb, &child))
                 goto err;
@@ -207,7 +216,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
         return(0);
 }
 
-static int
+int
 tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
     const struct tls13_secret *secret, const char *label,
     const struct tls13_secret *context)
@@ -216,6 +225,15 @@ tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
 }
 
 int
+tls13_derive_secret_with_label_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label,
+    size_t label_len, const struct tls13_secret *context)
+{
+        return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
+            label_len, context);
+}
+
+int
 tls13_derive_early_secrets(struct tls13_secrets *secrets,
     uint8_t *psk, size_t psk_len, const struct tls13_secret *context)
 {
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 317a1cb0f5..468f4edfc4 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.13 2020/09/13 15:04:35 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.13.4.1 2021/02/03 07:06:14 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -40,8 +40,6 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
         if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
                 if (BIO_should_read(ssl->rbio))
                         return TLS13_IO_WANT_POLLIN;
-                if (BIO_should_write(ssl->rbio))
-                        return TLS13_IO_WANT_POLLOUT;
                 if (n == 0)
                         return TLS13_IO_EOF;
 
@@ -79,8 +77,6 @@ tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
         errno = 0;
 
         if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
-                if (BIO_should_read(ssl->wbio))
-                        return TLS13_IO_WANT_POLLIN;
                 if (BIO_should_write(ssl->wbio))
                         return TLS13_IO_WANT_POLLOUT;
 
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 590426ad8a..af3de58f93 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.54 2020/09/11 15:03:36 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.54.4.1 2021/02/03 07:06:14 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -579,3 +579,75 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
         return 1;
 }
 
+int
+tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
+    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
+    size_t out_len)
+{
+        struct tls13_secret context, export_out, export_secret;
+        struct tls13_secrets *secrets = ctx->hs->secrets;
+        EVP_MD_CTX *md_ctx = NULL;
+        unsigned int md_out_len;
+        int md_len;
+        int ret = 0;
+
+        /*
+         * RFC 8446 Section 7.5.
+         */
+
+        memset(&context, 0, sizeof(context));
+        memset(&export_secret, 0, sizeof(export_secret));
+
+        export_out.data = out;
+        export_out.len = out_len;
+
+        if (!ctx->handshake_completed)
+                return 0;
+
+        md_len = EVP_MD_size(secrets->digest);
+        if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
+                goto err;
+
+        if ((export_secret.data = calloc(1, md_len)) == NULL)
+                goto err;
+        export_secret.len = md_len;
+
+        if ((context.data = calloc(1, md_len)) == NULL)
+                goto err;
+        context.len = md_len;
+
+        /* In TLSv1.3 no context is equivalent to an empty context. */
+        if (context_value == NULL) {
+                context_value = "";
+                context_value_len = 0;
+        }
+
+        if ((md_ctx = EVP_MD_CTX_new()) == NULL)
+                goto err;
+        if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
+                goto err;
+        if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
+                goto err;
+        if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
+                goto err;
+        if (md_len != md_out_len)
+                goto err;
+
+        if (!tls13_derive_secret_with_label_length(&export_secret,
+            secrets->digest, &secrets->exporter_master, label, label_len,
+            &secrets->empty_hash))
+                goto err;
+
+        if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
+            &export_secret, "exporter", &context))
+                goto err;
+
+        ret = 1;
+
+ err:
+        EVP_MD_CTX_free(md_ctx);
+        freezero(context.data, context.len);
+        freezero(export_secret.data, export_secret.len);
+
+        return ret;
+}
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 1d75d9e5a4..6e1548ea14 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.53 2020/09/11 15:03:36 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.53.4.1 2021/02/03 07:06:14 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -135,6 +135,9 @@ tls13_record_layer_free(struct tls13_record_layer *rl)
         if (rl == NULL)
                 return;
 
+        freezero(rl->alert_data, rl->alert_len);
+        freezero(rl->phh_data, rl->phh_len);
+
         tls13_record_layer_rbuf_free(rl);
 
         tls13_record_layer_rrec_free(rl);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index a5c03b610c..f9b557d2ac 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.61.4.1 2021/02/03 07:06:14 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -611,6 +611,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
         SSL *s = ctx->ssl;
         CBB cert_request_context, cert_list;
         const struct ssl_sigalg *sigalg;
+        X509_STORE_CTX *xsc = NULL;
         STACK_OF(X509) *chain;
         CERT_PKEY *cpk;
         X509 *cert;
@@ -633,6 +634,18 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
         if ((chain = cpk->chain) == NULL)
                 chain = s->ctx->extra_certs;
 
+        if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
+                if ((xsc = X509_STORE_CTX_new()) == NULL)
+                        goto err;
+                if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
+                        goto err;
+                X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
+                    X509_V_FLAG_LEGACY_VERIFY);
+                X509_verify_cert(xsc);
+                ERR_clear_error();
+                chain = xsc->chain;
+        }
+
         if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
                 goto err;
         if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
@@ -643,6 +656,15 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 
         for (i = 0; i < sk_X509_num(chain); i++) {
                 cert = sk_X509_value(chain, i);
+
+                /*
+                 * In the case of auto chain, the leaf certificate will be at
+                 * the top of the chain - skip over it as we've already added
+                 * it earlier.
+                 */
+                if (i == 0 && cert == cpk->x509)
+                        continue;
+
                 /*
                  * XXX we don't send extensions with chain certs to avoid sending
                  * a leaf ocsp stape with the chain certs.  This needs to get
@@ -658,6 +680,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
         ret = 1;
 
  err:
+        X509_STORE_CTX_free(xsc);
+
         return ret;
 }