system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 02:37:15 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

openssl: Vendor import of OpenSSL-3.0.9

Browse source 
Summary:

Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from:  https://www.openssl.org/source/openssl-3.0.9.tar.gz

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.9.tar.gz                                    14 MB   74 MBps    01s
openssl-3.0.9.tar.gz.asc                               833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.9
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2021-07-16 [SC] [expires: 2031-07-14]
      A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
uid           [ unknown] Tomáš Mráz <tm@t8m.info>
uid           [ unknown] Tomáš Mráz <tomas@arleto.cz>
uid           [ unknown] Tomáš Mráz <tomas@openssl.org>
sub   rsa4096 2021-07-16 [S] [expires: 2027-07-15]
sub   rsa4096 2021-07-16 [E] [expires: 2031-07-14]

$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue May 30 14:32:24 2023 CEST
gpg:                using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D
gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@arleto.cz>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A21F AB74 B008 8AA3 6115  2586 B8EF 1A6B A9DA 2D5C
     Subkey fingerprint: DC70 3266 2AF8 85E2 F47F  243F 5274 66A2 1CA7 9E6D

$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER}  .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
```
This commit is contained in:
Pierre Pronchery 2023-06-01 00:06:50 +02:00 committed by Ed Maste
parent e4520c8bd1
commit b84c4564ef
181 changed files with 2746 additions and 1762 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
CHANGES.md
View file

@ -28,6 +28,80 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
### Changes between 3.0.8 and 3.0.9 [30 May 2023]
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier. ([CVE-2023-2650])
To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of
the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
*Richard Levitte*
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
trigger a crash of an application using AES-XTS decryption if the memory
just after the buffer being decrypted is not mapped.
Thanks to Anton Romanov (Amazon) for discovering the issue.
([CVE-2023-1255])
*Nevine Ebeid*
* Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 3.0.7. The new fix uses existing constant time
code paths, and restores the previous performance level while
fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support
by Hubert Kario.
*Bernd Edlinger*
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to David Benjamin for
discovering this issue.
([CVE-2023-0466])
*Tomáš Mráz*
* Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on the
certificate altogether.
([CVE-2023-0465])
*Matt Caswell*
* Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
unlimited growth.
([CVE-2023-0464])
*Paul Dale*
### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
* Fixed NULL dereference during PKCS7 data verification.
@ -19578,6 +19652,11 @@ ndif
<!-- Links -->
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
@ -19588,7 +19667,7 @@ ndif
[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563

2
Configure
View file

@ -1423,7 +1423,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
}
if ($target =~ /linux.*-mips/ && !$disabled{asm}
&& !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
&& !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
# minimally required architecture flags for assembly modules
my $value;
$value = '-mips2' if ($target =~ /mips32/);

19
NEWS.md
View file

@ -18,6 +18,17 @@ OpenSSL Releases
OpenSSL 3.0
-----------
### Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
IDENTIFIER sub-identities. ([CVE-2023-2650])
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms
([CVE-2023-1255])
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
* Fixed handling of invalid certificate policies in leaf certificates
([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
* Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
@ -1430,6 +1441,12 @@ OpenSSL 0.9.x
* Support for various new platforms
<!-- Links -->
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
@ -1440,7 +1457,7 @@ OpenSSL 0.9.x
[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563

14
NOTES-NONSTOP.md
View file

@ -44,6 +44,20 @@ instead of `nsx` in the set above.
You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
option to `./Configure`.
Linking and Loading Considerations
----------------------------------
Because of how the NonStop Common Runtime Environment (CRE) works, there are
restrictions on how programs can link and load with OpenSSL libraries.
On current NonStop platforms, programs cannot both statically link OpenSSL
libraries and dynamically load OpenSSL shared libraries concurrently. If this
is done, there is a high probability of encountering a SIGSEGV condition
relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library
components.
A resolution to this situation is under investigation.
About Prefix and OpenSSLDir
---------------------------

17
NOTES-VMS.md
View file

@ -83,6 +83,23 @@ When done, we recommend that you turn that flag back off:
$ set image /flag=nocall_debug [.test]evp_test.exe
About assembler acceleration
----------------------------
OpenSSL has assembler acceleration for a number of BIGNUM and crypto
routines. The VMS config targets tries to look for a selection of
assemblers and will use what they find. If none of the assemblers are
found, OpenSSL will be built as if `no-asm` was configured.
### For Itanium / IA64 / I64
- There is only one assembler, a port of Intel's `ias`, found in the
HP Open Source Tools CD, available through [DECUSlib](http://www.decuslib.com).
It's assumed to be set up as per the instructions, where `disk` and
`dir` are expected to be adapted to local conditions:
$ ias :== $disk:[dir]iasi64.exe
Checking the distribution
-------------------------

4
VERSION.dat
View file

@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
PATCH=8
PATCH=9
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="7 Feb 2023"
RELEASE_DATE="30 May 2023"
SHLIB_VERSION=3

144
apps/cmp.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -158,6 +158,7 @@ static char *opt_reqin = NULL;
static int opt_reqin_new_tid = 0;
static char *opt_reqout = NULL;
static char *opt_rspin = NULL;
static int rspin_in_use = 0;
static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
@ -371,7 +372,7 @@ const OPTIONS cmp_options[] = {
OPT_SECTION("Server authentication"),
{"trusted", OPT_TRUSTED, 's',
"Certificates to trust as chain roots when verifying signed CMP responses"},
"Certificates to use as trust anchors when verifying signed CMP responses"},
{OPT_MORE_STR, 0, 0, "unless -srvcert is given"},
{"untrusted", OPT_UNTRUSTED, 's',
"Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"},
@ -417,7 +418,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0,
"This can be used as the default CMP signer cert chain to include"},
{"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
"Send messages without CMP-level protection"},
"Send request messages without CMP-level protection"},
OPT_SECTION("Credentials format"),
{"certform", OPT_CERTFORM, 's',
@ -462,13 +463,16 @@ const OPTIONS cmp_options[] = {
"Do not interactively prompt for input when a password is required etc."},
{"repeat", OPT_REPEAT, 'p',
"Invoke the transaction the given positive number of times. Default 1"},
{"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"},
{"reqin", OPT_REQIN, 's',
"Take sequence of CMP requests to send to server from file(s)"},
{"reqin_new_tid", OPT_REQIN_NEW_TID, '-',
"Use fresh transactionID for CMP requests read from -reqin"},
{"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"},
{"reqout", OPT_REQOUT, 's',
"Save sequence of CMP requests created by the client to file(s)"},
{"rspin", OPT_RSPIN, 's',
"Process sequence of CMP responses provided in file(s), skipping server"},
{"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"},
{"rspout", OPT_RSPOUT, 's',
"Save sequence of actually used CMP responses to file(s)"},
{"use_mock_srv", OPT_USE_MOCK_SRV, '-',
"Use internal mock server at API level, bypassing socket-based HTTP"},
@ -754,12 +758,12 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames)
}
/* read DER-encoded OSSL_CMP_MSG from the specified file name item */
static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
static OSSL_CMP_MSG *read_PKIMESSAGE(const char *desc, char **filenames)
{
char *file;
OSSL_CMP_MSG *ret;
if (filenames == NULL) {
if (filenames == NULL || desc == NULL) {
CMP_err("NULL arg to read_PKIMESSAGE");
return NULL;
}
@ -774,6 +778,8 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq());
if (ret == NULL)
CMP_err1("cannot read PKIMessage from file '%s'", file);
else
CMP_info2("%s %s", desc, file);
return ret;
}
@ -795,7 +801,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
&& !write_PKIMESSAGE(req, &opt_reqout))
goto err;
if (opt_reqin != NULL && opt_rspin == NULL) {
if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL)
if ((req_new = read_PKIMESSAGE("actually sending", &opt_reqin)) == NULL)
goto err;
/*-
* The transaction ID in req_new read from opt_reqin may not be fresh.
@ -805,22 +811,44 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
if (opt_reqin_new_tid
&& !OSSL_CMP_MSG_update_transactionID(ctx, req_new))
goto err;
/*
* Except for first request, need to satisfy recipNonce check by server.
* Unfortunately requires re-protection if protection is required.
*/
if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new))
goto err;
}
if (opt_rspin != NULL) {
res = read_PKIMESSAGE(&opt_rspin);
res = read_PKIMESSAGE("actually using", &opt_rspin);
} else {
const OSSL_CMP_MSG *actual_req = opt_reqin != NULL ? req_new : req;
const OSSL_CMP_MSG *actual_req = req_new != NULL ? req_new : req;
res = opt_use_mock_srv
? OSSL_CMP_CTX_server_perform(ctx, actual_req)
: OSSL_CMP_MSG_http_perform(ctx, actual_req);
if (opt_use_mock_srv) {
if (rspin_in_use)
CMP_warn("too few -rspin filename arguments; resorting to using mock server");
res = OSSL_CMP_CTX_server_perform(ctx, actual_req);
} else {
#ifndef OPENSSL_NO_SOCK
if (opt_server == NULL) {
CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments");
goto err;
}
if (rspin_in_use)
CMP_warn("too few -rspin filename arguments; resorting to contacting server");
res = OSSL_CMP_MSG_http_perform(ctx, actual_req);
#else
CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments");
#endif
}
rspin_in_use = 0;
}
if (res == NULL)
goto err;
if (opt_reqin != NULL || prev_opt_rspin != NULL) {
/* need to satisfy nonce and transactionID checks */
if (req_new != NULL || prev_opt_rspin != NULL) {
/* need to satisfy nonce and transactionID checks by client */
ASN1_OCTET_STRING *nonce;
ASN1_OCTET_STRING *tid;
@ -1024,10 +1052,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
goto err;
}
} else if (opt_srv_cert == NULL) {
CMP_err("mock server credentials must be given if -use_mock_srv or -port is used");
CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is used");
goto err;
} else {
CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given");
CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given");
}
if (opt_srv_secret == NULL
@ -1121,7 +1149,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
goto err;
if (opt_send_error)
(void)ossl_cmp_mock_srv_set_send_error(srv_ctx, 1);
(void)ossl_cmp_mock_srv_set_sendError(srv_ctx, 1);
if (opt_send_unprotected)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1);
@ -1283,7 +1311,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
/* disable any cert status/revocation checking etc. */
X509_VERIFY_PARAM_clear_flags(tls_vpm,
~(X509_V_FLAG_USE_CHECK_TIME
| X509_V_FLAG_NO_CHECK_TIME));
| X509_V_FLAG_NO_CHECK_TIME
| X509_V_FLAG_PARTIAL_CHAIN
| X509_V_FLAG_POLICY_CHECK));
}
CMP_debug("trying to build cert chain for own TLS cert");
if (SSL_CTX_build_cert_chain(ssl_ctx,
@ -1498,10 +1528,25 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) {
CMP_err("missing -newkey (or -key) to be certified and no -csr given");
if (opt_newkey == NULL
&& opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key");
return 0;
}
if (opt_newkey == NULL
&& opt_popo != OSSL_CRMF_POPO_NONE
&& opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
if (opt_csr != NULL) {
CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s",
opt_key == NULL ? "" :
", and -key option superseded by by -csr");
return 0;
}
if (opt_key == NULL) {
CMP_err("missing -newkey (or -key) option for POPO");
return 0;
}
}
if (opt_certout == NULL) {
CMP_err("-certout not given, nowhere to save newly enrolled certificate");
return 0;
@ -1897,8 +1942,11 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT,
opt_total_timeout);
if (opt_reqin != NULL && opt_rspin != NULL)
CMP_warn("-reqin is ignored since -rspin is present");
if (opt_rspin != NULL) {
rspin_in_use = 1;
if (opt_reqin != NULL)
CMP_warn("-reqin is ignored since -rspin is present");
}
if (opt_reqin_new_tid && opt_reqin == NULL)
CMP_warn("-reqin_new_tid is ignored since -reqin is not present");
if (opt_reqin != NULL || opt_reqout != NULL
@ -1923,12 +1971,14 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
info->server = opt_server;
info->port = server_port;
info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
info->server = host;
host = NULL; /* prevent deallocation */
if ((info->port = OPENSSL_strdup(server_port)) == NULL)
goto err;
/* workaround for callback design flaw, see #17088: */
info->use_proxy = proxy_host != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
if (info->ssl_ctx == NULL)
goto err;
@ -1952,7 +2002,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
/* not printing earlier, to minimize confusion in case setup fails before */
if (opt_rspin != NULL)
CMP_info("will not contact any server since -rspin is given");
CMP_info2("will contact %s%s "
"only if -rspin argument gives too few filenames",
server_buf, proxy_buf);
else
CMP_info2("will contact %s%s", server_buf, proxy_buf);
@ -2847,8 +2899,16 @@ int cmp_main(int argc, char **argv)
CMP_err("-tls_used option not supported with -port option");
goto err;
}
if (opt_use_mock_srv || opt_server != NULL || opt_rspin != NULL) {
CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options");
if (opt_server != NULL || opt_use_mock_srv) {
CMP_err("The -port option excludes -server and -use_mock_srv");
goto err;
}
if (opt_reqin != NULL || opt_reqout != NULL) {
CMP_err("The -port option does not support -reqin and -reqout");
goto err;
}
if (opt_rspin != NULL || opt_rspout != NULL) {
CMP_err("The -port option does not support -rspin and -rspout");
goto err;
}
}
@ -2857,10 +2917,6 @@ int cmp_main(int argc, char **argv)
goto err;
}
#endif
if (opt_rspin != NULL && opt_use_mock_srv) {
CMP_err("cannot use both -rspin and -use_mock_srv options");
goto err;
}
if (opt_use_mock_srv
#ifndef OPENSSL_NO_SOCK
@ -2881,8 +2937,8 @@ int cmp_main(int argc, char **argv)
}
#ifndef OPENSSL_NO_SOCK
if (opt_tls_used && (opt_use_mock_srv || opt_rspin != NULL)) {
CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given");
if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
opt_tls_used = 0;
}
@ -2893,11 +2949,11 @@ int cmp_main(int argc, char **argv)
/* act as CMP client, possibly using internal mock server */
if (opt_server != NULL) {
if (opt_rspin != NULL) {
CMP_warn("ignoring -server option since -rspin is given");
opt_server = NULL;
}
if (opt_rspin != NULL) {
if (opt_server != NULL)
CMP_warn("-server option is not used if enough filenames given for -rspin");
if (opt_use_mock_srv)
CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin");
}
#endif
@ -3010,7 +3066,11 @@ int cmp_main(int argc, char **argv)
/* cannot free info already here, as it may be used indirectly by: */
OSSL_CMP_CTX_free(cmp_ctx);
#ifndef OPENSSL_NO_SOCK
APP_HTTP_TLS_INFO_free(info);
if (info != NULL) {
OPENSSL_free((char *)info->server);
OPENSSL_free((char *)info->port);
APP_HTTP_TLS_INFO_free(info);
}
#endif
}
X509_VERIFY_PARAM_free(vpm);

9
apps/dgst.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -487,8 +487,11 @@ static void show_digests(const OBJ_NAME *name, void *arg)
/* Filter out message digests that we cannot use */
md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
if (md == NULL)
return;
if (md == NULL) {
md = EVP_get_digestbyname(name->name);
if (md == NULL)
return;
}
BIO_printf(dec->bio, "-%-25s", name->name);
if (++dec->n == 3) {

17
apps/enc.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -30,6 +30,10 @@
#define SIZE (512)
#define BSIZE (8*1024)
#define PBKDF2_ITER_DEFAULT 10000
#define STR(a) XSTR(a)
#define XSTR(a) #a
static int set_hex(const char *in, unsigned char *out, int size);
static void show_ciphers(const OBJ_NAME *name, void *bio_);
@ -88,8 +92,13 @@ const OPTIONS enc_options[] = {
{"S", OPT_UPPER_S, 's', "Salt, in hex"},
{"iv", OPT_IV, 's', "IV in hex"},
{"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"},
{"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"},
{"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"},
{"iter", OPT_ITER, 'p',
"Specify the iteration count and force the use of PBKDF2"},
{OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT)},
{"pbkdf2", OPT_PBKDF2, '-',
"Use password-based key derivation function 2 (PBKDF2)"},
{OPT_MORE_STR, 0, 0,
"Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)},
{"none", OPT_NONE, '-', "Don't encrypt"},
#ifdef ZLIB
{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
@ -272,7 +281,7 @@ int enc_main(int argc, char **argv)
case OPT_PBKDF2:
pbkdf2 = 1;
if (iter == 0) /* do not overwrite a chosen value */
iter = 10000;
iter = PBKDF2_ITER_DEFAULT;
break;
case OPT_NONE:
cipher = NULL;

4
apps/include/cmp_mock_srv.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Siemens AG 2018-2020
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -27,7 +27,7 @@ int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
STACK_OF(X509) *caPubs);
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text);
int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val);
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);

10
apps/lib/apps.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -2474,6 +2474,10 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
if (connect) {
SSL *ssl;
BIO *sbio = NULL;
X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx);
X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
const char *host = vpm == NULL ? NULL :
X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */);
/* adapt after fixing callback design flaw, see #17088 */
if ((info->use_proxy
@ -2488,8 +2492,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
return NULL;
}
/* adapt after fixing callback design flaw, see #17088 */
SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
if (vpm != NULL)
SSL_set_tlsext_host_name(ssl, host /* may be NULL */);
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);

46
apps/lib/cmp_mock_srv.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Siemens AG 2018-2020
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -14,7 +14,7 @@
#include <openssl/cmp.h>
#include <openssl/err.h>
#include <openssl/cmperr.h>
/* the context for the CMP mock server */
typedef struct
{
@ -22,9 +22,8 @@ typedef struct
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
int sendError; /* send error response also on valid requests */
int sendError; /* send error response on given request type */
OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
int certReqId; /* id of last ir/cr/kur, used for polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
int checkAfterTime; /* time the client should wait between polling */
@ -54,7 +53,7 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
goto err;
ctx->certReqId = -1;
ctx->sendError = -1;
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
@ -130,7 +129,7 @@ int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
return 1;
}
int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@ -138,7 +137,8 @@ int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->sendError = val != 0;
/* might check bodytype, but this would require exporting all body types */
ctx->sendError = bodytype;
return 1;
}
@ -172,7 +172,7 @@ int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *cert_req,
int certReqId,
ossl_unused int certReqId,
const OSSL_CRMF_MSG *crm,
const X509_REQ *p10cr,
X509 **certOut,
@ -187,7 +187,8 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (ctx->sendError) {
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(cert_req)) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return NULL;
}
@ -195,7 +196,6 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
*certOut = NULL;
*chainOut = NULL;
*caPubs = NULL;
ctx->certReqId = certReqId;
if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
/* start polling */
@ -270,7 +270,8 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (ctx->sendError || ctx->certOut == NULL) {
if (ctx->certOut == NULL || ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return NULL;
}
@ -301,7 +302,9 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) {
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
|| sk_OSSL_CMP_ITAV_num(in) > 1) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
@ -358,7 +361,8 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
}
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *certConf, int certReqId,
const OSSL_CMP_MSG *certConf,
ossl_unused int certReqId,
const ASN1_OCTET_STRING *certHash,
const OSSL_CMP_PKISI *si)
{
@ -369,17 +373,13 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ctx->sendError || ctx->certOut == NULL) {
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
|| ctx->certOut == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
if (certReqId != ctx->certReqId) {
/* in case of error, invalid reqId -1 */
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
return 0;
if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
@ -392,7 +392,8 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
}
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *pollReq, int certReqId,
const OSSL_CMP_MSG *pollReq,
ossl_unused int certReqId,
OSSL_CMP_MSG **certReq, int64_t *check_after)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@ -402,7 +403,8 @@ static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ctx->sendError) {
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
*certReq = NULL;
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;

4
apps/openssl.cnf
View file

@ -356,7 +356,7 @@ cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = insta.ca.crt
out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
@ -366,7 +366,7 @@ secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = insta.ca.crt # does not include keyUsage digitalSignature
trusted = $insta::out_trusted # apps/insta.ca.crt
# Client authentication
secret = # disable PBM

9
apps/rehash.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -340,6 +340,11 @@ static int ends_with_dirsep(const char *path)
return *path == '/';
}
static int sk_strcmp(const char * const *a, const char * const *b)
{
return strcmp(*a, *b);
}
/*
* Process a directory; return number of errors found.
*/
@ -369,7 +374,7 @@ static int do_dir(const char *dirname, enum Hash h)
if (verbose)
BIO_printf(bio_out, "Doing %s\n", dirname);
if ((files = sk_OPENSSL_STRING_new_null()) == NULL) {
if ((files = sk_OPENSSL_STRING_new(sk_strcmp)) == NULL) {
BIO_printf(bio_err, "Skipping %s, out of memory\n", dirname);
errs = 1;
goto err;

3
apps/s_server.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -229,6 +229,7 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
|| !SSL_SESSION_set_cipher(tmpsess, cipher)
|| !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
OPENSSL_free(key);
SSL_SESSION_free(tmpsess);
return 0;
}
OPENSSL_free(key);

28
crypto/aes/asm/aesv8-armx.pl
View file

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -2261,10 +2261,10 @@ $code.=<<___ if ($flavour =~ /64/);
b.ne .Lxts_enc_big_size
// Encrypt the iv with key2, as the first XEX iv.
ldr $rounds,[$key2,#240]
vld1.8 {$dat},[$key2],#16
vld1.32 {$dat},[$key2],#16
vld1.8 {$iv0},[$ivp]
sub $rounds,$rounds,#2
vld1.8 {$dat1},[$key2],#16
vld1.32 {$dat1},[$key2],#16
.Loop_enc_iv_enc:
aese $iv0,$dat
@ -2866,9 +2866,9 @@ $code.=<<___ if ($flavour =~ /64/);
// Encrypt the composite block to get the last second encrypted text block
ldr $rounds,[$key1,#240] // load key schedule...
vld1.8 {$dat},[$key1],#16
vld1.32 {$dat},[$key1],#16
sub $rounds,$rounds,#2
vld1.8 {$dat1},[$key1],#16 // load key schedule...
vld1.32 {$dat1},[$key1],#16 // load key schedule...
.Loop_final_enc:
aese $tmpin,$dat0
aesmc $tmpin,$tmpin
@ -2937,10 +2937,10 @@ $code.=<<___ if ($flavour =~ /64/);
b.ne .Lxts_dec_big_size
// Encrypt the iv with key2, as the first XEX iv.
ldr $rounds,[$key2,#240]
vld1.8 {$dat},[$key2],#16
vld1.32 {$dat},[$key2],#16
vld1.8 {$iv0},[$ivp]
sub $rounds,$rounds,#2
vld1.8 {$dat1},[$key2],#16
vld1.32 {$dat1},[$key2],#16
.Loop_dec_small_iv_enc:
aese $iv0,$dat
@ -3020,10 +3020,10 @@ $code.=<<___ if ($flavour =~ /64/);
// Encrypt the iv with key2, as the first XEX iv
ldr $rounds,[$key2,#240]
vld1.8 {$dat},[$key2],#16
vld1.32 {$dat},[$key2],#16
vld1.8 {$iv0},[$ivp]
sub $rounds,$rounds,#2
vld1.8 {$dat1},[$key2],#16
vld1.32 {$dat1},[$key2],#16
.Loop_dec_iv_enc:
aese $iv0,$dat
@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/);
.align 4
.Lxts_dec_tail4x:
add $inp,$inp,#16
vld1.32 {$dat0},[$inp],#16
tst $tailcnt,#0xf
veor $tmp1,$dat1,$tmp0
vst1.8 {$tmp1},[$out],#16
veor $tmp2,$dat2,$tmp2
@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/);
veor $tmp4,$dat4,$tmp4
vst1.8 {$tmp3-$tmp4},[$out],#32
b.eq .Lxts_dec_abort
vld1.8 {$dat0},[$inp],#16
b .Lxts_done
.align 4
.Lxts_outer_dec_tail:
@ -3539,7 +3541,7 @@ $code.=<<___ if ($flavour =~ /64/);
// Processing the last two blocks with cipher stealing.
mov x7,x3
cbnz x2,.Lxts_dec_1st_done
vld1.32 {$dat0},[$inp],#16
vld1.8 {$dat0},[$inp],#16
// Decrypt the last secod block to get the last plain text block
.Lxts_dec_1st_done:
@ -3584,9 +3586,9 @@ $code.=<<___ if ($flavour =~ /64/);
// Decrypt the composite block to get the last second plain text block
ldr $rounds,[$key_,#240]
vld1.8 {$dat},[$key_],#16
vld1.32 {$dat},[$key_],#16
sub $rounds,$rounds,#2
vld1.8 {$dat1},[$key_],#16
vld1.32 {$dat1},[$key_],#16
.Loop_final_dec:
aesd $tmpin,$dat0
aesimc $tmpin,$tmpin

6
crypto/aes/asm/bsaes-armv7.pl
View file

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -14,7 +14,7 @@
# details see http://www.openssl.org/~appro/cryptogams/.
#
# Specific modes and adaptation for Linux kernel by Ard Biesheuvel
# of Linaro. Permission to use under GPL terms is granted.
# of Linaro.
# ====================================================================
# Bit-sliced AES for ARM NEON
@ -1447,7 +1447,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
.align 2
0: add r12, $key, #248
vld1.8 {@XMM[0]}, [$ctr] @ load counter
adrl $ctr, .LREVM0SR @ borrow $ctr
add $ctr, $const, #.LREVM0SR-.LM0 @ borrow $ctr
vldmia r12, {@XMM[4]} @ load round0 key
sub sp, #0x10 @ place for adjusted round0 key
#endif

8
crypto/asn1/a_bitstr.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
int w, v, iv;
unsigned char *c;
if (n < 0)
return 0;
w = n / 8;
v = 1 << (7 - (n & 0x07));
iv = ~v;
@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
{
int w, v;
if (n < 0)
return 0;
w = n / 8;
v = 1 << (7 - (n & 0x07));
if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL))

4
crypto/asn1/asn1_parse.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -50,7 +50,7 @@ static int asn1_print_info(BIO *bp, long offset, int depth, int hl, long len,
pop_f_prefix = 1;
}
saved_indent = BIO_get_indent(bp);
if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) < 0)
if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) <= 0)
goto err;
}

4
crypto/asn1/asn_pack.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -29,7 +29,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
OPENSSL_free(octmp->data);
octmp->data = NULL;
if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) == 0) {
if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) <= 0) {
ERR_raise(ERR_LIB_ASN1, ASN1_R_ENCODE_ERROR);
goto err;
}

4
crypto/bio/bio_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -784,7 +784,7 @@ BIO *BIO_dup_chain(BIO *in)
/* This will let SSL_s_sock() work with stdin/stdout */
new_bio->num = bio->num;
if (!BIO_dup_state(bio, (char *)new_bio)) {
if (BIO_dup_state(bio, (char *)new_bio) <= 0) {
BIO_free(new_bio);
goto err;
}

4
crypto/bio/bss_acpt.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -566,7 +566,7 @@ BIO *BIO_new_accept(const char *str)
ret = BIO_new(BIO_s_accept());
if (ret == NULL)
return NULL;
if (BIO_set_accept_name(ret, str))
if (BIO_set_accept_name(ret, str) > 0)
return ret;
BIO_free(ret);
return NULL;

108
crypto/bn/bn_asm.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
#ifndef OPENSSL_SMALL_FOOTPRINT
while (n & ~3) {
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[0];
t1 = (t2 - t1) & BN_MASK2;
r[0] = t1;
c += (t1 > t2);
t1 = a[1];
t2 = b[1];
r[1] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[1];
t1 = (t2 - t1) & BN_MASK2;
r[1] = t1;
c += (t1 > t2);
t1 = a[2];
t2 = b[2];
r[2] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[2];
t1 = (t2 - t1) & BN_MASK2;
r[2] = t1;
c += (t1 > t2);
t1 = a[3];
t2 = b[3];
r[3] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[3];
t1 = (t2 - t1) & BN_MASK2;
r[3] = t1;
c += (t1 > t2);
a += 4;
b += 4;
r += 4;
@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
#endif
while (n) {
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[0];
t1 = (t2 - t1) & BN_MASK2;
r[0] = t1;
c += (t1 > t2);
a++;
b++;
r++;
@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
@ -455,11 +465,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULLONG tt = t+c0; /* no carry */ \
c0 = (BN_ULONG)Lw(tt); \
hi = (BN_ULONG)Hw(tt); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
@ -468,7 +478,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
@ -483,26 +493,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo, hi; \
BN_UMULT_LOHI(lo,hi,ta,tb); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo, hi, tt; \
BN_UMULT_LOHI(lo,hi,ta,tb); \
c0 += lo; tt = hi+((c0<lo)?1:0); \
c1 += tt; c2 += (c1<tt)?1:0; \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; tt = hi + (c0<lo); \
c1 += tt; c2 += (c1<tt); \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
BN_ULONG ta = (a)[i]; \
BN_ULONG lo, hi; \
BN_UMULT_LOHI(lo,hi,ta,ta); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
@ -517,26 +527,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo = ta * tb; \
BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
BN_ULONG ta = (a), tb = (b), tt; \
BN_ULONG lo = ta * tb; \
BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
c0 += lo; tt = hi + ((c0<lo)?1:0); \
c1 += tt; c2 += (c1<tt)?1:0; \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; tt = hi + (c0<lo); \
c1 += tt; c2 += (c1<tt); \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
BN_ULONG ta = (a)[i]; \
BN_ULONG lo = ta * ta; \
BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
@ -551,8 +561,8 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG lo = LBITS(a), hi = HBITS(a); \
BN_ULONG bl = LBITS(b), bh = HBITS(b); \
mul64(lo,hi,bl,bh); \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
@ -561,17 +571,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG bl = LBITS(b), bh = HBITS(b); \
mul64(lo,hi,bl,bh); \
tt = hi; \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \
c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c0 = (c0+lo)&BN_MASK2; tt += (c0<lo); \
c1 = (c1+tt)&BN_MASK2; c2 += (c1<tt); \
c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
BN_ULONG lo, hi; \
sqr64(lo,hi,(a)[i]); \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \

17
crypto/bn/bn_blind.c
View file

@ -13,6 +13,20 @@
#define BN_BLINDING_COUNTER 32
struct bn_blinding_st {
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
CRYPTO_THREAD_ID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
CRYPTO_RWLOCK *lock;
};
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
{
BN_BLINDING *ret = NULL;
@ -177,7 +191,8 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
n->top = (int)(rtop & ~mask) | (ntop & mask);
n->flags |= (BN_FLG_FIXED_TOP & ~mask);
}
ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx);
bn_correct_top_consttime(n);
} else {
ret = BN_mod_mul(n, n, r, b->mod, ctx);
}

24
crypto/bn/bn_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1021,6 +1021,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words)
return (words <= a->dmax) ? a : bn_expand2(a, words);
}
void bn_correct_top_consttime(BIGNUM *a)
{
int j, atop;
BN_ULONG limb;
unsigned int mask;
for (j = 0, atop = 0; j < a->dmax; j++) {
limb = a->d[j];
limb |= 0 - limb;
limb >>= BN_BITS2 - 1;
limb = 0 - limb;
mask = (unsigned int)limb;
mask &= constant_time_msb(j - a->top);
atop = constant_time_select_int(mask, j + 1, atop);
}
mask = constant_time_eq_int(atop, 0);
a->top = atop;
a->neg = constant_time_select_int(mask, 0, a->neg);
a->flags &= ~BN_FLG_FIXED_TOP;
}
void bn_correct_top(BIGNUM *a)
{
BN_ULONG *ftl;

58
crypto/bn/bn_local.h
View file

@ -290,20 +290,6 @@ struct bn_gencb_st {
} cb;
};
struct bn_blinding_st {
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
CRYPTO_THREAD_ID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
CRYPTO_RWLOCK *lock;
};
/*-
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
*
@ -378,24 +364,6 @@ struct bn_blinding_st {
# define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */
# define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */
/*
* 2011-02-22 SMS. In various places, a size_t variable or a type cast to
* size_t was used to perform integer-only operations on pointers. This
* failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t
* is still only 32 bits. What's needed in these cases is an integer type
* with the same size as a pointer, which size_t is not certain to be. The
* only fix here is VMS-specific.
*/
# if defined(OPENSSL_SYS_VMS)
# if __INITIAL_POINTER_SIZE == 64
# define PTR_SIZE_INT long long
# else /* __INITIAL_POINTER_SIZE == 64 */
# define PTR_SIZE_INT int
# endif /* __INITIAL_POINTER_SIZE == 64 [else] */
# elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */
# define PTR_SIZE_INT size_t
# endif /* defined(OPENSSL_SYS_VMS) [else] */
# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
/*
* BN_UMULT_HIGH section.
@ -536,10 +504,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
ret = (r); \
BN_UMULT_LOHI(low,high,w,tmp); \
ret += (c); \
(c) = (ret<(c))?1:0; \
(c) = (ret<(c)); \
(c) += high; \
ret += low; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -548,7 +516,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
BN_UMULT_LOHI(low,high,w,ta); \
ret = low + (c); \
(c) = high; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -564,10 +532,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
high= BN_UMULT_HIGH(w,tmp); \
ret += (c); \
low = (w) * tmp; \
(c) = (ret<(c))?1:0; \
(c) = (ret<(c)); \
(c) += high; \
ret += low; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -577,7 +545,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
high= BN_UMULT_HIGH(w,ta); \
ret = low + (c); \
(c) = high; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -610,10 +578,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
lt=(bl)*(lt); \
m1=(bl)*(ht); \
ht =(bh)*(ht); \
m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
m=(m+m1)&BN_MASK2; ht += L2HBITS((BN_ULONG)(m < m1)); \
ht+=HBITS(m); \
m1=L2HBITS(m); \
lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
lt=(lt+m1)&BN_MASK2; ht += (lt < m1); \
(l)=lt; \
(h)=ht; \
}
@ -630,7 +598,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
h*=h; \
h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
m =(m&BN_MASK2l)<<(BN_BITS4+1); \
l=(l+m)&BN_MASK2; if (l < m) h++; \
l=(l+m)&BN_MASK2; h += (l < m); \
(lo)=l; \
(ho)=h; \
}
@ -644,9 +612,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
mul64(l,h,(bl),(bh)); \
\
/* non-multiply part */ \
l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
l=(l+(c))&BN_MASK2; h += (l < (c)); \
(c)=(r); \
l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
l=(l+(c))&BN_MASK2; h += (l < (c)); \
(c)=h&BN_MASK2; \
(r)=l; \
}
@ -660,7 +628,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
mul64(l,h,(bl),(bh)); \
\
/* non-multiply part */ \
l+=(c); if ((l&BN_MASK2) < (c)) h++; \
l+=(c); h += ((l&BN_MASK2) < (c)); \
(c)=h&BN_MASK2; \
(r)=l&BN_MASK2; \
}
@ -690,7 +658,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int cl, int dl);
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
const BN_ULONG *np, const BN_ULONG *n0, int num);
void bn_correct_top_consttime(BIGNUM *a);
BIGNUM *int_bn_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
int *noinv);

87
crypto/bn/bn_nist.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -338,7 +338,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
sizeof(unsigned int)];
} buf;
BN_ULONG c_d[BN_NIST_192_TOP], *res;
PTR_SIZE_INT mask;
static const BIGNUM ossl_bignum_nist_p_192_sqr = {
(BN_ULONG *)_nist_p_192_sqr,
OSSL_NELEM(_nist_p_192_sqr),
@ -439,13 +438,9 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
* 'tmp=result-modulus; if (!carry || !borrow) result=tmp;'
* this is what happens below, but without explicit if:-) a.
*/
mask =
0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0],
BN_NIST_192_TOP);
mask &= 0 - (PTR_SIZE_INT) carry;
res = c_d;
res = (BN_ULONG *)
(((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask));
res = (bn_sub_words(c_d, r_d, _nist_p_192[0], BN_NIST_192_TOP) && carry)
? r_d
: c_d;
nist_cp_bn(r_d, res, BN_NIST_192_TOP);
r->top = BN_NIST_192_TOP;
bn_correct_top(r);
@ -479,11 +474,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
sizeof(unsigned int)];
} buf;
BN_ULONG c_d[BN_NIST_224_TOP], *res;
PTR_SIZE_INT mask;
union {
bn_addsub_f f;
PTR_SIZE_INT p;
} u;
bn_addsub_f adjust;
static const BIGNUM ossl_bignum_nist_p_224_sqr = {
(BN_ULONG *)_nist_p_224_sqr,
OSSL_NELEM(_nist_p_224_sqr),
@ -597,7 +588,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
# endif
}
#endif
u.f = bn_sub_words;
adjust = bn_sub_words;
if (carry > 0) {
carry =
(int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1],
@ -616,19 +607,14 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
carry =
(int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1],
BN_NIST_224_TOP);
mask = 0 - (PTR_SIZE_INT) carry;
u.p = ((PTR_SIZE_INT) bn_sub_words & mask) |
((PTR_SIZE_INT) bn_add_words & ~mask);
adjust = carry ? bn_sub_words : bn_add_words;
} else
carry = 1;
/* otherwise it's effectively same as in BN_nist_mod_192... */
mask =
0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP);
mask &= 0 - (PTR_SIZE_INT) carry;
res = c_d;
res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
((PTR_SIZE_INT) r_d & mask));
res = ((*adjust) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP) && carry)
? r_d
: c_d;
nist_cp_bn(r_d, res, BN_NIST_224_TOP);
r->top = BN_NIST_224_TOP;
bn_correct_top(r);
@ -660,11 +646,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
sizeof(unsigned int)];
} buf;
BN_ULONG c_d[BN_NIST_256_TOP], *res;
PTR_SIZE_INT mask;
union {
bn_addsub_f f;
PTR_SIZE_INT p;
} u;
bn_addsub_f adjust;
static const BIGNUM ossl_bignum_nist_p_256_sqr = {
(BN_ULONG *)_nist_p_256_sqr,
OSSL_NELEM(_nist_p_256_sqr),
@ -850,7 +832,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
}
#endif
/* see BN_nist_mod_224 for explanation */
u.f = bn_sub_words;
adjust = bn_sub_words;
if (carry > 0)
carry =
(int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1],
@ -859,18 +841,13 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
carry =
(int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1],
BN_NIST_256_TOP);
mask = 0 - (PTR_SIZE_INT) carry;
u.p = ((PTR_SIZE_INT) bn_sub_words & mask) |
((PTR_SIZE_INT) bn_add_words & ~mask);
adjust = carry ? bn_sub_words : bn_add_words;
} else
carry = 1;
mask =
0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP);
mask &= 0 - (PTR_SIZE_INT) carry;
res = c_d;
res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
((PTR_SIZE_INT) r_d & mask));
res = ((*adjust) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP) && carry)
? r_d
: c_d;
nist_cp_bn(r_d, res, BN_NIST_256_TOP);
r->top = BN_NIST_256_TOP;
bn_correct_top(r);
@ -906,11 +883,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
sizeof(unsigned int)];
} buf;
BN_ULONG c_d[BN_NIST_384_TOP], *res;
PTR_SIZE_INT mask;
union {
bn_addsub_f f;
PTR_SIZE_INT p;
} u;
bn_addsub_f adjust;
static const BIGNUM ossl_bignum_nist_p_384_sqr = {
(BN_ULONG *)_nist_p_384_sqr,
OSSL_NELEM(_nist_p_384_sqr),
@ -1131,7 +1104,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
}
#endif
/* see BN_nist_mod_224 for explanation */
u.f = bn_sub_words;
adjust = bn_sub_words;
if (carry > 0)
carry =
(int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1],
@ -1140,18 +1113,13 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
carry =
(int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1],
BN_NIST_384_TOP);
mask = 0 - (PTR_SIZE_INT) carry;
u.p = ((PTR_SIZE_INT) bn_sub_words & mask) |
((PTR_SIZE_INT) bn_add_words & ~mask);
adjust = carry ? bn_sub_words : bn_add_words;
} else
carry = 1;
mask =
0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP);
mask &= 0 - (PTR_SIZE_INT) carry;
res = c_d;
res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
((PTR_SIZE_INT) r_d & mask));
res = ((*adjust) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP) && carry)
? r_d
: c_d;
nist_cp_bn(r_d, res, BN_NIST_384_TOP);
r->top = BN_NIST_384_TOP;
bn_correct_top(r);
@ -1168,7 +1136,6 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
{
int top = a->top, i;
BN_ULONG *r_d, *a_d = a->d, t_d[BN_NIST_521_TOP], val, tmp, *res;
PTR_SIZE_INT mask;
static const BIGNUM ossl_bignum_nist_p_521_sqr = {
(BN_ULONG *)_nist_p_521_sqr,
OSSL_NELEM(_nist_p_521_sqr),
@ -1221,12 +1188,10 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
r_d[i] &= BN_NIST_521_TOP_MASK;
bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP);
mask =
0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521,
BN_NIST_521_TOP);
res = t_d;
res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) |
((PTR_SIZE_INT) r_d & mask));
res = bn_sub_words(t_d, r_d, _nist_p_521,
BN_NIST_521_TOP)
? r_d
: t_d;
nist_cp_bn(r_d, res, BN_NIST_521_TOP);
r->top = BN_NIST_521_TOP;
bn_correct_top(r);

4
crypto/bn/bn_rsa_fips186_4.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -318,7 +318,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
* sqrt(2) * 2^(nlen/2-1) <= Random X <= (2^(nlen/2)) - 1.
*/
if (!BN_priv_rand_range_ex(X, range, 0, ctx) || !BN_add(X, X, base))
goto end;
goto err;
}
/* (Step 4) Y = X + ((R - X) mod 2r1r2) */
if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X))

2
crypto/bn/build.info
View file

@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c
bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
DEFINE[../../libcrypto]=$BNDEF
IF[{- !$disabled{'deprecated-0.9.8'} -}]

604
crypto/bn/rsa_sup_mul.c
View file

@ -1,604 +0,0 @@
#include <openssl/e_os2.h>
#include <stddef.h>
#include <sys/types.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/rsaerr.h>
#include "internal/endian.h"
#include "internal/numbers.h"
#include "internal/constant_time.h"
#include "bn_local.h"
# if BN_BYTES == 8
typedef uint64_t limb_t;
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
typedef uint128_t limb2_t;
# define HAVE_LIMB2_T
# endif
# define LIMB_BIT_SIZE 64
# define LIMB_BYTE_SIZE 8
# elif BN_BYTES == 4
typedef uint32_t limb_t;
typedef uint64_t limb2_t;
# define LIMB_BIT_SIZE 32
# define LIMB_BYTE_SIZE 4
# define HAVE_LIMB2_T
# else
# error "Not supported"
# endif
/*
* For multiplication we're using schoolbook multiplication,
* so if we have two numbers, each with 6 "digits" (words)
* the multiplication is calculated as follows:
* A B C D E F
* x I J K L M N
* --------------
* N*F
* N*E
* N*D
* N*C
* N*B
* N*A
* M*F
* M*E
* M*D
* M*C
* M*B
* M*A
* L*F
* L*E
* L*D
* L*C
* L*B
* L*A
* K*F
* K*E
* K*D
* K*C
* K*B
* K*A
* J*F
* J*E
* J*D
* J*C
* J*B
* J*A
* I*F
* I*E
* I*D
* I*C
* I*B
* + I*A
* ==========================
* N*B N*D N*F
* + N*A N*C N*E
* + M*B M*D M*F
* + M*A M*C M*E
* + L*B L*D L*F
* + L*A L*C L*E
* + K*B K*D K*F
* + K*A K*C K*E
* + J*B J*D J*F
* + J*A J*C J*E
* + I*B I*D I*F
* + I*A I*C I*E
*
* 1+1 1+3 1+5
* 1+0 1+2 1+4
* 0+1 0+3 0+5
* 0+0 0+2 0+4
*
* 0 1 2 3 4 5 6
* which requires n^2 multiplications and 2n full length additions
* as we can keep every other result of limb multiplication in two separate
* limbs
*/
#if defined HAVE_LIMB2_T
static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
{
limb2_t t;
/*
* this is idiomatic code to tell compiler to use the native mul
* those three lines will actually compile to single instruction
*/
t = (limb2_t)a * b;
*hi = t >> LIMB_BIT_SIZE;
*lo = (limb_t)t;
}
#elif (BN_BYTES == 8) && (defined _MSC_VER)
/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
#pragma intrinsic(_umul128)
static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
{
*lo = _umul128(a, b, hi);
}
#else
/*
* if the compiler doesn't have either a 128bit data type nor a "return
* high 64 bits of multiplication"
*/
static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
{
limb_t a_low = (limb_t)(uint32_t)a;
limb_t a_hi = a >> 32;
limb_t b_low = (limb_t)(uint32_t)b;
limb_t b_hi = b >> 32;
limb_t p0 = a_low * b_low;
limb_t p1 = a_low * b_hi;
limb_t p2 = a_hi * b_low;
limb_t p3 = a_hi * b_hi;
uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
*lo = p0 + (p1 << 32) + (p2 << 32);
*hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
}
#endif
/* add two limbs with carry in, return carry out */
static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
{
limb_t carry1, carry2, t;
/*
* `c = a + b; if (c < a)` is idiomatic code that makes compilers
* use add with carry on assembly level
*/
*ret = a + carry;
if (*ret < a)
carry1 = 1;
else
carry1 = 0;
t = *ret;
*ret = t + b;
if (*ret < t)
carry2 = 1;
else
carry2 = 0;
return carry1 + carry2;
}
/*
* add two numbers of the same size, return overflow
*
* add a to b, place result in ret; all arrays need to be n limbs long
* return overflow from addition (0 or 1)
*/
static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
{
limb_t c = 0;
ossl_ssize_t i;
for(i = n - 1; i > -1; i--)
c = _add_limb(&ret[i], a[i], b[i], c);
return c;
}
/*
* return number of limbs necessary for temporary values
* when multiplying numbers n limbs large
*/
static ossl_inline size_t mul_limb_numb(size_t n)
{
return 2 * n * 2;
}
/*
* multiply two numbers of the same size
*
* multiply a by b, place result in ret; a and b need to be n limbs long
* ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
* long
*/
static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
{
limb_t *r_odd, *r_even;
size_t i, j, k;
r_odd = tmp;
r_even = &tmp[2 * n];
memset(ret, 0, 2 * n * sizeof(limb_t));
for (i = 0; i < n; i++) {
for (k = 0; k < i + n + 1; k++) {
r_even[k] = 0;
r_odd[k] = 0;
}
for (j = 0; j < n; j++) {
/*
* place results from even and odd limbs in separate arrays so that
* we don't have to calculate overflow every time we get individual
* limb multiplication result
*/
if (j % 2 == 0)
_mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
else
_mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
}
/*
* skip the least significant limbs when adding multiples of
* more significant limbs (they're zero anyway)
*/
add(ret, ret, r_even, n + i + 1);
add(ret, ret, r_odd, n + i + 1);
}
}
/* modifies the value in place by performing a right shift by one bit */
static ossl_inline void rshift1(limb_t *val, size_t n)
{
limb_t shift_in = 0, shift_out = 0;
size_t i;
for (i = 0; i < n; i++) {
shift_out = val[i] & 1;
val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
shift_in = shift_out;
}
}
/* extend the LSB of flag to all bits of limb */
static ossl_inline limb_t mk_mask(limb_t flag)
{
flag |= flag << 1;
flag |= flag << 2;
flag |= flag << 4;
flag |= flag << 8;
flag |= flag << 16;
#if (LIMB_BYTE_SIZE == 8)
flag |= flag << 32;
#endif
return flag;
}
/*
* copy from either a or b to ret based on flag
* when flag == 0, then copies from b
* when flag == 1, then copies from a
*/
static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
{
/*
* would be more efficient with non volatile mask, but then gcc
* generates code with jumps
*/
volatile limb_t mask;
size_t i;
mask = mk_mask(flag);
for (i = 0; i < n; i++) {
#if (LIMB_BYTE_SIZE == 8)
ret[i] = constant_time_select_64(mask, a[i], b[i]);
#else
ret[i] = constant_time_select_32(mask, a[i], b[i]);
#endif
}
}
static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
{
limb_t borrow1, borrow2, t;
/*
* while it doesn't look constant-time, this is idiomatic code
* to tell compilers to use the carry bit from subtraction
*/
*ret = a - borrow;
if (*ret > a)
borrow1 = 1;
else
borrow1 = 0;
t = *ret;
*ret = t - b;
if (*ret > t)
borrow2 = 1;
else
borrow2 = 0;
return borrow1 + borrow2;
}
/*
* place the result of a - b into ret, return the borrow bit.
* All arrays need to be n limbs long
*/
static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
{
limb_t borrow = 0;
ossl_ssize_t i;
for (i = n - 1; i > -1; i--)
borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
return borrow;
}
/* return the number of limbs necessary to allocate for the mod() tmp operand */
static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
{
return (anum + modnum) * 3;
}
/*
* calculate a % mod, place the result in ret
* size of a is defined by anum, size of ret and mod is modnum,
* size of tmp is returned by mod_limb_numb()
*/
static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
size_t modnum, limb_t *tmp)
{
limb_t *atmp, *modtmp, *rettmp;
limb_t res;
size_t i;
memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
atmp = tmp;
modtmp = &tmp[anum + modnum];
rettmp = &tmp[(anum + modnum) * 2];
for (i = modnum; i <modnum + anum; i++)
atmp[i] = a[i-modnum];
for (i = 0; i < modnum; i++)
modtmp[i] = mod[i];
for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
rshift1(modtmp, anum + modnum);
res = sub(rettmp, atmp, modtmp, anum+modnum);
cselect(res, atmp, atmp, rettmp, anum+modnum);
}
memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
}
/* necessary size of tmp for a _mul_add_limb() call with provided anum */
static ossl_inline size_t _mul_add_limb_numb(size_t anum)
{
return 2 * (anum + 1);
}
/* multiply a by m, add to ret, return carry */
static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
limb_t m, limb_t *tmp)
{
limb_t carry = 0;
limb_t *r_odd, *r_even;
size_t i;
memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
r_odd = tmp;
r_even = &tmp[anum + 1];
for (i = 0; i < anum; i++) {
/*
* place the results from even and odd limbs in separate arrays
* so that we have to worry about carry just once
*/
if (i % 2 == 0)
_mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
else
_mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
}
/* assert: add() carry here will be equal zero */
add(r_even, r_even, r_odd, anum + 1);
/*
* while here it will not overflow as the max value from multiplication
* is -2 while max overflow from addition is 1, so the max value of
* carry is -1 (i.e. max int)
*/
carry = add(ret, ret, &r_even[1], anum) + r_even[0];
return carry;
}
static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
{
return modnum * 2 + _mul_add_limb_numb(modnum);
}
/*
* calculate a % mod, place result in ret
* assumes that a is in Montgomery form with the R (Montgomery modulus) being
* smallest power of two big enough to fit mod and that's also a power
* of the count of number of bits in limb_t (B).
* For calculation, we also need n', such that mod * n' == -1 mod B.
* anum must be <= 2 * modnum
* ret needs to be modnum words long
* tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
*/
static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
size_t modnum, limb_t ni0, limb_t *tmp)
{
limb_t carry, v;
limb_t *res, *rp, *tmp2;
ossl_ssize_t i;
res = tmp;
/*
* for intermediate result we need an integer twice as long as modulus
* but keep the input in the least significant limbs
*/
memset(res, 0, sizeof(limb_t) * (modnum * 2));
memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
rp = &res[modnum];
tmp2 = &res[modnum * 2];
carry = 0;
/* add multiples of the modulus to the value until R divides it cleanly */
for (i = modnum; i > 0; i--, rp--) {
v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2);
v = v + carry + rp[-1];
carry |= (v != rp[-1]);
carry &= (v <= rp[-1]);
rp[-1] = v;
}
/* perform the final reduction by mod... */
carry -= sub(ret, rp, mod, modnum);
/* ...conditionally */
cselect(carry, ret, rp, ret, modnum);
}
/* allocated buffer should be freed afterwards */
static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
{
int i;
int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
limb_t *ptr = buf + (limbs - real_limbs);
for (i = 0; i < real_limbs; i++)
ptr[i] = bn->d[real_limbs - i - 1];
}
#if LIMB_BYTE_SIZE == 8
static ossl_inline uint64_t be64(uint64_t host)
{
uint64_t big = 0;
DECLARE_IS_ENDIAN;
if (!IS_LITTLE_ENDIAN)
return host;
big |= (host & 0xff00000000000000) >> 56;
big |= (host & 0x00ff000000000000) >> 40;
big |= (host & 0x0000ff0000000000) >> 24;
big |= (host & 0x000000ff00000000) >> 8;
big |= (host & 0x00000000ff000000) << 8;
big |= (host & 0x0000000000ff0000) << 24;
big |= (host & 0x000000000000ff00) << 40;
big |= (host & 0x00000000000000ff) << 56;
return big;
}
#else
/* Not all platforms have htobe32(). */
static ossl_inline uint32_t be32(uint32_t host)
{
uint32_t big = 0;
DECLARE_IS_ENDIAN;
if (!IS_LITTLE_ENDIAN)
return host;
big |= (host & 0xff000000) >> 24;
big |= (host & 0x00ff0000) >> 8;
big |= (host & 0x0000ff00) << 8;
big |= (host & 0x000000ff) << 24;
return big;
}
#endif
/*
* We assume that intermediate, possible_arg2, blinding, and ctx are used
* similar to BN_BLINDING_invert_ex() arguments.
* to_mod is RSA modulus.
* buf and num is the serialization buffer and its length.
*
* Here we use classic/Montgomery multiplication and modulo. After the calculation finished
* we serialize the new structure instead of BIGNUMs taking endianness into account.
*/
int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
const BN_BLINDING *blinding,
const BIGNUM *possible_arg2,
const BIGNUM *to_mod, BN_CTX *ctx,
unsigned char *buf, int num)
{
limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
size_t l_tmp_count = 0;
int ret = 0;
size_t i;
unsigned char *tmp;
const BIGNUM *arg1 = intermediate;
const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
goto err;
BN_to_limb(arg1, l_im, l_size);
BN_to_limb(arg2, l_mul, l_size);
BN_to_limb(to_mod, l_mod, l_mod_count);
l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
if (blinding->m_ctx != NULL) {
l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
} else {
l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
}
if ((l_ret == NULL) || (l_tmp == NULL))
goto err;
if (blinding->m_ctx != NULL) {
limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
blinding->m_ctx->n0[0], l_tmp);
} else {
limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
}
/* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
if (num < BN_num_bytes(to_mod)) {
ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
goto err;
}
memset(buf, 0, num);
tmp = buf + num - BN_num_bytes(to_mod);
for (i = 0; i < l_mod_count; i++) {
#if LIMB_BYTE_SIZE == 8
l_buf = be64(l_ret[i]);
#else
l_buf = be32(l_ret[i]);
#endif
if (i == 0) {
int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
tmp += delta;
} else {
memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
tmp += LIMB_BYTE_SIZE;
}
}
ret = num;
err:
OPENSSL_free(l_im);
OPENSSL_free(l_mul);
OPENSSL_free(l_mod);
OPENSSL_free(l_tmp);
OPENSSL_free(l_ret);
return ret;
}

4
crypto/build.info
View file

@ -97,9 +97,7 @@ $UTIL_COMMON=\
context.c sparse_array.c asn1_dsa.c packet.c param_build.c \
param_build_set.c der_writer.c threads_lib.c params_dup.c
IF[{- !$disabled{shared} -}]
SOURCE[../libssl]=sparse_array.c
ENDIF
SHARED_SOURCE[../libssl]=sparse_array.c
SOURCE[../libcrypto]=$UTIL_COMMON \
mem.c mem_sec.c \

68
crypto/cmp/cmp_client.c
View file

@ -64,10 +64,10 @@ static int unprotected_exception(const OSSL_CMP_CTX *ctx,
break;
default:
if (IS_CREP(rcvd_type)) {
int any_rid = OSSL_CMP_CERTREQID_NONE;
OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip;
OSSL_CMP_CERTRESPONSE *crep =
ossl_cmp_certrepmessage_get0_certresponse(crepmsg,
-1 /* any rid */);
ossl_cmp_certrepmessage_get0_certresponse(crepmsg, any_rid);
if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1)
return -1;
@ -357,15 +357,16 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
* Send certConf for IR, CR or KUR sequences and check response,
* not modifying ctx->status during the certConf exchange
*/
int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info,
const char *txt)
int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
int fail_info, const char *txt)
{
OSSL_CMP_MSG *certConf;
OSSL_CMP_MSG *PKIconf = NULL;
int res = 0;
/* OSSL_CMP_certConf_new() also checks if all necessary options are set */
if ((certConf = ossl_cmp_certConf_new(ctx, fail_info, txt)) == NULL)
certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt);
if (certConf == NULL)
goto err;
res = send_receive_check(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
@ -411,12 +412,10 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
{
char buf[OSSL_CMP_PKISI_BUFLEN];
X509 *crt = NULL;
EVP_PKEY *privkey;
if (!ossl_assert(ctx != NULL && crep != NULL))
return NULL;
privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
switch (ossl_cmp_pkisi_get_status(crep->status)) {
case OSSL_CMP_PKISTATUS_waiting:
ossl_cmp_err(ctx,
@ -454,7 +453,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS);
goto err;
}
crt = ossl_cmp_certresponse_get1_cert(crep, ctx, privkey);
crt = ossl_cmp_certresponse_get1_cert(ctx, crep);
if (crt == NULL) /* according to PKIStatus, we can expect a cert */
ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
@ -493,18 +492,46 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
if (fail_info != 0) /* accept any error flagged by CMP core library */
return fail_info;
ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */,
0, ctx->libctx, ctx->propq);
if (out_trusted == NULL) {
ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
chain = X509_build_chain(cert, ctx->untrusted, out_trusted,
0, ctx->libctx, ctx->propq);
} else {
X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq);
ossl_cmp_debug(ctx, "validating newly enrolled cert");
if (csc == NULL)
goto err;
if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted))
goto err;
/* disable any cert status/revocation checking etc. */
X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc),
~(X509_V_FLAG_USE_CHECK_TIME
| X509_V_FLAG_NO_CHECK_TIME
| X509_V_FLAG_PARTIAL_CHAIN
| X509_V_FLAG_POLICY_CHECK));
if (X509_verify_cert(csc) <= 0)
goto err;
if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc),
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_NO_SS)) {
sk_X509_free(chain);
chain = NULL;
}
err:
X509_STORE_CTX_free(csc);
}
if (sk_X509_num(chain) > 0)
X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
if (out_trusted != NULL) {
if (chain == NULL) {
ossl_cmp_err(ctx, "failed building chain for newly enrolled cert");
ossl_cmp_err(ctx, "failed to validate newly enrolled cert");
fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
} else {
ossl_cmp_debug(ctx,
"succeeded building proper chain for newly enrolled cert");
"success validating newly enrolled cert");
}
} else if (chain == NULL) {
ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts");
@ -521,6 +548,7 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
/*-
* Perform the generic handling of certificate responses for IR/CR/KUR/P10CR.
* |rid| must be OSSL_CMP_CERTREQID_NONE if not available, namely for p10cr
* Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value.
* Returns 1 on success and provides the received PKIMESSAGE in *resp.
* Returns 0 on error (which includes the case that timeout has been reached).
@ -530,7 +558,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
OSSL_CMP_MSG **resp, int *checkAfter,
int req_type, int expected_type)
{
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx /* may be NULL */, 0);
EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx);
int fail_info = 0; /* no failure */
const char *txt = NULL;
OSSL_CMP_CERTREPMESSAGE *crepmsg;
@ -554,10 +582,9 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return 0;
if (!save_statusInfo(ctx, crep->status))
return 0;
if (rid == -1) {
/* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */
if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */
rid = ossl_cmp_asn1_get_int(crep->certReqId);
if (rid == -1) {
if (rid != OSSL_CMP_CERTREQID_NONE) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
@ -621,7 +648,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
"rejecting newly enrolled cert with subject: %s", subj);
if (!ctx->disableConfirm
&& !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) {
if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt))
if (!ossl_cmp_exchange_certConf(ctx, rid, fail_info, txt))
ret = 0;
}
@ -630,6 +657,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED,
"rejecting newly enrolled cert with subject: %s; %s",
subj, txt);
ctx->status = OSSL_CMP_PKISTATUS_rejection;
ret = 0;
}
OPENSSL_free(subj);
@ -662,7 +690,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
{
OSSL_CMP_MSG *rep = NULL;
int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID;
int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1;
int res = 0;
@ -704,7 +732,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
OSSL_CMP_MSG *rep = NULL;
int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID;
int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1;
X509 *result = NULL;

26
crypto/cmp/cmp_ctx.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -457,8 +457,8 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
}
/* Set or clear the password to be used for protecting messages with PBMAC */
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
const int len)
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx,
const unsigned char *sec, int len)
{
ASN1_OCTET_STRING *secretValue = NULL;
if (ctx == NULL) {
@ -669,13 +669,13 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
/* Set the X509 name of the recipient. Set in the PKIHeader */
/* Set the X509 name of the recipient to be placed in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
/* Store the X509 name of the expected sender in the PKIHeader of responses */
DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
/* Set the X509 name of the issuer. Set in the PKIHeader */
/* Set the X509 name of the issuer to be placed in the certTemplate */
DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
/*
@ -834,6 +834,7 @@ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
}
/* Get the private/public key to use for cert enrollment, or NULL on error */
/* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
@ -848,6 +849,21 @@ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
return ctx->pkey; /* may be NULL */
}
EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx)
{
if (!ossl_assert(ctx != NULL))
return NULL;
if (ctx->newPkey != NULL)
return ctx->newPkey;
if (ctx->p10CSR != NULL)
return X509_REQ_get0_pubkey(ctx->p10CSR);
if (ctx->oldCert != NULL)
return X509_get0_pubkey(ctx->oldCert);
if (ctx->cert != NULL)
return X509_get0_pubkey(ctx->cert);
return ctx->pkey;
}
/* Set the given transactionID to the context */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id)

5
crypto/cmp/cmp_err.c
View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -95,7 +95,10 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PBM_SECRET), "missing pbm secret"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY),
"missing private key"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO),
"missing private key for popo"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PUBLIC_KEY), "missing public key"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_REFERENCE_CERT),
"missing reference cert"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_SECRET), "missing secret"},

19
crypto/cmp/cmp_local.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -789,6 +789,7 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn);
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx);
/* from cmp_status.c */
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
@ -852,7 +853,9 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
# define OSSL_CMP_PKIBODY_POLLREP 26
# define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP
/* certReqId for the first - and so far only - certificate request */
# define OSSL_CMP_CERTREQID 0
# define OSSL_CMP_CERTREQID 0
# define OSSL_CMP_CERTREQID_NONE -1
# define OSSL_CMP_CERTREQID_INVALID -2
/* sequence id for the first - and so far only - revocation request */
# define OSSL_CMP_REVREQSID 0
int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
@ -885,8 +888,8 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
int unprotected);
int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
ASN1_OCTET_STRING *hash);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
const char *text);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId,
int fail_info, const char *text);
OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid);
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
int64_t poll_after);
@ -900,8 +903,8 @@ ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
OSSL_CMP_CERTRESPONSE *
ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
int rid);
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_CERTRESPONSE *crep);
OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file);
/* from cmp_protect.c */
@ -922,8 +925,8 @@ int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_MSG *msg, int accept_RAVerified);
/* from cmp_client.c */
int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info,
const char *txt);
int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
int fail_info, const char *txt);
int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
const char *txt, int errorCode, const char *detail);

66
crypto/cmp/cmp_msg.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -274,7 +274,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
OSSL_CRMF_MSG *crm = NULL;
X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
/* refcert defaults to current client cert */
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx);
STACK_OF(GENERAL_NAME) *default_sans = NULL;
const X509_NAME *ref_subj =
refcert != NULL ? X509_get_subject_name(refcert) : NULL;
@ -286,15 +286,9 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
/* RFC5280: subjectAltName MUST be critical if subject is null */
X509_EXTENSIONS *exts = NULL;
if (rkey == NULL && ctx->p10CSR != NULL)
rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
if (rkey == NULL && refcert != NULL)
rkey = X509_get0_pubkey(refcert);
if (rkey == NULL)
rkey = ctx->pkey; /* default is independent of ctx->oldCert */
if (rkey == NULL) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY);
return NULL;
#endif
}
@ -411,15 +405,9 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
if (type != OSSL_CMP_PKIBODY_P10CR) {
EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
/*
* privkey is NULL in case ctx->newPkey does not include a private key.
* We then may try to use ctx->pkey as fallback/default, but only
* if ctx-> newPkey does not include a (non-matching) public key:
*/
if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
privkey = ctx->pkey; /* default is independent of ctx->oldCert */
if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
/* privkey is ctx->newPkey (if private, else NULL) or ctx->pkey */
if (ctx->popoMethod >= OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO);
goto err;
}
if (crm == NULL) {
@ -794,15 +782,17 @@ int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
return 1;
}
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
const char *text)
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId,
int fail_info, const char *text)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_CERTSTATUS *certStatus = NULL;
ASN1_OCTET_STRING *certHash = NULL;
OSSL_CMP_PKISI *sinfo;
if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
if (!ossl_assert(ctx != NULL && ctx->newCert != NULL
&& (certReqId == OSSL_CMP_CERTREQID
|| certReqId == OSSL_CMP_CERTREQID_NONE)))
return NULL;
if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
@ -816,10 +806,13 @@ OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
goto err;
/* consume certStatus into msg right away so it gets deallocated with msg */
if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
if (sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus) < 1) {
OSSL_CMP_CERTSTATUS_free(certStatus);
goto err;
}
/* set the ID of the certReq */
if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
if (!ASN1_INTEGER_set(certStatus->certReqId, certReqId))
goto err;
/*
* The hash of the certificate, using the same hash algorithm
@ -965,12 +958,12 @@ static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
{
int trid;
if (rid == -1)
if (rid == OSSL_CMP_CERTREQID_NONE)
return 1;
trid = ossl_cmp_asn1_get_int(certReqId);
if (trid == -1) {
if (trid == OSSL_CMP_CERTREQID_NONE) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
@ -1031,14 +1024,15 @@ ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
/*-
* Retrieve the newly enrolled certificate from the given certResponse crep.
* In case of indirect POPO uses the libctx and propq from ctx and private key.
* Uses libctx and propq from ctx, in case of indirect POPO also private key.
* Returns a pointer to a copy of the found certificate, or NULL if not found.
*/
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_CERTRESPONSE *crep)
{
OSSL_CMP_CERTORENCCERT *coec;
X509 *crt = NULL;
EVP_PKEY *pkey;
if (!ossl_assert(crep != NULL && ctx != NULL))
return NULL;
@ -1051,6 +1045,8 @@ X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
break;
case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
/* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
/* pkey is ctx->newPkey (if private, else NULL) or ctx->pkey */
if (pkey == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
return NULL;
@ -1084,6 +1080,20 @@ int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|| ossl_cmp_msg_protect(ctx, msg);
}
int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
{
if (ctx == NULL || msg == NULL || msg->header == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ctx->recipNonce == NULL) /* nothing to do for 1st msg in transaction */
return 1;
if (!ossl_cmp_asn1_octet_string_set1(&msg->header->recipNonce,
ctx->recipNonce))
return 0;
return msg->header->protectionAlg == NULL || ossl_cmp_msg_protect(ctx, msg);
}
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
const char *propq)
{

4
crypto/cmp/cmp_protect.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -129,6 +129,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
}
}
/* ctx is not const just because ctx->chain may get adapted */
int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
{
if (!ossl_assert(ctx != NULL && msg != NULL))
@ -251,6 +252,7 @@ static int set_senderKID(const OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg,
return id == NULL || ossl_cmp_hdr_set1_senderKID(msg->header, id);
}
/* ctx is not const just because ctx->chain may get adapted */
int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
{
if (!ossl_assert(ctx != NULL && msg != NULL))

45
crypto/cmp/cmp_server.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -22,8 +22,9 @@
/* the context for the generic CMP server */
struct ossl_cmp_srv_ctx_st
{
OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */
void *custom_ctx; /* pointer to specific server context */
void *custom_ctx; /* pointer to application-specific server context */
OSSL_CMP_CTX *ctx; /* Client CMP context, reusing transactionID etc. */
int certReqId; /* id of last ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */
OSSL_CMP_SRV_cert_request_cb_t process_cert_request;
OSSL_CMP_SRV_rr_cb_t process_rr;
@ -57,6 +58,7 @@ OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL)
goto err;
ctx->certReqId = OSSL_CMP_CERTREQID_INVALID;
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
@ -184,7 +186,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) {
certReqId = OSSL_CMP_CERTREQID;
certReqId = OSSL_CMP_CERTREQID_NONE; /* p10cr does not include an Id */
p10cr = req->body->value.p10cr;
} else {
OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */
@ -199,7 +201,12 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
certReqId = OSSL_CRMF_MSG_get_certReqId(crm);
if (certReqId != OSSL_CMP_CERTREQID) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
}
srv_ctx->certReqId = certReqId;
if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) {
/* Proof of possession could not be verified */
@ -356,6 +363,10 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
ASN1_OCTET_STRING *certHash = status->certHash;
OSSL_CMP_PKISI *si = status->statusInfo;
if (certReqId != srv_ctx->certReqId) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return NULL;
}
if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si))
return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */
@ -394,8 +405,12 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
pr = sk_OSSL_CMP_POLLREQ_value(prc, 0);
pr = sk_OSSL_CMP_POLLREQ_value(prc, OSSL_CMP_CERTREQID);
certReqId = ossl_cmp_asn1_get_int(pr->certReqId);
if (certReqId != srv_ctx->certReqId) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return NULL;
}
if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId,
&certReq, &check_after))
return NULL;
@ -446,7 +461,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
ASN1_OCTET_STRING *backup_secret;
OSSL_CMP_PKIHEADER *hdr;
int req_type, rsp_type;
int res;
int req_verified = 0;
OSSL_CMP_MSG *rsp = NULL;
if (srv_ctx == NULL || srv_ctx->ctx == NULL
@ -506,12 +521,12 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
}
res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception,
srv_ctx->acceptUnprotected);
req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception,
srv_ctx->acceptUnprotected);
if (ctx->secretValue != NULL && ctx->pkey != NULL
&& ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC)
ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */
if (!res)
if (!req_verified)
goto err;
switch (req_type) {
@ -568,9 +583,15 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest;
OSSL_CMP_PKISI *si = NULL;
if (ctx->transactionID == NULL) {
/* ignore any (extra) error in next two function calls: */
(void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID);
if (!req_verified) {
/*
* Above ossl_cmp_msg_check_update() was not successfully executed,
* which normally would set ctx->transactionID and ctx->recipNonce.
* So anyway try to provide the right transactionID and recipNonce,
* while ignoring any (extra) error in next two function calls.
*/
if (ctx->transactionID == NULL)
(void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID);
(void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce);
}

19
crypto/cmp/cmp_vfy.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2020
* Copyright Siemens AG 2015-2020
*
@ -323,11 +323,11 @@ static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx,
* verify that the newly enrolled certificate (which assumed rid ==
* OSSL_CMP_CERTREQID) can also be validated with the same trusted store
*/
EVP_PKEY *pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
OSSL_CMP_CERTRESPONSE *crep =
ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip,
OSSL_CMP_CERTREQID);
X509 *newcrt = ossl_cmp_certresponse_get1_cert(crep, ctx, pkey);
X509 *newcrt = ossl_cmp_certresponse_get1_cert(ctx, crep);
/*
* maybe better use get_cert_status() from cmp_client.c, which catches
* errors
@ -642,7 +642,6 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
return 0;
}
/*-
* Check received message (i.e., response by server or request from client)
* Any msg->extraCerts are prepended to ctx->untrusted.
@ -765,6 +764,11 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
#endif
}
/* if not yet present, learn transactionID */
if (ctx->transactionID == NULL
&& !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID))
return 0;
/*
* RFC 4210 section 5.1.1 states: the recipNonce is copied from
* the senderNonce of the previous message in the transaction.
@ -773,11 +777,6 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
if (!ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce))
return 0;
/* if not yet present, learn transactionID */
if (ctx->transactionID == NULL
&& !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID))
return -1;
/*
* Store any provided extraCerts in ctx for future use,
* such that they are available to ctx->certConf_cb and
@ -788,7 +787,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))
return -1;
return 0;
if (ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC) {
/*

4
crypto/cms/cms_dh.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -309,7 +309,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
*/
penc = NULL;
penclen = i2d_X509_ALGOR(wrap_alg, &penc);
if (penc == NULL || penclen == 0)
if (penclen <= 0)
goto err;
wrap_str = ASN1_STRING_new();
if (wrap_str == NULL)

20
crypto/cms/cms_ec.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,6 +8,7 @@
*/
#include <assert.h>
#include <limits.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/decoder.h>
@ -257,7 +258,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
ASN1_STRING *wrap_str;
ASN1_OCTET_STRING *ukm;
unsigned char *penc = NULL;
size_t penclen;
int penclen;
int rv = 0;
int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
const EVP_MD *kdf_md;
@ -274,15 +275,18 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
/* Is everything uninitialised? */
if (aoid == OBJ_nid2obj(NID_undef)) {
/* Set the key */
size_t enckeylen;
penclen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
ASN1_STRING_set0(pubkey, penc, penclen);
enckeylen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
if (enckeylen > INT_MAX || enckeylen == 0)
goto err;
ASN1_STRING_set0(pubkey, penc, (int)enckeylen);
pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
penc = NULL;
X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
V_ASN1_UNDEF, NULL);
(void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
V_ASN1_UNDEF, NULL); /* cannot fail */
}
/* See if custom parameters set */
@ -346,7 +350,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);
if (penclen == 0)
if (penclen <= 0)
goto err;
if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
@ -358,7 +362,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
* of another AlgorithmIdentifier.
*/
penclen = i2d_X509_ALGOR(wrap_alg, &penc);
if (penc == NULL || penclen == 0)
if (penclen <= 0)
goto err;
wrap_str = ASN1_STRING_new();
if (wrap_str == NULL)

4
crypto/cms/cms_env.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -138,7 +138,7 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
return 1;
}
CMS_EncryptedContentInfo* ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms)
CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms)
{
switch (cms_get_enveloped_type(cms)) {
case CMS_ENVELOPED_STANDARD:

15
crypto/cms/cms_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -432,7 +432,7 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
(void)ERR_pop_to_mark();
mdbio = BIO_new(BIO_f_md());
if (mdbio == NULL || !BIO_set_md(mdbio, digest)) {
if (mdbio == NULL || BIO_set_md(mdbio, digest) <= 0) {
ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR);
goto err;
}
@ -615,11 +615,12 @@ int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl)
int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl)
{
int r;
r = CMS_add0_crl(cms, crl);
if (r > 0)
X509_CRL_up_ref(crl);
return r;
if (!X509_CRL_up_ref(crl))
return 0;
if (CMS_add0_crl(cms, crl))
return 1;
X509_CRL_free(crl);
return 0;
}
STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)

73
crypto/cms/cms_smime.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -701,14 +701,21 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
X509 *cert, X509 *peer)
{
STACK_OF(CMS_RecipientInfo) *ris;
STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms);
CMS_RecipientInfo *ri;
int i, r, cms_pkey_ri_type;
int debug = 0, match_ri = 0;
CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
ris = CMS_get0_RecipientInfos(cms);
if (ris != NULL)
debug = ossl_cms_get0_env_enc_content(cms)->debug;
/* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */
if (ec != NULL) {
OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = NULL;
ec->keylen = 0;
}
if (ris != NULL && ec != NULL)
debug = ec->debug;
cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk);
if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) {
@ -731,11 +738,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
if (r < 0)
return 0;
}
/*
* If we have a cert try matching RecipientInfo otherwise try them
* all.
*/
else if (cert == NULL|| !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
/* If we have a cert, try matching RecipientInfo, else try them all */
else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
EVP_PKEY_up_ref(pk);
CMS_RecipientInfo_set0_pkey(ri, pk);
r = CMS_RecipientInfo_decrypt(cms, ri);
@ -772,7 +776,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
return 1;
}
ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT);
if (!match_ri)
ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT);
return 0;
}
@ -783,7 +788,7 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
{
STACK_OF(CMS_RecipientInfo) *ris;
CMS_RecipientInfo *ri;
int i, r;
int i, r, match_ri = 0;
ris = CMS_get0_RecipientInfos(cms);
for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
@ -791,11 +796,10 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK)
continue;
/*
* If we have an id try matching RecipientInfo otherwise try them
* all.
*/
if (id == NULL || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) {
/* If we have an id, try matching RecipientInfo, else try them all */
if (id == NULL
|| (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) {
match_ri = 1;
CMS_RecipientInfo_set0_key(ri, key, keylen);
r = CMS_RecipientInfo_decrypt(cms, ri);
CMS_RecipientInfo_set0_key(ri, NULL, 0);
@ -809,7 +813,8 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
}
}
ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT);
if (!match_ri)
ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT);
return 0;
}
@ -817,15 +822,25 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
unsigned char *pass, ossl_ssize_t passlen)
{
STACK_OF(CMS_RecipientInfo) *ris;
STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms);
CMS_RecipientInfo *ri;
int i, r;
int i, r, match_ri = 0;
CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
/* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */
if (ec != NULL) {
OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = NULL;
ec->keylen = 0;
}
ris = CMS_get0_RecipientInfos(cms);
for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
ri = sk_CMS_RecipientInfo_value(ris, i);
if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS)
continue;
/* Must try each PasswordRecipientInfo */
match_ri = 1;
CMS_RecipientInfo_set0_password(ri, pass, passlen);
r = CMS_RecipientInfo_decrypt(cms, ri);
CMS_RecipientInfo_set0_password(ri, NULL, 0);
@ -833,7 +848,8 @@ int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
return 1;
}
ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT);
if (!match_ri)
ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT);
return 0;
}
@ -843,7 +859,7 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
{
int r;
BIO *cont;
CMS_EncryptedContentInfo *ec;
int nid = OBJ_obj2nid(CMS_get0_type(cms));
if (nid != NID_pkcs7_enveloped
@ -853,14 +869,9 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
}
if (dcont == NULL && !check_content(cms))
return 0;
if (flags & CMS_DEBUG_DECRYPT)
ossl_cms_get0_env_enc_content(cms)->debug = 1;
else
ossl_cms_get0_env_enc_content(cms)->debug = 0;
if (cert == NULL)
ossl_cms_get0_env_enc_content(cms)->havenocert = 1;
else
ossl_cms_get0_env_enc_content(cms)->havenocert = 0;
ec = ossl_cms_get0_env_enc_content(cms);
ec->debug = (flags & CMS_DEBUG_DECRYPT) != 0;
ec->havenocert = cert == NULL;
if (pk == NULL && cert == NULL && dcont == NULL && out == NULL)
return 1;
if (pk != NULL && !CMS_decrypt_set1_pkey(cms, pk, cert))

19
crypto/conf/conf_def.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -226,6 +226,9 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
char *dirpath = NULL;
OPENSSL_DIR_CTX *dirctx = NULL;
#endif
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int numincludes = 0;
#endif
if ((buff = BUF_MEM_new()) == NULL) {
ERR_raise(ERR_LIB_CONF, ERR_R_BUF_LIB);
@ -442,6 +445,20 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
const char *include_dir = ossl_safe_getenv("OPENSSL_CONF_INCLUDE");
char *include_path = NULL;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/*
* The include processing below can cause the "conf" fuzzer to
* timeout due to the fuzzer inserting large and complicated
* includes - with a large amount of time spent in
* OPENSSL_strlcat/OPENSSL_strcpy. This is not a security
* concern because config files should never come from untrusted
* sources. We just set an arbitrary limit on the allowed
* number of includes when fuzzing to prevent this timeout.
*/
if (numincludes++ > 10)
goto err;
#endif
if (include_dir == NULL)
include_dir = conf->includedir;

7
crypto/dsa/dsa_backend.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -173,7 +173,10 @@ DSA *ossl_dsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
ERR_raise(ERR_LIB_DSA, DSA_R_BN_ERROR);
goto dsaerr;
}
DSA_set0_key(dsa, dsa_pubkey, dsa_privkey);
if (!DSA_set0_key(dsa, dsa_pubkey, dsa_privkey)) {
ERR_raise(ERR_LIB_DSA, ERR_R_INTERNAL_ERROR);
goto dsaerr;
}
goto done;

3
crypto/dsa/dsa_err.c
View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -36,6 +36,7 @@ static const ERR_STRING_DATA DSA_str_reasons[] = {
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_SEED_LEN_SMALL),
"seed_len is less than the length of q"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_TOO_MANY_RETRIES), "too many retries"},
{0, NULL}
};

35
crypto/dsa/dsa_ossl.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -21,6 +21,9 @@
#include "dsa_local.h"
#include <openssl/asn1.h>
#define MIN_DSA_SIGN_QBITS 128
#define MAX_DSA_SIGN_RETRIES 8
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp);
@ -75,6 +78,7 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa)
int reason = ERR_R_BN_LIB;
DSA_SIG *ret = NULL;
int rv = 0;
int retries = 0;
if (dsa->params.p == NULL
|| dsa->params.q == NULL
@ -129,7 +133,10 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa)
* s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
*/
/* Generate a blinding value */
/*
* Generate a blinding value
* The size of q is tested in dsa_sign_setup() so there should not be an infinite loop here.
*/
do {
if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1,
BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx))
@ -164,14 +171,19 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa)
goto err;
/*
* Redo if r or s is zero as required by FIPS 186-3: this is very
* unlikely.
* Redo if r or s is zero as required by FIPS 186-4: Section 4.6
* This is very unlikely.
* Limit the retries so there is no possibility of an infinite
* loop for bad domain parameter values.
*/
if (BN_is_zero(ret->r) || BN_is_zero(ret->s))
if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) {
if (retries++ > MAX_DSA_SIGN_RETRIES) {
reason = DSA_R_TOO_MANY_RETRIES;
goto err;
}
goto redo;
}
rv = 1;
err:
if (rv == 0) {
ERR_raise(ERR_LIB_DSA, reason);
@ -212,7 +224,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Reject obviously invalid parameters */
if (BN_is_zero(dsa->params.p)
|| BN_is_zero(dsa->params.q)
|| BN_is_zero(dsa->params.g)) {
|| BN_is_zero(dsa->params.g)
|| BN_is_negative(dsa->params.p)
|| BN_is_negative(dsa->params.q)
|| BN_is_negative(dsa->params.g)) {
ERR_raise(ERR_LIB_DSA, DSA_R_INVALID_PARAMETERS);
return 0;
}
@ -220,7 +235,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY);
return 0;
}
k = BN_new();
l = BN_new();
if (k == NULL || l == NULL)
@ -236,7 +250,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Preallocate space */
q_bits = BN_num_bits(dsa->params.q);
q_words = bn_get_top(dsa->params.q);
if (!bn_wexpand(k, q_words + 2)
if (q_bits < MIN_DSA_SIGN_QBITS
|| !bn_wexpand(k, q_words + 2)
|| !bn_wexpand(l, q_words + 2))
goto err;

4
crypto/dsa/dsa_sign.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -165,7 +165,7 @@ int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen,
*siglen = 0;
return 0;
}
*siglen = i2d_DSA_SIG(s, &sig);
*siglen = i2d_DSA_SIG(s, sig != NULL ? &sig : NULL);
DSA_SIG_free(s);
return 1;
}

3
crypto/ec/asm/ecp_nistp521-ppc64.pl
View file

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -140,6 +140,7 @@ ___
}
$code.=<<___;
.machine "any"
.text
___

3
crypto/ec/ec_err.c
View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -108,6 +108,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
"random number generation failed"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_SLOT_FULL), "slot full"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_TOO_MANY_RETRIES), "too many retries"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_GENERATOR), "undefined generator"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_ORDER), "undefined order"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_COFACTOR), "unknown cofactor"},

23
crypto/ec/ecdsa_ossl.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -20,6 +20,15 @@
#include "crypto/bn.h"
#include "ec_local.h"
#define MIN_ECDSA_SIGN_ORDERBITS 64
/*
* It is highly unlikely that a retry will happen,
* Multiple retries would indicate that something is wrong
* with the group parameters (which would normally only happen
* with a bad custom group).
*/
#define MAX_ECDSA_SIGN_RETRIES 8
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
{
@ -66,7 +75,7 @@ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
*siglen = 0;
return 0;
}
*siglen = i2d_ECDSA_SIG(s, &sig);
*siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
ECDSA_SIG_free(s);
return 1;
}
@ -120,7 +129,9 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
/* Preallocate space */
order_bits = BN_num_bits(order);
if (!BN_set_bit(k, order_bits)
/* Check the number of bits here so that an infinite loop is not possible */
if (order_bits < MIN_ECDSA_SIGN_ORDERBITS
|| !BN_set_bit(k, order_bits)
|| !BN_set_bit(r, order_bits)
|| !BN_set_bit(X, order_bits))
goto err;
@ -195,6 +206,7 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
EC_KEY *eckey)
{
int ok = 0, i;
int retries = 0;
BIGNUM *kinv = NULL, *s, *m = NULL;
const BIGNUM *order, *ckinv;
BN_CTX *ctx = NULL;
@ -304,6 +316,11 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES);
goto err;
}
/* Avoid infinite loops cause by invalid group parameters */
if (retries++ > MAX_ECDSA_SIGN_RETRIES) {
ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES);
goto err;
}
} else {
/* s != 0 => we have a valid signature */
break;

4
crypto/ec/ecx_meth.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -712,7 +712,7 @@ const EVP_PKEY_ASN1_METHOD ossl_ed448_asn1_meth = {
static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
ECX_KEY *ecx = ossl_ecx_key_op(NULL, NULL, 0, ctx->pmeth->pkey_id,
KEY_OP_PUBLIC, NULL, NULL);
KEY_OP_KEYGEN, NULL, NULL);
if (ecx != NULL) {
EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, ecx);

7
crypto/engine/eng_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -140,8 +140,9 @@ void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
if (!int_cleanup_check(1))
return;
item = int_cleanup_item(cb);
if (item)
sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0);
if (item != NULL)
if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0)
OPENSSL_free(item);
}
void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)

6
crypto/err/openssl.txt
View file

@ -1,4 +1,4 @@
# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -233,7 +233,9 @@ CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature
CMP_R_MISSING_P10CSR:121:missing p10csr
CMP_R_MISSING_PBM_SECRET:166:missing pbm secret
CMP_R_MISSING_PRIVATE_KEY:131:missing private key
CMP_R_MISSING_PRIVATE_KEY_FOR_POPO:190:missing private key for popo
CMP_R_MISSING_PROTECTION:143:missing protection
CMP_R_MISSING_PUBLIC_KEY:183:missing public key
CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert
CMP_R_MISSING_SECRET:178:missing secret
CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification
@ -514,6 +516,7 @@ DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DSA_R_P_NOT_PRIME:115:p not prime
DSA_R_Q_NOT_PRIME:113:q not prime
DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q
DSA_R_TOO_MANY_RETRIES:116:too many retries
DSO_R_CTRL_FAILED:100:control command failed
DSO_R_DSO_ALREADY_LOADED:110:dso already loaded
DSO_R_EMPTY_FILE_STRUCTURE:113:empty file structure
@ -597,6 +600,7 @@ EC_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve
EC_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed
EC_R_SHARED_INFO_ERROR:150:shared info error
EC_R_SLOT_FULL:108:slot full
EC_R_TOO_MANY_RETRIES:176:too many retries
EC_R_UNDEFINED_GENERATOR:113:undefined generator
EC_R_UNDEFINED_ORDER:128:undefined order
EC_R_UNKNOWN_COFACTOR:164:unknown cofactor

64
crypto/evp/ctrl_params_translate.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -387,7 +387,7 @@ static int default_fixup_args(enum state state,
{
int ret;
if ((ret = default_check(state, translation, ctx)) < 0)
if ((ret = default_check(state, translation, ctx)) <= 0)
return ret;
switch (state) {
@ -1136,6 +1136,7 @@ static int fix_ec_paramgen_curve_nid(enum state state,
const struct translation_st *translation,
struct translation_ctx_st *ctx)
{
char *p2 = NULL;
int ret;
if ((ret = default_check(state, translation, ctx)) <= 0)
@ -1148,13 +1149,25 @@ static int fix_ec_paramgen_curve_nid(enum state state,
if (state == PRE_CTRL_TO_PARAMS) {
ctx->p2 = (char *)OBJ_nid2sn(ctx->p1);
ctx->p1 = 0;
} else if (state == PRE_PARAMS_TO_CTRL) {
/*
* We're translating from params to ctrl and setting the curve name.
* The ctrl function needs it to be a NID, but meanwhile, we need
* space to get the curve name from the param. |ctx->name_buf| is
* sufficient for that.
* The double indirection is necessary for default_fixup_args()'s
* call of OSSL_PARAM_get_utf8_string() to be done correctly.
*/
p2 = ctx->name_buf;
ctx->p2 = &p2;
ctx->sz = sizeof(ctx->name_buf);
}
if ((ret = default_fixup_args(state, translation, ctx)) <= 0)
return ret;
if (state == PRE_PARAMS_TO_CTRL) {
ctx->p1 = OBJ_sn2nid(ctx->p2);
ctx->p1 = OBJ_sn2nid(p2);
ctx->p2 = NULL;
}
@ -2140,6 +2153,46 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
EVP_PKEY_CTRL_GET_EC_KDF_UKM, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL },
/*-
* SM2
* ==
*/
{ SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN,
EVP_PKEY_CTRL_EC_PARAM_ENC, "ec_param_enc", NULL,
OSSL_PKEY_PARAM_EC_ENCODING, OSSL_PARAM_UTF8_STRING, fix_ec_param_enc },
{ SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN,
EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, "ec_paramgen_curve", NULL,
OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING,
fix_ec_paramgen_curve_nid },
/*
* EVP_PKEY_CTRL_EC_ECDH_COFACTOR and EVP_PKEY_CTRL_EC_KDF_TYPE are used
* both for setting and getting. The fixup function has to handle this...
*/
{ NONE, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_EC_ECDH_COFACTOR, "ecdh_cofactor_mode", NULL,
OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, OSSL_PARAM_INTEGER,
fix_ecdh_cofactor },
{ NONE, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_EC_KDF_TYPE, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_TYPE, OSSL_PARAM_UTF8_STRING, fix_ec_kdf_type },
{ SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_EC_KDF_MD, "ecdh_kdf_md", NULL,
OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
{ GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_GET_EC_KDF_MD, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
{ SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_EC_KDF_OUTLEN, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
{ GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
{ SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_EC_KDF_UKM, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_STRING, NULL },
{ GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_GET_EC_KDF_UKM, NULL, NULL,
OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL },
/*-
* RSA
* ===
@ -2307,8 +2360,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
*/
{ SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL,
OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
{ SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL,
OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
{ SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL,
OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
{ SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL,
OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
};
static const struct translation_st evp_pkey_translations[] = {
@ -2721,6 +2778,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
if (translation->fixup_args != NULL)
fixup = translation->fixup_args;
ctx.action_type = translation->action_type;
ctx.ctrl_cmd = translation->ctrl_num;
}
ctx.pctx = pctx;
ctx.params = params;

6
crypto/evp/digest.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -447,7 +447,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize)
if (isize != NULL) {
if (size <= UINT_MAX) {
*isize = (int)size;
*isize = (unsigned int)size;
} else {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
ret = 0;
@ -762,7 +762,7 @@ int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[])
return pctx->op.sig.signature->get_ctx_md_params(pctx->op.sig.algctx,
params);
if (ctx->digest != NULL && ctx->digest->get_params != NULL)
if (ctx->digest != NULL && ctx->digest->get_ctx_params != NULL)
return ctx->digest->get_ctx_params(ctx->algctx, params);
return 0;

6
crypto/evp/ec_ctrl.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -283,7 +283,9 @@ int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm)
*/
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid)
{
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN,
int keytype = nid == EVP_PKEY_SM2 ? EVP_PKEY_SM2 : EVP_PKEY_EC;
return EVP_PKEY_CTX_ctrl(ctx, keytype, EVP_PKEY_OP_TYPE_GEN,
EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID,
nid, NULL);
}

4
crypto/evp/evp_pbe.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -136,7 +136,7 @@ int EVP_PBE_CipherInit_ex(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
md = md_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(md_nid), propq);
/* Fallback to legacy method */
if (md == NULL)
EVP_get_digestbynid(md_nid);
md = EVP_get_digestbynid(md_nid);
if (md == NULL) {
(void)ERR_clear_last_mark();

4
crypto/evp/keymgmt_meth.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -378,7 +378,7 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx,
void evp_keymgmt_gen_cleanup(const EVP_KEYMGMT *keymgmt, void *genctx)
{
if (keymgmt->gen != NULL)
if (keymgmt->gen_cleanup != NULL)
keymgmt->gen_cleanup(genctx);
}

21
crypto/evp/p_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1324,6 +1324,8 @@ static int evp_pkey_asn1_ctrl(EVP_PKEY *pkey, int op, int arg1, void *arg2)
int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid)
{
if (pkey == NULL)
return 0;
return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid);
}
@ -1374,7 +1376,9 @@ int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, const unsigned char *pub,
size_t publen)
{
if (pkey != NULL && evp_pkey_is_provided(pkey))
if (pkey == NULL)
return 0;
if (evp_pkey_is_provided(pkey))
return
EVP_PKEY_set_octet_string_param(pkey,
OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
@ -1393,7 +1397,9 @@ size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub)
{
int rv;
if (pkey != NULL && evp_pkey_is_provided(pkey)) {
if (pkey == NULL)
return 0;
if (evp_pkey_is_provided(pkey)) {
size_t return_size = OSSL_PARAM_UNMODIFIED;
unsigned char *buf;
@ -2172,7 +2178,14 @@ int EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name,
goto err;
ret = OSSL_PARAM_get_BN(params, bn);
err:
OPENSSL_free(buf);
if (buf != NULL) {
if (OSSL_PARAM_modified(params))
OPENSSL_clear_free(buf, buf_sz);
else
OPENSSL_free(buf);
} else if (OSSL_PARAM_modified(params)) {
OPENSSL_cleanse(buffer, params[0].data_size);
}
return ret;
}

30
crypto/evp/pmeth_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -509,8 +509,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
if (pctx->op.kex.algctx != NULL) {
if (!ossl_assert(pctx->op.kex.exchange != NULL))
goto err;
rctx->op.kex.algctx
= pctx->op.kex.exchange->dupctx(pctx->op.kex.algctx);
if (pctx->op.kex.exchange->dupctx != NULL)
rctx->op.kex.algctx
= pctx->op.kex.exchange->dupctx(pctx->op.kex.algctx);
if (rctx->op.kex.algctx == NULL) {
EVP_KEYEXCH_free(rctx->op.kex.exchange);
rctx->op.kex.exchange = NULL;
@ -527,8 +530,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
if (pctx->op.sig.algctx != NULL) {
if (!ossl_assert(pctx->op.sig.signature != NULL))
goto err;
rctx->op.sig.algctx
= pctx->op.sig.signature->dupctx(pctx->op.sig.algctx);
if (pctx->op.sig.signature->dupctx != NULL)
rctx->op.sig.algctx
= pctx->op.sig.signature->dupctx(pctx->op.sig.algctx);
if (rctx->op.sig.algctx == NULL) {
EVP_SIGNATURE_free(rctx->op.sig.signature);
rctx->op.sig.signature = NULL;
@ -545,8 +551,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
if (pctx->op.ciph.algctx != NULL) {
if (!ossl_assert(pctx->op.ciph.cipher != NULL))
goto err;
rctx->op.ciph.algctx
= pctx->op.ciph.cipher->dupctx(pctx->op.ciph.algctx);
if (pctx->op.ciph.cipher->dupctx != NULL)
rctx->op.ciph.algctx
= pctx->op.ciph.cipher->dupctx(pctx->op.ciph.algctx);
if (rctx->op.ciph.algctx == NULL) {
EVP_ASYM_CIPHER_free(rctx->op.ciph.cipher);
rctx->op.ciph.cipher = NULL;
@ -563,8 +572,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
if (pctx->op.encap.algctx != NULL) {
if (!ossl_assert(pctx->op.encap.kem != NULL))
goto err;
rctx->op.encap.algctx
= pctx->op.encap.kem->dupctx(pctx->op.encap.algctx);
if (pctx->op.encap.kem->dupctx != NULL)
rctx->op.encap.algctx
= pctx->op.encap.kem->dupctx(pctx->op.encap.algctx);
if (rctx->op.encap.algctx == NULL) {
EVP_KEM_free(rctx->op.encap.kem);
rctx->op.encap.kem = NULL;

3
crypto/ffc/ffc_backend.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -111,6 +111,7 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
if (p1 != NULL) {
if (p1->data_type != OSSL_PARAM_UTF8_STRING)
goto err;
props = p1->data;
}
if (!ossl_ffc_set_digest(ffc, prm->data, props))
goto err;

4
crypto/ffc/ffc_params.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -182,6 +182,8 @@ int ossl_ffc_params_copy(FFC_PARAMS *dst, const FFC_PARAMS *src)
|| !ffc_bn_cpy(&dst->j, src->j))
return 0;
dst->mdname = src->mdname;
dst->mdprops = src->mdprops;
OPENSSL_free(dst->seed);
dst->seedlen = src->seedlen;
if (src->seed != NULL) {

13
crypto/http/http_client.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Siemens AG 2018-2020
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -1122,7 +1122,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
char *port;
char *path;
int use_ssl;
OSSL_HTTP_REQ_CTX *rctx;
OSSL_HTTP_REQ_CTX *rctx = NULL;
BIO *resp = NULL;
time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
@ -1148,10 +1148,12 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
NULL /* req */,
expected_ct, expect_asn1, max_resp_len,
-1 /* use same max time (timeout) */,
0 /* no keep_alive */))
0 /* no keep_alive */)) {
OSSL_HTTP_REQ_CTX_free(rctx);
else
rctx = NULL;
} else {
resp = OSSL_HTTP_exchange(rctx, &redirection_url);
}
}
OPENSSL_free(path);
if (resp == NULL && redirection_url != NULL) {
@ -1166,6 +1168,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
OPENSSL_free(host);
OPENSSL_free(port);
(void)OSSL_HTTP_close(rctx, 1);
rctx = NULL;
BIO_free(resp);
OPENSSL_free(current_url);
return NULL;
@ -1175,6 +1178,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
OPENSSL_free(host);
OPENSSL_free(port);
(void)OSSL_HTTP_close(rctx, 1);
rctx = NULL;
continue;
}
/* if redirection not allowed, ignore it */
@ -1184,6 +1188,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
OPENSSL_free(port);
if (!OSSL_HTTP_close(rctx, resp != NULL)) {
BIO_free(resp);
rctx = NULL;
resp = NULL;
}
break;

11
crypto/http/http_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -253,9 +253,9 @@ static int use_proxy(const char *no_proxy, const char *server)
* compatible with other HTTP client implementations like wget, curl and git
*/
if (no_proxy == NULL)
no_proxy = getenv("no_proxy");
no_proxy = ossl_safe_getenv("no_proxy");
if (no_proxy == NULL)
no_proxy = getenv(OPENSSL_NO_PROXY);
no_proxy = ossl_safe_getenv(OPENSSL_NO_PROXY);
if (no_proxy != NULL)
found = strstr(no_proxy, server);
@ -275,10 +275,9 @@ const char *OSSL_HTTP_adapt_proxy(const char *proxy, const char *no_proxy,
* compatible with other HTTP client implementations like wget, curl and git
*/
if (proxy == NULL)
proxy = getenv(use_ssl ? "https_proxy" : "http_proxy");
proxy = ossl_safe_getenv(use_ssl ? "https_proxy" : "http_proxy");
if (proxy == NULL)
proxy = getenv(use_ssl ? OPENSSL_HTTP_PROXY :
OPENSSL_HTTPS_PROXY);
proxy = ossl_safe_getenv(use_ssl ? OPENSSL_HTTP_PROXY : OPENSSL_HTTPS_PROXY);
if (proxy == NULL || *proxy == '\0' || !use_proxy(no_proxy, server))
return NULL;

789
crypto/modes/asm/aes-gcm-armv8_64.pl
View file

File diff suppressed because it is too large Load diff

21
crypto/objects/obj_dat.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
first = 1;
bl = NULL;
/*
* RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
*
* > 3.5. OBJECT IDENTIFIER values
* >
* > An OBJECT IDENTIFIER value is an ordered list of non-negative
* > numbers. For the SMIv2, each number in the list is referred to as a
* > sub-identifier, there are at most 128 sub-identifiers in a value,
* > and each sub-identifier has a maximum value of 2^32-1 (4294967295
* > decimal).
*
* So a legitimate OID according to this RFC is at most (32 * 128 / 7),
* i.e. 586 bytes long.
*
* Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
*/
if (len > 586)
goto err;
while (len > 0) {
l = 0;
use_bn = 0;

13
crypto/property/property.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -510,14 +510,15 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store,
int ret = 0;
int j, best = -1, score, optional;
#ifndef FIPS_MODULE
if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
return 0;
#endif
if (nid <= 0 || method == NULL || store == NULL)
return 0;
#ifndef FIPS_MODULE
if (ossl_lib_ctx_is_default(store->ctx)
&& !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
return 0;
#endif
/* This only needs to be a read lock, because the query won't create anything */
if (!ossl_property_read_lock(store))
return 0;

8
crypto/rand/rand_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -272,7 +272,13 @@ void RAND_add(const void *buf, int num, double randomness)
# endif
drbg = RAND_get0_primary(NULL);
if (drbg != NULL && num > 0)
# ifdef OPENSSL_RAND_SEED_NONE
/* Without an entropy source, we have to rely on the user */
EVP_RAND_reseed(drbg, 0, buf, num, NULL, 0);
# else
/* With an entropy source, we downgrade this to additional input */
EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
# endif
}
# if !defined(OPENSSL_NO_DEPRECATED_1_1_0)

18
crypto/rsa/rsa_chk.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -124,13 +124,17 @@ static int rsa_validate_keypair_multiprime(const RSA *key, BN_GENCB *cb)
ret = -1;
goto err;
}
if (!BN_div(m, NULL, l, m, ctx)) { /* remainder is 0 */
ret = -1;
goto err;
}
for (idx = 0; idx < ex_primes; idx++) {
pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
if (!BN_sub(k, pinfo->r, BN_value_one())) {
ret = -1;
goto err;
}
if (!BN_mul(l, l, k, ctx)) {
if (!BN_mul(l, m, k, ctx)) {
ret = -1;
goto err;
}
@ -138,12 +142,12 @@ static int rsa_validate_keypair_multiprime(const RSA *key, BN_GENCB *cb)
ret = -1;
goto err;
}
if (!BN_div(m, NULL, l, m, ctx)) { /* remainder is 0 */
ret = -1;
goto err;
}
}
if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
ret = -1;
goto err;
}
if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
if (!BN_mod_mul(i, key->d, key->e, m, ctx)) {
ret = -1;
goto err;
}

32
crypto/rsa/rsa_ossl.c
View file

@ -234,6 +234,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
* will only read the modulus from BN_BLINDING. In both cases it's safe
* to access the blinding without a lock.
*/
BN_set_flags(f, BN_FLG_CONSTTIME);
return BN_BLINDING_invert_ex(f, unblind, b, ctx);
}
@ -416,6 +417,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
rsa->n, ctx))
goto err;
if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
if (blinding == NULL) {
@ -453,13 +459,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
rsa->n, ctx)) {
BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(d);
@ -469,20 +468,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BN_free(d);
}
if (blinding) {
/*
* ossl_bn_rsa_do_unblind() combines blinding inversion and
* 0-padded BN BE serialization
*/
j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
buf, num);
if (j == 0)
if (blinding)
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
} else {
j = BN_bn2binpad(ret, buf, num);
if (j < 0)
goto err;
}
j = BN_bn2binpad(ret, buf, num);
if (j < 0)
goto err;
switch (padding) {
case RSA_PKCS1_PADDING:

11
crypto/rsa/rsa_sp800_56b_gen.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -361,6 +361,7 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed,
BN_CTX *ctx = NULL;
BIGNUM *e = NULL;
RSA_ACVP_TEST *info = NULL;
BIGNUM *tmp;
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
info = rsa->acvp_test;
@ -392,6 +393,14 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed,
/* (Step 2) Generate prime factors */
if (!ossl_rsa_fips186_4_gen_prob_primes(rsa, info, nbits, e, ctx, cb))
goto err;
/* p>q check and skipping in case of acvp test */
if (info == NULL && BN_cmp(rsa->p, rsa->q) < 0) {
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
/* (Steps 3-5) Compute params d, n, dP, dQ, qInv */
ok = ossl_rsa_sp800_56b_derive_params_from_pq(rsa, nbits, e, ctx);
if (ok < 0)

4
crypto/sm2/sm2_sign.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017 Ribose Inc. All Rights Reserved.
* Ported from Ribose contributions from Botan.
*
@ -454,7 +454,7 @@ int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen,
goto done;
}
sigleni = i2d_ECDSA_SIG(s, &sig);
sigleni = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
if (sigleni < 0) {
ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
goto done;

6
crypto/ui/ui_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -528,6 +528,10 @@ int UI_process(UI *ui)
ok = 0;
break;
}
} else {
ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
}
}

6
crypto/ui/ui_util.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt,
int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
int verify)
{
int ok = 0;
int ok = -2;
UI *ui;
if (size < 1)
@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
ok = UI_process(ui);
UI_free(ui);
}
if (ok > 0)
ok = 0;
return ok;
}

10
crypto/x509/pcy_local.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
};
struct X509_POLICY_TREE_st {
/* The number of nodes in the tree */
size_t node_count;
/* The maximum number of nodes in the tree */
size_t node_maximum;
/* This is the tree 'level' data */
X509_POLICY_LEVEL *levels;
int nlevel;
@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree);
X509_POLICY_TREE *tree,
int extra_data);
void ossl_policy_node_free(X509_POLICY_NODE *node);
int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);

26
crypto/x509/pcy_node.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree)
X509_POLICY_TREE *tree,
int extra_data)
{
X509_POLICY_NODE *node;
/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
return NULL;
node = OPENSSL_zalloc(sizeof(*node));
if (node == NULL) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
}
node->data = data;
node->parent = parent;
if (level) {
if (level != NULL) {
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (level->anyPolicy)
goto node_error;
@ -90,24 +95,33 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
}
}
if (tree) {
if (extra_data) {
if (tree->extra_data == NULL)
tree->extra_data = sk_X509_POLICY_DATA_new_null();
if (tree->extra_data == NULL){
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto node_error;
goto extra_data_error;
}
if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto node_error;
goto extra_data_error;
}
}
tree->node_count++;
if (parent)
parent->nchild++;
return node;
extra_data_error:
if (level != NULL) {
if (level->anyPolicy == node)
level->anyPolicy = NULL;
else
(void) sk_X509_POLICY_NODE_pop(level->nodes);
}
node_error:
ossl_policy_node_free(node);
return NULL;

54
crypto/x509/pcy_tree.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -14,6 +14,19 @@
#include "pcy_local.h"
/*
* If the maximum number of nodes in the policy tree isn't defined, set it to
* a generous default of 1000 nodes.
*
* Defining this to be zero means unlimited policy tree growth which opens the
* door on CVE-2023-0464.
*/
#ifndef OPENSSL_POLICY_TREE_NODES_MAX
# define OPENSSL_POLICY_TREE_NODES_MAX 1000
#endif
static void exnode_free(X509_POLICY_NODE *node);
static void expected_print(BIO *channel,
X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
int indent)
@ -163,6 +176,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
return X509_PCY_TREE_INTERNAL;
}
/* Limit the growth of the tree to mitigate CVE-2023-0464 */
tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
/*
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
*
@ -180,7 +196,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
if ((data = ossl_policy_data_new(NULL,
OBJ_nid2obj(NID_any_policy), 0)) == NULL)
goto bad_tree;
if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
ossl_policy_data_free(data);
goto bad_tree;
}
@ -239,7 +255,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
* Return value: 1 on success, 0 otherwise
*/
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data)
X509_POLICY_DATA *data,
X509_POLICY_TREE *tree)
{
X509_POLICY_LEVEL *last = curr - 1;
int i, matched = 0;
@ -249,13 +266,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (ossl_policy_node_match(last, node, data->valid_policy)) {
if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
return 0;
matched = 1;
}
}
if (!matched && last->anyPolicy) {
if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
return 0;
}
return 1;
@ -268,7 +285,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
* Return value: 1 on success, 0 otherwise.
*/
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache)
const X509_POLICY_CACHE *cache,
X509_POLICY_TREE *tree)
{
int i;
@ -276,7 +294,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
/* Look for matching nodes in previous level */
if (!tree_link_matching_nodes(curr, data))
if (!tree_link_matching_nodes(curr, data, tree))
return 0;
}
return 1;
@ -307,7 +325,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
ossl_policy_data_free(data);
return 0;
}
@ -370,7 +388,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
/* Finally add link to anyPolicy */
if (last->anyPolicy &&
ossl_policy_level_add_node(curr, cache->anyPolicy,
last->anyPolicy, NULL) == NULL)
last->anyPolicy, tree, 0) == NULL)
return 0;
return 1;
}
@ -553,15 +571,23 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
| POLICY_DATA_FLAG_EXTRA_NODE;
node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
tree);
tree, 1);
if (node == NULL) {
ossl_policy_data_free(extra);
return 0;
}
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
if (!tree->user_policies)
return 1;
if (!tree->user_policies) {
exnode_free(node);
return 0;
}
}
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
exnode_free(node);
return 0;
}
}
return 1;
}
@ -580,7 +606,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = ossl_policy_cache_set(curr->cert);
if (!tree_link_nodes(curr, cache))
if (!tree_link_nodes(curr, cache, tree))
return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)

7
crypto/x509/x509_txt.c
View file

@ -179,7 +179,7 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
return "subject signature algorithm and issuer public key algorithm mismatch";
case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
return "cert info siganature and signature algorithm mismatch";
return "cert info signature and signature algorithm mismatch";
case X509_V_ERR_INVALID_CA:
return "invalid CA certificate";
case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
@ -213,6 +213,11 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
return "Certificate public key has explicit ECC parameters";
/*
* Entries must be kept consistent with include/openssl/x509_vfy.h.in
* and with doc/man3/X509_STORE_CTX_get_error.pod
*/
default:
/* Printing an error number into a static buffer is not thread-safe */
return "unknown certificate verification error";

16
crypto/x509/x509_vfy.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
goto memerr;
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
int i;
int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
cbcalled = 1;
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
}
if (!cbcalled) {
/* Should not be able to get here */
ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
return 0;
}
/* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
@ -3413,7 +3421,7 @@ static int check_curve(X509 *cert)
ret = EVP_PKEY_get_int_param(pkey,
OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
&val);
return ret < 0 ? ret : !val;
return ret == 1 ? !val : -1;
}
return 1;

12
doc/build.info
View file

@ -4145,6 +4145,10 @@ DEPEND[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod
GENERATE[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod
DEPEND[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod
GENERATE[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod
DEPEND[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod
GENERATE[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod
DEPEND[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod
GENERATE[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod
DEPEND[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod
GENERATE[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod
DEPEND[man/man7/EVP_CIPHER-RC2.7]=man7/EVP_CIPHER-RC2.pod
@ -4289,6 +4293,10 @@ DEPEND[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod
GENERATE[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod
DEPEND[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod
GENERATE[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod
DEPEND[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod
GENERATE[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod
DEPEND[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod
GENERATE[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod
DEPEND[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod
GENERATE[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod
DEPEND[man/man7/EVP_MD-RIPEMD160.7]=man7/EVP_MD-RIPEMD160.pod
@ -4619,6 +4627,7 @@ html/man7/EVP_CIPHER-CAST.html \
html/man7/EVP_CIPHER-CHACHA.html \
html/man7/EVP_CIPHER-DES.html \
html/man7/EVP_CIPHER-IDEA.html \
html/man7/EVP_CIPHER-NULL.html \
html/man7/EVP_CIPHER-RC2.html \
html/man7/EVP_CIPHER-RC4.html \
html/man7/EVP_CIPHER-RC5.html \
@ -4655,6 +4664,7 @@ html/man7/EVP_MD-MD4.html \
html/man7/EVP_MD-MD5-SHA1.html \
html/man7/EVP_MD-MD5.html \
html/man7/EVP_MD-MDC2.html \
html/man7/EVP_MD-NULL.html \
html/man7/EVP_MD-RIPEMD160.html \
html/man7/EVP_MD-SHA1.html \
html/man7/EVP_MD-SHA2.html \
@ -4743,6 +4753,7 @@ man/man7/EVP_CIPHER-CAST.7 \
man/man7/EVP_CIPHER-CHACHA.7 \
man/man7/EVP_CIPHER-DES.7 \
man/man7/EVP_CIPHER-IDEA.7 \
man/man7/EVP_CIPHER-NULL.7 \
man/man7/EVP_CIPHER-RC2.7 \
man/man7/EVP_CIPHER-RC4.7 \
man/man7/EVP_CIPHER-RC5.7 \
@ -4779,6 +4790,7 @@ man/man7/EVP_MD-MD4.7 \
man/man7/EVP_MD-MD5-SHA1.7 \
man/man7/EVP_MD-MD5.7 \
man/man7/EVP_MD-MDC2.7 \
man/man7/EVP_MD-NULL.7 \
man/man7/EVP_MD-RIPEMD160.7 \
man/man7/EVP_MD-SHA1.7 \
man/man7/EVP_MD-SHA2.7 \

3
doc/fingerprints.txt
View file

@ -12,6 +12,9 @@ in the file named openssl-1.0.1h.tar.gz.asc.
The following is the list of fingerprints for the keys that are
currently in use to sign OpenSSL distributions:
OpenSSL OMC:
EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
Richard Levitte:
7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C

11
doc/internal/man3/ossl_cmp_certreq_new.pod
View file

@ -30,8 +30,8 @@ ossl_cmp_error_new
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
const OSSL_CRMF_CERTID *cid,
int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
const char *text);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId,
int fail_info, const char *text);
OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid);
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int poll_after);
@ -124,8 +124,9 @@ It does not protect the message if the B<status> value in I<si> is B<rejected>
and I<unprotectedErrors> is nonzero.
ossl_cmp_certConf_new() creates a Certificate Confirmation message for the last
received certificate. PKIStatus defaults to B<accepted> if the I<fail_info> bit
field is 0. Else it is taken as the failInfo of the PKIStatusInfo, PKIStatus is
received certificate with the given I<certReqId>.
The PKIStatus defaults to B<accepted> if the I<fail_info> bit field is 0.
Otherwise it is taken as the failInfo of the PKIStatusInfo, PKIStatus is
set to B<rejected>, and I<text> is copied to statusString unless it is NULL.
ossl_cmp_pkiconf_new() creates a PKI Confirmation message.
@ -167,7 +168,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

26
doc/internal/man3/ossl_cmp_mock_srv_new.pod
View file

@ -8,7 +8,7 @@ ossl_cmp_mock_srv_set1_certOut,
ossl_cmp_mock_srv_set1_chainOut,
ossl_cmp_mock_srv_set1_caPubsOut,
ossl_cmp_mock_srv_set_statusInfo,
ossl_cmp_mock_srv_set_send_error,
ossl_cmp_mock_srv_set_sendError,
ossl_cmp_mock_srv_set_pollCount,
ossl_cmp_mock_srv_set_checkAfterTime
- functions used for testing with CMP mock server
@ -27,7 +27,7 @@ ossl_cmp_mock_srv_set_checkAfterTime
STACK_OF(X509) *caPubs);
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text);
int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val);
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
@ -39,25 +39,27 @@ I<propq>, both of which may be NULL to select the defaults.
ossl_cmp_mock_srv_free() deallocates the contexts for the CMP mock server.
OSSL_CMP_SRV_CTX_set1_certOut() sets the certificate to be returned in
ossl_cmp_mock_srv_set1_certOut() sets the certificate to be returned in
cp/ip/kup.
OSSL_CMP_SRV_CTX_set1_chainOut() sets the certificate chain to be added to
ossl_cmp_mock_srv_set1_chainOut() sets the certificate chain to be added to
the extraCerts in a cp/ip/kup.
It should to useful to validate B<certOut>.
It should be useful for the validation of the certificate given via
ossl_cmp_mock_srv_set1_certOut().
OSSL_CMP_SRV_CTX_set1_caPubsOut() sets the caPubs to be returned in an ip.
ossl_cmp_mock_srv_set1_caPubsOut() sets the caPubs to be returned in an ip.
OSSL_CMP_SRV_CTX_set_statusInfo() sets the status info to be returned.
ossl_cmp_mock_srv_set_statusInfo() sets the status info to be returned.
OSSL_CMP_SRV_CTX_set_send_error() enables enforcement of error responses.
ossl_cmp_mock_srv_set_sendError() enables enforcement of error responses
for requests of the given I<bodytype>, or for all requests if I<bodytype> is 1.
A I<bodytype> of -1 can be used to disable this feature, which is the default.
OSSL_CMP_SRV_CTX_set_pollCount() sets the number of polls before cert response.
ossl_cmp_mock_srv_set_pollCount() sets the number of polls before cert response.
OSSL_CMP_SRV_CTX_set_checkAfterTime() sets the number of seconds
ossl_cmp_mock_srv_set_checkAfterTime() sets the number of seconds
the client should wait for the next poll.
=head1 NOTES
CMP is defined in RFC 4210 (and CRMF in RFC 4211).
@ -77,7 +79,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

8
doc/internal/man3/ossl_cmp_msg_protect.pod
View file

@ -25,7 +25,7 @@ using the credentials, library context, and property criteria in the I<ctx>.
ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm
depending on the available context information given in the I<ctx>.
If there is a secretValue it selects PBMAC, else if there is a protection cert
it selects Signature and uses L<ossl_cmp_msg_add_extraCerts(3)>.
it selects Signature and uses ossl_cmp_msg_add_extraCerts (see below).
It also sets the protectionAlg field in the message header accordingly.
ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in I<msg>.
@ -40,6 +40,10 @@ of the chain, i.e, the trust anchor (unless it is part of extraCertsOut).
CMP is defined in RFC 4210 (and CRMF in RFC 4211).
The I<ctx> parameter of ossl_cmp_msg_add_extraCerts()
and thus also of ossl_cmp_msg_protect() cannot be made I<const>
because I<ctx->chain> may get adapted to cache the chain of the CMP signer cert.
=head1 RETURN VALUES
ossl_cmp_calc_protection() returns the protection on success, else NULL.
@ -52,7 +56,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

8
doc/internal/man3/ossl_cmp_pkisi_get_status.pod
View file

@ -43,8 +43,8 @@ ossl_cmp_pkisi_check_pkifailureinfo
# define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
# define OSSL_CMP_PKIFAILUREINFO_MAX 26
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_CERTRESPONSE *crep);
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
const char *ossl_cmp_PKIStatus_to_string(int status);
OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si);
@ -55,7 +55,7 @@ ossl_cmp_pkisi_check_pkifailureinfo
ossl_cmp_certresponse_get1_cert() returns a pointer to a copy of the newly
enrolled certificate from the given certResponse I<crep>, or NULL on error.
In case of indirect POPO uses data from the I<ctx> and the private key I<pkey>.
Uses data from I<ctx>, which in case of indirect POPO includes the private key.
ossl_cmp_pkisi_get_status() returns the PKIStatus of I<si>, or -1 on error.
@ -89,7 +89,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

148
doc/man1/openssl-cmp.pod.in
View file

@ -248,12 +248,16 @@ e.g., C<1.2.3.4:int:56789>.
=item B<-newkey> I<filename>|I<uri>
The source of the private or public key for the certificate requested
in Initialization Request (IR), Certification Request(CR), or
Key Update Request (KUR).
The source of the private or public key for the certificate being requested.
Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option,
the public key of the reference certificate, or the current client key.
The public portion of the key is placed in the certification request.
Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the
private key will be needed as well to provide the proof of possession (POPO),
where the B<-key> option may provide a fallback.
=item B<-newkeypass> I<arg>
Pass phrase source for the key given with the B<-newkey> option.
@ -344,7 +348,7 @@ Flag the policies given with B<-policy_oids> as critical.
=item B<-popo> I<number>
Proof-of-Possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where
Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where
C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC.
Note that a signature-based POPO can only be produced if a private key
@ -354,15 +358,22 @@ is provided via the B<-newkey> or B<-key> options.
PKCS#10 CSR in PEM or DER format containing a certificate request.
With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message.
When used with B<-cmd> I<ir>, I<cr>, or I<kur>,
it is transformed into the respective regular CMP request,
while its public key is ignored if I<-newkey> is given.
It may also be used with B<-cmd> I<rr> to specify the certificate to be revoked
it is transformed into the respective regular CMP request.
In this case, a private key must be provided (with B<-newkey> or B<-key>)
for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used)
and the respective public key is placed in the certification request
(rather than taking over the public key contained in the PKCS#10 CSR).
PKCS#10 CSR input may also be used with B<-cmd> I<rr>
to specify the certificate to be revoked
via the included subject name and public key.
=item B<-out_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for validating the newly enrolled certificate.
During this verification, any certificate status checking is disabled.
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
@ -408,6 +419,7 @@ For RR the certificate to be revoked can also be specified using B<-csr>.
The reference certificate, if any, is also used for
deriving default subject DN and Subject Alternative Names and the
default issuer entry in the requested certificate template of an IR/CR/KUR.
Its public key is used as a fallback in the template of certification requests.
Its subject is used as sender of outgoing messages if B<-cert> is not given.
Its issuer is used as default recipient in CMP message headers
if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
@ -443,7 +455,8 @@ Reason numbers defined in RFC 5280 are:
The DNS hostname or IP address and optionally port
of the CMP server to connect to using HTTP(S).
This excludes I<-port> and I<-use_mock_srv> and is ignored with I<-rspin>.
This option excludes I<-port> and I<-use_mock_srv>.
It is ignored if I<-rspin> is given with enough filename arguments.
The scheme C<https> may be given only if the B<-tls_used> option is used.
In this case the default port is 443, else 80.
@ -523,15 +536,15 @@ Default is 0.
=item B<-trusted> I<filenames>|I<uris>
When validating signature-based protection of CMP response messages,
these are the CA certificate(s) to trust while checking certificate chains
during CMP server authentication.
This option gives more flexibility than the B<-srvcert> option because the
server-side CMP signer certificate is not pinned but may be any certificate
for which a chain to one of the given trusted certificates can be constructed.
The certificate(s), typically of root CAs, the client shall use as trust anchors
when validating signature-based protection of CMP response messages.
This option is ignored if the B<-srvcert> option is given as well.
It provides more flexibility than B<-srvcert> because the CMP protection
certificate of the server is not pinned but may be any certificate
from which a chain to one of the given trust anchors can be constructed.
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
then protected response messages from the server are not authenticated.
If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation
errors will be thrown unless B<-unprotected_errors> permits an exception.
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
@ -546,24 +559,24 @@ have no effect on the certificate verification enabled via this option.
Non-trusted intermediate CA certificate(s).
Any extra certificates given with the B<-cert> option are appended to it.
All these certificates may be useful for cert path construction
for the CMP client certificate (to include in the extraCerts field of outgoing
messages) and for the TLS client certificate (if TLS is enabled)
for the own CMP signer certificate (to include in the extraCerts field of
request messages) and for the TLS client certificate (if TLS is enabled)
as well as for chain building
when validating the CMP server certificate (checking signature-based
when validating server certificates (checking signature-based
CMP message protection) and when validating newly enrolled certificates.
Multiple sources may be given, separated by commas and/or whitespace.
Each file may contain multiple certificates.
Multiple filenames or URLs may be given, separated by commas and/or whitespace.
Each source may contain multiple certificates.
=item B<-srvcert> I<filename>|I<uri>
The specific CMP server certificate to expect and directly trust (even if it is
expired) when validating signature-based protection of CMP response messages.
May be set alternatively to the B<-trusted> option to pin the accepted server.
expired) when verifying signature-based protection of CMP response messages.
This pins the accepted server and results in ignoring the B<-trusted> option.
If set, the subject of the certificate is also used
as default value for the recipient of CMP requests
and as default value for the expected sender of incoming CMP messages.
and as default value for the expected sender of CMP responses.
=item B<-expect_sender> I<name>
@ -583,8 +596,8 @@ For details see the description of the B<-subject> option.
=item B<-ignore_keyusage>
Ignore key usage restrictions in CMP signer certificates when validating
signature-based protection of incoming CMP messages,
else C<digitalSignature> must be allowed for signer certificate.
signature-based protection of incoming CMP messages.
By default, C<digitalSignature> must be allowed by CMP signer certificates.
=item B<-unprotected_errors>
@ -659,17 +672,25 @@ L<openssl-passphrase-options(1)>.
The client's current CMP signer certificate.
Requires the corresponding key to be given with B<-key>.
The subject and the public key contained in this certificate
serve as fallback values in the certificate template of IR/CR/KUR messages.
The subject of this certificate will be used as sender of outgoing CMP messages,
while the subject of B<-oldcert> or B<-subjectName> may provide fallback values.
The issuer of this certificate is used as one of the recipient fallback values
and as fallback issuer entry in the certificate template of IR/CR/KUR.
and as fallback issuer entry in the certificate template of IR/CR/KUR messages.
When using signature-based message protection, this "protection certificate"
will be included first in the extraCerts field of outgoing messages
and the signature is done with the corresponding key.
In Initialization Request (IR) messages this can be used for authenticating
using an external entity certificate as defined in appendix E.7 of RFC 4210.
For Key Update Request (KUR) messages this is also used as
the certificate to be updated if the B<-oldcert> option is not given.
If the file includes further certs, they are appended to the untrusted certs
because they typically constitute the chain of the client certificate, which
is included in the extraCerts field in signature-protected request messages.
@ -695,6 +716,8 @@ the B<-cert> option.
This will be used for signature-based message protection unless
the B<-secret> option indicating PBM or B<-unprotected_requests> is given.
It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages.
=item B<-keypass> I<arg>
Pass phrase source for the private key given with the B<-key> option.
@ -709,7 +732,7 @@ L<openssl-passphrase-options(1)>.
Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG
and as the one-way function (OWF) in MSG_MAC_ALG.
If applicable, this is used for message protection and
Proof-of-Possession (POPO) signatures.
proof-of-possession (POPO) signatures.
To see the list of supported digests, use C<openssl list -digest-commands>.
Defaults to C<sha256>.
@ -732,7 +755,7 @@ Each source may contain multiple certificates.
=item B<-unprotected_requests>
Send messages without CMP-level protection.
Send request messages without CMP-level protection.
=back
@ -801,11 +824,14 @@ B<-tls_key>.
=item B<-tls_used>
Enable using TLS (even when other TLS_related options are not set)
when connecting to CMP server via HTTP.
This option is not supported with the I<-port> option
and is ignored with the I<-use_mock_srv> and I<-rspin> options
or if the I<-server> option is not given.
Enable using TLS (even when other TLS-related options are not set)
for message exchange with CMP server via HTTP.
This option is not supported with the I<-port> option.
It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given
or I<-rspin> is given with enough filename arguments.
The following TLS-related options are ignored
if B<-tls_used> is not given or does not take effect.
=item B<-tls_cert> I<filename>|I<uri>
@ -867,46 +893,71 @@ Default is one invocation.
=item B<-reqin> I<filenames>
Take sequence of CMP requests from file(s).
Take the sequence of CMP requests to send to the server from the given file(s)
rather than from the sequence of requests produced internally.
This option is ignored if the B<-rspin> option is given
because in the latter case no requests are actually sent.
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
As many files are read as needed for a complete transaction.
The files are read as far as needed to complete the transaction
and filenames have been provided. If more requests are needed,
the remaining ones are taken from the items at the respective position
in the sequence of requests produced internally.
The client needs to update the recipNonce field in the given requests (except
for the first one) in order to satisfy the checks to be performed by the server.
This causes re-protection (if protecting requests is required).
=item B<-reqin_new_tid>
Use a fresh transactionID for CMP request messages read using B<-reqin>,
which requires re-protecting them as far as they were protected before.
which causes their reprotection (if protecting requests is required).
This may be needed in case the sequence of requests is reused
and the CMP server complains that the transaction ID has already been used.
=item B<-reqout> I<filenames>
Save sequence of CMP requests to file(s).
Save the sequence of CMP requests created by the client to the given file(s).
These requests are not sent to the server if the B<-reqin> option is used, too.
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are written as needed to store the complete transaction.
Files are written as far as needed to save the transaction
and filenames have been provided.
If the transaction contains more requests, the remaining ones are not saved.
=item B<-rspin> I<filenames>
Process sequence of CMP responses provided in file(s), skipping server.
This excludes I<-server>, I<-port>, and I<-use_mock_srv>.
Process the sequence of CMP responses provided in the given file(s),
not contacting any given server,
as long as enough filenames are provided to complete the transaction.
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are read as needed for the complete transaction.
Any server specified via the I<-server> or I<-use_mock_srv> options is contacted
only if more responses are needed to complete the transaction.
In this case the transaction will fail
unless the server has been prepared to continue the already started transaction.
=item B<-rspout> I<filenames>
Save sequence of CMP responses to file(s).
Save the sequence of actually used CMP responses to the given file(s).
These have been received from the server unless B<-rspin> takes effect.
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are written as needed to store the complete transaction.
Files are written as far as needed to save the responses
contained in the transaction and filenames have been provided.
If the transaction contains more responses, the remaining ones are not saved.
=item B<-use_mock_srv>
Test the client using the internal CMP server mock-up at API level,
bypassing socket-based transfer via HTTP.
This excludes I<-server>, I<-port>, and I<-rspin>.
This excludes the B<-server> and B<-port> options.
=back
@ -917,7 +968,9 @@ This excludes I<-server>, I<-port>, and I<-rspin>.
=item B<-port> I<number>
Act as HTTP-based CMP server mock-up listening on the given port.
This excludes I<-server>, I<-rspin>, and I<-use_mock_srv>.
This excludes the B<-server> and B<-use_mock_srv> options.
The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options
so far are not supported in this mode.
=item B<-max_msgs> I<number>
@ -1022,10 +1075,11 @@ Accept missing or invalid protection of requests.
=item B<-accept_unprot_err>
Accept unprotected error messages from client.
So far this has no effect because the server does not accept any error messages.
=item B<-accept_raverified>
Accept RAVERIFED as proof-of-possession (POPO).
Accept RAVERIFED as proof of possession (POPO).
=back

3
doc/man1/openssl-enc.pod.in
View file

@ -129,7 +129,8 @@ This option enables the use of PBKDF2 algorithm to derive the key.
=item B<-pbkdf2>
Use PBKDF2 algorithm with default iteration count unless otherwise specified.
Use PBKDF2 algorithm with a default iteration count of 10000
unless otherwise specified by the B<-iter> command line option.
=item B<-nosalt>

6
doc/man1/openssl.pod
View file

@ -568,10 +568,12 @@ When a specific TLS version is required, only that version will be offered or
accepted.
Only one specific protocol can be given and it cannot be combined with any of
the B<no_> options.
The B<no_*> options do not work with B<s_time> and B<ciphers> commands but work with
B<s_client> and B<s_server> commands.
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
These options specify to use DTLS instead of DLTS.
These options specify to use DTLS instead of TLS.
With B<-dtls>, clients will negotiate any supported DTLS protocol version.
Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
respectively.
@ -831,7 +833,7 @@ that program with no arguments is now equivalent to C<openssl help>.
=head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
doc/man3/ASN1_STRING_new.pod
View file

@ -27,7 +27,7 @@ If I<a> is NULL nothing is done.
=head1 NOTES
Other string types call the B<ASN1_STRING> functions. For example
ASN1_OCTET_STRING_new() calls ASN1_STRING_type(V_ASN1_OCTET_STRING).
ASN1_OCTET_STRING_new() calls ASN1_STRING_type_new(V_ASN1_OCTET_STRING).
=head1 RETURN VALUES
@ -42,7 +42,7 @@ L<ERR_get_error(3)>
=head1 COPYRIGHT
Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

8
doc/man3/CMS_EncryptedData_decrypt.pod
View file

@ -21,10 +21,10 @@ to and I<flags> is an optional set of flags.
I<dcont> is used in the rare case where the encrypted content is detached. It
will normally be set to NULL.
The following flags can be passed in the B<flags> parameter.
The following flags can be passed in the I<flags> parameter.
If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted
from the content. If the content is not of type B<text/plain> then an error is
If the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted
from the content. If the content is not of type C<text/plain> then an error is
returned.
=head1 RETURN VALUES
@ -39,7 +39,7 @@ L<ERR_get_error(3)>, L<CMS_EncryptedData_encrypt(3)>
=head1 COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

12
doc/man3/CMS_add0_cert.pod
View file

@ -20,6 +20,8 @@ CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_ge
=head1 DESCRIPTION
CMS_add0_cert() and CMS_add1_cert() add certificate I<cert> to I<cms>.
This is used by L<CMS_sign_ex(3)> and L<CMS_sign(3)> and may be used before
calling L<CMS_verify(3)> to help chain building in certificate validation.
I<cms> must be of type signed data or (authenticated) enveloped data.
For signed data, such a certificate can be used when signing or verifying
to fill in the signer certificate or to provide an extra CA certificate
@ -29,7 +31,8 @@ CMS_get1_certs() returns all certificates in I<cms>.
CMS_add0_crl() and CMS_add1_crl() add CRL I<crl> to I<cms>.
I<cms> must be of type signed data or (authenticated) enveloped data.
For signed data, such a CRL may be used in certificate validation.
For signed data, such a CRL may be used in certificate validation
with L<CMS_verify(3)>.
It may be given both for inclusion when signing a CMS message
and when verifying a signed CMS message.
@ -48,8 +51,7 @@ As the I<0> implies CMS_add0_cert() adds I<cert> internally to I<cms> and it
must not be freed up after the call as opposed to CMS_add1_cert() where I<cert>
must be freed up.
The same certificate or CRL must not be added to the same cms structure more
than once.
The same certificate must not be added to the same cms structure more than once.
=head1 RETURN VALUES
@ -63,12 +65,12 @@ in practice is if the I<cms> type is invalid.
=head1 SEE ALSO
L<ERR_get_error(3)>,
L<CMS_sign(3)>,
L<CMS_sign(3)>, L<CMS_sign_ex(3)>, L<CMS_verify(3)>,
L<CMS_encrypt(3)>
=head1 COPYRIGHT
Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

74
doc/man3/CMS_decrypt.pod
View file

@ -2,8 +2,9 @@
=head1 NAME
CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, CMS_decrypt_set1_pkey - decrypt
content from a CMS envelopedData structure
CMS_decrypt, CMS_decrypt_set1_pkey_and_peer,
CMS_decrypt_set1_pkey, CMS_decrypt_set1_password
- decrypt content from a CMS envelopedData structure
=head1 SYNOPSIS
@ -14,23 +15,41 @@ content from a CMS envelopedData structure
int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms,
EVP_PKEY *pk, X509 *cert, X509 *peer);
int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
unsigned char *pass, ossl_ssize_t passlen);
=head1 DESCRIPTION
CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData
or AuthEnvelopedData structure. B<pkey> is the private key of the recipient,
B<cert> is the recipient's certificate, B<out> is a BIO to write the content to
and B<flags> is an optional set of flags.
The B<dcont> parameter is used in the rare case where the encrypted content
CMS_decrypt() extracts the decrypted content from a CMS EnvelopedData
or AuthEnvelopedData structure.
It uses CMS_decrypt_set1_pkey() to decrypt the content
with the recipient private key I<pkey> if I<pkey> is not NULL.
In this case, it is recommended to provide the associated certificate
in I<cert> - see the NOTES below.
I<out> is a BIO to write the content to and
I<flags> is an optional set of flags.
If I<pkey> is NULL the function assumes that decryption was already done
(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just
provides the content unless I<cert>, I<dcont>, and I<out> are NULL as well.
The I<dcont> parameter is used in the rare case where the encrypted content
is detached. It will normally be set to NULL.
CMS_decrypt_set1_pkey_and_peer() associates the private key B<pkey>, the
corresponding certificate B<cert> and the originator certificate B<peer> with
the CMS_ContentInfo structure B<cms>.
CMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I<cms>
using the private key I<pkey>, the corresponding certificate I<cert>, which is
recommended to be supplied but may be NULL,
and the (optional) originator certificate I<peer>.
On success, it also records in I<cms> the decryption key I<pkey>, and this
should be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>.
This call deallocates any decryption key stored in I<cms>.
CMS_decrypt_set1_pkey() associates the private key B<pkey>, corresponding
certificate B<cert> with the CMS_ContentInfo structure B<cms>.
CMS_decrypt_set1_pkey() is the same as
CMS_decrypt_set1_pkey_and_peer() with I<peer> being NULL.
CMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I<cms>
using the secret I<pass> of length I<passlen>.
On success, it also records in I<cms> the decryption key used, and this
should be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>.
This call deallocates any decryption key stored in I<cms>.
=head1 NOTES
@ -38,7 +57,7 @@ Although the recipients certificate is not needed to decrypt the data it is
needed to locate the appropriate (of possible several) recipients in the CMS
structure.
If B<cert> is set to NULL all possible recipients are tried. This case however
If I<cert> is set to NULL all possible recipients are tried. This case however
is problematic. To thwart the MMA attack (Bleichenbacher's attack on
PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
not. If no recipient succeeds then a random symmetric key is used to decrypt
@ -54,26 +73,32 @@ open to attack.
It is possible to determine the correct recipient key by other means (for
example looking them up in a database) and setting them in the CMS structure
in advance using the CMS utility functions such as CMS_set1_pkey(). In this
case both B<cert> and B<pkey> should be set to NULL.
in advance using the CMS utility functions such as CMS_set1_pkey(),
or use CMS_decrypt_set1_password() if the recipient has a symmetric key.
In these cases both I<cert> and I<pkey> should be set to NULL.
To process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key()
and CMS_RecipientInfo_decrypt() should be called before CMS_decrypt() and
B<cert> and B<pkey> set to NULL.
I<cert> and I<pkey> set to NULL.
The following flags can be passed in the B<flags> parameter.
The following flags can be passed in the I<flags> parameter.
If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted
from the content. If the content is not of type B<text/plain> then an error is
If the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted
from the content. If the content is not of type C<text/plain> then an error is
returned.
=head1 RETURN VALUES
CMS_decrypt() returns either 1 for success or 0 for failure.
The error can be obtained from ERR_get_error(3)
CMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(),
CMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password()
return either 1 for success or 0 for failure.
The error can be obtained from ERR_get_error(3).
=head1 BUGS
The B<set1_> part of these function names is misleading
and should better read: B<with_>.
The lack of single pass processing and the need to hold all data in memory as
mentioned in CMS_verify() also applies to CMS_decrypt().
@ -83,11 +108,12 @@ L<ERR_get_error(3)>, L<CMS_encrypt(3)>
=head1 HISTORY
B<CMS_decrypt_set1_pkey_and_peer> was added in OpenSSL 3.0.
CMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password()
were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

2
doc/man3/EC_GROUP_copy.pod
View file

@ -129,7 +129,7 @@ point_conversion_form_t is an enum defined as follows:
For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by
the octets for x, followed by the octets for y.
For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For
For any given x coordinate for a point on a curve it is possible to derive two possible y values. For
POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of
the two possible solutions for y has been used, followed by the octets for x.

4
doc/man3/EC_KEY_new.pod
View file

@ -128,7 +128,7 @@ EC_KEY_check_key() performs various sanity checks on the EC_KEY object to
confirm that it is valid.
EC_KEY_set_public_key_affine_coordinates() sets the public key for I<key> based
on its affine co-ordinates; i.e., it constructs an EC_POINT object based on
on its affine coordinates; i.e., it constructs an EC_POINT object based on
the supplied I<x> and I<y> values and sets the public key to be this
EC_POINT. It also performs certain sanity checks on the key to confirm
that it is valid.
@ -235,7 +235,7 @@ For replacement see L<EVP_PKEY-EC(7)>.
=head1 COPYRIGHT
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
doc/man3/EC_POINT_add.pod
View file

@ -44,7 +44,7 @@ EC_POINT_is_on_curve tests whether the supplied point is on the curve or not.
EC_POINT_cmp compares the two supplied points and tests whether or not they are equal.
The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the EC_POINT(s) into the affine
co-ordinate system. In the case of EC_POINTs_make_affine the value B<num> provides the number of points in the array B<points> to be
coordinate system. In the case of EC_POINTs_make_affine the value B<num> provides the number of points in the array B<points> to be
forced. These functions were deprecated in OpenSSL 3.0 and should no longer be used.
Modern versions automatically perform this conversion when needed.
@ -90,7 +90,7 @@ were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

28
doc/man3/EC_POINT_new.pod
View file

@ -124,9 +124,9 @@ public concept.
A valid point on a curve is the special point at infinity. A point is set to
be at infinity by calling EC_POINT_set_to_infinity().
The affine co-ordinates for a point describe a point in terms of its x and y
The affine coordinates for a point describe a point in terms of its x and y
position. The function EC_POINT_set_affine_coordinates() sets the B<x> and B<y>
co-ordinates for the point B<p> defined over the curve given in B<group>. The
coordinates for the point B<p> defined over the curve given in B<group>. The
function EC_POINT_get_affine_coordinates() sets B<x> and B<y>, either of which
may be NULL, to the corresponding coordinates of B<p>.
@ -140,27 +140,27 @@ EC_POINT_get_affine_coordinates_GF2m() are synonyms for
EC_POINT_get_affine_coordinates(). They are defined for backwards compatibility
only and should not be used.
As well as the affine co-ordinates, a point can alternatively be described in
terms of its Jacobian projective co-ordinates (for Fp curves only). Jacobian
projective co-ordinates are expressed as three values x, y and z. Working in
this co-ordinate system provides more efficient point multiplication
operations. A mapping exists between Jacobian projective co-ordinates and
affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written
as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian
projective from affine co-ordinates is simple. The co-ordinate (x, y) is mapped
As well as the affine coordinates, a point can alternatively be described in
terms of its Jacobian projective coordinates (for Fp curves only). Jacobian
projective coordinates are expressed as three values x, y and z. Working in
this coordinate system provides more efficient point multiplication
operations. A mapping exists between Jacobian projective coordinates and
affine coordinates. A Jacobian projective coordinate (x, y, z) can be written
as an affine coordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian
projective from affine coordinates is simple. The coordinate (x, y) is mapped
to (x, y, 1). Although deprecated in OpenSSL 3.0 and should no longer be used,
to set or get the projective co-ordinates in older versions use
to set or get the projective coordinates in older versions use
EC_POINT_set_Jprojective_coordinates_GFp() and
EC_POINT_get_Jprojective_coordinates_GFp() respectively.
Modern versions should instead use EC_POINT_set_affine_coordinates() and
EC_POINT_get_affine_coordinates(), performing the conversion manually using the
above maps in such rare circumstances.
Points can also be described in terms of their compressed co-ordinates. For a
Points can also be described in terms of their compressed coordinates. For a
point (x, y), for any given value for x such that the point is on the curve
there will only ever be two possible values for y. Therefore, a point can be set
using the EC_POINT_set_compressed_coordinates() function where B<x> is the x
co-ordinate and B<y_bit> is a value 0 or 1 to identify which of the two
coordinate and B<y_bit> is a value 0 or 1 to identify which of the two
possible values for y should be used.
The functions EC_POINT_set_compressed_coordinates_GFp() and
@ -269,7 +269,7 @@ added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

2
doc/man3/EVP_EncryptInit.pod
View file

@ -1065,7 +1065,7 @@ with an L<OSSL_PARAM(3)> item with the key
When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
with an L<OSSL_PARAM(3)> item with the key
"tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>)
"tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>)
followed by EVP_CIPHER_CTX_get_params() with a key of
"tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>).

16
doc/man3/EVP_PKEY_set1_RSA.pod
View file

@ -62,13 +62,16 @@ see L<openssl_user_macros(7)>:
EVP_PKEY_get_base_id() returns the type of I<pkey>. For example
an RSA key will return B<EVP_PKEY_RSA>.
EVP_PKEY_get_id() returns the actual OID associated with I<pkey>.
Historically keys using the same algorithm could use different OIDs.
For example an RSA key could use the OIDs corresponding to
EVP_PKEY_get_id() returns the actual NID associated with I<pkey>
only if the I<pkey> type isn't implemented just in a L<provider(7)>.
Historically keys using the same algorithm could use different NIDs.
For example an RSA key could use the NIDs corresponding to
the NIDs B<NID_rsaEncryption> (equivalent to B<EVP_PKEY_RSA>) or
B<NID_rsa> (equivalent to B<EVP_PKEY_RSA2>). The use of
alternative non-standard OIDs is now rare so B<EVP_PKEY_RSA2> et al are not
alternative non-standard NIDs is now rare so B<EVP_PKEY_RSA2> et al are not
often seen in practice.
EVP_PKEY_get_id() returns -1 (B<EVP_PKEY_KEYMGMT>) if the I<pkey> is
only implemented in a L<provider(7)>.
EVP_PKEY_type() returns the underlying type of the NID I<type>. For example
EVP_PKEY_type(EVP_PKEY_RSA2) will return B<EVP_PKEY_RSA>.
@ -142,6 +145,9 @@ EVP_PKEY_get_id(), EVP_PKEY_get_base_id(), EVP_PKEY_type()
For EVP_PKEY key type checking purposes, L<EVP_PKEY_is_a(3)> is more generic.
For purposes of retrieving the name of the B<EVP_PKEY> the function
L<EVP_PKEY_get0_type_name(3)> is more generally useful.
The keys returned from the functions EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(),
EVP_PKEY_get0_DH() and EVP_PKEY_get0_EC_KEY() were changed to have a "const"
return type in OpenSSL 3.0. As described above the keys returned may be cached
@ -222,7 +228,7 @@ It was removed in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

Some files were not shown because too many files have changed in this diff Show more