upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-18 18:20:26 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

OpenSSL: Merge OpenSSL 1.1.1u

Browse source 
(cherry picked from commit 8ecb489345f08012fdc92a202a40119891cac330)
This commit is contained in:
Jung-uk Kim 2023-05-30 10:24:15 -04:00
parent 60bd7f97b6
commit 8f1ef87a6b
29 changed files with 344 additions and 772 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
crypto/openssl/CHANGES
View file

@ -7,6 +7,64 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.1t and 1.1.1u [30 May 2023]
*) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier. (CVE-2023-2650)
To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of
the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[Richard Levitte]
*) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s. The new fix uses existing constant time
code paths, and restores the previous performance level while
fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support
by Hubert Kario.
[Bernd Edlinger]
*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0466)
[Tomas Mraz]
*) Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on the
certificate altogether. (CVE-2023-0465)
[Matt Caswell]
*) Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
unlimited growth. (CVE-2023-0464)
[Paul Dale]
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.

2
crypto/openssl/Configure
View file

@ -1246,7 +1246,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
}
if ($target =~ /linux.*-mips/ && !$disabled{asm}
&& !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
&& !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
# minimally required architecture flags for assembly modules
my $value;
$value = '-mips2' if ($target =~ /mips32/);

9
crypto/openssl/NEWS
View file

@ -5,6 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

4
crypto/openssl/README
View file

@ -1,7 +1,7 @@
OpenSSL 1.1.1t 7 Feb 2023
OpenSSL 1.1.1u 30 May 2023
Copyright (c) 1998-2022 The OpenSSL Project
Copyright (c) 1998-2023 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

4
crypto/openssl/crypto/aes/asm/bsaes-armv7.pl
View file

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -14,7 +14,7 @@
# details see http://www.openssl.org/~appro/cryptogams/.
#
# Specific modes and adaptation for Linux kernel by Ard Biesheuvel
# of Linaro. Permission to use under GPL terms is granted.
# of Linaro.
# ====================================================================
# Bit-sliced AES for ARM NEON

8
crypto/openssl/crypto/asn1/a_bitstr.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
int w, v, iv;
unsigned char *c;
if (n < 0)
return 0;
w = n / 8;
v = 1 << (7 - (n & 0x07));
iv = ~v;
@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
{
int w, v;
if (n < 0)
return 0;
w = n / 8;
v = 1 << (7 - (n & 0x07));
if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL))

1
crypto/openssl/crypto/bio/b_print.c
View file

@ -305,7 +305,6 @@ _dopr(char **sbuffer,
case 'G':
case 'g':
/* not implemented for UEFI */
ERR_raise(ERR_LIB_BIO, ERR_R_UNSUPPORTED);
return 0;
#endif
case 'c':

108
crypto/openssl/crypto/bn/bn_asm.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
#ifndef OPENSSL_SMALL_FOOTPRINT
while (n & ~3) {
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[0];
t1 = (t2 - t1) & BN_MASK2;
r[0] = t1;
c += (t1 > t2);
t1 = a[1];
t2 = b[1];
r[1] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[1];
t1 = (t2 - t1) & BN_MASK2;
r[1] = t1;
c += (t1 > t2);
t1 = a[2];
t2 = b[2];
r[2] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[2];
t1 = (t2 - t1) & BN_MASK2;
r[2] = t1;
c += (t1 > t2);
t1 = a[3];
t2 = b[3];
r[3] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[3];
t1 = (t2 - t1) & BN_MASK2;
r[3] = t1;
c += (t1 > t2);
a += 4;
b += 4;
r += 4;
@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
#endif
while (n) {
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
if (t1 != t2)
c = (t1 < t2);
t2 = (t1 - c) & BN_MASK2;
c = (t2 > t1);
t1 = b[0];
t1 = (t2 - t1) & BN_MASK2;
r[0] = t1;
c += (t1 > t2);
a++;
b++;
r++;
@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
@ -455,11 +465,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULLONG tt = t+c0; /* no carry */ \
c0 = (BN_ULONG)Lw(tt); \
hi = (BN_ULONG)Hw(tt); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
@ -468,7 +478,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
@ -483,26 +493,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo, hi; \
BN_UMULT_LOHI(lo,hi,ta,tb); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo, hi, tt; \
BN_UMULT_LOHI(lo,hi,ta,tb); \
c0 += lo; tt = hi+((c0<lo)?1:0); \
c1 += tt; c2 += (c1<tt)?1:0; \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; tt = hi + (c0<lo); \
c1 += tt; c2 += (c1<tt); \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
BN_ULONG ta = (a)[i]; \
BN_ULONG lo, hi; \
BN_UMULT_LOHI(lo,hi,ta,ta); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
@ -517,26 +527,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo = ta * tb; \
BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
BN_ULONG ta = (a), tb = (b), tt; \
BN_ULONG lo = ta * tb; \
BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
c0 += lo; tt = hi + ((c0<lo)?1:0); \
c1 += tt; c2 += (c1<tt)?1:0; \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; tt = hi + (c0<lo); \
c1 += tt; c2 += (c1<tt); \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
BN_ULONG ta = (a)[i]; \
BN_ULONG lo = ta * ta; \
BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \
c0 += lo; hi += (c0<lo)?1:0; \
c1 += hi; c2 += (c1<hi)?1:0; \
c0 += lo; hi += (c0<lo); \
c1 += hi; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \
@ -551,8 +561,8 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG lo = LBITS(a), hi = HBITS(a); \
BN_ULONG bl = LBITS(b), bh = HBITS(b); \
mul64(lo,hi,bl,bh); \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define mul_add_c2(a,b,c0,c1,c2) do { \
@ -561,17 +571,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG bl = LBITS(b), bh = HBITS(b); \
mul64(lo,hi,bl,bh); \
tt = hi; \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \
c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c0 = (c0+lo)&BN_MASK2; tt += (c0<lo); \
c1 = (c1+tt)&BN_MASK2; c2 += (c1<tt); \
c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c(a,i,c0,c1,c2) do { \
BN_ULONG lo, hi; \
sqr64(lo,hi,(a)[i]); \
c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \
c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \
} while(0)
# define sqr_add_c2(a,i,j,c0,c1,c2) \

17
crypto/openssl/crypto/bn/bn_blind.c
View file

@ -13,6 +13,20 @@
#define BN_BLINDING_COUNTER 32
struct bn_blinding_st {
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
CRYPTO_THREAD_ID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
CRYPTO_RWLOCK *lock;
};
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
{
BN_BLINDING *ret = NULL;
@ -177,7 +191,8 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
n->top = (int)(rtop & ~mask) | (ntop & mask);
n->flags |= (BN_FLG_FIXED_TOP & ~mask);
}
ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx);
bn_correct_top_consttime(n);
} else {
ret = BN_mod_mul(n, n, r, b->mod, ctx);
}

2
crypto/openssl/crypto/bn/bn_err.c
View file

@ -73,8 +73,6 @@ static const ERR_STRING_DATA BN_str_functs[] = {
{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
{ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
"ossl_bn_rsa_do_unblind"},
{0, NULL}
};

24
crypto/openssl/crypto/bn/bn_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1001,6 +1001,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words)
return (words <= a->dmax) ? a : bn_expand2(a, words);
}
void bn_correct_top_consttime(BIGNUM *a)
{
int j, atop;
BN_ULONG limb;
unsigned int mask;
for (j = 0, atop = 0; j < a->dmax; j++) {
limb = a->d[j];
limb |= 0 - limb;
limb >>= BN_BITS2 - 1;
limb = 0 - limb;
mask = (unsigned int)limb;
mask &= constant_time_msb(j - a->top);
atop = constant_time_select_int(mask, j + 1, atop);
}
mask = constant_time_eq_int(atop, 0);
a->top = atop;
a->neg = constant_time_select_int(mask, 0, a->neg);
a->flags &= ~BN_FLG_FIXED_TOP;
}
void bn_correct_top(BIGNUM *a)
{
BN_ULONG *ftl;

40
crypto/openssl/crypto/bn/bn_local.h
View file

@ -283,20 +283,6 @@ struct bn_gencb_st {
} cb;
};
struct bn_blinding_st {
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
CRYPTO_THREAD_ID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
CRYPTO_RWLOCK *lock;
};
/*-
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
*
@ -529,10 +515,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
ret = (r); \
BN_UMULT_LOHI(low,high,w,tmp); \
ret += (c); \
(c) = (ret<(c))?1:0; \
(c) = (ret<(c)); \
(c) += high; \
ret += low; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -541,7 +527,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
BN_UMULT_LOHI(low,high,w,ta); \
ret = low + (c); \
(c) = high; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -557,10 +543,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
high= BN_UMULT_HIGH(w,tmp); \
ret += (c); \
low = (w) * tmp; \
(c) = (ret<(c))?1:0; \
(c) = (ret<(c)); \
(c) += high; \
ret += low; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -570,7 +556,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
high= BN_UMULT_HIGH(w,ta); \
ret = low + (c); \
(c) = high; \
(c) += (ret<low)?1:0; \
(c) += (ret<low); \
(r) = ret; \
}
@ -603,10 +589,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
lt=(bl)*(lt); \
m1=(bl)*(ht); \
ht =(bh)*(ht); \
m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
m=(m+m1)&BN_MASK2; ht += L2HBITS((BN_ULONG)(m < m1)); \
ht+=HBITS(m); \
m1=L2HBITS(m); \
lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
lt=(lt+m1)&BN_MASK2; ht += (lt < m1); \
(l)=lt; \
(h)=ht; \
}
@ -623,7 +609,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
h*=h; \
h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
m =(m&BN_MASK2l)<<(BN_BITS4+1); \
l=(l+m)&BN_MASK2; if (l < m) h++; \
l=(l+m)&BN_MASK2; h += (l < m); \
(lo)=l; \
(ho)=h; \
}
@ -637,9 +623,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
mul64(l,h,(bl),(bh)); \
\
/* non-multiply part */ \
l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
l=(l+(c))&BN_MASK2; h += (l < (c)); \
(c)=(r); \
l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
l=(l+(c))&BN_MASK2; h += (l < (c)); \
(c)=h&BN_MASK2; \
(r)=l; \
}
@ -653,7 +639,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
mul64(l,h,(bl),(bh)); \
\
/* non-multiply part */ \
l+=(c); if ((l&BN_MASK2) < (c)) h++; \
l+=(c); h += ((l&BN_MASK2) < (c)); \
(c)=h&BN_MASK2; \
(r)=l&BN_MASK2; \
}
@ -683,7 +669,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int cl, int dl);
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
const BN_ULONG *np, const BN_ULONG *n0, int num);
void bn_correct_top_consttime(BIGNUM *a);
BIGNUM *int_bn_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
int *noinv);

3
crypto/openssl/crypto/bn/build.info
View file

@ -5,8 +5,7 @@ SOURCE[../../libcrypto]=\
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
{- $target{bn_asm_src} -} \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
rsa_sup_mul.c
bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
INCLUDE[bn_exp.o]=..

614
crypto/openssl/crypto/bn/rsa_sup_mul.c
View file

@ -1,614 +0,0 @@
#include <openssl/e_os2.h>
#include <stddef.h>
#include <sys/types.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/rsaerr.h>
#include "internal/numbers.h"
#include "internal/constant_time.h"
#include "bn_local.h"
# if BN_BYTES == 8
typedef uint64_t limb_t;
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
/* nonstandard; implemented by gcc on 64-bit platforms */
typedef __uint128_t limb2_t;
# define HAVE_LIMB2_T
# endif
# define LIMB_BIT_SIZE 64
# define LIMB_BYTE_SIZE 8
# elif BN_BYTES == 4
typedef uint32_t limb_t;
typedef uint64_t limb2_t;
# define LIMB_BIT_SIZE 32
# define LIMB_BYTE_SIZE 4
# define HAVE_LIMB2_T
# else
# error "Not supported"
# endif
/*
* For multiplication we're using schoolbook multiplication,
* so if we have two numbers, each with 6 "digits" (words)
* the multiplication is calculated as follows:
* A B C D E F
* x I J K L M N
* --------------
* N*F
* N*E
* N*D
* N*C
* N*B
* N*A
* M*F
* M*E
* M*D
* M*C
* M*B
* M*A
* L*F
* L*E
* L*D
* L*C
* L*B
* L*A
* K*F
* K*E
* K*D
* K*C
* K*B
* K*A
* J*F
* J*E
* J*D
* J*C
* J*B
* J*A
* I*F
* I*E
* I*D
* I*C
* I*B
* + I*A
* ==========================
* N*B N*D N*F
* + N*A N*C N*E
* + M*B M*D M*F
* + M*A M*C M*E
* + L*B L*D L*F
* + L*A L*C L*E
* + K*B K*D K*F
* + K*A K*C K*E
* + J*B J*D J*F
* + J*A J*C J*E
* + I*B I*D I*F
* + I*A I*C I*E
*
* 1+1 1+3 1+5
* 1+0 1+2 1+4
* 0+1 0+3 0+5
* 0+0 0+2 0+4
*
* 0 1 2 3 4 5 6
* which requires n^2 multiplications and 2n full length additions
* as we can keep every other result of limb multiplication in two separate
* limbs
*/
#if defined HAVE_LIMB2_T
static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
{
limb2_t t;
/*
* this is idiomatic code to tell compiler to use the native mul
* those three lines will actually compile to single instruction
*/
t = (limb2_t)a * b;
*hi = t >> LIMB_BIT_SIZE;
*lo = (limb_t)t;
}
#elif (BN_BYTES == 8) && (defined _MSC_VER)
/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
#pragma intrinsic(_umul128)
static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
{
*lo = _umul128(a, b, hi);
}
#else
/*
* if the compiler doesn't have either a 128bit data type nor a "return
* high 64 bits of multiplication"
*/
static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
{
limb_t a_low = (limb_t)(uint32_t)a;
limb_t a_hi = a >> 32;
limb_t b_low = (limb_t)(uint32_t)b;
limb_t b_hi = b >> 32;
limb_t p0 = a_low * b_low;
limb_t p1 = a_low * b_hi;
limb_t p2 = a_hi * b_low;
limb_t p3 = a_hi * b_hi;
uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
*lo = p0 + (p1 << 32) + (p2 << 32);
*hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
}
#endif
/* add two limbs with carry in, return carry out */
static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
{
limb_t carry1, carry2, t;
/*
* `c = a + b; if (c < a)` is idiomatic code that makes compilers
* use add with carry on assembly level
*/
*ret = a + carry;
if (*ret < a)
carry1 = 1;
else
carry1 = 0;
t = *ret;
*ret = t + b;
if (*ret < t)
carry2 = 1;
else
carry2 = 0;
return carry1 + carry2;
}
/*
* add two numbers of the same size, return overflow
*
* add a to b, place result in ret; all arrays need to be n limbs long
* return overflow from addition (0 or 1)
*/
static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
{
limb_t c = 0;
ossl_ssize_t i;
for(i = n - 1; i > -1; i--)
c = _add_limb(&ret[i], a[i], b[i], c);
return c;
}
/*
* return number of limbs necessary for temporary values
* when multiplying numbers n limbs large
*/
static ossl_inline size_t mul_limb_numb(size_t n)
{
return 2 * n * 2;
}
/*
* multiply two numbers of the same size
*
* multiply a by b, place result in ret; a and b need to be n limbs long
* ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
* long
*/
static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
{
limb_t *r_odd, *r_even;
size_t i, j, k;
r_odd = tmp;
r_even = &tmp[2 * n];
memset(ret, 0, 2 * n * sizeof(limb_t));
for (i = 0; i < n; i++) {
for (k = 0; k < i + n + 1; k++) {
r_even[k] = 0;
r_odd[k] = 0;
}
for (j = 0; j < n; j++) {
/*
* place results from even and odd limbs in separate arrays so that
* we don't have to calculate overflow every time we get individual
* limb multiplication result
*/
if (j % 2 == 0)
_mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
else
_mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
}
/*
* skip the least significant limbs when adding multiples of
* more significant limbs (they're zero anyway)
*/
add(ret, ret, r_even, n + i + 1);
add(ret, ret, r_odd, n + i + 1);
}
}
/* modifies the value in place by performing a right shift by one bit */
static ossl_inline void rshift1(limb_t *val, size_t n)
{
limb_t shift_in = 0, shift_out = 0;
size_t i;
for (i = 0; i < n; i++) {
shift_out = val[i] & 1;
val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
shift_in = shift_out;
}
}
/* extend the LSB of flag to all bits of limb */
static ossl_inline limb_t mk_mask(limb_t flag)
{
flag |= flag << 1;
flag |= flag << 2;
flag |= flag << 4;
flag |= flag << 8;
flag |= flag << 16;
#if (LIMB_BYTE_SIZE == 8)
flag |= flag << 32;
#endif
return flag;
}
/*
* copy from either a or b to ret based on flag
* when flag == 0, then copies from b
* when flag == 1, then copies from a
*/
static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
{
/*
* would be more efficient with non volatile mask, but then gcc
* generates code with jumps
*/
volatile limb_t mask;
size_t i;
mask = mk_mask(flag);
for (i = 0; i < n; i++) {
#if (LIMB_BYTE_SIZE == 8)
ret[i] = constant_time_select_64(mask, a[i], b[i]);
#else
ret[i] = constant_time_select_32(mask, a[i], b[i]);
#endif
}
}
static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
{
limb_t borrow1, borrow2, t;
/*
* while it doesn't look constant-time, this is idiomatic code
* to tell compilers to use the carry bit from subtraction
*/
*ret = a - borrow;
if (*ret > a)
borrow1 = 1;
else
borrow1 = 0;
t = *ret;
*ret = t - b;
if (*ret > t)
borrow2 = 1;
else
borrow2 = 0;
return borrow1 + borrow2;
}
/*
* place the result of a - b into ret, return the borrow bit.
* All arrays need to be n limbs long
*/
static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
{
limb_t borrow = 0;
ossl_ssize_t i;
for (i = n - 1; i > -1; i--)
borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
return borrow;
}
/* return the number of limbs necessary to allocate for the mod() tmp operand */
static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
{
return (anum + modnum) * 3;
}
/*
* calculate a % mod, place the result in ret
* size of a is defined by anum, size of ret and mod is modnum,
* size of tmp is returned by mod_limb_numb()
*/
static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
size_t modnum, limb_t *tmp)
{
limb_t *atmp, *modtmp, *rettmp;
limb_t res;
size_t i;
memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
atmp = tmp;
modtmp = &tmp[anum + modnum];
rettmp = &tmp[(anum + modnum) * 2];
for (i = modnum; i <modnum + anum; i++)
atmp[i] = a[i-modnum];
for (i = 0; i < modnum; i++)
modtmp[i] = mod[i];
for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
rshift1(modtmp, anum + modnum);
res = sub(rettmp, atmp, modtmp, anum+modnum);
cselect(res, atmp, atmp, rettmp, anum+modnum);
}
memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
}
/* necessary size of tmp for a _mul_add_limb() call with provided anum */
static ossl_inline size_t _mul_add_limb_numb(size_t anum)
{
return 2 * (anum + 1);
}
/* multiply a by m, add to ret, return carry */
static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
limb_t m, limb_t *tmp)
{
limb_t carry = 0;
limb_t *r_odd, *r_even;
size_t i;
memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
r_odd = tmp;
r_even = &tmp[anum + 1];
for (i = 0; i < anum; i++) {
/*
* place the results from even and odd limbs in separate arrays
* so that we have to worry about carry just once
*/
if (i % 2 == 0)
_mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
else
_mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
}
/* assert: add() carry here will be equal zero */
add(r_even, r_even, r_odd, anum + 1);
/*
* while here it will not overflow as the max value from multiplication
* is -2 while max overflow from addition is 1, so the max value of
* carry is -1 (i.e. max int)
*/
carry = add(ret, ret, &r_even[1], anum) + r_even[0];
return carry;
}
static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
{
return modnum * 2 + _mul_add_limb_numb(modnum);
}
/*
* calculate a % mod, place result in ret
* assumes that a is in Montgomery form with the R (Montgomery modulus) being
* smallest power of two big enough to fit mod and that's also a power
* of the count of number of bits in limb_t (B).
* For calculation, we also need n', such that mod * n' == -1 mod B.
* anum must be <= 2 * modnum
* ret needs to be modnum words long
* tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
*/
static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
size_t modnum, limb_t ni0, limb_t *tmp)
{
limb_t carry, v;
limb_t *res, *rp, *tmp2;
ossl_ssize_t i;
res = tmp;
/*
* for intermediate result we need an integer twice as long as modulus
* but keep the input in the least significant limbs
*/
memset(res, 0, sizeof(limb_t) * (modnum * 2));
memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
rp = &res[modnum];
tmp2 = &res[modnum * 2];
carry = 0;
/* add multiples of the modulus to the value until R divides it cleanly */
for (i = modnum; i > 0; i--, rp--) {
v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
v = v + carry + rp[-1];
carry |= (v != rp[-1]);
carry &= (v <= rp[-1]);
rp[-1] = v;
}
/* perform the final reduction by mod... */
carry -= sub(ret, rp, mod, modnum);
/* ...conditionally */
cselect(carry, ret, rp, ret, modnum);
}
/* allocated buffer should be freed afterwards */
static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
{
int i;
int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
limb_t *ptr = buf + (limbs - real_limbs);
for (i = 0; i < real_limbs; i++)
ptr[i] = bn->d[real_limbs - i - 1];
}
#if LIMB_BYTE_SIZE == 8
static ossl_inline uint64_t be64(uint64_t host)
{
const union {
long one;
char little;
} is_endian = { 1 };
if (is_endian.little) {
uint64_t big = 0;
big |= (host & 0xff00000000000000) >> 56;
big |= (host & 0x00ff000000000000) >> 40;
big |= (host & 0x0000ff0000000000) >> 24;
big |= (host & 0x000000ff00000000) >> 8;
big |= (host & 0x00000000ff000000) << 8;
big |= (host & 0x0000000000ff0000) << 24;
big |= (host & 0x000000000000ff00) << 40;
big |= (host & 0x00000000000000ff) << 56;
return big;
} else {
return host;
}
}
#else
/* Not all platforms have htobe32(). */
static ossl_inline uint32_t be32(uint32_t host)
{
const union {
long one;
char little;
} is_endian = { 1 };
if (is_endian.little) {
uint32_t big = 0;
big |= (host & 0xff000000) >> 24;
big |= (host & 0x00ff0000) >> 8;
big |= (host & 0x0000ff00) << 8;
big |= (host & 0x000000ff) << 24;
return big;
} else {
return host;
}
}
#endif
/*
* We assume that intermediate, possible_arg2, blinding, and ctx are used
* similar to BN_BLINDING_invert_ex() arguments.
* to_mod is RSA modulus.
* buf and num is the serialization buffer and its length.
*
* Here we use classic/Montgomery multiplication and modulo. After the calculation finished
* we serialize the new structure instead of BIGNUMs taking endianness into account.
*/
int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
const BN_BLINDING *blinding,
const BIGNUM *possible_arg2,
const BIGNUM *to_mod, BN_CTX *ctx,
unsigned char *buf, int num)
{
limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
size_t l_tmp_count = 0;
int ret = 0;
size_t i;
unsigned char *tmp;
const BIGNUM *arg1 = intermediate;
const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
goto err;
BN_to_limb(arg1, l_im, l_size);
BN_to_limb(arg2, l_mul, l_size);
BN_to_limb(to_mod, l_mod, l_mod_count);
l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
if (blinding->m_ctx != NULL) {
l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
} else {
l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
}
if ((l_ret == NULL) || (l_tmp == NULL))
goto err;
if (blinding->m_ctx != NULL) {
limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
blinding->m_ctx->n0[0], l_tmp);
} else {
limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
}
/* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
if (num < BN_num_bytes(to_mod)) {
BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
goto err;
}
memset(buf, 0, num);
tmp = buf + num - BN_num_bytes(to_mod);
for (i = 0; i < l_mod_count; i++) {
#if LIMB_BYTE_SIZE == 8
l_buf = be64(l_ret[i]);
#else
l_buf = be32(l_ret[i]);
#endif
if (i == 0) {
int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
tmp += delta;
} else {
memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
tmp += LIMB_BYTE_SIZE;
}
}
ret = num;
err:
OPENSSL_free(l_im);
OPENSSL_free(l_mul);
OPENSSL_free(l_mod);
OPENSSL_free(l_tmp);
OPENSSL_free(l_ret);
return ret;
}

7
crypto/openssl/crypto/conf/conf_sap.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -43,16 +43,19 @@ void OPENSSL_config(const char *appname)
int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings)
{
int ret = 0;
#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)
const char *filename;
const char *appname;
unsigned long flags;
#endif
if (openssl_configured)
return 1;
#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)
filename = settings ? settings->filename : NULL;
appname = settings ? settings->appname : NULL;
flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS;
#endif
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n",

3
crypto/openssl/crypto/err/openssl.txt
View file

@ -1,4 +1,4 @@
# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -232,7 +232,6 @@ BN_F_BN_RSHIFT:146:BN_rshift
BN_F_BN_SET_WORDS:144:bn_set_words
BN_F_BN_STACK_PUSH:148:BN_STACK_push
BN_F_BN_USUB:115:BN_usub
BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
BUF_F_BUF_MEM_NEW:101:BUF_MEM_new

21
crypto/openssl/crypto/objects/obj_dat.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
first = 1;
bl = NULL;
/*
* RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
*
* > 3.5. OBJECT IDENTIFIER values
* >
* > An OBJECT IDENTIFIER value is an ordered list of non-negative
* > numbers. For the SMIv2, each number in the list is referred to as a
* > sub-identifier, there are at most 128 sub-identifiers in a value,
* > and each sub-identifier has a maximum value of 2^32-1 (4294967295
* > decimal).
*
* So a legitimate OID according to this RFC is at most (32 * 128 / 7),
* i.e. 586 bytes long.
*
* Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
*/
if (len > 586)
goto err;
while (len > 0) {
l = 0;
use_bn = 0;

30
crypto/openssl/crypto/rsa/rsa_ossl.c
View file

@ -226,6 +226,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
* will only read the modulus from BN_BLINDING. In both cases it's safe
* to access the blinding without a lock.
*/
BN_set_flags(f, BN_FLG_CONSTTIME);
return BN_BLINDING_invert_ex(f, unblind, b, ctx);
}
@ -412,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
rsa->n, ctx))
goto err;
if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
if (blinding == NULL) {
@ -449,13 +455,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
rsa->n, ctx)) {
BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(d);
@ -465,20 +464,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BN_free(d);
}
if (blinding) {
/*
* ossl_bn_rsa_do_unblind() combines blinding inversion and
* 0-padded BN BE serialization
*/
j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
buf, num);
if (j == 0)
if (blinding)
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
} else {
j = BN_bn2binpad(ret, buf, num);
if (j < 0)
goto err;
}
j = BN_bn2binpad(ret, buf, num);
switch (padding) {
case RSA_PKCS1_PADDING:

6
crypto/openssl/crypto/ui/ui_lib.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -529,6 +529,10 @@ int UI_process(UI *ui)
ok = 0;
break;
}
} else {
ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
}
}

6
crypto/openssl/crypto/ui/ui_util.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt,
int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
int verify)
{
int ok = 0;
int ok = -2;
UI *ui;
if (size < 1)
@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
ok = UI_process(ui);
UI_free(ui);
}
if (ok > 0)
ok = 0;
return ok;
}

13
crypto/openssl/crypto/x509/x509_vfy.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
int i;
int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
cbcalled = 1;
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
if (!cbcalled) {
/* Should not be able to get here */
X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
return 0;
}
/* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {

10
crypto/openssl/crypto/x509v3/pcy_local.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
};
struct X509_POLICY_TREE_st {
/* The number of nodes in the tree */
size_t node_count;
/* The maximum number of nodes in the tree */
size_t node_maximum;
/* This is the tree 'level' data */
X509_POLICY_LEVEL *levels;
int nlevel;
@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree);
X509_POLICY_TREE *tree,
int extra_data);
void policy_node_free(X509_POLICY_NODE *node);
int policy_node_match(const X509_POLICY_LEVEL *lvl,
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);

26
crypto/openssl/crypto/x509v3/pcy_node.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree)
X509_POLICY_TREE *tree,
int extra_data)
{
X509_POLICY_NODE *node;
/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
return NULL;
node = OPENSSL_zalloc(sizeof(*node));
if (node == NULL) {
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
}
node->data = data;
node->parent = parent;
if (level) {
if (level != NULL) {
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (level->anyPolicy)
goto node_error;
@ -90,24 +95,33 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
}
}
if (tree) {
if (extra_data) {
if (tree->extra_data == NULL)
tree->extra_data = sk_X509_POLICY_DATA_new_null();
if (tree->extra_data == NULL){
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
goto node_error;
goto extra_data_error;
}
if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
goto node_error;
goto extra_data_error;
}
}
tree->node_count++;
if (parent)
parent->nchild++;
return node;
extra_data_error:
if (level != NULL) {
if (level->anyPolicy == node)
level->anyPolicy = NULL;
else
(void) sk_X509_POLICY_NODE_pop(level->nodes);
}
node_error:
policy_node_free(node);
return NULL;

56
crypto/openssl/crypto/x509v3/pcy_tree.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -13,6 +13,20 @@
#include "pcy_local.h"
/*
* If the maximum number of nodes in the policy tree isn't defined, set it to
* a generous default of 1000 nodes.
*
* Defining this to be zero means unlimited policy tree growth which opens the
* door on CVE-2023-0464.
*/
#ifndef OPENSSL_POLICY_TREE_NODES_MAX
# define OPENSSL_POLICY_TREE_NODES_MAX 1000
#endif
static void exnode_free(X509_POLICY_NODE *node);
/*
* Enable this to print out the complete policy tree at various point during
* evaluation.
@ -168,6 +182,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
return X509_PCY_TREE_INTERNAL;
}
/* Limit the growth of the tree to mitigate CVE-2023-0464 */
tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
/*
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
*
@ -184,7 +201,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
level = tree->levels;
if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
goto bad_tree;
if (level_add_node(level, data, NULL, tree) == NULL) {
if (level_add_node(level, data, NULL, tree, 1) == NULL) {
policy_data_free(data);
goto bad_tree;
}
@ -243,7 +260,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
* Return value: 1 on success, 0 otherwise
*/
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data)
X509_POLICY_DATA *data,
X509_POLICY_TREE *tree)
{
X509_POLICY_LEVEL *last = curr - 1;
int i, matched = 0;
@ -253,13 +271,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (policy_node_match(last, node, data->valid_policy)) {
if (level_add_node(curr, data, node, NULL) == NULL)
if (level_add_node(curr, data, node, tree, 0) == NULL)
return 0;
matched = 1;
}
}
if (!matched && last->anyPolicy) {
if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
return 0;
}
return 1;
@ -272,7 +290,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
* Return value: 1 on success, 0 otherwise.
*/
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache)
const X509_POLICY_CACHE *cache,
X509_POLICY_TREE *tree)
{
int i;
@ -280,7 +299,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
/* Look for matching nodes in previous level */
if (!tree_link_matching_nodes(curr, data))
if (!tree_link_matching_nodes(curr, data, tree))
return 0;
}
return 1;
@ -311,7 +330,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (level_add_node(curr, data, node, tree) == NULL) {
if (level_add_node(curr, data, node, tree, 1) == NULL) {
policy_data_free(data);
return 0;
}
@ -373,7 +392,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
}
/* Finally add link to anyPolicy */
if (last->anyPolicy &&
level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
return 0;
return 1;
}
@ -555,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
| POLICY_DATA_FLAG_EXTRA_NODE;
node = level_add_node(NULL, extra, anyPolicy->parent, tree);
node = level_add_node(NULL, extra, anyPolicy->parent,
tree, 1);
if (node == NULL) {
policy_data_free(extra);
return 0;
}
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
if (!tree->user_policies)
return 1;
if (!tree->user_policies) {
exnode_free(node);
return 0;
}
}
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
exnode_free(node);
return 0;
}
}
return 1;
}
@ -582,7 +610,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = policy_cache_set(curr->cert);
if (!tree_link_nodes(curr, cache))
if (!tree_link_nodes(curr, cache, tree))
return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)

5
crypto/openssl/doc/fingerprints.txt
View file

@ -12,6 +12,11 @@ in the file named openssl-1.0.1h.tar.gz.asc.
The following is the list of fingerprints for the keys that are
currently in use to sign OpenSSL distributions:
pub rsa4096 2014-10-04
Key fingerprint = EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
uid OpenSSL OMC <openssl-omc@openssl.org>
uid OpenSSL Security <openssl-security@openssl.org>
pub 4096R/7DF9EE8C 2014-10-04
Key fingerprint = 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
uid Richard Levitte <richard@opensslfoundation.com>

11
crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod
View file

@ -92,8 +92,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used.
X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
by default) and adds B<policy> to the acceptable policy set.
X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
Contrary to preexisting documentation of this function it does not enable
policy checking.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing
@ -377,9 +378,13 @@ and has no effect.
The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
The function X509_VERIFY_PARAM_add0_policy() was historically documented as
enabling policy checking however the implementation has never done this.
The documentation was changed to align with the implementation.
=head1 COPYRIGHT
Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

17
crypto/openssl/engines/e_padlock.c
View file

@ -1,5 +1,5 @@
/*
* Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -144,6 +144,19 @@ static int padlock_init(ENGINE *e)
return (padlock_use_rng || padlock_use_ace);
}
# ifndef AES_ASM
static int padlock_aes_set_encrypt_key(const unsigned char *userKey,
const int bits,
AES_KEY *key);
static int padlock_aes_set_decrypt_key(const unsigned char *userKey,
const int bits,
AES_KEY *key);
# define AES_ASM
# define AES_set_encrypt_key padlock_aes_set_encrypt_key
# define AES_set_decrypt_key padlock_aes_set_decrypt_key
# include "../crypto/aes/aes_core.c"
# endif
/*
* This stuff is needed if this ENGINE is being compiled into a
* self-contained shared-library.
@ -639,12 +652,10 @@ padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
AES_set_decrypt_key(key, key_len, &cdata->ks);
else
AES_set_encrypt_key(key, key_len, &cdata->ks);
# ifndef AES_ASM
/*
* OpenSSL C functions use byte-swapped extended key.
*/
padlock_key_bswap(&cdata->ks);
# endif
cdata->cword.b.keygen = 1;
break;

5
crypto/openssl/include/crypto/bn.h
View file

@ -86,10 +86,5 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
const BIGNUM *d, BN_CTX *ctx);
int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
const BN_BLINDING *blinding,
const BIGNUM *possible_arg2,
const BIGNUM *to_mod, BN_CTX *ctx,
unsigned char *buf, int num);
#endif

6
crypto/openssl/include/openssl/opensslv.h
View file

@ -1,5 +1,5 @@
/*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010114fL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1t-freebsd 7 Feb 2023"
# define OPENSSL_VERSION_NUMBER 0x1010115fL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1u-freebsd 30 May 2023"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)