From b8d090603d160864c3d4bb550e3d9ae5fa8e39fc Mon Sep 17 00:00:00 2001 
From: Hassaan Pasha Date: Wed, 16 Mar 2022 04:49:31 +0000 Subject: [PATCH] deps: upgrade openssl sources to quictls/openssl-3.0.2+quic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This updates all sources in deps/openssl/openssl by: $ git clone git@github.com:quictls/openssl.git $ cd openssl $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: https://github.com/nodejs/node/pull/42356 Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000217.html Reviewed-By: Richard Lau Reviewed-By: Antoine du Hamel Reviewed-By: Darshan Sen Reviewed-By: Tobias Nießen Reviewed-By: Michael Dawson --- deps/openssl/openssl/CHANGES.md | 58 +++- .../openssl/Configurations/10-main.conf | 7 + .../openssl/Configurations/15-android.conf | 1 + .../openssl/Configurations/descrip.mms.tmpl | 73 ++++- .../openssl/Configurations/unix-Makefile.tmpl | 27 +- .../Configurations/windows-makefile.tmpl | 16 +- deps/openssl/openssl/Configure | 22 +- deps/openssl/openssl/NEWS.md | 5 + deps/openssl/openssl/README-FIPS.md | 2 +- deps/openssl/openssl/README-OpenSSL.md | 13 +- deps/openssl/openssl/README-PROVIDERS.md | 4 +- deps/openssl/openssl/README.md | 2 +- deps/openssl/openssl/VERSION.dat | 4 +- deps/openssl/openssl/apps/ciphers.c | 4 +- deps/openssl/openssl/apps/cmp.c | 145 +++++---- .../openssl/apps/include/engine_loader.h | 4 +- deps/openssl/openssl/apps/lib/apps.c | 71 +++-- deps/openssl/openssl/apps/lib/engine_loader.c | 4 +- deps/openssl/openssl/apps/lib/s_socket.c | 4 +- deps/openssl/openssl/apps/ocsp.c | 8 +- deps/openssl/openssl/apps/passwd.c | 10 +- deps/openssl/openssl/apps/pkeyutl.c | 28 +- deps/openssl/openssl/apps/progs.pl | 4 +- deps/openssl/openssl/apps/rehash.c | 8 +- deps/openssl/openssl/apps/req.c | 14 +- deps/openssl/openssl/apps/s_client.c | 79 ++++- deps/openssl/openssl/apps/s_server.c | 95 +++++- 
deps/openssl/openssl/apps/speed.c | 11 +- deps/openssl/openssl/apps/verify.c | 3 +- deps/openssl/openssl/apps/x509.c | 6 +- deps/openssl/openssl/crypto/aes/aes_core.c | 4 +- deps/openssl/openssl/crypto/asn1/d2i_pu.c | 4 +- deps/openssl/openssl/crypto/asn1/i2d_evp.c | 4 +- .../openssl/crypto/async/arch/async_posix.h | 18 +- deps/openssl/openssl/crypto/bio/bio_addr.c | 4 +- deps/openssl/openssl/crypto/bio/bio_print.c | 22 +- deps/openssl/openssl/crypto/bio/bss_core.c | 20 +- deps/openssl/openssl/crypto/bn/bn_conv.c | 6 +- deps/openssl/openssl/crypto/bn/bn_exp2.c | 4 +- deps/openssl/openssl/crypto/bn/bn_ppc.c | 4 +- deps/openssl/openssl/crypto/bn/bn_sqrt.c | 32 +- deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c | 6 +- deps/openssl/openssl/crypto/cmp/cmp_msg.c | 19 +- deps/openssl/openssl/crypto/context.c | 13 +- deps/openssl/openssl/crypto/core_namemap.c | 23 +- deps/openssl/openssl/crypto/dh/dh_ameth.c | 4 +- deps/openssl/openssl/crypto/dh/dh_backend.c | 19 +- deps/openssl/openssl/crypto/dh/dh_key.c | 13 +- deps/openssl/openssl/crypto/dsa/dsa_ameth.c | 4 +- deps/openssl/openssl/crypto/dsa/dsa_backend.c | 13 +- .../crypto/ec/asm/ecp_nistp521-ppc64.pl | 4 +- .../ec/curve448/arch_64/arch_intrinsics.h | 4 +- .../crypto/ec/curve448/arch_64/f_impl.h | 4 +- .../crypto/ec/curve448/arch_64/f_impl64.c | 4 +- deps/openssl/openssl/crypto/ec/ec_lib.c | 6 +- deps/openssl/openssl/crypto/ec/ec_print.c | 2 +- .../openssl/crypto/ec/ecp_s390x_nistp.c | 6 +- .../crypto/encode_decode/decoder_meth.c | 12 +- .../crypto/encode_decode/encoder_meth.c | 12 +- .../crypto/encode_decode/encoder_pkey.c | 7 +- deps/openssl/openssl/crypto/engine/eng_dyn.c | 13 +- .../crypto/evp/ctrl_params_translate.c | 25 +- deps/openssl/openssl/crypto/evp/digest.c | 72 +++-- deps/openssl/openssl/crypto/evp/evp_enc.c | 15 +- deps/openssl/openssl/crypto/evp/evp_fetch.c | 12 +- deps/openssl/openssl/crypto/evp/exchange.c | 26 +- deps/openssl/openssl/crypto/evp/keymgmt_lib.c | 4 +- 
deps/openssl/openssl/crypto/evp/m_sigver.c | 8 +- deps/openssl/openssl/crypto/evp/mac_meth.c | 9 + deps/openssl/openssl/crypto/evp/pmeth_gn.c | 13 +- deps/openssl/openssl/crypto/ffc/ffc_backend.c | 3 +- .../openssl/openssl/crypto/http/http_client.c | 15 +- deps/openssl/openssl/crypto/lhash/lh_stats.c | 27 +- deps/openssl/openssl/crypto/lhash/lhash.c | 63 +++- .../openssl/crypto/lhash/lhash_local.h | 5 +- deps/openssl/openssl/crypto/mem.c | 16 +- deps/openssl/openssl/crypto/o_str.c | 12 +- .../openssl/crypto/objects/obj_compat.h | 8 + deps/openssl/openssl/crypto/objects/obj_dat.h | 2 +- deps/openssl/openssl/crypto/passphrase.c | 38 ++- deps/openssl/openssl/crypto/pem/pem_lib.c | 19 +- deps/openssl/openssl/crypto/pem/pem_pk8.c | 4 +- .../openssl/crypto/property/property.c | 10 +- .../openssl/crypto/property/property_string.c | 2 +- deps/openssl/openssl/crypto/provider_core.c | 14 +- deps/openssl/openssl/crypto/rand/rand_egd.c | 2 +- deps/openssl/openssl/crypto/rand/rand_lib.c | 9 +- deps/openssl/openssl/crypto/rsa/rsa_ameth.c | 6 +- deps/openssl/openssl/crypto/rsa/rsa_backend.c | 14 +- deps/openssl/openssl/crypto/rsa/rsa_ossl.c | 6 +- .../openssl/openssl/crypto/store/store_meth.c | 12 +- .../openssl/crypto/store/store_result.c | 21 +- deps/openssl/openssl/crypto/threads_pthread.c | 21 +- deps/openssl/openssl/crypto/trace.c | 5 +- deps/openssl/openssl/crypto/ui/ui_openssl.c | 8 +- deps/openssl/openssl/crypto/ui/ui_util.c | 11 +- deps/openssl/openssl/crypto/x509/v3_crld.c | 3 +- deps/openssl/openssl/crypto/x509/v3_sxnet.c | 10 +- deps/openssl/openssl/crypto/x509/v3_utl.c | 19 +- deps/openssl/openssl/crypto/x509/x509_lu.c | 34 ++- deps/openssl/openssl/crypto/x509/x509_trust.c | 12 +- deps/openssl/openssl/crypto/x509/x509_vfy.c | 13 +- deps/openssl/openssl/demos/README.txt | 7 + deps/openssl/openssl/demos/cipher/Makefile | 7 +- deps/openssl/openssl/demos/cipher/ariacbc.c | 178 +++++++++++ deps/openssl/openssl/demos/cms/cms_ver.c | 13 +- 
.../openssl/openssl/demos/digest/EVP_MD_xof.c | 132 ++++++++ deps/openssl/openssl/demos/digest/Makefile | 7 +- deps/openssl/openssl/demos/keyexch/x25519.c | 278 +++++++++++++++++ deps/openssl/openssl/demos/mac/Makefile | 23 ++ deps/openssl/openssl/demos/mac/poly1305.c | 209 +++++++++++++ deps/openssl/openssl/demos/mac/siphash.c | 129 ++++++++ .../openssl/demos/pkey/EVP_PKEY_EC_keygen.c | 4 +- .../openssl/demos/pkey/EVP_PKEY_RSA_keygen.c | 289 ++++++++++++++++++ deps/openssl/openssl/demos/pkey/Makefile | 9 +- deps/openssl/openssl/demos/signature/Makefile | 8 +- .../openssl/openssl/demos/signature/rsa_pss.h | 256 ++++++++++++++++ .../openssl/demos/signature/rsa_pss_direct.c | 204 +++++++++++++ .../openssl/demos/signature/rsa_pss_hash.c | 189 ++++++++++++ deps/openssl/openssl/demos/smime/smver.c | 14 +- .../fixup-CHANGES.md-postrelease.pl | 2 +- .../release-aux/fixup-NEWS.md-postrelease.pl | 2 +- .../openssl-announce-pre-release.tmpl | 2 +- deps/openssl/openssl/dev/release.sh | 8 +- deps/openssl/openssl/doc/build.info | 12 + .../doc/internal/man3/OSSL_METHOD_STORE.pod | 8 +- .../openssl/doc/man1/openssl-cmp.pod.in | 30 +- .../openssl/doc/man1/openssl-dgst.pod.in | 26 +- .../openssl/doc/man1/openssl-kdf.pod.in | 4 +- .../openssl/doc/man1/openssl-speed.pod.in | 4 +- deps/openssl/openssl/doc/man3/BIO_ctrl.pod | 4 +- .../openssl/openssl/doc/man3/BIO_f_base64.pod | 21 +- deps/openssl/openssl/doc/man3/BN_add.pod | 17 +- .../openssl/doc/man3/DEFINE_STACK_OF.pod | 1 + .../openssl/doc/man3/ERR_get_error.pod | 4 +- .../doc/man3/EVP_PKEY_gettable_params.pod | 17 +- deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod | 3 +- .../openssl/doc/man3/OPENSSL_hexchar2int.pod | 9 +- .../openssl/doc/man3/OSSL_CMP_CTX_new.pod | 12 +- .../doc/man3/OSSL_CMP_MSG_get0_header.pod | 40 ++- .../OSSL_CRMF_MSG_set1_regCtrl_regToken.pod | 6 +- .../openssl/doc/man3/OSSL_HTTP_transfer.pod | 18 +- .../openssl/doc/man3/OpenSSL_version.pod | 54 ++-- .../doc/man3/PEM_read_bio_PrivateKey.pod | 7 +- 
.../openssl/openssl/doc/man3/SSL_CONF_cmd.pod | 8 +- .../man3/SSL_CTX_set_cert_verify_callback.pod | 25 +- .../doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 4 +- .../openssl/doc/man3/SSL_CTX_set_verify.pod | 17 +- .../openssl/doc/man3/SSL_get_certificate.pod | 73 +++++ .../openssl/doc/man3/SSL_set_retry_verify.pod | 70 +++++ deps/openssl/openssl/doc/man3/SSL_want.pod | 6 +- .../openssl/doc/man3/X509V3_get_d2i.pod | 68 +++-- .../openssl/doc/man3/X509_STORE_CTX_new.pod | 71 ++++- .../doc/man3/X509_VERIFY_PARAM_set_flags.pod | 6 +- .../openssl/doc/man3/X509_check_host.pod | 5 +- .../openssl/doc/man3/X509_verify_cert.pod | 6 +- .../openssl/doc/man7/EVP_KEYEXCH-DH.pod | 39 ++- .../openssl/doc/man7/EVP_KEYEXCH-ECDH.pod | 29 +- .../openssl/doc/man7/EVP_MD-BLAKE2.pod | 4 +- deps/openssl/openssl/doc/man7/crypto.pod | 9 +- .../openssl/doc/man7/provider-base.pod | 5 +- .../openssl/doc/man7/provider-keyexch.pod | 44 ++- deps/openssl/openssl/fuzz/asn1.c | 27 +- deps/openssl/openssl/fuzz/fuzz_rand.c | 4 +- deps/openssl/openssl/fuzz/oids.txt | 2 +- deps/openssl/openssl/include/crypto/bn_conf.h | 1 - deps/openssl/openssl/include/crypto/dh.h | 7 +- deps/openssl/openssl/include/crypto/dsa.h | 9 +- .../openssl/openssl/include/crypto/dso_conf.h | 1 - deps/openssl/openssl/include/crypto/evp.h | 4 +- deps/openssl/openssl/include/crypto/pem.h | 4 +- deps/openssl/openssl/include/crypto/rsa.h | 7 +- deps/openssl/openssl/include/internal/bio.h | 4 +- .../openssl/include/internal/sockets.h | 4 +- .../openssl/include/internal/tsan_assist.h | 10 +- deps/openssl/openssl/include/openssl/asn1.h | 1 - deps/openssl/openssl/include/openssl/asn1t.h | 1 - deps/openssl/openssl/include/openssl/bio.h | 1 - deps/openssl/openssl/include/openssl/bio.h.in | 4 +- deps/openssl/openssl/include/openssl/cmp.h | 1 - deps/openssl/openssl/include/openssl/cms.h | 1 - deps/openssl/openssl/include/openssl/conf.h | 1 - .../openssl/include/openssl/configuration.h | 1 - deps/openssl/openssl/include/openssl/crmf.h | 1 - 
deps/openssl/openssl/include/openssl/crypto.h | 1 - .../openssl/include/openssl/crypto.h.in | 4 +- deps/openssl/openssl/include/openssl/ct.h | 1 - deps/openssl/openssl/include/openssl/ec.h | 5 +- deps/openssl/openssl/include/openssl/engine.h | 3 +- deps/openssl/openssl/include/openssl/err.h | 1 - deps/openssl/openssl/include/openssl/ess.h | 1 - deps/openssl/openssl/include/openssl/evp.h | 6 +- .../openssl/openssl/include/openssl/fipskey.h | 1 - deps/openssl/openssl/include/openssl/lhash.h | 1 - deps/openssl/openssl/include/openssl/ocsp.h | 1 - .../openssl/include/openssl/opensslv.h | 1 - deps/openssl/openssl/include/openssl/pkcs12.h | 1 - deps/openssl/openssl/include/openssl/pkcs7.h | 1 - .../openssl/include/openssl/safestack.h | 1 - .../openssl/include/openssl/self_test.h | 9 +- deps/openssl/openssl/include/openssl/srp.h | 1 - deps/openssl/openssl/include/openssl/ssl.h | 1 - deps/openssl/openssl/include/openssl/ssl.h.in | 5 +- deps/openssl/openssl/include/openssl/ui.h | 1 - deps/openssl/openssl/include/openssl/x509.h | 1 - .../openssl/include/openssl/x509_vfy.h | 1 - deps/openssl/openssl/include/openssl/x509v3.h | 1 - deps/openssl/openssl/os-dep/haiku.h | 9 + .../openssl/providers/common/der/DIGESTS.asn1 | 7 + .../openssl/providers/common/der/DSA.asn1 | 7 + .../openssl/providers/common/der/EC.asn1 | 7 + .../openssl/providers/common/der/ECX.asn1 | 6 + .../openssl/providers/common/der/NIST.asn1 | 7 + .../openssl/providers/common/der/RSA.asn1 | 7 + .../openssl/providers/common/der/SM2.asn1 | 7 + .../openssl/providers/common/der/wrap.asn1 | 7 + .../openssl/providers/fips-sources.checksums | 86 +++--- deps/openssl/openssl/providers/fips.checksum | 2 +- .../openssl/providers/fips/self_test_data.inc | 14 +- .../implementations/ciphers/cipher_tdes.c | 8 +- .../ciphers/cipher_tdes_default.c | 4 +- .../encode_decode/decode_der2key.c | 25 +- .../encode_decode/decode_epki2pki.c | 8 +- .../encode_decode/decode_msblob2key.c | 5 +- .../encode_decode/decode_pem2der.c | 8 +- 
.../encode_decode/decode_pvk2key.c | 5 +- .../encode_decode/encode_key2blob.c | 8 +- .../encode_decode/encode_key2ms.c | 14 +- .../encode_decode/encode_key2text.c | 5 +- .../encode_decode/endecoder_common.c | 7 +- .../implementations/exchange/dh_exch.c | 35 ++- .../implementations/keymgmt/dh_kmgmt.c | 22 +- .../implementations/keymgmt/dsa_kmgmt.c | 34 ++- .../keymgmt/ec_kmgmt_imexport.inc | 9 + .../implementations/keymgmt/ecx_kmgmt.c | 22 +- .../implementations/keymgmt/rsa_kmgmt.c | 39 ++- .../providers/implementations/rands/drbg.c | 6 +- .../implementations/storemgmt/file_store.c | 2 +- deps/openssl/openssl/ssl/record/ssl3_record.c | 51 ++-- deps/openssl/openssl/ssl/s3_lib.c | 14 +- deps/openssl/openssl/ssl/ssl_cert.c | 7 +- deps/openssl/openssl/ssl/ssl_lib.c | 52 +++- deps/openssl/openssl/ssl/ssl_local.h | 35 ++- deps/openssl/openssl/ssl/ssl_sess.c | 13 +- deps/openssl/openssl/ssl/statem/extensions.c | 15 +- .../openssl/ssl/statem/extensions_clnt.c | 6 +- .../openssl/ssl/statem/extensions_srvr.c | 8 +- deps/openssl/openssl/ssl/statem/statem_clnt.c | 23 +- deps/openssl/openssl/ssl/statem/statem_lib.c | 19 +- deps/openssl/openssl/ssl/statem/statem_srvr.c | 6 +- deps/openssl/openssl/ssl/t1_enc.c | 4 +- deps/openssl/openssl/ssl/t1_lib.c | 21 +- deps/openssl/openssl/test/acvp_test.c | 4 +- deps/openssl/openssl/test/bio_enc_test.c | 54 +++- deps/openssl/openssl/test/bntest.c | 58 +++- .../openssl/test/certs/leaf-encrypted.key | 30 ++ deps/openssl/openssl/test/cmp_vfy_test.c | 4 +- deps/openssl/openssl/test/crltest.c | 26 +- deps/openssl/openssl/test/ct_test.c | 5 +- deps/openssl/openssl/test/dane-cross.in | 4 +- deps/openssl/openssl/test/defltfips_test.c | 9 + deps/openssl/openssl/test/dhtest.c | 30 +- deps/openssl/openssl/test/enginetest.c | 3 +- deps/openssl/openssl/test/evp_extra_test.c | 87 +++++- deps/openssl/openssl/test/evp_extra_test2.c | 154 +++++++++- .../openssl/test/evp_pkey_dparams_test.c | 185 ++++++++++- .../openssl/test/evp_pkey_provided_test.c | 58 
+++- deps/openssl/openssl/test/evp_test.c | 73 ++++- deps/openssl/openssl/test/helpers/handshake.c | 14 +- .../openssl/test/helpers/handshake_srp.c | 18 +- .../test/helpers/predefined_dhparams.c | 23 +- .../test/helpers/predefined_dhparams.h | 3 +- deps/openssl/openssl/test/hmactest.c | 31 ++ deps/openssl/openssl/test/pbetest.c | 4 +- deps/openssl/openssl/test/property_test.c | 2 +- deps/openssl/openssl/test/provfetchtest.c | 21 +- .../test/recipes/01-test_symbol_presence.t | 2 +- .../test/recipes/03-test_internal_sm3.t | 4 +- .../test/recipes/10-test_bn_data/bnmod.txt | 14 +- .../openssl/test/recipes/15-test_gendhparam.t | 20 +- .../openssl/test/recipes/15-test_genrsa.t | 9 +- .../openssl/test/recipes/20-test_dgst.t | 8 +- .../openssl/test/recipes/25-test_req.t | 18 +- .../30-test_evp_data/evpciph_des3_common.txt | 17 +- .../30-test_evp_data/evppkey_ffdhe.txt | 23 +- .../test/recipes/70-test_verify_extra.t | 10 +- .../openssl/test/recipes/80-test_ssl_old.t | 65 +++- deps/openssl/openssl/test/run_tests.pl | 12 +- deps/openssl/openssl/test/sanitytest.c | 9 +- deps/openssl/openssl/test/sm3_internal_test.c | 4 +- deps/openssl/openssl/test/ssl_old_test.c | 51 +++- deps/openssl/openssl/test/sslapitest.c | 35 ++- deps/openssl/openssl/test/threadstest.c | 4 +- deps/openssl/openssl/test/tls-provider.c | 5 +- deps/openssl/openssl/test/upcallstest.c | 9 + deps/openssl/openssl/test/verify_extra_test.c | 123 +++++++- deps/openssl/openssl/util/missingcrypto.txt | 4 - deps/openssl/openssl/util/missingssl.txt | 2 - deps/openssl/openssl/util/other.syms | 3 +- .../openssl/util/perl/OpenSSL/config.pm | 11 +- .../openssl/util/perl/OpenSSL/copyright.pm | 6 +- 301 files changed, 5458 insertions(+), 1187 deletions(-) create mode 100644 deps/openssl/openssl/demos/cipher/ariacbc.c create mode 100644 deps/openssl/openssl/demos/digest/EVP_MD_xof.c create mode 100644 deps/openssl/openssl/demos/keyexch/x25519.c create mode 100644 deps/openssl/openssl/demos/mac/Makefile create mode 100644 
deps/openssl/openssl/demos/mac/poly1305.c create mode 100644 deps/openssl/openssl/demos/mac/siphash.c create mode 100644 deps/openssl/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c create mode 100644 deps/openssl/openssl/demos/signature/rsa_pss.h create mode 100644 deps/openssl/openssl/demos/signature/rsa_pss_direct.c create mode 100644 deps/openssl/openssl/demos/signature/rsa_pss_hash.c create mode 100644 deps/openssl/openssl/doc/man3/SSL_get_certificate.pod create mode 100644 deps/openssl/openssl/doc/man3/SSL_set_retry_verify.pod delete mode 100644 deps/openssl/openssl/include/crypto/bn_conf.h delete mode 100644 deps/openssl/openssl/include/crypto/dso_conf.h delete mode 100644 deps/openssl/openssl/include/openssl/asn1.h delete mode 100644 deps/openssl/openssl/include/openssl/asn1t.h delete mode 100644 deps/openssl/openssl/include/openssl/bio.h delete mode 100644 deps/openssl/openssl/include/openssl/cmp.h delete mode 100644 deps/openssl/openssl/include/openssl/cms.h delete mode 100644 deps/openssl/openssl/include/openssl/conf.h delete mode 100644 deps/openssl/openssl/include/openssl/configuration.h delete mode 100644 deps/openssl/openssl/include/openssl/crmf.h delete mode 100644 deps/openssl/openssl/include/openssl/crypto.h delete mode 100644 deps/openssl/openssl/include/openssl/ct.h delete mode 100644 deps/openssl/openssl/include/openssl/err.h delete mode 100644 deps/openssl/openssl/include/openssl/ess.h delete mode 100644 deps/openssl/openssl/include/openssl/fipskey.h delete mode 100644 deps/openssl/openssl/include/openssl/lhash.h delete mode 100644 deps/openssl/openssl/include/openssl/ocsp.h delete mode 100644 deps/openssl/openssl/include/openssl/opensslv.h delete mode 100644 deps/openssl/openssl/include/openssl/pkcs12.h delete mode 100644 deps/openssl/openssl/include/openssl/pkcs7.h delete mode 100644 deps/openssl/openssl/include/openssl/safestack.h delete mode 100644 deps/openssl/openssl/include/openssl/srp.h delete mode 100644 
deps/openssl/openssl/include/openssl/ssl.h delete mode 100644 deps/openssl/openssl/include/openssl/ui.h delete mode 100644 deps/openssl/openssl/include/openssl/x509.h delete mode 100644 deps/openssl/openssl/include/openssl/x509_vfy.h delete mode 100644 deps/openssl/openssl/include/openssl/x509v3.h create mode 100644 deps/openssl/openssl/test/certs/leaf-encrypted.key diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md index 43b3bb89d615b8..f6e519d9afd62d 100644 --- a/deps/openssl/openssl/CHANGES.md +++ b/deps/openssl/openssl/CHANGES.md 
@@ -28,12 +28,68 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod -### Changes between 3.0.0 and 3.0.0+quic [7 Sun 2021] +### Changes between 3.0.2 and 3.0.2+quic [15 Mar 2022] * Add QUIC API support from BoringSSL. *Todd Short* +### Changes between 3.0.1 and 3.0.2 [15 Mar 2022] + + * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli. + + Internally this function is used when parsing certificates that contain + elliptic curve public keys in compressed form or explicit elliptic curve + parameters with a base point encoded in compressed form. + + It is possible to trigger the infinite loop by crafting a certificate that + has invalid explicit curve parameters. + + Since certificate parsing happens prior to verification of the certificate + signature, any process that parses an externally supplied certificate may thus + be subject to a denial of service attack. The infinite loop can also be + reached when parsing crafted private keys as they can contain explicit + elliptic curve parameters. + + Thus vulnerable situations include: + + - TLS clients consuming server certificates + - TLS servers consuming client certificates + - Hosting providers taking certificates or private keys from customers + - Certificate authorities parsing certification requests from subscribers + - Anything else which parses ASN.1 elliptic curve parameters + + Also any other applications that use the BN_mod_sqrt() where the attacker + can control the parameter values are vulnerable to this DoS issue. + ([CVE-2022-0778]) + + *Tomáš Mráz* + + * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) + to the list of ciphersuites providing Perfect Forward Secrecy as + required by SECLEVEL >= 3. 
+ + *Dmitry Belyavskiy, Nicola Tuveri* + + * Made the AES constant time code for no-asm configurations + optional due to the resulting 95% performance degradation. + The AES constant time code can be enabled, for no assembly + builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME + + *Paul Dale* + + * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty + passphrase strings. + + *Darshan Sen* + + * The negative return value handling of the certificate verification callback + was reverted. The replacement is to set the verification retry state with + the SSL_set_retry_verify() function. + + *Tomáš Mráz* + ### Changes between 3.0.0 and 3.0.1 [14 Dec 2021] * Fixed invalid handling of X509_verify_cert() internal errors in libssl diff --git a/deps/openssl/openssl/Configurations/10-main.conf b/deps/openssl/openssl/Configurations/10-main.conf index 8414b34ed9af7d..a7294d2ad1b1a2 100644 --- a/deps/openssl/openssl/Configurations/10-main.conf +++ b/deps/openssl/openssl/Configurations/10-main.conf @@ -1062,6 +1062,13 @@ my %targets = ( perlasm_scheme => "elf", }, + # riscv64 below refers to contemporary RISCV Architecture + # specifications, + "BSD-riscv64" => { + inherit_from => [ "BSD-generic64"], + perlasm_scheme => "linux64", + }, + "bsdi-elf-gcc" => { inherit_from => [ "BASE_unix" ], CC => "gcc", diff --git a/deps/openssl/openssl/Configurations/15-android.conf b/deps/openssl/openssl/Configurations/15-android.conf index 0b6b6d6832da07..41ad9223e0945d 100644 --- a/deps/openssl/openssl/Configurations/15-android.conf +++ b/deps/openssl/openssl/Configurations/15-android.conf @@ -261,6 +261,7 @@ my %targets = ( bn_ops => add("RC4_INT"), asm_arch => 'x86', perlasm_scheme => "android", + ex_libs => add(threads("-latomic")), }, "android-x86_64" => { inherit_from => [ "android" ], diff --git a/deps/openssl/openssl/Configurations/descrip.mms.tmpl b/deps/openssl/openssl/Configurations/descrip.mms.tmpl index c8197337650604..c202bd44319f67 100644 
--- a/deps/openssl/openssl/Configurations/descrip.mms.tmpl +++ b/deps/openssl/openssl/Configurations/descrip.mms.tmpl @@ -553,7 +553,6 @@ distclean : clean - DELETE descrip.mms;* depend : descrip.mms -descrip.mms : FORCE @ ! {- output_off() if $disabled{makedepend}; "" -} @ $(PERL) {- sourcefile("util", "add-depends.pl") -} "{- $config{makedep_scheme} -}" @ ! {- output_on() if $disabled{makedepend}; "" -} @@ -755,7 +754,16 @@ debug_logicals : # Building targets ################################################### -configdata.pm : $(SRCDIR)Configure $(SRCDIR)config.com {- join(" ", @{$config{build_file_templates}}, @{$config{build_infos}}, @{$config{conf_files}}) -} +descrip.mms : configdata.pm {- join(" ", @{$config{build_file_templates}}) -} + perl configdata.pm + @ WRITE SYS$OUTPUT "*************************************************" + @ WRITE SYS$OUTPUT "*** ***" + @ WRITE SYS$OUTPUT "*** Please run the same mms command again ***" + @ WRITE SYS$OUTPUT "*** ***" + @ WRITE SYS$OUTPUT "*************************************************" + @ PIPE ( EXIT %X10000000 ) + +configdata.pm : $(SRCDIR)Configure $(SRCDIR)config.com {- join(" ", @{$config{build_infos}}, @{$config{conf_files}}) -} perl configdata.pm -r @ WRITE SYS$OUTPUT "*************************************************" @ WRITE SYS$OUTPUT "*** ***" 
@@ -871,6 +879,59 @@ EOF return ($filename, $scripture); } + # On VMS, (some) header file directories include the files + # __DECC_INCLUDE_EPILOGUE.H and __DECC_INCLUDE_PROLOGUE.H. + # When header files are generated, and the build directory + # isn't the same as the source directory, these files must + # be copied alongside the generated header file, or their + # effect will be lost. + # We use the same include file cache as make_includefile + # to check if the scripture to copy these files has already + # been generated. + sub make_decc_include_files { + my $outd = shift; + my $ind = shift; + + # If the build directory and the source directory are the + # same, there's no need to copy the prologue and epilogue + # files. + return ('') if $outd eq $ind; + + my $outprologue = catfile($outd, '__DECC_INCLUDE_PROLOGUE.H'); + my $outepilogue = catfile($outd, '__DECC_INCLUDE_EPILOGUE.H'); + my $inprologue = catfile($ind, '__DECC_INCLUDE_PROLOGUE.H'); + my $inepilogue = catfile($ind, '__DECC_INCLUDE_EPILOGUE.H'); + my @filenames = (); + my $scripture = ''; + + if ($includefile_cache{$outprologue}) { + push @filenames, $outprologue; + } elsif (-f $inprologue) { + my $local_scripture .= <<"EOF"; +$outprologue : $inprologue + COPY $inprologue $outprologue +EOF + $includefile_cache{$outprologue} = $local_scripture; + + push @filenames, $outprologue; + $scripture .= $local_scripture; + } + if ($includefile_cache{$outepilogue}) { + push @filenames, $outepilogue; + } elsif (-f $inepilogue) { + my $local_scripture .= <<"EOF"; +$outepilogue : $inepilogue + COPY $inepilogue $outepilogue +EOF + $includefile_cache{$outepilogue} = $local_scripture; + + push @filenames, $outepilogue; + $scripture .= $local_scripture; + } + + return (@filenames, $scripture); + } + sub generatetarget { my %args = @_; my $deps = join(" ", compute_platform_depends(@{$args{deps}})); 
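Review bot: In `make_decc_include_files`, both here-docs are bound with `my $local_scripture .= <<"EOF";`, an append onto a variable declared in the same statement; it behaves like plain assignment, so `my $local_scripture = <<"EOF";` says what is meant. The sub returns file names and rule text in one flat list (`return (@filenames, $scripture);`, or `return ('')` on the early exit), and the caller in the later `@@ -984,12 +1045,18 @@` hunk recovers the rule text with `pop`, so a comment above the sub such as `# Returns the header file names to depend on, followed by the rule text as the LAST element.` would record that contract. The early exit tests `$outd eq $ind` as plain strings, so two spellings of the same directory would presumably still emit COPY rules; it is worth confirming that both arguments are always derived the same way.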
@@ -984,12 +1045,18 @@ EOF my @perlmodules = ( 'configdata.pm', grep { $_ =~ m|\.pm$| } @{$args{deps}} ); my %perlmoduleincs = map { '"-I'.dirname($_).'"' => 1 } @perlmodules; - $deps = join(' ', $deps, compute_platform_depends(@perlmodules)); + my @decc_include_data + = make_decc_include_files(dirname($args{src}), dirname($gen0)); + my $decc_include_scripture = pop @decc_include_data; + $deps = join(' ', $deps, @decc_include_data, + compute_platform_depends(@perlmodules)); @perlmodules = map { '"-M'.basename($_, '.pm').'"' } @perlmodules; my $perlmodules = join(' ', '', sort keys %perlmoduleincs, @perlmodules); + return <<"EOF"; $args{src} : $gen0 $deps \$(PERL)$perlmodules $dofile "-o$target{build_file}" $gen0$gen_args > \$\@ +$decc_include_scripture EOF } elsif (grep { $_ eq $gen0 } @{$unified_info{programs}}) { # diff --git a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl index 52d2f6a64e9d80..3e779960671ba5 100644 --- a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl +++ b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl @@ -582,7 +582,7 @@ clean: libclean $(RM) $(MANDOCS3) $(RM) $(MANDOCS5) $(RM) $(MANDOCS7) - $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(SCRIPTS) + $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(FIPSMODULE) $(SCRIPTS) $(RM) $(GENERATED_MANDATORY) $(GENERATED) -find . -name '*{- platform->depext() -}' \! -name '.*' \! -type d -exec $(RM) {} \; -find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \; @@ -599,7 +599,7 @@ distclean: clean # We check if any depfile is newer than Makefile and decide to # concatenate only if that is true. -depend: +depend: Makefile @: {- output_off() if $disabled{makedepend}; "" -} @$(PERL) $(SRCDIR)/util/add-depends.pl "{- $makedep_scheme -}" @: {- output_on() if $disabled{makedepend}; "" -} 
@@ -1153,7 +1153,7 @@ generate_crypto_objects: crypto/objects/obj_mac.num \ crypto/objects/obj_xref.txt \ > crypto/objects/obj_xref.h ) - ( cd $(SRCDIR); cat crypto/objects/obj_compat.h >> include/openssl/obj_mac.h ) + ( cd $(SRCDIR); sed -e '1,8d' crypto/objects/obj_compat.h >> include/openssl/obj_mac.h ) generate_crypto_conf: ( cd $(SRCDIR); $(PERL) crypto/conf/keysets.pl \ @@ -1371,13 +1371,13 @@ tar: link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf -$(BLDDIR)/util/opensslwrap.sh: configdata.pm +$(BLDDIR)/util/opensslwrap.sh: Makefile @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ mkdir -p "$(BLDDIR)/util"; \ ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \ fi -$(BLDDIR)/apps/openssl.cnf: configdata.pm +$(BLDDIR)/apps/openssl.cnf: Makefile @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ mkdir -p "$(BLDDIR)/apps"; \ ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \ @@ -1387,7 +1387,8 @@ FORCE: # Building targets ################################################### -libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -} +libcrypto.pc libssl.pc openssl.pc: Makefile $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -} + libcrypto.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ echo 'exec_prefix=$${prefix}'; \ 
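Review bot: The new recipe line `sed -e '1,8d' crypto/objects/obj_compat.h >> include/openssl/obj_mac.h` hard-codes how many leading lines of obj_compat.h are skipped. The diffstat shows that file gaining 8 lines in this same commit, presumably the header block being stripped here, so the two are coupled only by that number. If the block ever changes length, the recipe will either copy stray header lines into obj_mac.h or silently drop the first definitions. A comment next to the rule stating the coupling, for example `# '1,8d' skips the 8-line header comment of obj_compat.h; keep in sync`, or deleting up to a marker pattern instead of a line count, would make this robust. The generate_crypto_objects recipe begins and continues outside the hunk.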
@@ -1438,10 +1439,22 @@ openssl.pc: echo 'Version: '$(VERSION); \ echo 'Requires: libssl libcrypto' ) > openssl.pc +Makefile: configdata.pm \ + {- join(" \\\n" . ' ' x 10, + fill_lines(" ", $COLUMNS - 10, + @{$config{build_file_templates}})) -} + @echo "Detected changed: $?" + $(PERL) configdata.pm + @echo "**************************************************" + @echo "*** ***" + @echo "*** Please run the same make command again ***" + @echo "*** ***" + @echo "**************************************************" + @false + configdata.pm: $(SRCDIR)/Configure $(SRCDIR)/config \ {- join(" \\\n" . ' ' x 15, fill_lines(" ", $COLUMNS - 15, - @{$config{build_file_templates}}, @{$config{build_infos}}, @{$config{conf_files}})) -} @echo "Detected changed: $?" diff --git a/deps/openssl/openssl/Configurations/windows-makefile.tmpl b/deps/openssl/openssl/Configurations/windows-makefile.tmpl index 4718f118e395a7..2167180e144a83 100644 --- a/deps/openssl/openssl/Configurations/windows-makefile.tmpl +++ b/deps/openssl/openssl/Configurations/windows-makefile.tmpl @@ -481,7 +481,7 @@ distclean: clean -del /Q /F configdata.pm -del /Q /F makefile -depend: +depend: makefile @ {- output_off() if $disabled{makedepend}; "\@rem" -} @ "$(PERL)" "$(SRCDIR)\util\add-depends.pl" "{- $target{makedep_scheme} -}" @ {- output_on() if $disabled{makedepend}; "\@rem" -} 
@@ -643,13 +643,23 @@ uninstall_image_docs: copy-utils: $(BLDDIR)\apps\openssl.cnf -$(BLDDIR)\apps\openssl.cnf: configdata.pm +$(BLDDIR)\apps\openssl.cnf: makefile @if NOT EXIST "$(BLDDIR)\apps" mkdir "$(BLDDIR)\apps" @if NOT "$(SRCDIR)"=="$(BLDDIR)" copy "$(SRCDIR)\apps\$(@F)" "$(BLDDIR)\apps" # Building targets ################################################### -configdata.pm: "$(SRCDIR)\Configure" {- join(" ", map { '"'.$_.'"' } @{$config{build_file_templates}}, @{$config{build_infos}}, @{$config{conf_files}}) -} +makefile: configdata.pm {- join(" ", map { '"'.$_.'"' } @{$config{build_file_templates}}) -} + @$(ECHO) "Detected changed: $?" + "$(PERL)" configdata.pm + @$(ECHO) "**************************************************" + @$(ECHO) "*** ***" + @$(ECHO) "*** Please run the same make command again ***" + @$(ECHO) "*** ***" + @$(ECHO) "**************************************************" + @exit 1 + +configdata.pm: "$(SRCDIR)\Configure" {- join(" ", map { '"'.$_.'"' } @{$config{build_infos}}, @{$config{conf_files}}) -} @$(ECHO) "Detected changed: $?" "$(PERL)" configdata.pm -r @$(ECHO) "**************************************************" diff --git a/deps/openssl/openssl/Configure b/deps/openssl/openssl/Configure index 6991ce13683f11..c4381a02fc0b18 100755 --- a/deps/openssl/openssl/Configure +++ b/deps/openssl/openssl/Configure 
@@ -3172,25 +3172,25 @@ sub resolve_config { } } - foreach (sort keys %all_keys) { - my $previous = $combined_inheritance{$_}; + foreach my $key (sort keys %all_keys) { + my $previous = $combined_inheritance{$key}; # Current target doesn't have a value for the current key? # Assign it the default combiner, the rest of this loop body # will handle it just like any other coderef. - if (!exists $table{$target}->{$_}) { - $table{$target}->{$_} = $default_combiner; + if (!exists $table{$target}->{$key}) { + $table{$target}->{$key} = $default_combiner; } - $table{$target}->{$_} = process_values($table{$target}->{$_}, - $combined_inheritance{$_}, - $target, $_); - unless(defined($table{$target}->{$_})) { - delete $table{$target}->{$_}; + $table{$target}->{$key} = process_values($table{$target}->{$key}, + $combined_inheritance{$key}, + $target, $key); + unless(defined($table{$target}->{$key})) { + delete $table{$target}->{$key}; } # if ($extra_checks && -# $previous && !($add_called || $previous ~~ $table{$target}->{$_})) { -# warn "$_ got replaced in $target\n"; +# $previous && !($add_called || $previous ~~ $table{$target}->{$key})) { +# warn "$key got replaced in $target\n"; # } } diff --git a/deps/openssl/openssl/NEWS.md b/deps/openssl/openssl/NEWS.md index c27423e584e316..b9bd0dcc762e92 100644 --- a/deps/openssl/openssl/NEWS.md +++ b/deps/openssl/openssl/NEWS.md @@ -18,6 +18,11 @@ OpenSSL Releases OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022] + + * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli ([CVE-2022-0778]) + ### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021] * Fixed invalid handling of X509_verify_cert() internal errors in libssl diff --git a/deps/openssl/openssl/README-FIPS.md b/deps/openssl/openssl/README-FIPS.md index a8be9ddb317f1b..d8c3cd3dd07608 100644 --- a/deps/openssl/openssl/README-FIPS.md +++ b/deps/openssl/openssl/README-FIPS.md 
@@ -64,4 +64,4 @@ Using the FIPS Module in applications Documentation about using the FIPS module is available on the [fips_module(7)] manual page. - [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html + [fips_module(7)]: https://www.openssl.org/docs/man3.0/man7/fips_module.html diff --git a/deps/openssl/openssl/README-OpenSSL.md b/deps/openssl/openssl/README-OpenSSL.md index 680faea76f1cca..f2f4fd39ad05bb 100644 --- a/deps/openssl/openssl/README-OpenSSL.md +++ b/deps/openssl/openssl/README-OpenSSL.md @@ -113,8 +113,8 @@ document. * [Notes on Perl](NOTES-PERL.md) * [Notes on Valgrind](NOTES-VALGRIND.md) -Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as -known issues are available on the [OpenSSL 3.0 Wiki] page. +Specific notes on upgrading to OpenSSL 3.0 from previous versions can be found +in the [migration_guide(7ossl)] manual page. Documentation ============= @@ -126,6 +126,7 @@ The manual pages for the master branch and all current stable releases are available online. - [OpenSSL master](https://www.openssl.org/docs/manmaster) +- [OpenSSL 3.0](https://www.openssl.org/docs/man3.0) - [OpenSSL 1.1.1](https://www.openssl.org/docs/man1.1.1) Wiki @@ -165,7 +166,7 @@ attempting to develop or distribute cryptographic code. Copyright ========= -Copyright (c) 1998-2021 The OpenSSL Project +Copyright (c) 1998-2022 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -193,9 +194,9 @@ All rights reserved. "OpenSSL Wiki" -[OpenSSL 3.0 Wiki]: - - "OpenSSL 3.0 Wiki" +[migration_guide(7ossl)]: + + "OpenSSL Migration Guide" [RFC 8446]: diff --git a/deps/openssl/openssl/README-PROVIDERS.md b/deps/openssl/openssl/README-PROVIDERS.md index 33533f671c7d56..25e49c8618f7cc 100644 --- a/deps/openssl/openssl/README-PROVIDERS.md +++ b/deps/openssl/openssl/README-PROVIDERS.md 
@@ -20,7 +20,7 @@ distribute their own providers which can be added to OpenSSL dynamically. Documentation about writing providers is available on the [provider(7)] manual page. - [provider(7)]: https://www.openssl.org/docs/manmaster/man7/provider.html + [provider(7)]: https://www.openssl.org/docs/man3.0/man7/provider.html The Default Provider -------------------- @@ -88,7 +88,7 @@ Providers to be loaded can be specified in the OpenSSL config file. See the [config(5)] manual page for information about how to configure providers via the config file, and how to automatically activate them. - [config(5)]: https://www.openssl.org/docs/manmaster/man5/config.html + [config(5)]: https://www.openssl.org/docs/man3.0/man5/config.html The following is a minimal config file example to load and activate both the legacy and the default provider in the default library context. diff --git a/deps/openssl/openssl/README.md b/deps/openssl/openssl/README.md index f960fd8e675420..a6534012f7fff5 100644 --- a/deps/openssl/openssl/README.md +++ b/deps/openssl/openssl/README.md @@ -4,7 +4,7 @@ What This Is This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition to the website, the official source distribution is at . The OpenSSL `README` can be found at -[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.1%2Bquic/README-OpenSSL.md) +[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.2%2Bquic/README-OpenSSL.md) This fork adds APIs that can be used by QUIC implementations for connection handshakes. Quoting the IETF Working group diff --git a/deps/openssl/openssl/VERSION.dat b/deps/openssl/openssl/VERSION.dat index 442559b71c9b78..d577b940c4d69c 100644 --- a/deps/openssl/openssl/VERSION.dat +++ b/deps/openssl/openssl/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=1 +PATCH=2 PRE_RELEASE_TAG= BUILD_METADATA=quic -RELEASE_DATE="14 Dec 2021" +RELEASE_DATE="15 Mar 2022" SHLIB_VERSION=81.3 
diff --git a/deps/openssl/openssl/apps/ciphers.c b/deps/openssl/openssl/apps/ciphers.c index 9c494224a11f27..4dc3fa94549add 100644 --- a/deps/openssl/openssl/apps/ciphers.c +++ b/deps/openssl/openssl/apps/ciphers.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -187,7 +187,7 @@ int ciphers_main(int argc, char **argv) goto end; } - ctx = SSL_CTX_new(meth); + ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); if (ctx == NULL) goto err; if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) diff --git a/deps/openssl/openssl/apps/cmp.c b/deps/openssl/openssl/apps/cmp.c index 01a437fe482748..9ea5cee4124da1 100644 --- a/deps/openssl/openssl/apps/cmp.c +++ b/deps/openssl/openssl/apps/cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -161,7 +161,7 @@ static char *opt_rspin = NULL; static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; -/* server-side debugging */ +/* mock server */ #ifndef OPENSSL_NO_SOCK static char *opt_port = NULL; static int opt_max_msgs = 0; @@ -287,7 +287,7 @@ const OPTIONS cmp_options[] = { {"subject", OPT_SUBJECT, 's', "Distinguished Name (DN) of subject to use in the requested cert template"}, {OPT_MORE_STR, 0, 0, - "For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"}, + "For kur, default is subject of -csr arg or reference cert (see -oldcert)"}, {OPT_MORE_STR, 0, 0, "this default is used for ir and cr only if no Subject Alt Names are set"}, {"issuer", OPT_ISSUER, 's', 
@@ -336,7 +336,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "also used as reference (defaulting to -cert) for subject DN and SANs."}, {OPT_MORE_STR, 0, 0, - "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, + "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, {"revreason", OPT_REVREASON, 'n', "Reason code to include in revocation request (rr); possible values:"}, {OPT_MORE_STR, 0, 0, @@ -470,14 +470,16 @@ const OPTIONS cmp_options[] = { "Process sequence of CMP responses provided in file(s), skipping server"}, {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"}, - {"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"}, + {"use_mock_srv", OPT_USE_MOCK_SRV, '-', + "Use internal mock server at API level, bypassing socket-based HTTP"}, OPT_SECTION("Mock server"), #ifdef OPENSSL_NO_SOCK {OPT_MORE_STR, 0, 0, "NOTE: -port and -max_msgs not supported due to no-sock build"}, #else - {"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"}, + {"port", OPT_PORT, 's', + "Act as HTTP-based mock server listening on given port"}, {"max_msgs", OPT_MAX_MSGS, 'N', "max number of messages handled by HTTP mock server. Default: 0 = unlimited"}, #endif @@ -1000,7 +1002,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_ref == NULL) { if (opt_srv_cert == NULL) { /* opt_srv_cert should determine the sender */ - CMP_err("must give -srv_ref for server if no -srv_cert given"); + CMP_err("must give -srv_ref for mock server if no -srv_cert given"); goto err; } } else { @@ -1011,7 +1013,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_secret != NULL) { int res; - char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of server"); + char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of mock server"); if (pass_str != NULL) { cleanse(opt_srv_secret); 
@@ -1022,10 +1024,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) goto err; } } else if (opt_srv_cert == NULL) { - CMP_err("server credentials must be given if -use_mock_srv or -port is used"); + CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); goto err; } else { - CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"); + CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given"); } if (opt_srv_secret == NULL @@ -1035,7 +1037,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) } if (opt_srv_cert != NULL) { X509 *srv_cert = load_cert_pwd(opt_srv_cert, opt_srv_keypass, - "certificate of the server"); + "certificate of the mock server"); if (srv_cert == NULL || !OSSL_CMP_CTX_set1_cert(ctx, srv_cert)) { X509_free(srv_cert); @@ -1046,7 +1048,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_key != NULL) { EVP_PKEY *pkey = load_key_pwd(opt_srv_key, opt_keyform, opt_srv_keypass, - engine, "private key for server cert"); + engine, "private key for mock server cert"); if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) { EVP_PKEY_free(pkey); @@ -1058,14 +1060,14 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_trusted != NULL) { X509_STORE *ts = - load_trusted(opt_srv_trusted, 0, "certs trusted by server"); + load_trusted(opt_srv_trusted, 0, "certs trusted by mock server"); if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) { X509_STORE_free(ts); goto err; } } else { - CMP_warn("server will not be able to handle signature-protected requests since -srv_trusted is not given"); + CMP_warn("mock server will not be able to handle signature-protected requests since -srv_trusted is not given"); } if (!setup_certs(opt_srv_untrusted, "untrusted certificates for mock server", ctx, 
@@ -1073,8 +1075,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) goto err; if (opt_rsp_cert == NULL) { - CMP_err("must give -rsp_cert for mock server"); - goto err; + CMP_warn("no -rsp_cert given for mock server"); } else { X509 *cert = load_cert_pwd(opt_rsp_cert, opt_keypass, "cert to be returned by the mock server"); @@ -1805,13 +1806,31 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) static char server_port[32] = { '\0' }; const char *proxy_host = NULL; #endif - char server_buf[200] = { '\0' }; - char proxy_buf[200] = { '\0' }; + char server_buf[200] = "mock server"; + char proxy_buf[200] = ""; + if (!opt_use_mock_srv && opt_rspin == NULL) { /* note: -port is not given */ #ifndef OPENSSL_NO_SOCK - if (opt_server == NULL) { - CMP_err("missing -server option"); + if (opt_server == NULL) { + CMP_err("missing -server or -use_mock_srv or -rspin option"); + goto err; + } +#else + CMP_err("missing -use_mock_srv or -rspin option; -server option is not supported due to no-sock build"); goto err; +#endif + } +#ifndef OPENSSL_NO_SOCK + if (opt_server == NULL) { + if (opt_proxy != NULL) + CMP_warn("ignoring -proxy option since -server is not given"); + if (opt_no_proxy != NULL) + CMP_warn("ignoring -no_proxy option since -server is not given"); + if (opt_tls_used) { + CMP_warn("ignoring -tls_used option since -server is not given"); + opt_tls_used = 0; + } + goto set_path; } if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &host, &port, &portnum, &path, NULL /* q */, NULL /* frag */)) { @@ -1841,6 +1860,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (proxy_host != NULL) (void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host); + set_path: #endif if (!OSSL_CMP_CTX_set1_serverPath(ctx, used_path)) 
@@ -1886,11 +1906,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) (void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp); #ifndef OPENSSL_NO_SOCK - if ((opt_tls_cert != NULL || opt_tls_key != NULL - || opt_tls_keypass != NULL || opt_tls_extra != NULL - || opt_tls_trusted != NULL || opt_tls_host != NULL) - && !opt_tls_used) - CMP_warn("TLS options(s) given but not -tls_used"); if (opt_tls_used) { APP_HTTP_TLS_INFO *info; @@ -1904,19 +1919,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) goto err; } } - if (opt_use_mock_srv) { - CMP_err("cannot use TLS options together with -use_mock_srv"); - goto err; - } + if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info); /* info will be freed along with CMP ctx */ info->server = opt_server; info->port = server_port; - info->use_proxy = opt_proxy != NULL; + /* workaround for callback design flaw, see #17088: */ + info->use_proxy = proxy_host != NULL; info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); + if (info->ssl_ctx == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb); @@ -1938,7 +1952,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) goto err; /* not printing earlier, to minimize confusion in case setup fails before */ - CMP_info2("will contact %s%s", server_buf, proxy_buf); + if (opt_rspin != NULL) + CMP_info("will not contact any server since -rspin is given"); + else + CMP_info2("will contact %s%s", server_buf, proxy_buf); ret = 1; @@ -2692,9 +2709,6 @@ int cmp_main(int argc, char **argv) int i; X509 *newcert = NULL; ENGINE *engine = NULL; -#ifndef OPENSSL_NO_SOCK - char mock_server[] = "mock server:1"; -#endif OSSL_CMP_CTX *srv_cmp_ctx = NULL; int ret = 0; /* default: failure */ 
@@ -2785,27 +2799,41 @@ int cmp_main(int argc, char **argv) } } + cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq()); + if (cmp_ctx == NULL) + goto err; + OSSL_CMP_CTX_set_log_verbosity(cmp_ctx, opt_verbosity); + if (!OSSL_CMP_CTX_set_log_cb(cmp_ctx, print_to_bio_out)) { + CMP_err1("cannot set up error reporting and logging for %s", prog); + goto err; + } + #ifndef OPENSSL_NO_SOCK + if ((opt_tls_cert != NULL || opt_tls_key != NULL + || opt_tls_keypass != NULL || opt_tls_extra != NULL + || opt_tls_trusted != NULL || opt_tls_host != NULL) + && !opt_tls_used) + CMP_warn("Ingnoring TLS options(s) since -tls_used is not given"); if (opt_port != NULL) { - if (opt_use_mock_srv) { - CMP_err("cannot use both -port and -use_mock_srv options"); + if (opt_tls_used) { + CMP_err("-tls_used option not supported with -port option"); goto err; } - if (opt_server != NULL) { - CMP_err("cannot use both -port and -server options"); + if (opt_use_mock_srv || opt_server != NULL || opt_rspin != NULL) { + CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options"); goto err; } } -#endif - - cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq()); - if (cmp_ctx == NULL) + if (opt_server != NULL && opt_use_mock_srv) { + CMP_err("cannot use both -server and -use_mock_srv options"); goto err; - OSSL_CMP_CTX_set_log_verbosity(cmp_ctx, opt_verbosity); - if (!OSSL_CMP_CTX_set_log_cb(cmp_ctx, print_to_bio_out)) { - CMP_err1("cannot set up error reporting and logging for %s", prog); + } +#endif + if (opt_rspin != NULL && opt_use_mock_srv) { + CMP_err("cannot use both -rspin and -use_mock_srv options"); goto err; } + if (opt_use_mock_srv #ifndef OPENSSL_NO_SOCK || opt_port != NULL 
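Review bot: The new warning string in cmp_main is misspelled; `CMP_warn("Ingnoring TLS options(s) since -tls_used is not given");` should read `CMP_warn("Ignoring TLS option(s) since -tls_used is not given");`. The behaviour behind it deserves a comment as well: when -tls_cert, -tls_key, -tls_trusted or -tls_host is supplied without -tls_used, the run continues with only this warning and the client is set up without TLS, which an operator who supplied those options may not expect. A line such as `/* TLS options without -tls_used are ignored, not rejected: the transfer is then not TLS-protected */` above the check would make that explicit. cmp_main starts and ends outside the hunk.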
@@ -2824,29 +2852,26 @@ int cmp_main(int argc, char **argv) OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity); } - #ifndef OPENSSL_NO_SOCK + if (opt_tls_used && (opt_use_mock_srv || opt_rspin != NULL)) { + CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given"); + opt_tls_used = 0; + } + if (opt_port != NULL) { /* act as very basic CMP HTTP server */ ret = cmp_server(srv_cmp_ctx); goto err; } -#endif - /* else act as CMP client */ - if (opt_use_mock_srv) { -#ifndef OPENSSL_NO_SOCK - if (opt_server != NULL) { - CMP_err("cannot use both -use_mock_srv and -server options"); - goto err; - } - if (opt_proxy != NULL) { - CMP_err("cannot use both -use_mock_srv and -proxy options"); - goto err; + /* act as CMP client, possibly using internal mock server */ + + if (opt_server != NULL) { + if (opt_rspin != NULL) { + CMP_warn("ignoring -server option since -rspin is given"); + opt_server = NULL; } - opt_server = mock_server; - opt_proxy = "API"; -#endif } +#endif if (!setup_client_ctx(cmp_ctx, engine)) { CMP_err("cannot set up CMP context"); diff --git a/deps/openssl/openssl/apps/include/engine_loader.h b/deps/openssl/openssl/apps/include/engine_loader.h index 11598639a5f688..fa80fc96567c74 100644 --- a/deps/openssl/openssl/apps/include/engine_loader.h +++ b/deps/openssl/openssl/apps/include/engine_loader.h @@ -1,7 +1,7 @@ /* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/apps/lib/apps.c b/deps/openssl/openssl/apps/lib/apps.c index e01633c5b540b8..30da6e8a8cb896 100644 
--- a/deps/openssl/openssl/apps/lib/apps.c +++ b/deps/openssl/openssl/apps/lib/apps.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -291,7 +291,7 @@ static char *app_get_pass(const char *arg, int keepbio) i = atoi(arg + 3); if (i >= 0) pwdbio = BIO_new_fd(i, BIO_NOCLOSE); - if ((i < 0) || !pwdbio) { + if ((i < 0) || pwdbio == NULL) { BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3); return NULL; } @@ -299,6 +299,12 @@ static char *app_get_pass(const char *arg, int keepbio) * Can't do BIO_gets on an fd BIO so add a buffering BIO */ btmp = BIO_new(BIO_f_buffer()); + if (btmp == NULL) { + BIO_free_all(pwdbio); + pwdbio = NULL; + BIO_printf(bio_err, "Out of memory\n"); + return NULL; + } pwdbio = BIO_push(btmp, pwdbio); #endif } else if (strcmp(arg, "stdin") == 0) { @@ -696,10 +702,13 @@ int load_cert_certs(const char *uri, if (ret) { if (pcert != NULL) warn_cert(uri, *pcert, 0, vpm); - warn_certs(uri, *pcerts, 1, vpm); + if (pcerts != NULL) + warn_certs(uri, *pcerts, 1, vpm); } else { - sk_X509_pop_free(*pcerts, X509_free); - *pcerts = NULL; + if (pcerts != NULL) { + sk_X509_pop_free(*pcerts, X509_free); + *pcerts = NULL; + } } return ret; } 
@@ -2442,16 +2451,18 @@ static const char *tls_error_hint(void) } /* HTTP callback function that supports TLS connection also via HTTPS proxy */ -BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail) +BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) { + APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg; + SSL_CTX *ssl_ctx = info->ssl_ctx; + if (connect && detail) { /* connecting with TLS */ - APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg; - SSL_CTX *ssl_ctx = info->ssl_ctx; SSL *ssl; BIO *sbio = NULL; + /* adapt after fixing callback design flaw, see #17088 */ if ((info->use_proxy - && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port, + && !OSSL_HTTP_proxy_connect(bio, info->server, info->port, NULL, NULL, /* no proxy credentials */ info->timeout, bio_err, opt_getprog())) || (sbio = BIO_new(BIO_f_ssl())) == NULL) { 
@@ -2462,23 +2473,33 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail) return NULL; } - SSL_set_tlsext_host_name(ssl, info->server); + /* adapt after fixing callback design flaw, see #17088 */ + SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */ SSL_set_connect_state(ssl); BIO_set_ssl(sbio, ssl, BIO_CLOSE); - hbio = BIO_push(sbio, hbio); - } else if (!connect && !detail) { /* disconnecting after error */ - const char *hint = tls_error_hint(); + bio = BIO_push(sbio, bio); + } + if (!connect) { + const char *hint; + BIO *cbio; - if (hint != NULL) - ERR_add_error_data(2, " : ", hint); - /* - * If we pop sbio and BIO_free() it this may lead to libssl double free. - * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c - */ + if (!detail) { /* disconnecting after error */ + hint = tls_error_hint(); + if (hint != NULL) + ERR_add_error_data(2, " : ", hint); + } + if (ssl_ctx != NULL) { + (void)ERR_set_mark(); + BIO_ssl_shutdown(bio); + cbio = BIO_pop(bio); /* connect+HTTP BIO */ + BIO_free(bio); /* SSL BIO */ + (void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */ + bio = cbio; + } } - return hbio; + return bio; } void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info) @@ -2518,7 +2539,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy, info.server = server; info.port = port; - info.use_proxy = proxy != NULL; + info.use_proxy = /* workaround for callback design flaw, see #17088 */ + OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL; info.timeout = timeout; info.ssl_ctx = ssl_ctx; mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */, 
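Review bot: The teardown branch added here pops and frees the top BIO whenever `ssl_ctx != NULL`, while the set-up branch pushes the SSL BIO only when `connect && detail`, so the two sides are keyed on different conditions. If a caller ever passes an `ssl_ctx` for a connection that was made without TLS, `BIO_pop(bio)` / `BIO_free(bio)` would act on a chain that has no SSL BIO on top; the callers visible on this page appear to set `ssl_ctx` only for TLS, but nothing in the callback enforces it. A comment on the check, `/* relies on ssl_ctx being set only when the SSL BIO was pushed on connect */`, or a test that the top BIO really is the SSL BIO before freeing it, would make the invariant explicit. The function also now reads `info->ssl_ctx` on entry for every call, so `arg` must be non-NULL on disconnect too. app_http_tls_cb begins in the previous hunk.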
@@ -2544,18 +2566,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port, const char *expected_content_type, long timeout, const ASN1_ITEM *rsp_it) { + int use_ssl = ssl_ctx != NULL; APP_HTTP_TLS_INFO info; BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req); ASN1_VALUE *res; if (req_mem == NULL) return NULL; + info.server = host; info.port = port; - info.use_proxy = proxy != NULL; + info.use_proxy = /* workaround for callback design flaw, see #17088 */ + OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL; info.timeout = timeout; info.ssl_ctx = ssl_ctx; - rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL, + rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl, proxy, no_proxy, NULL /* bio */, NULL /* rbio */, app_http_tls_cb, &info, 0 /* buf_size */, headers, content_type, req_mem, diff --git a/deps/openssl/openssl/apps/lib/engine_loader.c b/deps/openssl/openssl/apps/lib/engine_loader.c index b2a11d438df876..c093f31e1b395a 100644 --- a/deps/openssl/openssl/apps/lib/engine_loader.c +++ b/deps/openssl/openssl/apps/lib/engine_loader.c @@ -1,7 +1,7 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/apps/lib/s_socket.c b/deps/openssl/openssl/apps/lib/s_socket.c index dbeebb54c5b723..059afe47b90491 100644 --- a/deps/openssl/openssl/apps/lib/s_socket.c +++ b/deps/openssl/openssl/apps/lib/s_socket.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -162,7 +162,7 @@ int init_client(int *sock, const char *host, const char *port, #endif if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai), - protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) { + BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) { BIO_closesocket(*sock); *sock = INVALID_SOCKET; continue; diff --git a/deps/openssl/openssl/apps/ocsp.c b/deps/openssl/openssl/apps/ocsp.c index 7a5f84e527d0ea..05c6873238410a 100644 --- a/deps/openssl/openssl/apps/ocsp.c +++ b/deps/openssl/openssl/apps/ocsp.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1176,10 +1176,12 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) bn = ASN1_INTEGER_to_BN(ser, NULL); OPENSSL_assert(bn); /* FIXME: should report an error at this * point and abort */ - if (BN_is_zero(bn)) + if (BN_is_zero(bn)) { itmp = OPENSSL_strdup("00"); - else + OPENSSL_assert(itmp); + } else { itmp = BN_bn2hex(bn); + } row[DB_serial] = itmp; BN_free(bn); rrow = TXT_DB_get_by_index(db->db, DB_serial, row); diff --git a/deps/openssl/openssl/apps/passwd.c b/deps/openssl/openssl/apps/passwd.c index 65cbd9e4939629..64b2e76c147ae4 100644 --- a/deps/openssl/openssl/apps/passwd.c +++ b/deps/openssl/openssl/apps/passwd.c 
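Review bot: In lookup_serial the added `OPENSSL_assert(itmp);` covers only the zero-serial branch, so a NULL returned by `BN_bn2hex(bn)` in the else branch still reaches `row[DB_serial] = itmp;` unchecked. Placing the check once after the if/else, `OPENSSL_assert(itmp);` just before `row[DB_serial] = itmp;`, covers both allocations. As the existing FIXME on the `bn` assert already says, aborting is a blunt answer for a responder process and reporting the error would be preferable, but the function's return path is outside the hunk.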
@@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -410,7 +410,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) n >>= 1; } if (!EVP_DigestFinal_ex(md, buf, NULL)) - return NULL; + goto err; for (i = 0; i < 1000; i++) { if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL)) @@ -636,7 +636,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) n >>= 1; } if (!EVP_DigestFinal_ex(md, buf, NULL)) - return NULL; + goto err; /* P sequence */ if (!EVP_DigestInit_ex(md2, sha, NULL)) @@ -647,7 +647,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) goto err; if (!EVP_DigestFinal_ex(md2, temp_buf, NULL)) - return NULL; + goto err; if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL) goto err; @@ -664,7 +664,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) goto err; if (!EVP_DigestFinal_ex(md2, temp_buf, NULL)) - return NULL; + goto err; if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL) goto err; diff --git a/deps/openssl/openssl/apps/pkeyutl.c b/deps/openssl/openssl/apps/pkeyutl.c index 73012e3069532d..518a74166153fd 100644 --- a/deps/openssl/openssl/apps/pkeyutl.c +++ b/deps/openssl/openssl/apps/pkeyutl.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -464,23 +464,23 @@ int pkeyutl_main(int argc, char **argv) } goto end; } - if (kdflen != 0) { - buf_outlen = kdflen; - rv = 1; + if (rawin) { + /* rawin allocates the buffer in do_raw_keyop() */ + rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, + &buf_out, (size_t *)&buf_outlen); } else { - if (rawin) { - /* rawin allocates the buffer in do_raw_keyop() */ - rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, - &buf_out, (size_t *)&buf_outlen); + if (kdflen != 0) { + buf_outlen = kdflen; + rv = 1; } else { rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, buf_in, (size_t)buf_inlen); - if (rv > 0 && buf_outlen != 0) { - buf_out = app_malloc(buf_outlen, "buffer output"); - rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - } + } + if (rv > 0 && buf_outlen != 0) { + buf_out = app_malloc(buf_outlen, "buffer output"); + rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); } } if (rv <= 0) { diff --git a/deps/openssl/openssl/apps/progs.pl b/deps/openssl/openssl/apps/progs.pl index 8a5759a961cbed..29f9be13ca088d 100644 --- a/deps/openssl/openssl/apps/progs.pl +++ b/deps/openssl/openssl/apps/progs.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -21,7 +21,7 @@ my %commands = (); my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; my $apps_openssl = shift @ARGV; -my $YEAR = [localtime()]->[5] + 1900; +my $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH} || time())]->[5] + 1900; # because the program apps/openssl has object files as sources, and # they then have the corresponding C files as source, we need to chain 
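Review bot: `$ENV{SOURCE_DATE_EPOCH}` is passed to `gmtime` in apps/progs.pl without checking that it is a non-negative integer, so a malformed value in the build environment is numified (to 0 for a non-numeric string) and yields a wrong `$YEAR` instead of a fallback. Validating first keeps the reproducible-build behaviour: `my $epoch = $ENV{SOURCE_DATE_EPOCH};` then `$epoch = time() unless defined $epoch && $epoch =~ /\A\d+\z/;` and `my $YEAR = [gmtime($epoch)]->[5] + 1900;`. A short comment that UTC is used on purpose, so the year does not depend on the builder's time zone, would also help the next reader.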
diff --git a/deps/openssl/openssl/apps/rehash.c b/deps/openssl/openssl/apps/rehash.c index 7fe01de11c0b6c..fb6c08c420cade 100644 --- a/deps/openssl/openssl/apps/rehash.c +++ b/deps/openssl/openssl/apps/rehash.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2013-2014 Timo Teräs * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -168,6 +168,12 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename, *ep = nilhentry; ep->old_id = ~0; ep->filename = OPENSSL_strdup(filename); + if (ep->filename == NULL) { + OPENSSL_free(ep); + ep = NULL; + BIO_printf(bio_err, "out of memory\n"); + return 1; + } if (bp->last_entry) bp->last_entry->next = ep; if (bp->first_entry == NULL) diff --git a/deps/openssl/openssl/apps/req.c b/deps/openssl/openssl/apps/req.c index fd9826a5a8df2f..71a5ab20cacda4 100644 --- a/deps/openssl/openssl/apps/req.c +++ b/deps/openssl/openssl/apps/req.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -775,8 +775,9 @@ int req_main(int argc, char **argv) } } if (newreq || gen_x509) { - if (pkey == NULL /* can happen only if !newreq */) { - BIO_printf(bio_err, "Must provide a signature key using -key\n"); + if (CAcert == NULL && pkey == NULL) { + BIO_printf(bio_err, "Must provide a signature key using -key or" + " provide -CA / -CAkey\n"); goto end; } 
@@ -1594,6 +1595,13 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, *pkeytype = OPENSSL_strndup(keytype, keytypelen); else *pkeytype = OPENSSL_strdup(keytype); + + if (*pkeytype == NULL) { + BIO_printf(bio_err, "Out of memory\n"); + EVP_PKEY_free(param); + return NULL; + } + if (keylen >= 0) *pkeylen = keylen; diff --git a/deps/openssl/openssl/apps/s_client.c b/deps/openssl/openssl/apps/s_client.c index 30a9b34ccb6fb5..2b248be485a73b 100644 --- a/deps/openssl/openssl/apps/s_client.c +++ b/deps/openssl/openssl/apps/s_client.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -805,7 +805,7 @@ int s_client_main(int argc, char **argv) char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL, *host = NULL; char *thost = NULL, *tport = NULL; - char *port = OPENSSL_strdup(PORT); + char *port = NULL; char *bindhost = NULL, *bindport = NULL; char *passarg = NULL, *pass = NULL; char *vfyCApath = NULL, *vfyCAfile = NULL, *vfyCAstore = NULL; @@ -843,6 +843,7 @@ int s_client_main(int argc, char **argv) struct timeval tv; #endif const char *servername = NULL; + char *sname_alloc = NULL; int noservername = 0; const char *alpn_in = NULL; tlsextctx tlsextcbp = { NULL, 0 }; @@ -903,10 +904,11 @@ int s_client_main(int argc, char **argv) c_debug = 0; c_showcerts = 0; c_nbio = 0; + port = OPENSSL_strdup(PORT); vpm = X509_VERIFY_PARAM_new(); cctx = SSL_CONF_CTX_new(); - if (vpm == NULL || cctx == NULL) { + if (port == NULL || vpm == NULL || cctx == NULL) { BIO_printf(bio_err, "%s: out of memory\n", opt_getprog()); goto end; } 
@@ -1131,6 +1133,10 @@ int s_client_main(int argc, char **argv) break; case OPT_MSGFILE: bio_c_msg = BIO_new_file(opt_arg(), "w"); + if (bio_c_msg == NULL) { + BIO_printf(bio_err, "Error writing file %s\n", opt_arg()); + goto end; + } break; case OPT_TRACE: #ifndef OPENSSL_NO_SSL_TRACE @@ -1530,6 +1536,14 @@ int s_client_main(int argc, char **argv) goto opthelp; } + if (servername == NULL && !noservername) { + servername = sname_alloc = OPENSSL_strdup(host); + if (sname_alloc == NULL) { + BIO_printf(bio_err, "%s: out of memory\n", prog); + goto end; + } + } + /* Retain the original target host:port for use in the HTTP proxy connect string */ thost = OPENSSL_strdup(host); tport = OPENSSL_strdup(port); @@ -1651,10 +1665,21 @@ int s_client_main(int argc, char **argv) if (bio_c_out == NULL) { if (c_quiet && !c_debug) { bio_c_out = BIO_new(BIO_s_null()); - if (c_msg && bio_c_msg == NULL) + if (c_msg && bio_c_msg == NULL) { bio_c_msg = dup_bio_out(FORMAT_TEXT); - } else if (bio_c_out == NULL) + if (bio_c_msg == NULL) { + BIO_printf(bio_err, "Out of memory\n"); + goto end; + } + } + } else { bio_c_out = dup_bio_out(FORMAT_TEXT); + } + + if (bio_c_out == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto end; + } } #ifndef OPENSSL_NO_SRP if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) { @@ -2017,14 +2042,16 @@ int s_client_main(int argc, char **argv) #endif sbio = BIO_new_dgram(sock, BIO_NOCLOSE); - if ((peer_info.addr = BIO_ADDR_new()) == NULL) { + if (sbio == NULL || (peer_info.addr = BIO_ADDR_new()) == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); + BIO_free(sbio); BIO_closesocket(sock); goto end; } if (!BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &peer_info)) { BIO_printf(bio_err, "getsockname:errno=%d\n", get_last_socket_error()); + BIO_free(sbio); BIO_ADDR_free(peer_info.addr); BIO_closesocket(sock); goto end; 
@@ -2065,10 +2092,22 @@ int s_client_main(int argc, char **argv) #endif /* OPENSSL_NO_DTLS */ sbio = BIO_new_socket(sock, BIO_NOCLOSE); + if (sbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + ERR_print_errors(bio_err); + BIO_closesocket(sock); + goto end; + } + if (nbio_test) { BIO *test; test = BIO_new(BIO_f_nbio_test()); + if (test == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + BIO_free(sbio); + goto shut; + } sbio = BIO_push(test, sbio); } @@ -2135,6 +2174,10 @@ int s_client_main(int argc, char **argv) int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); + if (fbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto shut; + } BIO_push(fbio, sbio); /* Wait for multi-line response to end from LMTP or SMTP */ do { @@ -2183,6 +2226,10 @@ int s_client_main(int argc, char **argv) int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); + if (fbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto shut; + } BIO_push(fbio, sbio); BIO_gets(fbio, mbuf, BUFSIZZ); /* STARTTLS command requires CAPABILITY... */ @@ -2210,6 +2257,10 @@ int s_client_main(int argc, char **argv) { BIO *fbio = BIO_new(BIO_f_buffer()); + if (fbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto shut; + } BIO_push(fbio, sbio); /* wait for multi-line response to end from FTP */ do { @@ -2304,6 +2355,10 @@ int s_client_main(int argc, char **argv) int numeric; BIO *fbio = BIO_new(BIO_f_buffer()); + if (fbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto end; + } BIO_push(fbio, sbio); BIO_printf(fbio, "STARTTLS\r\n"); (void)BIO_flush(fbio); @@ -2464,6 +2519,10 @@ int s_client_main(int argc, char **argv) int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); + if (fbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto end; + } BIO_push(fbio, sbio); BIO_gets(fbio, mbuf, BUFSIZZ); /* STARTTLS command requires CAPABILITIES... */ 
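Review bot: The new `test == NULL` branch in the `nbio_test` block frees `sbio` and jumps to `shut` without closing `sock`, while the `sbio == NULL` branch just above it calls `BIO_closesocket(sock)` before `goto end`. Because `sbio` was created with `BIO_NOCLOSE`, `BIO_free(sbio)` leaves the descriptor open. The `shut` label is outside this hunk, so it is unclear whether it can still reach the socket once no BIO is attached to the connection. Mirroring the earlier branch would make the cleanup explicit: `BIO_free(sbio); BIO_closesocket(sock); goto end;`. The impact is small for a command-line tool that is about to exit, but the two error paths should agree.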
@@ -2504,6 +2563,10 @@ int s_client_main(int argc, char **argv) int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); + if (fbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + goto end; + } BIO_push(fbio, sbio); /* wait for multi-line response to end from Sieve */ do { @@ -2563,8 +2626,9 @@ int s_client_main(int argc, char **argv) BIO *ldapbio = BIO_new(BIO_s_mem()); CONF *cnf = NCONF_new(NULL); - if (cnf == NULL) { + if (ldapbio == NULL || cnf == NULL) { BIO_free(ldapbio); + NCONF_free(cnf); goto end; } BIO_puts(ldapbio, ldap_tls_genconf); @@ -3038,6 +3102,7 @@ int s_client_main(int argc, char **argv) #ifndef OPENSSL_NO_SRP OPENSSL_free(srp_arg.srppassin); #endif + OPENSSL_free(sname_alloc); OPENSSL_free(connectstr); OPENSSL_free(bindstr); OPENSSL_free(bindhost); diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index d95bf14cbf50b4..ccaec3124bf4c6 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1006,7 +1006,7 @@ int s_server_main(int argc, char *argv[]) int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0; int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0; char *host = NULL; - char *port = OPENSSL_strdup(PORT); + char *port = NULL; unsigned char *context = NULL; OPTION_CHOICE o; EVP_PKEY *s_key2 = NULL; @@ -1069,9 +1069,10 @@ int s_server_main(int argc, char *argv[]) async = 0; use_sendfile = 0; + port = OPENSSL_strdup(PORT); cctx = SSL_CONF_CTX_new(); vpm = X509_VERIFY_PARAM_new(); - if (cctx == NULL || vpm == NULL) + if (port == NULL || cctx == NULL || vpm == NULL) goto end; SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CMDLINE); 
@@ -1389,6 +1390,10 @@ int s_server_main(int argc, char *argv[]) break; case OPT_MSGFILE: bio_s_msg = BIO_new_file(opt_arg(), "w"); + if (bio_s_msg == NULL) { + BIO_printf(bio_err, "Error writing file %s\n", opt_arg()); + goto end; + } break; case OPT_TRACE: #ifndef OPENSSL_NO_SSL_TRACE @@ -1800,13 +1805,21 @@ int s_server_main(int argc, char *argv[]) if (bio_s_out == NULL) { if (s_quiet && !s_debug) { bio_s_out = BIO_new(BIO_s_null()); - if (s_msg && bio_s_msg == NULL) + if (s_msg && bio_s_msg == NULL) { bio_s_msg = dup_bio_out(FORMAT_TEXT); + if (bio_s_msg == NULL) { + BIO_printf(bio_err, "Out of memory\n"); + goto end; + } + } } else { - if (bio_s_out == NULL) - bio_s_out = dup_bio_out(FORMAT_TEXT); + bio_s_out = dup_bio_out(FORMAT_TEXT); } } + + if (bio_s_out == NULL) + goto end; + if (nocert) { s_cert_file = NULL; s_key_file = NULL; @@ -2344,6 +2357,11 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) else # endif sbio = BIO_new_dgram(s, BIO_NOCLOSE); + if (sbio == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + ERR_print_errors(bio_err); + goto err; + } if (enable_timeouts) { timeout.tv_sec = 0; @@ -2393,6 +2411,13 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) BIO *test; test = BIO_new(BIO_f_nbio_test()); + if (test == NULL) { + BIO_printf(bio_err, "Unable to create BIO\n"); + ret = -1; + BIO_free(sbio); + goto err; + } + sbio = BIO_push(test, sbio); } 
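Review bot: The `if (bio_s_out == NULL) goto end;` added after the output-BIO block in `s_server_main` exits without any diagnostic, so a failed `BIO_new()` or `dup_bio_out()` looks like a silent early exit. The matching change in `s_client_main` prints a message first, and the same would fit here: `if (bio_s_out == NULL) { BIO_printf(bio_err, "Unable to create BIO\n"); goto end; }`. The `sbio == NULL` and `test == NULL` checks added to `www_body` later in this file also print nothing, unless the `err` label does, and that label is outside the hunks. `s_server_main` continues beyond this hunk.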
@@ -2976,13 +3001,21 @@ static int www_body(int s, int stype, int prot, unsigned char *context) int total_bytes = 0; #endif int width; +#ifndef OPENSSL_NO_KTLS + int use_sendfile_for_req = use_sendfile; +#endif fd_set readfds; const char *opmode; +#ifdef CHARSET_EBCDIC + BIO *filter; +#endif /* Set width for a select call if needed */ width = s + 1; - buf = app_malloc(bufsize, "server www buffer"); + /* as we use BIO_gets(), and it always null terminates data, we need + * to allocate 1 byte longer buffer to fit the full 2^14 byte record */ + buf = app_malloc(bufsize + 1, "server www buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3015,10 +3048,21 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } sbio = BIO_new_socket(s, BIO_NOCLOSE); + if (sbio == NULL) { + SSL_free(con); + goto err; + } + if (s_nbio_test) { BIO *test; test = BIO_new(BIO_f_nbio_test()); + if (test == NULL) { + SSL_free(con); + BIO_free(sbio); + goto err; + } + sbio = BIO_push(test, sbio); } SSL_set_bio(con, sbio, sbio); @@ -3029,7 +3073,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context) BIO_push(io, ssl_bio); ssl_bio = NULL; #ifdef CHARSET_EBCDIC - io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io); + filter = BIO_new(BIO_f_ebcdic_filter()); + if (filter == NULL) + goto err; + + io = BIO_push(filter, io); #endif if (s_debug) { @@ -3047,7 +3095,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } for (;;) { - i = BIO_gets(io, buf, bufsize - 1); + i = BIO_gets(io, buf, bufsize + 1); if (i < 0) { /* error */ if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) { if (!s_quiet) @@ -3112,7 +3160,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) * we're expecting to come from the client. If they haven't * sent one there's not much we can do. */ - BIO_gets(io, buf, bufsize - 1); + BIO_gets(io, buf, bufsize + 1); } BIO_puts(io, 
@@ -3293,7 +3341,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } /* send the file */ #ifndef OPENSSL_NO_KTLS - if (use_sendfile) { + if (use_sendfile_for_req && !BIO_get_ktls_send(SSL_get_wbio(con))) { + BIO_printf(bio_err, "Warning: sendfile requested but KTLS is not available\n"); + use_sendfile_for_req = 0; + } + if (use_sendfile_for_req) { FILE *fp = NULL; int fd; struct stat st; @@ -3400,8 +3452,13 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) int ret = 1; SSL *con; BIO *io, *ssl_bio, *sbio; +#ifdef CHARSET_EBCDIC + BIO *filter; +#endif - buf = app_malloc(bufsize, "server rev buffer"); + /* as we use BIO_gets(), and it always null terminates data, we need + * to allocate 1 byte longer buffer to fit the full 2^14 byte record */ + buf = app_malloc(bufsize + 1, "server rev buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3427,6 +3484,12 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) } sbio = BIO_new_socket(s, BIO_NOCLOSE); + if (sbio == NULL) { + SSL_free(con); + ERR_print_errors(bio_err); + goto err; + } + SSL_set_bio(con, sbio, sbio); SSL_set_accept_state(con); @@ -3435,7 +3498,11 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) BIO_push(io, ssl_bio); ssl_bio = NULL; #ifdef CHARSET_EBCDIC - io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io); + filter = BIO_new(BIO_f_ebcdic_filter()); + if (filter == NULL) + goto err; + + io = BIO_push(filter, io); #endif if (s_debug) { @@ -3476,7 +3543,7 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) print_ssl_summary(con); for (;;) { - i = BIO_gets(io, buf, bufsize - 1); + i = BIO_gets(io, buf, bufsize + 1); if (i < 0) { /* error */ if (!BIO_should_retry(io)) { if (!s_quiet) diff --git a/deps/openssl/openssl/apps/speed.c b/deps/openssl/openssl/apps/speed.c index ada559228d5a08..d252b41ca431c4 100644 
--- a/deps/openssl/openssl/apps/speed.c +++ b/deps/openssl/openssl/apps/speed.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -29,6 +29,7 @@ #include #include "apps.h" #include "progs.h" +#include "internal/numbers.h" #include #include #include @@ -451,7 +452,7 @@ static const OPT_PAIR sm2_choices[SM2_NUM] = { static double sm2_results[SM2_NUM][2]; /* 2 ops: sign then verify */ #endif /* OPENSSL_NO_SM2 */ -#define COND(unused_cond) (run && count < 0x7fffffff) +#define COND(unused_cond) (run && count < INT_MAX) #define COUNT(d) (count) typedef struct loopargs_st { @@ -1774,6 +1775,10 @@ int speed_main(int argc, char **argv) buflen = lengths[size_num - 1]; if (buflen < 36) /* size of random vector in RSA benchmark */ buflen = 36; + if (INT_MAX - (MAX_MISALIGNMENT + 1) < buflen) { + BIO_printf(bio_err, "Error: buffer size too large\n"); + goto end; + } buflen += MAX_MISALIGNMENT + 1; loopargs[i].buf_malloc = app_malloc(buflen, "input buffer"); loopargs[i].buf2_malloc = app_malloc(buflen, "input buffer"); @@ -3617,7 +3622,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, for (j = 0; j < num; j++) { print_message(alg_name, 0, mblengths[j], seconds->sym); Time_F(START); - for (count = 0; run && count < 0x7fffffff; count++) { + for (count = 0; run && count < INT_MAX; count++) { unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t len = mblengths[j]; diff --git a/deps/openssl/openssl/apps/verify.c b/deps/openssl/openssl/apps/verify.c index acf80c65c4e125..3aae931f69dfbe 100644 --- a/deps/openssl/openssl/apps/verify.c +++ b/deps/openssl/openssl/apps/verify.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -263,6 +263,7 @@ static int check(X509_STORE *ctx, const char *file, if (x509_ctrl_string(x, opt) <= 0) { BIO_printf(bio_err, "parameter error \"%s\"\n", opt); ERR_print_errors(bio_err); + X509_free(x); return 0; } } diff --git a/deps/openssl/openssl/apps/x509.c b/deps/openssl/openssl/apps/x509.c index 2880ae792a046b..f09f1d1b3ba964 100644 --- a/deps/openssl/openssl/apps/x509.c +++ b/deps/openssl/openssl/apps/x509.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -706,9 +706,9 @@ int x509_main(int argc, char **argv) : "Certificate request self-signature did not match the contents\n"); goto end; } - BIO_printf(out, "Certificate request self-signature ok\n"); + BIO_printf(bio_err, "Certificate request self-signature ok\n"); - print_name(out, "subject=", X509_REQ_get_subject_name(req)); + print_name(bio_err, "subject=", X509_REQ_get_subject_name(req)); } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); } diff --git a/deps/openssl/openssl/crypto/aes/aes_core.c b/deps/openssl/openssl/crypto/aes/aes_core.c index 7b9989fd470aa4..3413ce8f4378a8 100644 --- a/deps/openssl/openssl/crypto/aes/aes_core.c +++ b/deps/openssl/openssl/crypto/aes/aes_core.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -50,7 +50,7 @@ #include #include "aes_local.h" -#if !defined(OPENSSL_NO_AES_CONST_TIME) && !defined(AES_ASM) +#if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM) # if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) # define U64(C) C##UI64 diff --git a/deps/openssl/openssl/crypto/asn1/d2i_pu.c b/deps/openssl/openssl/crypto/asn1/d2i_pu.c index 1be114b8a2a21c..cf7825c439034f 100644 --- a/deps/openssl/openssl/crypto/asn1/d2i_pu.c +++ b/deps/openssl/openssl/crypto/asn1/d2i_pu.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -54,7 +54,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, goto err; } - switch (EVP_PKEY_get_id(ret)) { + switch (EVP_PKEY_get_base_id(ret)) { case EVP_PKEY_RSA: if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL, pp, length)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB); diff --git a/deps/openssl/openssl/crypto/asn1/i2d_evp.c b/deps/openssl/openssl/crypto/asn1/i2d_evp.c index 8b36388263c35f..0d66411be8fd00 100644 --- a/deps/openssl/openssl/crypto/asn1/i2d_evp.c +++ b/deps/openssl/openssl/crypto/asn1/i2d_evp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
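Review bot: The changed `#if` in `aes_core.c` inverts a security-relevant default without a comment saying so. The constant-time C implementation is now compiled only when `OPENSSL_AES_CONST_TIME` is defined, where it used to be selected unless `OPENSSL_NO_AES_CONST_TIME` was set. Builds without `AES_ASM` will presumably fall back to the other implementation in this file, which is outside the hunk, so its timing properties should be confirmed for any no-asm configuration that this tree ships. I would add a line above the guard such as `/* Constant-time C code is opt-in: build with -DOPENSSL_AES_CONST_TIME when AES_ASM is not available */`. The no-asm build configurations that consume these sources should also be checked for whether they need the define.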
@@ -131,7 +131,7 @@ int i2d_PublicKey(const EVP_PKEY *a, unsigned char **pp) return i2d_provided(a, EVP_PKEY_PUBLIC_KEY, output_info, pp); } - switch (EVP_PKEY_get_id(a)) { + switch (EVP_PKEY_get_base_id(a)) { case EVP_PKEY_RSA: return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(a), pp); #ifndef OPENSSL_NO_DSA diff --git a/deps/openssl/openssl/crypto/async/arch/async_posix.h b/deps/openssl/openssl/crypto/async/arch/async_posix.h index ab7637f69e7676..a17c6b8e68af2d 100644 --- a/deps/openssl/openssl/crypto/async/arch/async_posix.h +++ b/deps/openssl/openssl/crypto/async/arch/async_posix.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,12 +25,26 @@ # define ASYNC_POSIX # define ASYNC_ARCH -# ifdef __CET__ +# if defined(__CET__) || defined(__ia64__) /* * When Intel CET is enabled, makecontext will create a different * shadow stack for each context. async_fibre_swapcontext cannot * use _longjmp. It must call swapcontext to swap shadow stack as * well as normal stack. + * On IA64 the register stack engine is not saved across setjmp/longjmp. Here + * swapcontext() performs correctly. + */ +# define USE_SWAPCONTEXT +# endif +# if defined(__aarch64__) && defined(__clang__) \ + && defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 +/* + * setjmp/longjmp don't currently work with BTI on all libc implementations + * when compiled by clang. This is because clang doesn't put a BTI after the + * call to setjmp where it returns the second time. This then fails on libc + * implementations - notably glibc - which use an indirect jump to there. + * So use the swapcontext implementation, which does work. + * See https://github.com/llvm/llvm-project/issues/48888. */ # define USE_SWAPCONTEXT # endif 
diff --git a/deps/openssl/openssl/crypto/bio/bio_addr.c b/deps/openssl/openssl/crypto/bio/bio_addr.c index d18c849ade158b..a80774bbd7cac9 100644 --- a/deps/openssl/openssl/crypto/bio/bio_addr.c +++ b/deps/openssl/openssl/crypto/bio/bio_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -752,7 +752,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, # pragma pointer_size 32 #endif /* Windows doesn't seem to have in_addr_t */ -#ifdef OPENSSL_SYS_WINDOWS +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) static uint32_t he_fallback_address; static const char *he_fallback_addresses[] = { (char *)&he_fallback_address, NULL }; diff --git a/deps/openssl/openssl/crypto/bio/bio_print.c b/deps/openssl/openssl/crypto/bio/bio_print.c index 1ea9a1a3c6923d..4c9c3af7cfd606 100644 --- a/deps/openssl/openssl/crypto/bio/bio_print.c +++ b/deps/openssl/openssl/crypto/bio/bio_print.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,6 +13,7 @@ #include "crypto/ctype.h" #include "internal/numbers.h" #include +#include /* * Copyright Patrick Powell 1995 
@@ -31,8 +32,10 @@ static int fmtstr(char **, char **, size_t *, size_t *, const char *, int, int, int); static int fmtint(char **, char **, size_t *, size_t *, int64_t, int, int, int, int); +#ifndef OPENSSL_SYS_UEFI static int fmtfp(char **, char **, size_t *, size_t *, LDOUBLE, int, int, int, int); +#endif static int doapr_outch(char **, char **, size_t *, size_t *, int); static int _dopr(char **sbuffer, char **buffer, size_t *maxlen, size_t *retlen, int *truncated, @@ -88,7 +91,9 @@ _dopr(char **sbuffer, { char ch; int64_t value; +#ifndef OPENSSL_SYS_UEFI LDOUBLE fvalue; +#endif char *strvalue; int min; int max; @@ -259,6 +264,7 @@ _dopr(char **sbuffer, min, max, flags)) return 0; break; +#ifndef OPENSSL_SYS_UEFI case 'f': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); @@ -292,6 +298,16 @@ _dopr(char **sbuffer, flags, G_FORMAT)) return 0; break; +#else + case 'f': + case 'E': + case 'e': + case 'G': + case 'g': + /* not implemented for UEFI */ + ERR_raise(ERR_LIB_BIO, ERR_R_UNSUPPORTED); + return 0; +#endif case 'c': if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, va_arg(args, int))) @@ -512,6 +528,8 @@ fmtint(char **sbuffer, return 1; } +#ifndef OPENSSL_SYS_UEFI + static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; @@ -807,6 +825,8 @@ fmtfp(char **sbuffer, return 1; } +#endif /* OPENSSL_SYS_UEFI */ + #define BUFFER_INC 1024 static int diff --git a/deps/openssl/openssl/crypto/bio/bss_core.c b/deps/openssl/openssl/crypto/bio/bss_core.c index de774e2b005f46..7a84b20460c8e1 100644 --- a/deps/openssl/openssl/crypto/bio/bss_core.c +++ b/deps/openssl/openssl/crypto/bio/bss_core.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -48,7 +48,7 @@ static int bio_core_read_ex(BIO *bio, char *data, size_t data_len, { BIO_CORE_GLOBALS *bcgbl = get_globals(bio->libctx); - if (bcgbl->c_bio_read_ex == NULL) + if (bcgbl == NULL || bcgbl->c_bio_read_ex == NULL) return 0; return bcgbl->c_bio_read_ex(BIO_get_data(bio), data, data_len, bytes_read); } @@ -58,7 +58,7 @@ static int bio_core_write_ex(BIO *bio, const char *data, size_t data_len, { BIO_CORE_GLOBALS *bcgbl = get_globals(bio->libctx); - if (bcgbl->c_bio_write_ex == NULL) + if (bcgbl == NULL || bcgbl->c_bio_write_ex == NULL) return 0; return bcgbl->c_bio_write_ex(BIO_get_data(bio), data, data_len, written); } @@ -67,7 +67,7 @@ static long bio_core_ctrl(BIO *bio, int cmd, long num, void *ptr) { BIO_CORE_GLOBALS *bcgbl = get_globals(bio->libctx); - if (bcgbl->c_bio_ctrl == NULL) + if (bcgbl == NULL || bcgbl->c_bio_ctrl == NULL) return -1; return bcgbl->c_bio_ctrl(BIO_get_data(bio), cmd, num, ptr); } @@ -76,7 +76,7 @@ static int bio_core_gets(BIO *bio, char *buf, int size) { BIO_CORE_GLOBALS *bcgbl = get_globals(bio->libctx); - if (bcgbl->c_bio_gets == NULL) + if (bcgbl == NULL || bcgbl->c_bio_gets == NULL) return -1; return bcgbl->c_bio_gets(BIO_get_data(bio), buf, size); } @@ -85,7 +85,7 @@ static int bio_core_puts(BIO *bio, const char *str) { BIO_CORE_GLOBALS *bcgbl = get_globals(bio->libctx); - if (bcgbl->c_bio_puts == NULL) + if (bcgbl == NULL || bcgbl->c_bio_puts == NULL) return -1; return bcgbl->c_bio_puts(BIO_get_data(bio), str); } @@ -101,6 +101,9 @@ static int bio_core_free(BIO *bio) { BIO_CORE_GLOBALS *bcgbl = get_globals(bio->libctx); + if (bcgbl == NULL) + return 0; + BIO_set_init(bio, 0); bcgbl->c_bio_free(BIO_get_data(bio)); 
@@ -133,7 +136,7 @@ BIO *BIO_new_from_core_bio(OSSL_LIB_CTX *libctx, OSSL_CORE_BIO *corebio) BIO_CORE_GLOBALS *bcgbl = get_globals(libctx); /* Check the library context has been initialised with the callbacks */ - if (bcgbl->c_bio_write_ex == NULL && bcgbl->c_bio_read_ex == NULL) + if (bcgbl == NULL || (bcgbl->c_bio_write_ex == NULL && bcgbl->c_bio_read_ex == NULL)) return NULL; if ((outbio = BIO_new_ex(libctx, BIO_s_core())) == NULL) @@ -151,6 +154,9 @@ int ossl_bio_init_core(OSSL_LIB_CTX *libctx, const OSSL_DISPATCH *fns) { BIO_CORE_GLOBALS *bcgbl = get_globals(libctx); + if (bcgbl == NULL) + return 0; + for (; fns->function_id != 0; fns++) { switch (fns->function_id) { case OSSL_FUNC_BIO_READ_EX: diff --git a/deps/openssl/openssl/crypto/bn/bn_conv.c b/deps/openssl/openssl/crypto/bn/bn_conv.c index 4af546a25b8e24..75054f5d6a6c74 100644 --- a/deps/openssl/openssl/crypto/bn/bn_conv.c +++ b/deps/openssl/openssl/crypto/bn/bn_conv.c @@ -142,7 +142,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a) continue; if (i == 0 || i > INT_MAX / 4) - goto err; + return 0; num = i + neg; if (bn == NULL) @@ -154,6 +154,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a) return 0; } else { ret = *bn; + if (BN_get_flags(ret, BN_FLG_STATIC_DATA)) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } BN_zero(ret); } diff --git a/deps/openssl/openssl/crypto/bn/bn_exp2.c b/deps/openssl/openssl/crypto/bn/bn_exp2.c index 4713503d07c3aa..f5e29fd14de300 100644 --- a/deps/openssl/openssl/crypto/bn/bn_exp2.c +++ b/deps/openssl/openssl/crypto/bn/bn_exp2.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -32,7 +32,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, bn_check_top(p2); bn_check_top(m); - if (!(m->d[0] & 1)) { + if (!BN_is_odd(m)) { ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; } diff --git a/deps/openssl/openssl/crypto/bn/bn_ppc.c b/deps/openssl/openssl/crypto/bn/bn_ppc.c index 05c0c4cb9250bc..1e9421bee213d6 100644 --- a/deps/openssl/openssl/crypto/bn/bn_ppc.c +++ b/deps/openssl/openssl/crypto/bn/bn_ppc.c @@ -1,5 +1,5 @@ /* - * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -40,7 +40,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, * no opportunity to figure it out... */ -#if defined(_ARCH_PPC64) +#if defined(_ARCH_PPC64) && !defined(__ILP32__) if (num == 6) { if (OPENSSL_ppccap_P & PPC_MADD300) return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); diff --git a/deps/openssl/openssl/crypto/bn/bn_sqrt.c b/deps/openssl/openssl/crypto/bn/bn_sqrt.c index b663ae5ec51728..5c77e72132d426 100644 --- a/deps/openssl/openssl/crypto/bn/bn_sqrt.c +++ b/deps/openssl/openssl/crypto/bn/bn_sqrt.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) /* * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number - * Theory", algorithm 1.5.1). 'p' must be prime! + * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or + * an incorrect "result" will be returned. */ { BIGNUM *ret = in; @@ -303,18 +304,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) goto vrfy; } - /* find smallest i such that b^(2^i) = 1 */ - i = 1; - if (!BN_mod_sqr(t, b, p, ctx)) - goto end; - while (!BN_is_one(t)) { - i++; - if (i == e) { - ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); - goto end; + /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ + for (i = 1; i < e; i++) { + if (i == 1) { + if (!BN_mod_sqr(t, b, p, ctx)) + goto end; + + } else { + if (!BN_mod_mul(t, t, t, p, ctx)) + goto end; } - if (!BN_mod_mul(t, t, t, p, ctx)) - goto end; + if (BN_is_one(t)) + break; + } + /* If not found, a is not a square or p is not prime. */ + if (i >= e) { + ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); + goto end; } /* t := y^2^(e - i - 1) */ diff --git a/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c b/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c index 15db0c1f05aa9c..0e0aff1f85d770 100644 --- a/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c +++ b/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c @@ -318,6 +318,8 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ int exp_chunk_no = exp_bit_no / 64; int exp_chunk_shift = exp_bit_no % 64; + BN_ULONG red_table_idx_0, red_table_idx_1; + /* * If rem == 0, then * exp_bit_no = modulus_bitsize - exp_win_size 
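Review bot: The rewritten search loop `for (i = 1; i < e; i++)` in `BN_mod_sqrt` does not say that the bound is there to guarantee termination. The old form only tested `i == e` after incrementing `i`, so it had no exit once `i` was already at or past `e`, which seems possible only when `p` is not prime. The value of `e` is set outside this hunk. I would extend the comment above the loop to something like `/* Bounded by e so the search terminates even for a non-prime p taken from untrusted input. */`, so a later refactor does not turn it back into an open-ended `while`. A regression test that calls the function with a composite modulus and expects `BN_R_NOT_A_SQUARE` would pin the behaviour, if the test changes elsewhere in this commit do not already cover it.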
@@ -329,8 +331,8 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ OPENSSL_assert(rem != 0); /* Process 1-st exp window - just init result */ - BN_ULONG red_table_idx_0 = expz[0][exp_chunk_no]; - BN_ULONG red_table_idx_1 = expz[1][exp_chunk_no]; + red_table_idx_0 = expz[0][exp_chunk_no]; + red_table_idx_1 = expz[1][exp_chunk_no]; /* * The function operates with fixed moduli sizes divisible by 64, * thus table index here is always in supported range [0, EXP_WIN_SIZE). diff --git a/deps/openssl/openssl/crypto/cmp/cmp_msg.c b/deps/openssl/openssl/crypto/cmp/cmp_msg.c index 84a272fe2b062e..2da95248adbd22 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_msg.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_msg.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -260,7 +260,7 @@ static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, if (ctx->subjectName != NULL) return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName; - if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx))) + if (ref_subj != NULL && (ctx->p10CSR != NULL || for_KUR || !HAS_SAN(ctx))) /* * For KUR, copy subject from the reference. * For IR or CR, do the same only if there is no subjectAltName. @@ -289,6 +289,8 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) if (rkey == NULL && ctx->p10CSR != NULL) rkey = X509_REQ_get0_pubkey(ctx->p10CSR); + if (rkey == NULL && refcert != NULL) + rkey = X509_get0_pubkey(refcert); if (rkey == NULL) rkey = ctx->pkey; /* default is independent of ctx->oldCert */ if (rkey == NULL) { 
@@ -327,12 +329,15 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) } /* extensions */ - if (refcert != NULL && !ctx->SubjectAltName_nodefault) - default_sans = X509V3_get_d2i(X509_get0_extensions(refcert), - NID_subject_alt_name, NULL, NULL); if (ctx->p10CSR != NULL && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL) goto err; + if (!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL + && (default_sans = X509V3_get_d2i(X509_get0_extensions(refcert), + NID_subject_alt_name, NULL, NULL)) + != NULL + && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans)) + goto err; if (ctx->reqExtensions != NULL /* augment/override existing ones */ && !add_extensions(&exts, ctx->reqExtensions)) goto err; @@ -340,9 +345,6 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) && !add1_extension(&exts, NID_subject_alt_name, crit, ctx->subjectAltNames)) goto err; - if (!HAS_SAN(ctx) && default_sans != NULL - && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans)) - goto err; if (ctx->policies != NULL && !add1_extension(&exts, NID_certificate_policies, ctx->setPoliciesCritical, ctx->policies)) @@ -566,6 +568,7 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx) if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd)) goto err; rd = NULL; + /* Revocation Passphrase according to section 5.3.19.9 could be set here */ if (!ossl_cmp_msg_protect(ctx, msg)) goto err; diff --git a/deps/openssl/openssl/crypto/context.c b/deps/openssl/openssl/crypto/context.c index bba8e4208b1a0b..3333af4c534e33 100644 --- a/deps/openssl/openssl/crypto/context.c +++ b/deps/openssl/openssl/crypto/context.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -93,10 +93,8 @@ static int context_init(OSSL_LIB_CTX *ctx) exdata_done = 1; if (!ossl_crypto_new_ex_data_ex(ctx, CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, - &ctx->data)) { - ossl_crypto_cleanup_all_ex_data_int(ctx); + &ctx->data)) goto err; - } /* Everything depends on properties, so we also pre-initialise that */ if (!ossl_property_parse_init(ctx)) @@ -106,9 +104,11 @@ static int context_init(OSSL_LIB_CTX *ctx) err: if (exdata_done) ossl_crypto_cleanup_all_ex_data_int(ctx); + for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) + CRYPTO_THREAD_lock_free(ctx->index_locks[i]); CRYPTO_THREAD_lock_free(ctx->oncelock); CRYPTO_THREAD_lock_free(ctx->lock); - ctx->lock = NULL; + memset(ctx, '\0', sizeof(*ctx)); return 0; } @@ -156,6 +156,7 @@ DEFINE_RUN_ONCE_STATIC(default_context_do_init) void ossl_lib_ctx_default_deinit(void) { context_deinit(&default_context_int); + CRYPTO_THREAD_cleanup_local(&default_context_thread_local); } static OSSL_LIB_CTX *get_thread_default_context(void) @@ -189,7 +190,7 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_new(void) OSSL_LIB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL && !context_init(ctx)) { - OSSL_LIB_CTX_free(ctx); + OPENSSL_free(ctx); ctx = NULL; } return ctx; diff --git a/deps/openssl/openssl/crypto/core_namemap.c b/deps/openssl/openssl/crypto/core_namemap.c index e1da724bd2f4df..55248affc66306 100644 --- a/deps/openssl/openssl/crypto/core_namemap.c +++ b/deps/openssl/openssl/crypto/core_namemap.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -37,11 +37,7 @@ struct ossl_namemap_st { CRYPTO_RWLOCK *lock; LHASH_OF(NAMENUM_ENTRY) *namenum; /* Name->number mapping */ -#ifdef tsan_ld_acq - TSAN_QUALIFIER int max_number; /* Current max number TSAN version */ -#else - int max_number; /* Current max number plain version */ -#endif + TSAN_QUALIFIER int max_number; /* Current max number */ }; /* LHASH callbacks */ @@ -99,10 +95,7 @@ static const OSSL_LIB_CTX_METHOD stored_namemap_method = { int ossl_namemap_empty(OSSL_NAMEMAP *namemap) { -#ifdef tsan_ld_acq - /* Have TSAN support */ - return namemap == NULL || tsan_load(&namemap->max_number) == 0; -#else +#ifdef TSAN_REQUIRES_LOCKING /* No TSAN support */ int rv; @@ -114,6 +107,9 @@ int ossl_namemap_empty(OSSL_NAMEMAP *namemap) rv = namemap->max_number == 0; CRYPTO_THREAD_unlock(namemap->lock); return rv; +#else + /* Have TSAN support */ + return namemap == NULL || tsan_load(&namemap->max_number) == 0; #endif } @@ -260,6 +256,7 @@ static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, || (namenum->name = OPENSSL_strndup(name, name_len)) == NULL) goto err; + /* The tsan_counter use here is safe since we're under lock */ namenum->number = number != 0 ? number : 1 + tsan_counter(&namemap->max_number); (void)lh_NAMENUM_ENTRY_insert(namemap->namenum, namenum); 
@@ -409,14 +406,16 @@ static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg) { const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type); - get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg); + if (cipher != NULL) + get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg); } static void get_legacy_md_names(const OBJ_NAME *on, void *arg) { const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type); - get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg); + if (md != NULL) + get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg); } static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth, diff --git a/deps/openssl/openssl/crypto/dh/dh_ameth.c b/deps/openssl/openssl/crypto/dh/dh_ameth.c index 38d8e7a38f610b..b2ff8c3eb5e0f1 100644 --- a/deps/openssl/openssl/crypto/dh/dh_ameth.c +++ b/deps/openssl/openssl/crypto/dh/dh_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -511,7 +511,7 @@ static int dh_pkey_import_from_type(const OSSL_PARAM params[], void *vpctx, DH_set_flags(dh, type == EVP_PKEY_DH ? DH_FLAG_TYPE_DH : DH_FLAG_TYPE_DHX); if (!ossl_dh_params_fromdata(dh, params) - || !ossl_dh_key_fromdata(dh, params) + || !ossl_dh_key_fromdata(dh, params, 1) || !EVP_PKEY_assign(pkey, type, dh)) { DH_free(dh); return 0; diff --git a/deps/openssl/openssl/crypto/dh/dh_backend.c b/deps/openssl/openssl/crypto/dh/dh_backend.c index 7bd5c617debc1d..726843fd30cd64 100644 --- a/deps/openssl/openssl/crypto/dh/dh_backend.c +++ b/deps/openssl/openssl/crypto/dh/dh_backend.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,7 +63,7 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) return 1; } -int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) +int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[], int include_private) { const OSSL_PARAM *param_priv_key, *param_pub_key; BIGNUM *priv_key = NULL, *pub_key = NULL; @@ -74,10 +74,13 @@ int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); - if ((param_priv_key != NULL - && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) - || (param_pub_key != NULL - && !OSSL_PARAM_get_BN(param_pub_key, &pub_key))) + if (include_private + && param_priv_key != NULL + && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) + goto err; + + if (param_pub_key != NULL + && !OSSL_PARAM_get_BN(param_pub_key, &pub_key)) goto err; if (!DH_set0_key(dh, pub_key, priv_key)) @@ -103,7 +106,8 @@ int ossl_dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) return 1; } -int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) +int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], + int include_private) { const BIGNUM *priv = NULL, *pub = NULL; @@ -112,6 +116,7 @@ int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) DH_get0_key(dh, &pub, &priv); if (priv != NULL + && include_private && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PRIV_KEY, priv)) return 0; if (pub != NULL 
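Review bot: Neither ossl_dh_key_fromdata() nor ossl_dh_key_todata() documents the new `include_private` argument, although it decides whether private key material is read from or written to the parameter list. A short comment on each, for example `/* include_private == 0: OSSL_PKEY_PARAM_PRIV_KEY is ignored, only the public key is transferred */`, would make the contract visible at the definition. The call sites shown in this patch pass a bare `1`, so annotating them as `1 /* include_private */` would help readers as well. Both function bodies continue outside their hunks.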
diff --git a/deps/openssl/openssl/crypto/dh/dh_key.c b/deps/openssl/openssl/crypto/dh/dh_key.c index 6b8cd550f25fd0..4e9705beef733b 100644 --- a/deps/openssl/openssl/crypto/dh/dh_key.c +++ b/deps/openssl/openssl/crypto/dh/dh_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len) int err_reason = DH_R_BN_ERROR; BIGNUM *pubkey = NULL; const BIGNUM *p; - size_t p_size; + int ret; if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL) goto err; DH_get0_pqg(dh, &p, NULL, NULL); - if (p == NULL || (p_size = BN_num_bytes(p)) == 0) { + if (p == NULL || BN_num_bytes(p) == 0) { err_reason = DH_R_NO_PARAMETERS_SET; goto err; } - /* - * As per Section 4.2.8.1 of RFC 8446 fail if DHE's - * public key is of size not equal to size of p - */ - if (BN_is_zero(pubkey) || p_size != len) { + /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */ + if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) { err_reason = DH_R_INVALID_PUBKEY; goto err; } diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ameth.c b/deps/openssl/openssl/crypto/dsa/dsa_ameth.c index 53417bff6a4716..234fc44ed7db75 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ameth.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
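Review bot: In ossl_dh_buf2key() the value written to `ret` by `ossl_dh_check_pub_key_partial(dh, pubkey, &ret)` is never read, and the explicit `p_size != len` comparison from the removed lines is gone. As far as I can tell the partial check tests the range of the value only, so a peer key that is shorter than p or not padded to its size is accepted here as long as it is in range. If the fixed-length encoding of RFC 8446 Section 4.2.8.1 still matters to a caller, it has to be enforced at that caller, and the new comment should say so, e.g. `/* Range check only; the encoded length is not validated here */`. The function continues outside the hunk.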
@@ -485,7 +485,7 @@ static int dsa_pkey_import_from(const OSSL_PARAM params[], void *vpctx) } if (!ossl_dsa_ffc_params_fromdata(dsa, params) - || !ossl_dsa_key_fromdata(dsa, params) + || !ossl_dsa_key_fromdata(dsa, params, 1) || !EVP_PKEY_assign_DSA(pkey, dsa)) { DSA_free(dsa); return 0; diff --git a/deps/openssl/openssl/crypto/dsa/dsa_backend.c b/deps/openssl/openssl/crypto/dsa/dsa_backend.c index 5e3ff851544ec7..f9a71bdc9e0bb6 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_backend.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,16 +27,19 @@ * implementations alike. */ -int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]) +int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[], + int include_private) { - const OSSL_PARAM *param_priv_key, *param_pub_key; + const OSSL_PARAM *param_priv_key = NULL, *param_pub_key; BIGNUM *priv_key = NULL, *pub_key = NULL; if (dsa == NULL) return 0; - param_priv_key = - OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + if (include_private) { + param_priv_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + } param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistp521-ppc64.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistp521-ppc64.pl index e97d803d26f409..4260e24a1f577d 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistp521-ppc64.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistp521-ppc64.pl 
@@ -1,7 +1,7 @@ #! /usr/bin/env perl -# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. # -# Licensed under the OpenSSL license (the "License"). You may not use +# Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/crypto/ec/curve448/arch_64/arch_intrinsics.h b/deps/openssl/openssl/crypto/ec/curve448/arch_64/arch_intrinsics.h index 2d9d5c7931714a..e12b8cf2262402 100644 --- a/deps/openssl/openssl/crypto/ec/curve448/arch_64/arch_intrinsics.h +++ b/deps/openssl/openssl/crypto/ec/curve448/arch_64/arch_intrinsics.h @@ -1,8 +1,8 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016 Cryptography Research, Inc. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl.h b/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl.h index 12bdb841ba153c..faaeb8d9944b53 100644 --- a/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl.h +++ b/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl.h 
@@ -1,8 +1,8 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2014-2016 Cryptography Research, Inc. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl64.c b/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl64.c index 7653545ee72302..8f7a7dd391bd8d 100644 --- a/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl64.c +++ b/deps/openssl/openssl/crypto/ec/curve448/arch_64/f_impl64.c @@ -1,8 +1,8 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2014 Cryptography Research, Inc. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/crypto/ec/ec_lib.c b/deps/openssl/openssl/crypto/ec/ec_lib.c index 3d3cf9696204fb..2ee8284eaff3f1 100644 --- a/deps/openssl/openssl/crypto/ec/ec_lib.c +++ b/deps/openssl/openssl/crypto/ec/ec_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -1710,8 +1710,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (ptmp != NULL && !ossl_ec_encoding_param2id(ptmp, &encoding_flag)) { - ECerr(0, EC_R_INVALID_ENCODING); - return 0; + ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); + goto err; } if (encoding_flag == OPENSSL_EC_NAMED_CURVE) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); diff --git a/deps/openssl/openssl/crypto/ec/ec_print.c b/deps/openssl/openssl/crypto/ec/ec_print.c index d791e15b4839dd..ffe112052fbd62 100644 --- a/deps/openssl/openssl/crypto/ec/ec_print.c +++ b/deps/openssl/openssl/crypto/ec/ec_print.c @@ -68,7 +68,7 @@ EC_POINT *EC_POINT_hex2point(const EC_GROUP *group, len = strlen(hex) / 2; oct_buf = OPENSSL_malloc(len); if (oct_buf == NULL) - return NULL; + goto err; if (!OPENSSL_hexstr2buf_ex(oct_buf, len, &oct_buf_len, hex, '\0') || !EC_POINT_oct2point(group, pt, oct_buf, oct_buf_len, ctx)) diff --git a/deps/openssl/openssl/crypto/ec/ecp_s390x_nistp.c b/deps/openssl/openssl/crypto/ec/ecp_s390x_nistp.c index 5c70b2d67840c2..0c10196ea34eca 100644 --- a/deps/openssl/openssl/crypto/ec/ecp_s390x_nistp.c +++ b/deps/openssl/openssl/crypto/ec/ecp_s390x_nistp.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, /* Otherwise use default. */ if (rc == -1) rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); - OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len); + OPENSSL_cleanse(param, sizeof(param)); BN_CTX_end(ctx); BN_CTX_free(new_ctx); return rc; 
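Review bot: `OPENSSL_cleanse(param, sizeof(param))` in ec_GFp_s390x_nistp_mul() wipes the whole parameter block only if `param` is a local array. Its declaration is outside the hunk, and if it were ever changed to a pointer the same expression would clear just a pointer's worth of the scalar material without any warning. A comment at the call such as `/* param is an array: clears the full block, including the scalar */`, or passing the size constant used in the declaration, would make that dependency explicit. The same applies to the identical change in ecdsa_s390x_nistp_sign_sig() in the next hunk.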
@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, ok = 1; ret: - OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len); + OPENSSL_cleanse(param, sizeof(param)); if (ok != 1) { ECDSA_SIG_free(sig); sig = NULL; diff --git a/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c b/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c index 6d444373147dbd..cb53343c54d005 100644 --- a/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c +++ b/deps/openssl/openssl/crypto/encode_decode/decoder_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -339,6 +339,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, { OSSL_METHOD_STORE *store = get_decoder_store(methdata->libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); + const char *const propq = properties != NULL ? properties : ""; void *method = NULL; int unsupported = 0; @@ -367,7 +368,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, unsupported = 1; if (id == 0 - || !ossl_method_store_cache_get(store, NULL, id, properties, &method)) { + || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_decoder_store, get_decoder_from_store, 
@@ -375,13 +376,14 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, construct_decoder, destruct_decoder }; + OSSL_PROVIDER *prov = NULL; methdata->id = id; methdata->names = name; - methdata->propquery = properties; + methdata->propquery = propq; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_DECODER, - NULL, 0 /* !force_cache */, + &prov, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -392,7 +394,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, if (id == 0 && name != NULL) id = ossl_namemap_name2num(namemap, name); if (id != 0) - ossl_method_store_cache_set(store, NULL, id, properties, method, + ossl_method_store_cache_set(store, prov, id, propq, method, up_ref_decoder, free_decoder); } diff --git a/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c b/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c index 9c0214db6bc741..eb8fd2f457a0c0 100644 --- a/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c +++ b/deps/openssl/openssl/crypto/encode_decode/encoder_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -349,6 +349,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, { OSSL_METHOD_STORE *store = get_encoder_store(methdata->libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); + const char *const propq = properties != NULL ? properties : ""; void *method = NULL; int unsupported = 0; 
@@ -377,7 +378,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, unsupported = 1; if (id == 0 - || !ossl_method_store_cache_get(store, NULL, id, properties, &method)) { + || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_encoder_store, get_encoder_from_store, @@ -385,13 +386,14 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, construct_encoder, destruct_encoder }; + OSSL_PROVIDER *prov = NULL; methdata->id = id; methdata->names = name; - methdata->propquery = properties; + methdata->propquery = propq; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_ENCODER, - NULL, 0 /* !force_cache */, + &prov, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -401,7 +403,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, */ if (id == 0) id = ossl_namemap_name2num(namemap, name); - ossl_method_store_cache_set(store, NULL, id, properties, method, + ossl_method_store_cache_set(store, prov, id, propq, method, up_ref_encoder, free_encoder); } diff --git a/deps/openssl/openssl/crypto/encode_decode/encoder_pkey.c b/deps/openssl/openssl/crypto/encode_decode/encoder_pkey.c index 109dfa80cd8b1c..c37edf966d7e13 100644 --- a/deps/openssl/openssl/crypto/encode_decode/encoder_pkey.c +++ b/deps/openssl/openssl/crypto/encode_decode/encoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -254,6 +254,11 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, * First, collect the keymgmt names, then the encoders that match. */ keymgmt_data.names = sk_OPENSSL_CSTRING_new_null(); + if (keymgmt_data.names == NULL) { + ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE); + goto err; + } + keymgmt_data.error_occurred = 0; EVP_KEYMGMT_names_do_all(pkey->keymgmt, collect_name, &keymgmt_data); if (keymgmt_data.error_occurred) { diff --git a/deps/openssl/openssl/crypto/engine/eng_dyn.c b/deps/openssl/openssl/crypto/engine/eng_dyn.c index c8a54f7d44427a..3c0f960fc525a8 100644 --- a/deps/openssl/openssl/crypto/engine/eng_dyn.c +++ b/deps/openssl/openssl/crypto/engine/eng_dyn.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -451,8 +451,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too * old. + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 1.1.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_base_id is exported + * as a function in openssl 1.1.x, while it is a macro in openssl 3.x, + * and therefore only the symbol EVP_PKEY_get_base_id is available + * in openssl 3.x. */ - if (vcheck_res < OSSL_DYNAMIC_OLDEST) { + if (vcheck_res < OSSL_DYNAMIC_OLDEST + || DSO_bind_func(ctx->dynamic_dso, + "EVP_PKEY_base_id") != NULL) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL; 
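Review bot: The added `DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_base_id") != NULL` probe in dynamic_load() is expected to fail for every engine built against 3.x, and as far as I know DSO_bind_func() records a failed lookup on the error queue. A successful engine load would then leave a stale DSO error behind, which an application that inspects the queue after an unrelated call could misreport. Doing the lookup into a local between `ERR_set_mark();` and `ERR_pop_to_mark();` and testing that local in the condition avoids this. dynamic_load() starts and ends outside the hunk.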
diff --git a/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c b/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c index f6a2d1d0f857c2..961ca116b32fb7 100644 --- a/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c +++ b/deps/openssl/openssl/crypto/evp/ctrl_params_translate.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1004,8 +1004,11 @@ static int fix_dh_nid(enum state state, return 0; if (state == PRE_CTRL_TO_PARAMS) { - ctx->p2 = (char *)ossl_ffc_named_group_get_name - (ossl_ffc_uid_to_dh_named_group(ctx->p1)); + if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name + (ossl_ffc_uid_to_dh_named_group(ctx->p1))) == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE); + return 0; + } ctx->p1 = 0; } @@ -1028,16 +1031,24 @@ static int fix_dh_nid5114(enum state state, switch (state) { case PRE_CTRL_TO_PARAMS: - ctx->p2 = (char *)ossl_ffc_named_group_get_name - (ossl_ffc_uid_to_dh_named_group(ctx->p1)); + if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name + (ossl_ffc_uid_to_dh_named_group(ctx->p1))) == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE); + return 0; + } + ctx->p1 = 0; break; case PRE_CTRL_STR_TO_PARAMS: if (ctx->p2 == NULL) return 0; - ctx->p2 = (char *)ossl_ffc_named_group_get_name - (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2))); + if ((ctx->p2 = (char *)ossl_ffc_named_group_get_name + (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)))) == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_VALUE); + return 0; + } + ctx->p1 = 0; break; diff --git a/deps/openssl/openssl/crypto/evp/digest.c b/deps/openssl/openssl/crypto/evp/digest.c index d3a28fa3515f70..de9a1dcda55d66 100644 --- a/deps/openssl/openssl/crypto/evp/digest.c +++ b/deps/openssl/openssl/crypto/evp/digest.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,8 +25,22 @@ #include "crypto/evp.h" #include "evp_local.h" +static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force) +{ + if (ctx->digest != NULL) { + if (ctx->digest->cleanup != NULL + && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED)) + ctx->digest->cleanup(ctx); + if (ctx->md_data != NULL && ctx->digest->ctx_size > 0 + && (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) + || force)) { + OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); + ctx->md_data = NULL; + } + } +} -void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) +void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force, int keep_fetched) { if (ctx->algctx != NULL) { if (ctx->digest != NULL && ctx->digest->freectx != NULL) @@ -41,12 +55,7 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because * sometimes only copies of the context are ever finalised. */ - if (ctx->digest && ctx->digest->cleanup - && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED)) - ctx->digest->cleanup(ctx); - if (ctx->digest && ctx->digest->ctx_size && ctx->md_data - && (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) || force)) - OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); + cleanup_old_md_data(ctx, force); if (force) ctx->digest = NULL; 
@@ -56,13 +65,14 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) #endif /* Non legacy code, this has to be later than the ctx->digest cleaning */ - EVP_MD_free(ctx->fetched_digest); - ctx->fetched_digest = NULL; - ctx->reqdigest = NULL; + if (!keep_fetched) { + EVP_MD_free(ctx->fetched_digest); + ctx->fetched_digest = NULL; + ctx->reqdigest = NULL; + } } -/* This call frees resources associated with the context */ -int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) +static int evp_md_ctx_reset_ex(EVP_MD_CTX *ctx, int keep_fetched) { if (ctx == NULL) return 1; @@ -78,12 +88,19 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) } #endif - evp_md_ctx_clear_digest(ctx, 0); - OPENSSL_cleanse(ctx, sizeof(*ctx)); + evp_md_ctx_clear_digest(ctx, 0, keep_fetched); + if (!keep_fetched) + OPENSSL_cleanse(ctx, sizeof(*ctx)); return 1; } +/* This call frees resources associated with the context */ +int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) +{ + return evp_md_ctx_reset_ex(ctx, 0); +} + #ifndef FIPS_MODULE EVP_MD_CTX *evp_md_ctx_new_ex(EVP_PKEY *pkey, const ASN1_OCTET_STRING *id, OSSL_LIB_CTX *libctx, const char *propq) @@ -207,7 +224,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) || tmpimpl != NULL #endif - || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) { + || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 + || type->origin == EVP_ORIG_METH) { if (ctx->digest == ctx->fetched_digest) ctx->digest = NULL; EVP_MD_free(ctx->fetched_digest); @@ -215,10 +233,7 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, goto legacy; } - if (ctx->digest != NULL && ctx->digest->ctx_size > 0) { - OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); - ctx->md_data = NULL; - } + cleanup_old_md_data(ctx, 1); /* Start of non-legacy code below */ 
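Review bot: evp_md_ctx_reset_ex() has no comment describing `keep_fetched`, and when it is set the function skips `OPENSSL_cleanse(ctx, sizeof(*ctx))`, so the context keeps its old flags and pointers and is not actually reset. That is harmless for the caller in EVP_MD_CTX_copy_ex(), which overwrites the structure with `*out = *in` straight afterwards, but a later caller could take the name at face value and reuse a half-cleared context. I would add above the function `/* With keep_fetched != 0 the fetched digest is kept and ctx is NOT zeroed; the caller must overwrite it. */`. The start of the function body lies between this hunk and the previous one and is only partly visible.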
@@ -307,10 +322,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, } #endif if (ctx->digest != type) { - if (ctx->digest && ctx->digest->ctx_size) { - OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); - ctx->md_data = NULL; - } + cleanup_old_md_data(ctx, 1); + ctx->digest = type; if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { ctx->update = type->update; @@ -507,6 +520,7 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { + int digest_change = 0; unsigned char *tmp_buf; if (in == NULL) { @@ -520,7 +534,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) if (out->fetched_digest != NULL) EVP_MD_free(out->fetched_digest); *out = *in; - return 1; + goto clone_pkey; } if (in->digest->prov == NULL @@ -532,15 +546,16 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) return 0; } - EVP_MD_CTX_reset(out); - if (out->fetched_digest != NULL) + evp_md_ctx_reset_ex(out, 1); + digest_change = (out->fetched_digest != in->fetched_digest); + if (digest_change && out->fetched_digest != NULL) EVP_MD_free(out->fetched_digest); *out = *in; /* NULL out pointers in case of error */ out->pctx = NULL; out->algctx = NULL; - if (in->fetched_digest != NULL) + if (digest_change && in->fetched_digest != NULL) EVP_MD_up_ref(in->fetched_digest); if (in->algctx != NULL) { @@ -551,6 +566,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) } } + clone_pkey: /* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */ EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); #ifndef FIPS_MODULE diff --git a/deps/openssl/openssl/crypto/evp/evp_enc.c b/deps/openssl/openssl/crypto/evp/evp_enc.c index 519cab3f2b1ea4..d0cf7d995fe633 100644 --- a/deps/openssl/openssl/crypto/evp/evp_enc.c +++ b/deps/openssl/openssl/crypto/evp/evp_enc.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -595,7 +595,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { int ret; - size_t soutl; + size_t soutl, inl_ = (size_t)inl; int blocksize; if (outl != NULL) { @@ -625,9 +625,10 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); return 0; } + ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl, - inl + (blocksize == 1 ? 0 : blocksize), in, - (size_t)inl); + inl_ + (size_t)(blocksize == 1 ? 0 : blocksize), + in, inl_); if (ret) { if (soutl > INT_MAX) { @@ -743,7 +744,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, { int fix_len, cmpl = inl, ret; unsigned int b; - size_t soutl; + size_t soutl, inl_ = (size_t)inl; int blocksize; if (outl != NULL) { @@ -773,8 +774,8 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 0; } ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl, - inl + (blocksize == 1 ? 0 : blocksize), in, - (size_t)inl); + inl_ + (size_t)(blocksize == 1 ? 0 : blocksize), + in, inl_); if (ret) { if (soutl > INT_MAX) { diff --git a/deps/openssl/openssl/crypto/evp/evp_fetch.c b/deps/openssl/openssl/crypto/evp/evp_fetch.c index 80da3fa4bf8e34..c126ea177e6251 100644 --- a/deps/openssl/openssl/crypto/evp/evp_fetch.c +++ b/deps/openssl/openssl/crypto/evp/evp_fetch.c 
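Review bot: `inl_ = (size_t)inl` in EVP_EncryptUpdate() converts the caller's `int` length at the declaration, before anything visible in the hunk rejects a negative value, so `inl < 0` would reach `cupdate` as a very large `size_t` in both the output-size and the input-length argument. If the part of the function outside the hunk does not already check this, a guard ahead of the call such as `if (inl < 0) { ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); return 0; }` (with whichever reason code the file prefers) closes it. The same conversion is added to EVP_DecryptUpdate() in the later hunks of this file. Both functions start and end outside their hunks.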
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -247,6 +247,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, { OSSL_METHOD_STORE *store = get_evp_method_store(methdata->libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); + const char *const propq = properties != NULL ? properties : ""; uint32_t meth_id = 0; void *method = NULL; int unsupported = 0; @@ -299,8 +300,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, unsupported = 1; if (meth_id == 0 - || !ossl_method_store_cache_get(store, prov, meth_id, properties, - &method)) { + || !ossl_method_store_cache_get(store, prov, meth_id, propq, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_evp_method_store, get_evp_method_from_store, @@ -312,7 +312,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, methdata->operation_id = operation_id; methdata->name_id = name_id; methdata->names = name; - methdata->propquery = properties; + methdata->propquery = propq; methdata->method_from_algorithm = new_method; methdata->refcnt_up_method = up_ref_method; methdata->destruct_method = free_method; @@ -330,7 +330,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, name_id = ossl_namemap_name2num(namemap, name); meth_id = evp_method_id(name_id, operation_id); if (name_id != 0) - ossl_method_store_cache_set(store, prov, meth_id, properties, + ossl_method_store_cache_set(store, prov, meth_id, propq, method, up_ref_method, free_method); } 
@@ -349,7 +349,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, ERR_raise_data(ERR_LIB_EVP, code, "%s, Algorithm (%s : %d), Properties (%s)", ossl_lib_ctx_get_descriptor(methdata->libctx), - name = NULL ? "" : name, name_id, + name == NULL ? "" : name, name_id, properties == NULL ? "" : properties); } diff --git a/deps/openssl/openssl/crypto/evp/exchange.c b/deps/openssl/openssl/crypto/evp/exchange.c index e2ca30c94d06eb..8eb13ad5dda66b 100644 --- a/deps/openssl/openssl/crypto/evp/exchange.c +++ b/deps/openssl/openssl/crypto/evp/exchange.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -306,7 +306,7 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) /* * Ensure that the key is provided, either natively, or as a cached * export. We start by fetching the keymgmt with the same name as - * |ctx->pkey|, but from the provider of the exchange method, using + * |ctx->keymgmt|, but from the provider of the exchange method, using * the same property query as when fetching the exchange method. * With the keymgmt we found (if we did), we try to export |ctx->pkey| * to it (evp_pkey_export_to_provider() is smart enough to only actually @@ -380,6 +380,7 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, int ret = 0, check; void *provkey = NULL; EVP_PKEY_CTX *check_ctx = NULL; + EVP_KEYMGMT *tmp_keymgmt = NULL, *tmp_keymgmt_tofree = NULL; if (ctx == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); 
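Review bot: The last argument of this `ERR_raise_data()` call, `properties == NULL ? "" : properties`, spells out again what the `propq` local added at the top of inner_evp_generic_fetch() already holds. Passing `propq` here would keep the error text and the cache lookups on one value. The function starts outside the hunk, so this assumes `propq` is still in scope at this point, which the hunk headers suggest.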
@@ -404,8 +405,25 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, return -1; } - provkey = evp_pkey_export_to_provider(peer, ctx->libctx, &ctx->keymgmt, - ctx->propquery); + /* + * Ensure that the |peer| is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->keymgmt|, but from the provider of the exchange method, using + * the same property query as when fetching the exchange method. + * With the keymgmt we found (if we did), we try to export |peer| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + * export it if |tmp_keymgmt| is different from |peer|'s keymgmt) + */ + tmp_keymgmt_tofree = tmp_keymgmt = + evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *) + EVP_KEYEXCH_get0_provider(ctx->op.kex.exchange), + EVP_KEYMGMT_get0_name(ctx->keymgmt), + ctx->propquery); + if (tmp_keymgmt != NULL) + provkey = evp_pkey_export_to_provider(peer, ctx->libctx, + &tmp_keymgmt, ctx->propquery); + EVP_KEYMGMT_free(tmp_keymgmt_tofree); + /* * If making the key provided wasn't possible, legacy may be able to pick * it up diff --git a/deps/openssl/openssl/crypto/evp/keymgmt_lib.c b/deps/openssl/openssl/crypto/evp/keymgmt_lib.c index 2a73e9a2be9485..82aa771c381e35 100644 --- a/deps/openssl/openssl/crypto/evp/keymgmt_lib.c +++ b/deps/openssl/openssl/crypto/evp/keymgmt_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
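Review bot: The pair `tmp_keymgmt` / `tmp_keymgmt_tofree` in EVP_PKEY_derive_set_peer_ex() is not explained by the new block comment, which was carried over from the init path and only describes the fetch. `tmp_keymgmt` is passed by address to `evp_pkey_export_to_provider()`, which presumably may replace it, while `tmp_keymgmt_tofree` keeps the fetched reference for `EVP_KEYMGMT_free()`. A line such as `/* the export may update tmp_keymgmt, so free the reference we fetched */` above the free would keep a later cleanup from merging the two variables. The function body continues outside the hunk.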
@@ -370,7 +370,7 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) * but also to determine if we should attempt a cross export * the other way. There's no point doing it both ways. */ - int ok = 1; + int ok = 0; /* Complex case, where the keymgmt differ */ if (keymgmt1 != NULL diff --git a/deps/openssl/openssl/crypto/evp/m_sigver.c b/deps/openssl/openssl/crypto/evp/m_sigver.c index 9188edbc215fbb..76a6814b424bec 100644 --- a/deps/openssl/openssl/crypto/evp/m_sigver.c +++ b/deps/openssl/openssl/crypto/evp/m_sigver.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -231,7 +231,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, * We're about to get a new digest so clear anything associated with * an old digest. */ - evp_md_ctx_clear_digest(ctx, 1); + evp_md_ctx_clear_digest(ctx, 1, 0); /* legacy code support for engines */ ERR_set_mark(); @@ -480,14 +480,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen, - (siglen == NULL) ? 0 : *siglen); + sigret == NULL ? 0 : *siglen); dctx = EVP_PKEY_CTX_dup(pctx); if (dctx == NULL) return 0; r = dctx->op.sig.signature->digest_sign_final(dctx->op.sig.algctx, sigret, siglen, - (siglen == NULL) ? 0 : *siglen); + *siglen); EVP_PKEY_CTX_free(dctx); return r; diff --git a/deps/openssl/openssl/crypto/evp/mac_meth.c b/deps/openssl/openssl/crypto/evp/mac_meth.c index 99b1e3b0035a22..85fe7704fde27a 100644 --- a/deps/openssl/openssl/crypto/evp/mac_meth.c +++ b/deps/openssl/openssl/crypto/evp/mac_meth.c 
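Review bot: In the EVP_DigestSignFinal() hunk the `EVP_PKEY_CTX_dup` path now passes a bare `*siglen`, and the first call reads `*siglen` whenever `sigret` is non-NULL, so a caller that supplies a signature buffer with `siglen == NULL` is dereferenced where the old `(siglen == NULL) ? 0 : *siglen` tolerated it. Unless the part of the function above the hunk already rejects that combination, a check such as `if (sigret != NULL && siglen == NULL) return 0;` before the first call would make the contract explicit. The size-query case (`sigret == NULL`) is handled by the new `sigret == NULL ? 0 : *siglen` and needs no change.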
@@ -1,3 +1,12 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + #include #include #include diff --git a/deps/openssl/openssl/crypto/evp/pmeth_gn.c b/deps/openssl/openssl/crypto/evp/pmeth_gn.c index af3d990869d889..8e4940ed595620 100644 --- a/deps/openssl/openssl/crypto/evp/pmeth_gn.c +++ b/deps/openssl/openssl/crypto/evp/pmeth_gn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -128,7 +128,6 @@ static int ossl_callback_to_pkey_gencb(const OSSL_PARAM params[], void *arg) int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) { int ret = 0; - OSSL_CALLBACK cb; EVP_PKEY *allocated_pkey = NULL; /* Legacy compatible keygen callback info, only used with provider impls */ int gentmp[2]; @@ -365,6 +364,7 @@ int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, OSSL_PARAM params[]) { void *keydata = NULL; + EVP_PKEY *allocated_pkey = NULL; if (ctx == NULL || (ctx->operation & EVP_PKEY_OP_FROMDATA) == 0) { ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -375,7 +375,7 @@ int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, return -1; if (*ppkey == NULL) - *ppkey = EVP_PKEY_new(); + allocated_pkey = *ppkey = EVP_PKEY_new(); if (*ppkey == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE); 
@@ -383,8 +383,13 @@ int EVP_PKEY_fromdata(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, } keydata = evp_keymgmt_util_fromdata(*ppkey, ctx->keymgmt, selection, params); - if (keydata == NULL) + if (keydata == NULL) { + if (allocated_pkey != NULL) { + *ppkey = NULL; + EVP_PKEY_free(allocated_pkey); + } return 0; + } /* keydata is cached in *ppkey, so we need not bother with it further */ return 1; } diff --git a/deps/openssl/openssl/crypto/ffc/ffc_backend.c b/deps/openssl/openssl/crypto/ffc/ffc_backend.c index b22718693427f3..9a013d95d35916 100644 --- a/deps/openssl/openssl/crypto/ffc/ffc_backend.c +++ b/deps/openssl/openssl/crypto/ffc/ffc_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -37,6 +37,7 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]) const DH_NAMED_GROUP *group = NULL; if (prm->data_type != OSSL_PARAM_UTF8_STRING + || prm->data == NULL || (group = ossl_ffc_name_to_dh_named_group(prm->data)) == NULL || !ossl_ffc_named_group_set_pqg(ffc, group)) #endif diff --git a/deps/openssl/openssl/crypto/http/http_client.c b/deps/openssl/openssl/crypto/http/http_client.c index 7f8d8fc8d7d5a5..33e7b82b9e8c78 100644 --- a/deps/openssl/openssl/crypto/http/http_client.c +++ b/deps/openssl/openssl/crypto/http/http_client.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -947,6 +947,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port, } /* now overall_timeout is guaranteed to be >= 0 */ + /* adapt in order to fix callback design flaw, see #17088 */ /* callback can be used to wrap or prepend TLS session */ if (bio_update_fn != NULL) { BIO *orig_bio = cbio; @@ -1197,11 +1198,17 @@ BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx, int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok) { + BIO *wbio; int ret = 1; - /* callback can be used to clean up TLS session on disconnect */ - if (rctx != NULL && rctx->upd_fn != NULL) - ret = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg, 0, ok) != NULL; + /* callback can be used to finish TLS session and free its BIO */ + if (rctx != NULL && rctx->upd_fn != NULL) { + wbio = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg, + 0 /* disconnect */, ok); + ret = wbio != NULL; + if (ret) + rctx->wbio = wbio; + } OSSL_HTTP_REQ_CTX_free(rctx); return ret; } diff --git a/deps/openssl/openssl/crypto/lhash/lh_stats.c b/deps/openssl/openssl/crypto/lhash/lh_stats.c index 5e38c42580aa97..47c4e932e5ec59 100644 --- a/deps/openssl/openssl/crypto/lhash/lh_stats.c +++ b/deps/openssl/openssl/crypto/lhash/lh_stats.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -61,6 +61,14 @@ void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp) void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out) { + int omit_tsan = 0; + +#ifdef TSAN_REQUIRES_LOCKING + if (!CRYPTO_THREAD_read_lock(lh->tsan_lock)) { + BIO_printf(out, "unable to lock table, omitting TSAN counters\n"); + omit_tsan = 1; + } +#endif BIO_printf(out, "num_items = %lu\n", lh->num_items); BIO_printf(out, "num_nodes = %u\n", lh->num_nodes); BIO_printf(out, "num_alloc_nodes = %u\n", lh->num_alloc_nodes); @@ -68,15 +76,22 @@ void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out) BIO_printf(out, "num_expand_reallocs = %lu\n", lh->num_expand_reallocs); BIO_printf(out, "num_contracts = %lu\n", lh->num_contracts); BIO_printf(out, "num_contract_reallocs = %lu\n", lh->num_contract_reallocs); - BIO_printf(out, "num_hash_calls = %lu\n", lh->num_hash_calls); - BIO_printf(out, "num_comp_calls = %lu\n", lh->num_comp_calls); + if (!omit_tsan) { + BIO_printf(out, "num_hash_calls = %lu\n", lh->num_hash_calls); + BIO_printf(out, "num_comp_calls = %lu\n", lh->num_comp_calls); + } BIO_printf(out, "num_insert = %lu\n", lh->num_insert); BIO_printf(out, "num_replace = %lu\n", lh->num_replace); BIO_printf(out, "num_delete = %lu\n", lh->num_delete); BIO_printf(out, "num_no_delete = %lu\n", lh->num_no_delete); - BIO_printf(out, "num_retrieve = %lu\n", lh->num_retrieve); - BIO_printf(out, "num_retrieve_miss = %lu\n", lh->num_retrieve_miss); - BIO_printf(out, "num_hash_comps = %lu\n", lh->num_hash_comps); + if (!omit_tsan) { + BIO_printf(out, "num_retrieve = %lu\n", lh->num_retrieve); + BIO_printf(out, "num_retrieve_miss = %lu\n", lh->num_retrieve_miss); + BIO_printf(out, "num_hash_comps = %lu\n", lh->num_hash_comps); +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_THREAD_unlock(lh->tsan_lock); +#endif + } } void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out) 
diff --git a/deps/openssl/openssl/crypto/lhash/lhash.c b/deps/openssl/openssl/crypto/lhash/lhash.c index 63cf46af6ebb5a..002cca07eae05c 100644 --- a/deps/openssl/openssl/crypto/lhash/lhash.c +++ b/deps/openssl/openssl/crypto/lhash/lhash.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -44,6 +44,22 @@ static int expand(OPENSSL_LHASH *lh); static void contract(OPENSSL_LHASH *lh); static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh, const void *data, unsigned long *rhash); +static ossl_inline int tsan_lock(const OPENSSL_LHASH *lh) +{ +#ifdef TSAN_REQUIRES_LOCKING + if (!CRYPTO_THREAD_write_lock(lh->tsan_lock)) + return 0; +#endif + return 1; +} + +static ossl_inline void tsan_unlock(const OPENSSL_LHASH *lh) +{ +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_THREAD_unlock(lh->tsan_lock); +#endif +} + OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c) { OPENSSL_LHASH *ret; @@ -58,6 +74,10 @@ OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c) } if ((ret->b = OPENSSL_zalloc(sizeof(*ret->b) * MIN_NODES)) == NULL) goto err; +#ifdef TSAN_REQUIRES_LOCKING + if ((ret->tsan_lock = CRYPTO_THREAD_lock_new()) == NULL) + goto err; +#endif ret->comp = ((c == NULL) ? (OPENSSL_LH_COMPFUNC)strcmp : c); ret->hash = ((h == NULL) ? (OPENSSL_LH_HASHFUNC)OPENSSL_LH_strhash : h); ret->num_nodes = MIN_NODES / 2; @@ -79,6 +99,9 @@ void OPENSSL_LH_free(OPENSSL_LHASH *lh) return; OPENSSL_LH_flush(lh); +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_THREAD_lock_free(lh->tsan_lock); +#endif OPENSSL_free(lh->b); OPENSSL_free(lh); } 
@@ -166,21 +189,20 @@ void *OPENSSL_LH_retrieve(OPENSSL_LHASH *lh, const void *data) { unsigned long hash; OPENSSL_LH_NODE **rn; - void *ret; + /*- + * This should be atomic without tsan. + * It's not clear why it was done this way and not elsewhere. + */ tsan_store((TSAN_QUALIFIER int *)&lh->error, 0); rn = getrn(lh, data, &hash); - if (*rn == NULL) { - tsan_counter(&lh->num_retrieve_miss); - return NULL; - } else { - ret = (*rn)->data; - tsan_counter(&lh->num_retrieve); + if (tsan_lock(lh)) { + tsan_counter(*rn == NULL ? &lh->num_retrieve_miss : &lh->num_retrieve); + tsan_unlock(lh); } - - return ret; + return *rn == NULL ? NULL : (*rn)->data; } static void doall_util_fn(OPENSSL_LHASH *lh, int use_arg, @@ -307,9 +329,14 @@ static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh, OPENSSL_LH_NODE **ret, *n1; unsigned long hash, nn; OPENSSL_LH_COMPFUNC cf; + int do_tsan = 1; +#ifdef TSAN_REQUIRES_LOCKING + do_tsan = tsan_lock(lh); +#endif hash = (*(lh->hash)) (data); - tsan_counter(&lh->num_hash_calls); + if (do_tsan) + tsan_counter(&lh->num_hash_calls); *rhash = hash; nn = hash % lh->pmax; @@ -319,16 +346,20 @@ static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh, cf = lh->comp; ret = &(lh->b[(int)nn]); for (n1 = *ret; n1 != NULL; n1 = n1->next) { - tsan_counter(&lh->num_hash_comps); + if (do_tsan) + tsan_counter(&lh->num_hash_comps); if (n1->hash != hash) { ret = &(n1->next); continue; } - tsan_counter(&lh->num_comp_calls); + if (do_tsan) + tsan_counter(&lh->num_comp_calls); if (cf(n1->data, data) == 0) break; ret = &(n1->next); } + if (do_tsan) + tsan_unlock(lh); return ret; } @@ -352,7 +383,8 @@ unsigned long OPENSSL_LH_strhash(const char *c) v = n | (*c); n += 0x100; r = (int)((v >> 2) ^ v) & 0x0f; - ret = (ret << r) | (ret >> (32 - r)); + /* cast to uint64_t to avoid 32 bit shift of 32 bit value */ + ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r)); ret &= 0xFFFFFFFFL; ret ^= v * v; c++; 
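Review bot: In getrn() the `#ifdef TSAN_REQUIRES_LOCKING` around `do_tsan = tsan_lock(lh);` repeats what the helper already does, because `tsan_lock()` returns 1 when the macro is undefined. `int do_tsan = tsan_lock(lh);` reads more simply and matches how OPENSSL_LH_retrieve() calls the helper. In the locking configuration the write lock is then held across the `lh->hash` and `cf` callbacks until the `tsan_unlock()` in the following hunk, which deserves a one-line comment so that nobody later adds an early return between the two. getrn() starts outside the hunk.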
@@ -373,7 +405,8 @@ unsigned long ossl_lh_strcasehash(const char *c) for (n = 0x100; *c != '\0'; n += 0x100) { v = n | ossl_tolower(*c); r = (int)((v >> 2) ^ v) & 0x0f; - ret = (ret << r) | (ret >> (32 - r)); + /* cast to uint64_t to avoid 32 bit shift of 32 bit value */ + ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r)); ret &= 0xFFFFFFFFL; ret ^= v * v; c++; diff --git a/deps/openssl/openssl/crypto/lhash/lhash_local.h b/deps/openssl/openssl/crypto/lhash/lhash_local.h index ad9dd4d346ebd5..61687c5ce2b1f2 100644 --- a/deps/openssl/openssl/crypto/lhash/lhash_local.h +++ b/deps/openssl/openssl/crypto/lhash/lhash_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,4 +41,7 @@ struct lhash_st { TSAN_QUALIFIER unsigned long num_retrieve_miss; TSAN_QUALIFIER unsigned long num_hash_comps; int error; +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_RWLOCK *tsan_lock; +#endif }; diff --git a/deps/openssl/openssl/crypto/mem.c b/deps/openssl/openssl/crypto/mem.c index d682a3686f47df..2cf240061af4f1 100644 --- a/deps/openssl/openssl/crypto/mem.c +++ b/deps/openssl/openssl/crypto/mem.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -26,11 +26,17 @@ static CRYPTO_free_fn free_impl = CRYPTO_free; #if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODULE) # include "internal/tsan_assist.h" +# ifdef TSAN_REQUIRES_LOCKING +# define INCREMENT(x) /* empty */ +# define LOAD(x) 0 +# else /* TSAN_REQUIRES_LOCKING */ static TSAN_QUALIFIER int malloc_count; static TSAN_QUALIFIER int realloc_count; static TSAN_QUALIFIER int free_count; -# define INCREMENT(x) tsan_counter(&(x)) +# define INCREMENT(x) tsan_counter(&(x)) +# define LOAD(x) tsan_load(&x) +# endif /* TSAN_REQUIRES_LOCKING */ static char *md_failstring; static long md_count; @@ -79,11 +85,11 @@ void CRYPTO_get_mem_functions(CRYPTO_malloc_fn *malloc_fn, void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount) { if (mcount != NULL) - *mcount = tsan_load(&malloc_count); + *mcount = LOAD(malloc_count); if (rcount != NULL) - *rcount = tsan_load(&realloc_count); + *rcount = LOAD(realloc_count); if (fcount != NULL) - *fcount = tsan_load(&free_count); + *fcount = LOAD(free_count); } /* diff --git a/deps/openssl/openssl/crypto/o_str.c b/deps/openssl/openssl/crypto/o_str.c index d7aa665ad8f67a..5c4e4e7781cfe7 100644 --- a/deps/openssl/openssl/crypto/o_str.c +++ b/deps/openssl/openssl/crypto/o_str.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -215,7 +215,7 @@ unsigned char *OPENSSL_hexstr2buf(const char *str, long *buflen) return ossl_hexstr2buf_sep(str, buflen, DEFAULT_SEPARATOR); } -static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlen, +static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength, const unsigned char *buf, size_t buflen, const char sep) { 
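Review bot: `# define LOAD(x) tsan_load(&x)` does not parenthesise its argument the way `INCREMENT` does with `&(x)`. `# define LOAD(x) tsan_load(&(x))` keeps the two macros consistent and safe for a non-trivial argument. With `TSAN_REQUIRES_LOCKING` defined, `INCREMENT` expands to nothing and `LOAD` to `0`, so CRYPTO_get_alloc_counts() in the second hunk reports zeros without any indication. A comment at the `# ifdef`, for example `/* counters are disabled in this configuration; CRYPTO_get_alloc_counts() reports 0 */`, would save a reader from treating that as a bug.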
@@ -226,8 +226,8 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlen, int has_sep = (sep != CH_ZERO); size_t len = has_sep ? buflen * 3 : 1 + buflen * 2; - if (strlen != NULL) - *strlen = len; + if (strlength != NULL) + *strlength = len; if (str == NULL) return 1; @@ -253,11 +253,11 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlen, return 1; } -int OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlen, +int OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlength, const unsigned char *buf, size_t buflen, const char sep) { - return buf2hexstr_sep(str, str_n, strlen, buf, buflen, sep); + return buf2hexstr_sep(str, str_n, strlength, buf, buflen, sep); } char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep) diff --git a/deps/openssl/openssl/crypto/objects/obj_compat.h b/deps/openssl/openssl/crypto/objects/obj_compat.h index cbe4438695361d..7d890d1c0b85cd 100644 --- a/deps/openssl/openssl/crypto/objects/obj_compat.h +++ b/deps/openssl/openssl/crypto/objects/obj_compat.h @@ -1,3 +1,11 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/deps/openssl/openssl/crypto/objects/obj_dat.h b/deps/openssl/openssl/crypto/objects/obj_dat.h index 5d638fb05d2318..59d156117a0031 100644 --- a/deps/openssl/openssl/crypto/objects/obj_dat.h +++ b/deps/openssl/openssl/crypto/objects/obj_dat.h 
@@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/deps/openssl/openssl/crypto/passphrase.c b/deps/openssl/openssl/crypto/passphrase.c index d61e2494405ac4..fcc40f6dab5369 100644 --- a/deps/openssl/openssl/crypto/passphrase.c +++ b/deps/openssl/openssl/crypto/passphrase.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,7 +41,8 @@ int ossl_pw_set_passphrase(struct ossl_passphrase_data_st *data, ossl_pw_clear_passphrase_data(data); data->type = is_expl_passphrase; data->_.expl_passphrase.passphrase_copy = - OPENSSL_memdup(passphrase, passphrase_len); + passphrase_len != 0 ? OPENSSL_memdup(passphrase, passphrase_len) + : OPENSSL_malloc(1); if (data->_.expl_passphrase.passphrase_copy == NULL) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); return 0; @@ -109,7 +110,8 @@ int ossl_pw_disable_passphrase_caching(struct ossl_passphrase_data_st *data) * UI_METHOD processor. It differs from UI_UTIL_read_pw() like this: * * 1. It constructs a prompt on its own, based on |prompt_info|. - * 2. It allocates a buffer for verification on its own. + * 2. It allocates a buffer for password and verification on its own + * to compensate for NUL terminator in UI password strings. * 3. It raises errors. * 4. It reports back the length of the prompted pass phrase. */ 
@@ -117,8 +119,8 @@ static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, const char *prompt_info, int verify, const UI_METHOD *ui_method, void *ui_data) { - char *prompt = NULL, *vpass = NULL; - int prompt_idx = -1, verify_idx = -1; + char *prompt = NULL, *ipass = NULL, *vpass = NULL; + int prompt_idx = -1, verify_idx = -1, res; UI *ui = NULL; int ret = 0; @@ -145,9 +147,16 @@ static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, goto end; } + /* Get a buffer for verification prompt */ + ipass = OPENSSL_zalloc(pass_size + 1); + if (ipass == NULL) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); + goto end; + } + prompt_idx = UI_add_input_string(ui, prompt, UI_INPUT_FLAG_DEFAULT_PWD, - pass, 0, pass_size - 1) - 1; + ipass, 0, pass_size) - 1; if (prompt_idx < 0) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); goto end; @@ -155,15 +164,15 @@ static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, if (verify) { /* Get a buffer for verification prompt */ - vpass = OPENSSL_zalloc(pass_size); + vpass = OPENSSL_zalloc(pass_size + 1); if (vpass == NULL) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); goto end; } verify_idx = UI_add_verify_string(ui, prompt, UI_INPUT_FLAG_DEFAULT_PWD, - vpass, 0, pass_size - 1, - pass) - 1; + vpass, 0, pass_size, + ipass) - 1; if (verify_idx < 0) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); goto end; @@ -178,13 +187,20 @@ static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); break; default: - *pass_len = (size_t)UI_get_result_length(ui, prompt_idx); + res = UI_get_result_length(ui, prompt_idx); + if (res < 0) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); + break; + } + *pass_len = (size_t)res; + memcpy(pass, ipass, *pass_len); ret = 1; break; } end: - OPENSSL_free(vpass); + OPENSSL_clear_free(vpass, pass_size + 1); + OPENSSL_clear_free(ipass, pass_size + 1); OPENSSL_free(prompt); UI_free(ui); return ret; 
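Review bot: The comment added above `ipass = OPENSSL_zalloc(pass_size + 1);` reads `/* Get a buffer for verification prompt */`, but `ipass` receives the primary pass phrase input and the identical comment already sits above the `vpass` allocation. `/* Get a buffer for the pass phrase input, with room for the UI's NUL terminator */` would describe it correctly. It would also help to say next to `memcpy(pass, ipass, *pass_len);` in the last hunk that `pass` is not NUL-terminated and only `*pass_len` bytes are valid, since the UI maximum is now `pass_size` rather than `pass_size - 1`. do_ui_passphrase() starts outside these hunks.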
diff --git a/deps/openssl/openssl/crypto/pem/pem_lib.c b/deps/openssl/openssl/crypto/pem/pem_lib.c index 3948021702fbb9..50975070198f8a 100644 --- a/deps/openssl/openssl/crypto/pem/pem_lib.c +++ b/deps/openssl/openssl/crypto/pem/pem_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -974,19 +974,22 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, headerlen = BIO_get_mem_data(headerB, NULL); *header = pem_malloc(headerlen + 1, flags); *data = pem_malloc(len, flags); - if (*header == NULL || *data == NULL) { - pem_free(*header, flags, 0); - pem_free(*data, flags, 0); - goto end; - } - BIO_read(headerB, *header, headerlen); + if (*header == NULL || *data == NULL) + goto out_free; + if (headerlen != 0 && BIO_read(headerB, *header, headerlen) != headerlen) + goto out_free; (*header)[headerlen] = '\0'; - BIO_read(dataB, *data, len); + if (BIO_read(dataB, *data, len) != len) + goto out_free; *len_out = len; *name_out = name; name = NULL; ret = 1; + goto end; +out_free: + pem_free(*header, flags, 0); + pem_free(*data, flags, 0); end: EVP_ENCODE_CTX_free(ctx); pem_free(name, flags, 0); diff --git a/deps/openssl/openssl/crypto/pem/pem_pk8.c b/deps/openssl/openssl/crypto/pem/pem_pk8.c index 4742f02fef22c6..1592e351edef16 100644 --- a/deps/openssl/openssl/crypto/pem/pem_pk8.c +++ b/deps/openssl/openssl/crypto/pem/pem_pk8.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
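Review bot: The new `out_free` path in PEM_read_bio_ex() frees `*header` and `*data` but leaves both caller-visible pointers holding the freed addresses, so a caller that releases its own variables after a failed call would free them a second time. Clearing them right after the frees, `*header = NULL;` and `*data = NULL;`, removes that hazard. The data read also has no counterpart to the `headerlen != 0 &&` guard on the header read, so a zero-length payload presumably ends up on this failure path; how `BIO_read()` reports a zero-length read should be confirmed. The function starts outside the hunk.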
@@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, if (enc || (nid != -1)) { if (kstr == NULL) { klen = cb(buf, PEM_BUFSIZE, 1, u); - if (klen <= 0) { + if (klen < 0) { ERR_raise(ERR_LIB_PEM, PEM_R_READ_KEY); goto legacy_end; } diff --git a/deps/openssl/openssl/crypto/property/property.c b/deps/openssl/openssl/crypto/property/property.c index c087e741edc7f3..509191a8936a76 100644 --- a/deps/openssl/openssl/crypto/property/property.c +++ b/deps/openssl/openssl/crypto/property/property.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -596,7 +596,7 @@ int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, QUERY elem, *r; int res = 0; - if (nid <= 0 || store == NULL) + if (nid <= 0 || store == NULL || prop_query == NULL) return 0; if (!ossl_property_read_lock(store)) @@ -605,7 +605,7 @@ int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, if (alg == NULL) goto err; - elem.query = prop_query != NULL ? prop_query : ""; + elem.query = prop_query; elem.provider = prov; r = lh_QUERY_retrieve(alg->cache, &elem); if (r == NULL) @@ -629,10 +629,8 @@ int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, OSSL_PROVIDER *prov, size_t len; int res = 1; - if (nid <= 0 || store == NULL) + if (nid <= 0 || store == NULL || prop_query == NULL) return 0; - if (prop_query == NULL) - return 1; if (!ossl_assert(prov != NULL)) return 0; diff --git a/deps/openssl/openssl/crypto/property/property_string.c b/deps/openssl/openssl/crypto/property/property_string.c index 38deab5af0f768..ef87a6a7823581 100644 --- a/deps/openssl/openssl/crypto/property/property_string.c +++ b/deps/openssl/openssl/crypto/property/property_string.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/deps/openssl/openssl/crypto/provider_core.c b/deps/openssl/openssl/crypto/provider_core.c index cb4c07c781ac4e..177358f054abbc 100644 --- a/deps/openssl/openssl/crypto/provider_core.c +++ b/deps/openssl/openssl/crypto/provider_core.c @@ -603,6 +603,9 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, OSSL_PROVIDER tmpl = { 0, }; OSSL_PROVIDER *actualtmp = NULL; + if (actualprov != NULL) + *actualprov = NULL; + if ((store = get_provider_store(prov->libctx)) == NULL) return 0; @@ -659,7 +662,7 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, err: CRYPTO_THREAD_unlock(store->lock); if (actualprov != NULL) - ossl_provider_free(actualtmp); + ossl_provider_free(*actualprov); return 0; } @@ -1945,9 +1948,13 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov, const char *pkey_name) { int sign_nid = OBJ_txt2nid(sign_name); - int digest_nid = OBJ_txt2nid(digest_name); + int digest_nid = NID_undef; int pkey_nid = OBJ_txt2nid(pkey_name); + if (digest_name != NULL && digest_name[0] != '\0' + && (digest_nid = OBJ_txt2nid(digest_name)) == NID_undef) + return 0; + if (sign_nid == NID_undef) return 0; @@ -1958,8 +1965,7 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov, if (OBJ_find_sigid_algs(sign_nid, NULL, NULL)) return 1; - if (digest_nid == NID_undef - || pkey_nid == NID_undef) + if (pkey_nid == NID_undef) return 0; return OBJ_add_sigid(sign_nid, digest_nid, pkey_nid); diff --git a/deps/openssl/openssl/crypto/rand/rand_egd.c b/deps/openssl/openssl/crypto/rand/rand_egd.c index dc1833169c9909..2067ececaf09cb 100644 --- a/deps/openssl/openssl/crypto/rand/rand_egd.c 
+++ b/deps/openssl/openssl/crypto/rand/rand_egd.c @@ -80,7 +80,7 @@ int hpns_socket(int family, # define AF_UNIX_PORTABILITY "$ZAFN2" # define AF_UNIX_COMPATIBILITY "$ZPLS" - if (!_arg_present(transport) || transport != NULL || transport[0] == '\0') + if (!_arg_present(transport) || transport == NULL || transport[0] == '\0') return socket(family, type, protocol); socket_transport_name_get(AF_UNIX, current_transport, 20); diff --git a/deps/openssl/openssl/crypto/rand/rand_lib.c b/deps/openssl/openssl/crypto/rand/rand_lib.c index 8f76c8a5f024ec..afe3521186caeb 100644 --- a/deps/openssl/openssl/crypto/rand/rand_lib.c +++ b/deps/openssl/openssl/crypto/rand/rand_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -529,6 +529,8 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) EVP_RAND_CTX *ctx; char *name; + if (dgbl == NULL) + return NULL; name = dgbl->seed_name != NULL ? dgbl->seed_name : "SEED-SRC"; rand = EVP_RAND_fetch(libctx, name, dgbl->seed_propq); if (rand == NULL) { @@ -560,6 +562,8 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent, OSSL_PARAM params[7], *p = params; char *name, *cipher; + if (dgbl == NULL) + return NULL; name = dgbl->rng_name != NULL ? dgbl->rng_name : "CTR-DRBG"; rand = EVP_RAND_fetch(libctx, name, dgbl->rng_propq); if (rand == NULL) { @@ -759,6 +763,9 @@ static int random_conf_init(CONF_IMODULE *md, const CONF *cnf) return 0; } + if (dgbl == NULL) + return 0; + for (i = 0; i < sk_CONF_VALUE_num(elist); i++) { cval = sk_CONF_VALUE_value(elist, i); if (strcasecmp(cval->name, "random") == 0) { 
diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ameth.c b/deps/openssl/openssl/crypto/rsa/rsa_ameth.c index b1580ca48cf2e9..aabeb32736cec0 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_ameth.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -742,7 +742,7 @@ static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type, if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL) goto err; - if (!ossl_rsa_todata(rsa, tmpl, NULL)) + if (!ossl_rsa_todata(rsa, tmpl, NULL, 1)) goto err; selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; @@ -835,7 +835,7 @@ static int rsa_int_import_from(const OSSL_PARAM params[], void *vpctx, goto err; } - if (!ossl_rsa_fromdata(rsa, params)) + if (!ossl_rsa_fromdata(rsa, params, 1)) goto err; switch (rsa_type) { diff --git a/deps/openssl/openssl/crypto/rsa/rsa_backend.c b/deps/openssl/openssl/crypto/rsa/rsa_backend.c index 46283265d2746c..ad1623dd1444e3 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_backend.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -60,9 +60,9 @@ static int collect_numbers(STACK_OF(BIGNUM) *numbers, return 1; } -int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[]) +int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private) { - const OSSL_PARAM *param_n, *param_e, *param_d; + const OSSL_PARAM *param_n, *param_e, *param_d = NULL; BIGNUM *n = NULL, *e = NULL, *d = NULL; STACK_OF(BIGNUM) *factors = NULL, *exps = NULL, *coeffs = NULL; int is_private = 0; @@ -72,7 +72,8 @@ int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[]) param_n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N); param_e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E); - param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D); + if (include_private) + param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D); if ((param_n != NULL && !OSSL_PARAM_get_BN(param_n, &n)) || (param_e != NULL && !OSSL_PARAM_get_BN(param_e, &e)) @@ -118,7 +119,8 @@ int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[]) DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM) -int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) +int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], + int include_private) { int ret = 0; const BIGNUM *rsa_d = NULL, *rsa_n = NULL, *rsa_e = NULL; @@ -137,7 +139,7 @@ int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) goto err; /* Check private key data integrity */ - if (rsa_d != NULL) { + if (include_private && rsa_d != NULL) { int numprimes = sk_BIGNUM_const_num(factors); int numexps = sk_BIGNUM_const_num(exps); int numcoeffs = sk_BIGNUM_const_num(coeffs); diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c index c417a4b8f6dd80..381c659352ad14 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c 
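Review bot: The new `include_private` argument of ossl_rsa_fromdata() and ossl_rsa_todata() in crypto/rsa/rsa_backend.c has no comment, and both callers in rsa_ameth.c pass a bare `1`. The flag decides whether private key material is read or checked, so its contract should be stated at the definition, for example `/* include_private == 0: OSSL_PKEY_PARAM_RSA_D is not looked up and the key is treated as public-only */` above ossl_rsa_fromdata(). In ossl_rsa_todata() the visible change only gates the block opened by `if (include_private && rsa_d != NULL)`. Whether every export of d, the factors, exponents and coefficients sits inside that block cannot be confirmed from the hunk and should be checked against the full body.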
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -213,7 +213,9 @@ static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, */ int ret; - BN_BLINDING_lock(b); + if (!BN_BLINDING_lock(b)) + return 0; + ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); BN_BLINDING_unlock(b); diff --git a/deps/openssl/openssl/crypto/store/store_meth.c b/deps/openssl/openssl/crypto/store/store_meth.c index e79ec871fd79c9..db13f62c66eace 100644 --- a/deps/openssl/openssl/crypto/store/store_meth.c +++ b/deps/openssl/openssl/crypto/store/store_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -280,6 +280,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, { OSSL_METHOD_STORE *store = get_loader_store(methdata->libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); + const char *const propq = properties != NULL ? properties : ""; void *method = NULL; int unsupported = 0; @@ -309,7 +310,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, unsupported = 1; if (id == 0 - || !ossl_method_store_cache_get(store, NULL, id, properties, &method)) { + || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { get_tmp_loader_store, get_loader_from_store, 
@@ -317,13 +318,14 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, construct_loader, destruct_loader }; + OSSL_PROVIDER *prov = NULL; methdata->scheme_id = id; methdata->scheme = scheme; - methdata->propquery = properties; + methdata->propquery = propq; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_STORE, - NULL, 0 /* !force_cache */, + &prov, 0 /* !force_cache */, &mcm, methdata)) != NULL) { /* * If construction did create a method for us, we know that there @@ -332,7 +334,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, */ if (id == 0) id = ossl_namemap_name2num(namemap, scheme); - ossl_method_store_cache_set(store, NULL, id, properties, method, + ossl_method_store_cache_set(store, prov, id, propq, method, up_ref_loader, free_loader); } diff --git a/deps/openssl/openssl/crypto/store/store_result.c b/deps/openssl/openssl/crypto/store/store_result.c index 3a0dc9dfba9357..1306b270bbaf5e 100644 --- a/deps/openssl/openssl/crypto/store/store_result.c +++ b/deps/openssl/openssl/crypto/store/store_result.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -525,7 +525,7 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, if (p12 != NULL) { char *pass = NULL; - char tpass[PEM_BUFSIZE]; + char tpass[PEM_BUFSIZE + 1]; size_t tpass_len; EVP_PKEY *pkey = NULL; X509 *cert = NULL; 
@@ -547,17 +547,23 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, OSSL_PARAM_END }; - if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len, + if (!ossl_pw_get_passphrase(tpass, sizeof(tpass) - 1, + &tpass_len, pw_params, 0, &ctx->pwdata)) { ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR); goto p12_end; } pass = tpass; - if (!PKCS12_verify_mac(p12, pass, strlen(pass))) { + /* + * ossl_pw_get_passphrase() does not NUL terminate but + * we must do it for PKCS12_parse() + */ + pass[tpass_len] = '\0'; + if (!PKCS12_verify_mac(p12, pass, tpass_len)) { ERR_raise_data(ERR_LIB_OSSL_STORE, OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC, - strlen(pass) == 0 ? "empty password" : + tpass_len == 0 ? "empty password" : "maybe wrong password"); goto p12_end; } @@ -613,9 +619,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, } ctx->cached_info = infos; } + p12_end: + OPENSSL_cleanse(tpass, sizeof(tpass)); + PKCS12_free(p12); } - p12_end: - PKCS12_free(p12); *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); } diff --git a/deps/openssl/openssl/crypto/threads_pthread.c b/deps/openssl/openssl/crypto/threads_pthread.c index 9f00d8be5eae6d..64247d29adef4d 100644 --- a/deps/openssl/openssl/crypto/threads_pthread.c +++ b/deps/openssl/openssl/crypto/threads_pthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -261,26 +261,9 @@ int CRYPTO_atomic_load(uint64_t *val, uint64_t *ret, CRYPTO_RWLOCK *lock) return 1; } # ifndef FIPS_MODULE -# ifdef OPENSSL_SYS_UNIX - -static pthread_once_t fork_once_control = PTHREAD_ONCE_INIT; - -static void fork_once_func(void) -{ -# ifndef OPENSSL_NO_DEPRECATED_3_0 - pthread_atfork(OPENSSL_fork_prepare, - OPENSSL_fork_parent, OPENSSL_fork_child); -# endif -} -# endif - int openssl_init_fork_handlers(void) { -# ifdef OPENSSL_SYS_UNIX - if (pthread_once(&fork_once_control, fork_once_func) == 0) - return 1; -# endif - return 0; + return 1; } # endif /* FIPS_MODULE */ diff --git a/deps/openssl/openssl/crypto/trace.c b/deps/openssl/openssl/crypto/trace.c index f012b617abc68f..40941990e673de 100644 --- a/deps/openssl/openssl/crypto/trace.c +++ b/deps/openssl/openssl/crypto/trace.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -136,6 +136,7 @@ static const struct trace_category_st trace_categories[] = { TRACE_CATEGORY_(PKCS12_DECRYPT), TRACE_CATEGORY_(X509V3_POLICY), TRACE_CATEGORY_(BN_CTX), + TRACE_CATEGORY_(CMP), TRACE_CATEGORY_(STORE), TRACE_CATEGORY_(DECODER), TRACE_CATEGORY_(ENCODER), @@ -496,6 +497,8 @@ void OSSL_trace_end(int category, BIO * channel) char *suffix = NULL; category = ossl_trace_get_category(category); + if (category < 0) + return; suffix = trace_channels[category].suffix; if (channel != NULL && ossl_assert(channel == current_channel)) { diff --git a/deps/openssl/openssl/crypto/ui/ui_openssl.c b/deps/openssl/openssl/crypto/ui/ui_openssl.c index 8cf7a21d767576..8007f2f70c8728 100644 --- a/deps/openssl/openssl/crypto/ui/ui_openssl.c +++ b/deps/openssl/openssl/crypto/ui/ui_openssl.c 
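Review bot: openssl_init_fork_handlers() in crypto/threads_pthread.c now returns 1 unconditionally and registers nothing, with no comment saying where fork handling happens instead. Two things change silently: the pthread_atfork() registration of OPENSSL_fork_prepare/OPENSSL_fork_parent/OPENSSL_fork_child is gone, and builds without OPENSSL_SYS_UNIX now get 1 where they used to get 0. Per-process state such as RNG seeding must not be shared between parent and child after fork(), so the function should carry a comment along the lines of `/* no atfork handlers are installed; fork safety is provided by <replacement mechanism> */`. The replacement mechanism is not visible in this hunk and has to be filled in from the rest of the tree.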
@@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -551,6 +551,8 @@ static int echo_console(UI *ui) static int close_console(UI *ui) { + int ret = 1; + if (tty_in != stdin) fclose(tty_in); if (tty_out != stderr) @@ -560,12 +562,12 @@ static int close_console(UI *ui) if (status != SS$_NORMAL) { ERR_raise_data(ERR_LIB_UI, UI_R_SYSDASSGN_ERROR, "status=%%X%08X", status); - return 0; + ret = 0; } # endif CRYPTO_THREAD_unlock(ui->lock); - return 1; + return ret; } # if !defined(OPENSSL_SYS_WINCE) diff --git a/deps/openssl/openssl/crypto/ui/ui_util.c b/deps/openssl/openssl/crypto/ui/ui_util.c index 58769d68a3ae4e..54fa43f0cc2e88 100644 --- a/deps/openssl/openssl/crypto/ui/ui_util.c +++ b/deps/openssl/openssl/crypto/ui/ui_util.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -73,9 +73,12 @@ static void ui_new_method_data(void *parent, void *ptr, CRYPTO_EX_DATA *ad, static int ui_dup_method_data(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void **pptr, int idx, long argl, void *argp) { - if (*pptr != NULL) + if (*pptr != NULL) { *pptr = OPENSSL_memdup(*pptr, sizeof(struct pem_password_cb_data)); - return 1; + if (*pptr != NULL) + return 1; + } + return 0; } static void ui_free_method_data(void *parent, void *ptr, CRYPTO_EX_DATA *ad, @@ -114,7 +117,7 @@ static int ui_read(UI *ui, UI_STRING *uis) if (len >= 0) result[len] = '\0'; - if (len <= 0) + if (len < 0) return len; if (UI_set_result_ex(ui, uis, result, len) >= 0) return 1; 
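Review bot: ui_dup_method_data() in crypto/ui/ui_util.c now returns 0 when `*pptr` is NULL on entry, not only when OPENSSL_memdup() fails; the old code returned 1 in that case. If a slot without password-callback data can legitimately be duplicated, the duplication now reports failure for it; if it cannot, a comment saying so would make the intent clear. The two cases can be kept apart with `if (*pptr == NULL) return 1;` ahead of the memdup and `return *pptr != NULL;` after it. Which behaviour the ex_data caller expects is not visible in this hunk.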
diff --git a/deps/openssl/openssl/crypto/x509/v3_crld.c b/deps/openssl/openssl/crypto/x509/v3_crld.c index bc755f5f0dbe1b..0289df4de78945 100644 --- a/deps/openssl/openssl/crypto/x509/v3_crld.c +++ b/deps/openssl/openssl/crypto/x509/v3_crld.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -83,6 +83,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, return -1; dnsect = X509V3_get_section(ctx, cnf->value); if (!dnsect) { + X509_NAME_free(nm); ERR_raise(ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND); return -1; } diff --git a/deps/openssl/openssl/crypto/x509/v3_sxnet.c b/deps/openssl/openssl/crypto/x509/v3_sxnet.c index 3e5ae048be5bf5..ad62a6d168c1d8 100644 --- a/deps/openssl/openssl/crypto/x509/v3_sxnet.c +++ b/deps/openssl/openssl/crypto/x509/v3_sxnet.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -167,11 +167,12 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, goto err; if (!ASN1_INTEGER_set(sx->version, 0)) goto err; - *psx = sx; } else sx = *psx; if (SXNET_get_id_INTEGER(sx, zone)) { ERR_raise(ERR_LIB_X509V3, X509V3_R_DUPLICATE_ZONE_ID); + if (*psx == NULL) + SXNET_free(sx); return 0; } 
@@ -185,13 +186,14 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, if (!sk_SXNETID_push(sx->ids, id)) goto err; id->zone = zone; + *psx = sx; return 1; err: ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); SXNETID_free(id); - SXNET_free(sx); - *psx = NULL; + if (*psx == NULL) + SXNET_free(sx); return 0; } diff --git a/deps/openssl/openssl/crypto/x509/v3_utl.c b/deps/openssl/openssl/crypto/x509/v3_utl.c index a70917a39bde03..734e083a7a72e5 100644 --- a/deps/openssl/openssl/crypto/x509/v3_utl.c +++ b/deps/openssl/openssl/crypto/x509/v3_utl.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -539,8 +539,11 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, return 0; emtmp = OPENSSL_strndup((char *)email->data, email->length); - if (emtmp == NULL) + if (emtmp == NULL) { + X509_email_free(*sk); + *sk = NULL; return 0; + } /* Don't add duplicates */ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) { @@ -833,8 +836,11 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, rv = equal(a->data, a->length, (unsigned char *)b, blen, flags); else if (a->length == (int)blen && !memcmp(a->data, b, blen)) rv = 1; - if (rv > 0 && peername) + if (rv > 0 && peername != NULL) { *peername = OPENSSL_strndup((char *)a->data, a->length); + if (*peername == NULL) + return -1; + } } else { int astrlen; unsigned char *astr; 
@@ -847,8 +853,13 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, return -1; } rv = equal(astr, astrlen, (unsigned char *)b, blen, flags); - if (rv > 0 && peername) + if (rv > 0 && peername != NULL) { *peername = OPENSSL_strndup((char *)astr, astrlen); + if (*peername == NULL) { + OPENSSL_free(astr); + return -1; + } + } OPENSSL_free(astr); } return rv; diff --git a/deps/openssl/openssl/crypto/x509/x509_lu.c b/deps/openssl/openssl/crypto/x509/x509_lu.c index 3b76b92f713856..d8927bda070689 100644 --- a/deps/openssl/openssl/crypto/x509/x509_lu.c +++ b/deps/openssl/openssl/crypto/x509/x509_lu.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -321,7 +321,9 @@ int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs, stmp.type = X509_LU_NONE; stmp.data.ptr = NULL; - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) + return 0; + tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name); X509_STORE_unlock(store); @@ -371,7 +373,12 @@ static int x509_store_add(X509_STORE *store, void *x, int crl) { return 0; } - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) { + obj->type = X509_LU_NONE; + X509_OBJECT_free(obj); + return 0; + } + if (X509_OBJECT_retrieve_match(store->objs, obj)) { ret = 1; } else { @@ -553,7 +560,9 @@ STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store) } if ((sk = sk_X509_new_null()) == NULL) return NULL; - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) + goto out_free; + objs = X509_STORE_get0_objects(store); for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i)); 
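Review bot: In x509_store_add() (crypto/x509/x509_lu.c) the new lock-failure path sets `obj->type = X509_LU_NONE;` before `X509_OBJECT_free(obj);`, which appears to stop the free from releasing the certificate or CRL held in `obj`. If the lines above the hunk have already taken a reference on `x` for `obj`, that reference is leaked whenever X509_STORE_lock() fails. In that case the path should be just `X509_OBJECT_free(obj); return 0;`. The start of the function is outside the hunk, so the reference handling needs to be confirmed against the full body.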
@@ -567,6 +576,7 @@ STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store) err: X509_STORE_unlock(store); + out_free: sk_X509_pop_free(sk, X509_free); return NULL; } @@ -583,7 +593,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, if (store == NULL) return NULL; - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) + return NULL; + idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { /* @@ -601,7 +613,8 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, return NULL; } X509_OBJECT_free(xobj); - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) + return NULL; idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { X509_STORE_unlock(store); @@ -642,7 +655,10 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *ctx, return NULL; } X509_OBJECT_free(xobj); - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) { + sk_X509_CRL_free(sk); + return NULL; + } idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, &cnt); if (idx < 0) { X509_STORE_unlock(store); @@ -744,7 +760,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) /* Find index of first currently valid cert accepted by 'check_issued' */ ret = 0; - X509_STORE_lock(store); + if (!X509_STORE_lock(store)) + return 0; + idx = x509_object_idx_cnt(store->objs, X509_LU_X509, xn, &nmatch); if (idx != -1) { /* should be true as we've had at least one match */ /* Look through all matching certs for suitable issuer */ diff --git a/deps/openssl/openssl/crypto/x509/x509_trust.c b/deps/openssl/openssl/crypto/x509/x509_trust.c index ff578aee73d461..fd77b0c6fe6162 100644 --- a/deps/openssl/openssl/crypto/x509/x509_trust.c +++ b/deps/openssl/openssl/crypto/x509/x509_trust.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -72,7 +72,7 @@ int X509_check_trust(X509 *x, int id, int flags) return obj_trust(NID_anyExtendedKeyUsage, x, flags | X509_TRUST_DO_SS_COMPAT); idx = X509_TRUST_get_by_id(id); - if (idx == -1) + if (idx < 0) return default_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); @@ -112,7 +112,7 @@ int X509_TRUST_get_by_id(int id) int X509_TRUST_set(int *t, int trust) { - if (X509_TRUST_get_by_id(trust) == -1) { + if (X509_TRUST_get_by_id(trust) < 0) { ERR_raise(ERR_LIB_X509, X509_R_INVALID_TRUST); return 0; } @@ -134,7 +134,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), /* Get existing entry if any */ idx = X509_TRUST_get_by_id(id); /* Need a new entry */ - if (idx == -1) { + if (idx < 0) { if ((trtmp = OPENSSL_malloc(sizeof(*trtmp))) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); return 0; @@ -162,7 +162,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), trtmp->arg2 = arg2; /* If its a new entry manage the dynamic table */ - if (idx == -1) { + if (idx < 0) { if (trtable == NULL && (trtable = sk_X509_TRUST_new(tr_cmp)) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); @@ -175,7 +175,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), } return 1; err: - if (idx == -1) { + if (idx < 0) { OPENSSL_free(trtmp->name); OPENSSL_free(trtmp); } diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c index ff3ca83de6d5cf..2f175ca517f5dd 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.c +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -2230,6 +2230,12 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, /* If purpose not set use default */ if (purpose == 0) purpose = def_purpose; + /* + * If purpose is set but we don't have a default then set the default to + * the current purpose + */ + else if (def_purpose == 0) + def_purpose = purpose; /* If we have a purpose then check it is valid */ if (purpose != 0) { X509_PURPOSE *ptmp; @@ -2242,11 +2248,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, ptmp = X509_PURPOSE_get0(idx); if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); - /* - * XXX: In the two callers above def_purpose is always 0, which is - * not a known value, so idx will always be -1. How is the - * X509_TRUST_DEFAULT case actually supposed to be handled? - */ if (idx == -1) { ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID); return 0; diff --git a/deps/openssl/openssl/demos/README.txt b/deps/openssl/openssl/demos/README.txt index 291094bf9d5e97..dae5c881d23e6b 100644 --- a/deps/openssl/openssl/demos/README.txt +++ b/deps/openssl/openssl/demos/README.txt @@ -10,12 +10,14 @@ certs: Demonstration of creating certs, using OCSP cipher: aesgcm.c Demonstration of symmetric cipher GCM mode encrypt/decrypt aesccm.c Demonstration of symmetric cipher CCM mode encrypt/decrypt +ariacbc.c Demonstration of symmetric cipher CBC mode encrypt/decrypt cms: digest: EVP_MD_demo.c Compute a digest from multiple buffers EVP_MD_stdin.c Compute a digest with data read from stdin +EVP_MD_xof.c Compute a digest using the SHAKE256 XOF EVP_f_md.c Compute a digest using BIO and EVP_f_md kdf: 
@@ -25,9 +27,12 @@ scrypt.c Demonstration of SCRYPT password based key derivation mac: gmac.c Demonstration of GMAC message authentication +poly1305.c Demonstration of Poly1305-AES message authentication +siphash.c Demonstration of SIPHASH message authentication pkey: EVP_PKEY_EC_keygen.c Generate an EC key. +EVP_PKEY_RSA_keygen.c Generate an RSA key. smime: @@ -37,3 +42,5 @@ pkwrite.c Add a password to an existing PKCS12 file. signature: EVP_Signature_demo.c Compute and verify a signature from multiple buffers +rsa_pss_direct.c Compute and verify an RSA-PSS signature from a hash +rsa_pss_hash.c Compute and verify an RSA-PSS signature over a buffer diff --git a/deps/openssl/openssl/demos/cipher/Makefile b/deps/openssl/openssl/demos/cipher/Makefile index c2e10a1ded0ed8..b4f08a3746169f 100644 --- a/deps/openssl/openssl/demos/cipher/Makefile +++ b/deps/openssl/openssl/demos/cipher/Makefile @@ -11,13 +11,14 @@ CFLAGS = $(OPENSSL_INCS_LOCATION) LDFLAGS = $(OPENSSL_LIBS_LOCATION) -lssl -lcrypto -all: aesccm aesgcm +all: aesccm aesgcm ariacbc aesccm: aesccm.o aesgcm: aesgcm.o +ariacbc: ariacbc.o -aesccm aesgcm: +aesccm aesgcm ariacbc: $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS) clean: - $(RM) aesccm aesgcm *.o + $(RM) aesccm aesgcm ariacbc *.o diff --git a/deps/openssl/openssl/demos/cipher/ariacbc.c b/deps/openssl/openssl/demos/cipher/ariacbc.c new file mode 100644 index 00000000000000..8999fe6e701d24 --- /dev/null +++ b/deps/openssl/openssl/demos/cipher/ariacbc.c 
@@ -0,0 +1,178 @@ +/* + * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Simple ARIA CBC encryption demonstration program. + */ + +#include +#include +#include +#include +#include +#include + +/* ARIA key */ +static const unsigned char cbc_key[] = { + 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, + 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, + 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f +}; + +/* Unique initialisation vector */ +static const unsigned char cbc_iv[] = { + 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84, + 0x99, 0xaa, 0x3e, 0x68, +}; + +/* Example plaintext to encrypt */ +static const unsigned char cbc_pt[] = { + 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, + 0xcc, 0x2b, 0xf2, 0xa5 +}; + +/* Expected ciphertext value */ +static const unsigned char cbc_ct[] = { + 0x9a, 0x44, 0xe6, 0x85, 0x94, 0x26, 0xff, 0x30, 0x03, 0xd3, 0x7e, 0xc6, + 0xb5, 0x4a, 0x09, 0x66, 0x39, 0x28, 0xf3, 0x67, 0x14, 0xbc, 0xe8, 0xe2, + 0xcf, 0x31, 0xb8, 0x60, 0x42, 0x72, 0x6d, 0xc8 +}; + +/* + * A library context and property query can be used to select & filter + * algorithm implementations. If they are NULL then the default library + * context and properties are used. 
+ */ +OSSL_LIB_CTX *libctx = NULL; +const char *propq = NULL; + +int aria_cbc_encrypt(void) +{ + int ret = 0; + EVP_CIPHER_CTX *ctx; + EVP_CIPHER *cipher = NULL; + int outlen, tmplen; + size_t cbc_ivlen = sizeof(cbc_iv); + unsigned char outbuf[1024]; + unsigned char outtag[16]; + + printf("ARIA CBC Encrypt:\n"); + printf("Plaintext:\n"); + BIO_dump_fp(stdout, cbc_pt, sizeof(cbc_pt)); + + /* Create a context for the encrypt operation */ + if ((ctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + + /* Fetch the cipher implementation */ + if ((cipher = EVP_CIPHER_fetch(libctx, "ARIA-256-CBC", propq)) == NULL) + goto err; + + /* + * Initialise an encrypt operation with the cipher/mode, key and IV. + * We are not setting any custom params so let params be just NULL. + */ + if (!EVP_EncryptInit_ex2(ctx, cipher, cbc_key, cbc_iv, /* params */ NULL)) + goto err; + + /* Encrypt plaintext */ + if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, cbc_pt, sizeof(cbc_pt))) + goto err; + + /* Finalise: there can be some additional output from padding */ + if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) + goto err; + outlen += tmplen; + + /* Output encrypted block */ + printf("Ciphertext (outlen:%d):\n", outlen); + BIO_dump_fp(stdout, outbuf, outlen); + + if (sizeof(cbc_ct) == outlen && !CRYPTO_memcmp(outbuf, cbc_ct, outlen)) + printf("Final ciphertext matches expected ciphertext\n"); + else + printf("Final ciphertext differs from expected ciphertext\n"); + + ret = 1; +err: + if (!ret) + ERR_print_errors_fp(stderr); + + EVP_CIPHER_free(cipher); + EVP_CIPHER_CTX_free(ctx); + + return ret; +} + +int aria_cbc_decrypt(void) +{ + int ret = 0; + EVP_CIPHER_CTX *ctx; + EVP_CIPHER *cipher = NULL; + int outlen, tmplen, rv; + size_t cbc_ivlen = sizeof(cbc_iv); + unsigned char outbuf[1024]; + + printf("ARIA CBC Decrypt:\n"); + printf("Ciphertext:\n"); + BIO_dump_fp(stdout, cbc_ct, sizeof(cbc_ct)); + + if ((ctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + + /* Fetch the cipher implementation 
*/ + if ((cipher = EVP_CIPHER_fetch(libctx, "ARIA-256-CBC", propq)) == NULL) + goto err; + + /* + * Initialise an encrypt operation with the cipher/mode, key and IV. + * We are not setting any custom params so let params be just NULL. + */ + if (!EVP_DecryptInit_ex2(ctx, cipher, cbc_key, cbc_iv, /* params */ NULL)) + goto err; + + /* Decrypt plaintext */ + if (!EVP_DecryptUpdate(ctx, outbuf, &outlen, cbc_ct, sizeof(cbc_ct))) + goto err; + + /* Finalise: there can be some additional output from padding */ + if (!EVP_DecryptFinal_ex(ctx, outbuf + outlen, &tmplen)) + goto err; + outlen += tmplen; + + /* Output decrypted block */ + printf("Plaintext (outlen:%d):\n", outlen); + BIO_dump_fp(stdout, outbuf, outlen); + + if (sizeof(cbc_pt) == outlen && !CRYPTO_memcmp(outbuf, cbc_pt, outlen)) + printf("Final plaintext matches original plaintext\n"); + else + printf("Final plaintext differs from original plaintext\n"); + + ret = 1; +err: + if (!ret) + ERR_print_errors_fp(stderr); + + EVP_CIPHER_free(cipher); + EVP_CIPHER_CTX_free(ctx); + + return ret; +} + +int main(int argc, char **argv) +{ + if (!aria_cbc_encrypt()) + return 1; + + if (!aria_cbc_decrypt()) + return 1; + + return 0; +} diff --git a/deps/openssl/openssl/demos/cms/cms_ver.c b/deps/openssl/openssl/demos/cms/cms_ver.c index cd2b01e1b097d5..3c0a7aa19edec5 100644 --- a/deps/openssl/openssl/demos/cms/cms_ver.c +++ b/deps/openssl/openssl/demos/cms/cms_ver.c @@ -27,16 +27,18 @@ int main(int argc, char **argv) /* Set up trusted CA certificate store */ st = X509_STORE_new(); + if (st == NULL) + goto err; /* Read in CA certificate */ tbio = BIO_new_file("cacert.pem", "r"); - if (!tbio) + if (tbio == NULL) goto err; cacert = PEM_read_bio_X509(tbio, NULL, 0, NULL); - if (!cacert) + if (cacert == NULL) goto err; if (!X509_STORE_add_cert(st, cacert)) 
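Review bot: The new demo demos/cipher/ariacbc.c labels its hard-coded IV `/* Unique initialisation vector */` without saying that the fixed key and IV exist only so the output can be compared with `cbc_ct`. CBC needs a fresh, unpredictable IV for every message and provides no integrity protection, so the comment should read something like `/* Fixed IV for the known-answer check only; real code must use a random IV per message */`, with a note that the ciphertext is unauthenticated. In aria_cbc_decrypt() two comments copied from the encrypt path are wrong: "Initialise an encrypt operation" should say decrypt and "Decrypt plaintext" should say ciphertext. The locals `cbc_ivlen` (both functions), `outtag` and `rv` are never used and can be removed, and `libctx`/`propq` could be `static`.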
@@ -46,18 +48,18 @@ int main(int argc, char **argv) in = BIO_new_file("smout.txt", "r"); - if (!in) + if (in == NULL) goto err; /* parse message */ cms = SMIME_read_CMS(in, &cont); - if (!cms) + if (cms == NULL) goto err; /* File to output verified content to */ out = BIO_new_file("smver.txt", "w"); - if (!out) + if (out == NULL) goto err; if (!CMS_verify(cms, NULL, st, cont, out, 0)) { @@ -76,6 +78,7 @@ int main(int argc, char **argv) ERR_print_errors_fp(stderr); } + X509_STORE_free(st); CMS_ContentInfo_free(cms); X509_free(cacert); BIO_free(in); diff --git a/deps/openssl/openssl/demos/digest/EVP_MD_xof.c b/deps/openssl/openssl/demos/digest/EVP_MD_xof.c new file mode 100644 index 00000000000000..f31c047164b1d4 --- /dev/null +++ b/deps/openssl/openssl/demos/digest/EVP_MD_xof.c 
@@ -0,0 +1,132 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include + +/* + * Example of using an extendable-output hash function (XOF). A XOF is a hash + * function with configurable output length and which can generate an + * arbitrarily large output. + * + * This example uses SHAKE256, an extendable output variant of SHA3 (Keccak). + * + * To generate different output lengths, you can pass a single integer argument + * on the command line, which is the output size in bytes. By default, a 20-byte + * output is generated and (for this length only) a known answer test is + * performed. + */ + +/* Our input to the XOF hash function. */ +const char message[] = "This is a test message."; + +/* Expected output when an output length of 20 bytes is used. */ +static const char known_answer[] = { + 0x52, 0x97, 0x93, 0x78, 0x27, 0x58, 0x7d, 0x62, + 0x8b, 0x00, 0x25, 0xb5, 0xec, 0x39, 0x5e, 0x2d, + 0x7f, 0x3e, 0xd4, 0x19 +}; + +/* + * A property query used for selecting the SHAKE256 implementation. + */ +static const char *propq = NULL; + +int main(int argc, char **argv) +{ + int rv = 1; + OSSL_LIB_CTX *libctx = NULL; + EVP_MD *md = NULL; + EVP_MD_CTX *ctx = NULL; + unsigned int digest_len = 20; + int digest_len_i; + unsigned char *digest = NULL; + + /* Allow digest length to be changed for demonstration purposes. */ + if (argc > 1) { + digest_len_i = atoi(argv[1]); + if (digest_len_i <= 0) { + fprintf(stderr, "Specify a non-negative digest length\n"); + goto end; + } + + digest_len = (unsigned int)digest_len_i; + } + + /* + * Retrieve desired algorithm. This must be a hash algorithm which supports + * XOF. 
+ */ + md = EVP_MD_fetch(libctx, "SHAKE256", propq); + if (md == NULL) { + fprintf(stderr, "Failed to retrieve SHAKE256 algorithm\n"); + goto end; + } + + /* Create context. */ + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) { + fprintf(stderr, "Failed to create digest context\n"); + goto end; + } + + /* Initialize digest context. */ + if (EVP_DigestInit(ctx, md) == 0) { + fprintf(stderr, "Failed to initialize digest\n"); + goto end; + } + + /* + * Feed our message into the digest function. + * This may be called multiple times. + */ + if (EVP_DigestUpdate(ctx, message, sizeof(message)) == 0) { + fprintf(stderr, "Failed to hash input message\n"); + goto end; + } + + /* Allocate enough memory for our digest length. */ + digest = OPENSSL_malloc(digest_len); + if (digest == NULL) { + fprintf(stderr, "Failed to allocate memory for digest\n"); + goto end; + } + + /* Get computed digest. The digest will be of whatever length we specify. */ + if (EVP_DigestFinalXOF(ctx, digest, digest_len) == 0) { + fprintf(stderr, "Failed to finalize hash\n"); + goto end; + } + + printf("Output digest:\n"); + BIO_dump_indent_fp(stdout, digest, digest_len, 2); + + /* If digest length is 20 bytes, check it matches our known answer. */ + if (digest_len == 20) { + /* + * Always use a constant-time function such as CRYPTO_memcmp + * when comparing cryptographic values. Do not use memcmp(3). + */ + if (CRYPTO_memcmp(digest, known_answer, sizeof(known_answer)) != 0) { + fprintf(stderr, "Output does not match expected result\n"); + goto end; + } + } + + rv = 0; +end: + OPENSSL_free(digest); + EVP_MD_CTX_free(ctx); + EVP_MD_free(md); + OSSL_LIB_CTX_free(libctx); + return rv; +} diff --git a/deps/openssl/openssl/demos/digest/Makefile b/deps/openssl/openssl/demos/digest/Makefile index bcd4c4353bca88..0bfb6dd5f04470 100644 --- a/deps/openssl/openssl/demos/digest/Makefile +++ b/deps/openssl/openssl/demos/digest/Makefile 
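Review bot: In demos/digest/EVP_MD_xof.c, `known_answer` is declared `static const char[]` but holds byte values above 0x7f (0x97, 0x93, 0x8b, ...), which do not fit where `char` is signed; it should be `static const unsigned char known_answer[]`. The length check rejects zero as well as negatives, so the message should be `"Specify a positive digest length\n"`. atoi() gives no detection of overflow or trailing garbage, and the value reaches `OPENSSL_malloc(digest_len)` with no upper bound. `EVP_DigestUpdate(ctx, message, sizeof(message))` also hashes the terminating NUL; the known answer presumably depends on that, so it needs a comment.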
@@ -3,20 +3,21 @@ # # LD_LIBRARY_PATH=../.. ./EVP_MD_demo -CFLAGS = -I../../include -g +CFLAGS = -I../../include -g -Wall LDFLAGS = -L../.. LDLIBS = -lcrypto -all: EVP_MD_demo EVP_MD_stdin BIO_f_md +all: EVP_MD_demo EVP_MD_stdin EVP_MD_xof BIO_f_md %.o: %.c $(CC) $(CFLAGS) -c $< EVP_MD_demo: EVP_MD_demo.o EVP_MD_stdin: EVP_MD_stdin.o +EVP_MD_xof: EVP_MD_xof.o BIO_f_md: BIO_f_md.o test: ; clean: - $(RM) *.o EVP_MD_demo EVP_MD_stdin BIO_f_md + $(RM) *.o EVP_MD_demo EVP_MD_stdin EVP_MD_xof BIO_f_md
diff --git a/deps/openssl/openssl/demos/keyexch/x25519.c b/deps/openssl/openssl/demos/keyexch/x25519.c
new file mode 100644
index 00000000000000..bd35e0a98c1453
--- /dev/null
+++ b/deps/openssl/openssl/demos/keyexch/x25519.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+#include
+#include
+
+/*
+ * This is a demonstration of key exchange using X25519.
+ *
+ * The variables beginning `peer1_` / `peer2_` are data which would normally be
+ * accessible to that peer.
+ *
+ * Ordinarily you would use random keys, which are demonstrated
+ * below when use_kat=0. A known answer test is demonstrated
+ * when use_kat=1.
+ */
+
+/* A property query used for selecting the X25519 implementation. */
+static const char *propq = NULL;
+
+static const unsigned char peer1_privk_data[32] = {
+ 0x80, 0x5b, 0x30, 0x20, 0x25, 0x4a, 0x70, 0x2c,
+ 0xad, 0xa9, 0x8d, 0x7d, 0x47, 0xf8, 0x1b, 0x20,
+ 0x89, 0xd2, 0xf9, 0x14, 0xac, 0x92, 0x27, 0xf2,
+ 0x10, 0x7e, 0xdb, 0x21, 0xbd, 0x73, 0x73, 0x5d
+};
+
+static const unsigned char peer2_privk_data[32] = {
+ 0xf8, 0x84, 0x19, 0x69, 0x79, 0x13, 0x0d, 0xbd,
+ 0xb1, 0x76, 0xd7, 0x0e, 0x7e, 0x0f, 0xb6, 0xf4,
+ 0x8c, 0x4a, 0x8c, 0x5f, 0xd8, 0x15, 0x09, 0x0a,
+ 0x71, 0x78, 0x74, 0x92, 0x0f, 0x85, 0xc8, 0x43
+};
+
+static const unsigned char expected_result[32] = {
+ 0x19, 0x71, 0x26, 0x12, 0x74, 0xb5, 0xb1, 0xce,
+ 0x77, 0xd0, 0x79, 0x24, 0xb6, 0x0a, 0x5c, 0x72,
+ 0x0c, 0xa6, 0x56, 0xc0, 0x11, 0xeb, 0x43, 0x11,
+ 0x94, 0x3b, 0x01, 0x45, 0xca, 0x19, 0xfe, 0x09
+};
+
+typedef struct peer_data_st {
+ const char *name; /* name of peer */
+ EVP_PKEY *privk; /* privk generated for peer */
+ unsigned char pubk_data[32]; /* generated pubk to send to other peer */
+
+ unsigned char *secret; /* allocated shared secret buffer */
+ size_t secret_len;
+} PEER_DATA;
+
+/*
+ * Prepare for X25519 key exchange. The public key to be sent to the remote peer
+ * is put in pubk_data, which should be a 32-byte buffer. Returns 1 on success.
+ */
+static int keyexch_x25519_before(
+ OSSL_LIB_CTX *libctx,
+ const unsigned char *kat_privk_data,
+ PEER_DATA *local_peer)
+{
+ int rv = 0;
+ size_t pubk_data_len = 0;
+
+ /* Generate or load X25519 key for the peer */
+ if (kat_privk_data != NULL)
+ local_peer->privk =
+ EVP_PKEY_new_raw_private_key_ex(libctx, "X25519", propq,
+ kat_privk_data,
+ sizeof(peer1_privk_data));
+ else
+ local_peer->privk = EVP_PKEY_Q_keygen(libctx, propq, "X25519");
+
+ if (local_peer->privk == NULL) {
+ fprintf(stderr, "Could not load or generate private key\n");
+ goto end;
+ }
+
+ /* Get public key corresponding to the private key */
+ if (EVP_PKEY_get_octet_string_param(local_peer->privk,
+ OSSL_PKEY_PARAM_PUB_KEY,
+ local_peer->pubk_data,
+ sizeof(local_peer->pubk_data),
+ &pubk_data_len) == 0) {
+ fprintf(stderr, "EVP_PKEY_get_octet_string_param() failed\n");
+ goto end;
+ }
+
+ /* X25519 public keys are always 32 bytes */
+ if (pubk_data_len != 32) {
+ fprintf(stderr, "EVP_PKEY_get_octet_string_param() "
+ "yielded wrong length\n");
+ goto end;
+ }
+
+ rv = 1;
+end:
+ if (rv == 0) {
+ EVP_PKEY_free(local_peer->privk);
+ local_peer->privk = NULL;
+ }
+
+ return rv;
+}
+
+/*
+ * Complete X25519 key exchange. remote_peer_pubk_data should be the 32 byte
+ * public key value received from the remote peer. On success, returns 1 and the
+ * secret is pointed to by *secret. The caller must free it.
+ */
+static int keyexch_x25519_after(
+ OSSL_LIB_CTX *libctx,
+ int use_kat,
+ PEER_DATA *local_peer,
+ const unsigned char *remote_peer_pubk_data)
+{
+ int rv = 0;
+ EVP_PKEY *remote_peer_pubk = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+
+ local_peer->secret = NULL;
+
+ /* Load public key for remote peer. */
+ remote_peer_pubk =
+ EVP_PKEY_new_raw_public_key_ex(libctx, "X25519", propq,
+ remote_peer_pubk_data, 32);
+ if (remote_peer_pubk == NULL) {
+ fprintf(stderr, "EVP_PKEY_new_raw_public_key_ex() failed\n");
+ goto end;
+ }
+
+ /* Create key exchange context. */
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, local_peer->privk, propq);
+ if (ctx == NULL) {
+ fprintf(stderr, "EVP_PKEY_CTX_new_from_pkey() failed\n");
+ goto end;
+ }
+
+ /* Initialize derivation process. */
+ if (EVP_PKEY_derive_init(ctx) == 0) {
+ fprintf(stderr, "EVP_PKEY_derive_init() failed\n");
+ goto end;
+ }
+
+ /* Configure each peer with the other peer's public key. */
+ if (EVP_PKEY_derive_set_peer(ctx, remote_peer_pubk) == 0) {
+ fprintf(stderr, "EVP_PKEY_derive_set_peer() failed\n");
+ goto end;
+ }
+
+ /* Determine the secret length. */
+ if (EVP_PKEY_derive(ctx, NULL, &local_peer->secret_len) == 0) {
+ fprintf(stderr, "EVP_PKEY_derive() failed\n");
+ goto end;
+ }
+
+ /*
+ * We are using X25519, so the secret generated will always be 32 bytes.
+ * However for exposition, the code below demonstrates a generic
+ * implementation for arbitrary lengths.
+ */
+ if (local_peer->secret_len != 32) { /* unreachable */
+ fprintf(stderr, "Secret is always 32 bytes for X25519\n");
+ goto end;
+ }
+
+ /* Allocate memory for shared secrets. */
+ local_peer->secret = OPENSSL_malloc(local_peer->secret_len);
+ if (local_peer->secret == NULL) {
+ fprintf(stderr, "Could not allocate memory for secret\n");
+ goto end;
+ }
+
+ /* Derive the shared secret. */
+ if (EVP_PKEY_derive(ctx, local_peer->secret,
+ &local_peer->secret_len) == 0) {
+ fprintf(stderr, "EVP_PKEY_derive() failed\n");
+ goto end;
+ }
+
+ printf("Shared secret (%s):\n", local_peer->name);
+ BIO_dump_indent_fp(stdout, local_peer->secret, local_peer->secret_len, 2);
+ putchar('\n');
+
+ rv = 1;
+end:
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(remote_peer_pubk);
+ if (rv == 0) {
+ OPENSSL_clear_free(local_peer->secret, local_peer->secret_len);
+ local_peer->secret = NULL;
+ }
+
+ return rv;
+}
+
+static int keyexch_x25519(int use_kat)
+{
+ int rv = 0;
+ OSSL_LIB_CTX *libctx = NULL;
+ PEER_DATA peer1 = {"peer 1"}, peer2 = {"peer 2"};
+
+ /*
+ * Each peer generates its private key and sends its public key
+ * to the other peer. The private key is stored locally for
+ * later use.
+ */
+ if (keyexch_x25519_before(libctx, use_kat ? peer1_privk_data : NULL,
+ &peer1) == 0)
+ return 0;
+
+ if (keyexch_x25519_before(libctx, use_kat ? peer2_privk_data : NULL,
+ &peer2) == 0)
+ return 0;
+
+ /*
+ * Each peer uses the other peer's public key to perform key exchange.
+ * After this succeeds, each peer has the same secret in its
+ * PEER_DATA.
+ */
+ if (keyexch_x25519_after(libctx, use_kat, &peer1, peer2.pubk_data) == 0)
+ return 0;
+
+ if (keyexch_x25519_after(libctx, use_kat, &peer2, peer1.pubk_data) == 0)
+ return 0;
+
+ /*
+ * Here we demonstrate the secrets are equal for exposition purposes.
+ *
+ * Although in practice you will generally not need to compare secrets
+ * produced through key exchange, if you do compare cryptographic secrets,
+ * always do so using a constant-time function such as CRYPTO_memcmp, never
+ * using memcmp(3).
+ */
+ if (CRYPTO_memcmp(peer1.secret, peer2.secret, peer1.secret_len) != 0) {
+ fprintf(stderr, "Negotiated secrets do not match\n");
+ goto end;
+ }
+
+ /* If we are doing the KAT, the secret should equal our reference result. */
+ if (use_kat && CRYPTO_memcmp(peer1.secret, expected_result,
+ peer1.secret_len) != 0) {
+ fprintf(stderr, "Did not get expected result\n");
+ goto end;
+ }
+
+ rv = 1;
+end:
+ /* The secrets are sensitive, so ensure they are erased before freeing. */
+ OPENSSL_clear_free(peer1.secret, peer1.secret_len);
+ OPENSSL_clear_free(peer2.secret, peer2.secret_len);
+
+ EVP_PKEY_free(peer1.privk);
+ EVP_PKEY_free(peer2.privk);
+ OSSL_LIB_CTX_free(libctx);
+ return rv;
+}
+
+int main(int argc, char **argv)
+{
+ /* Test X25519 key exchange with known result. */
+ printf("Key exchange using known answer (deterministic):\n");
+ if (keyexch_x25519(1) == 0)
+ return 1;
+
+ /* Test X25519 key exchange with random keys. */
+ printf("Key exchange using random keys:\n");
+ if (keyexch_x25519(0) == 0)
+ return 1;
+
+ return 0;
+}
diff --git a/deps/openssl/openssl/demos/mac/Makefile b/deps/openssl/openssl/demos/mac/Makefile
new file mode 100644
index 00000000000000..86fb323291d21e
--- /dev/null
+++ b/deps/openssl/openssl/demos/mac/Makefile
@@ -0,0 +1,23 @@
+# Quick instruction:
+# To build against an OpenSSL built in the source tree, do this:
+#
+# make OPENSSL_INCS_LOCATION=-I../../include OPENSSL_LIBS_LOCATION=-L../..
+#
+# To run the demos when linked with a shared library (default):
+#
+# LD_LIBRARY_PATH=../.. ./gmac
+# LD_LIBRARY_PATH=../.. ./poly1305
+
+CFLAGS = $(OPENSSL_INCS_LOCATION) -Wall
+LDFLAGS = $(OPENSSL_LIBS_LOCATION) -lssl -lcrypto
+
+all: gmac poly1305
+
+gmac: gmac.o
+poly1305: poly1305.o
+
+gmac poly1305:
+ $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
+
+clean:
+ $(RM) gmac poly1305 *.o
diff --git a/deps/openssl/openssl/demos/mac/poly1305.c b/deps/openssl/openssl/demos/mac/poly1305.c
new file mode 100644
index 00000000000000..1aa95e583dadde
--- /dev/null
+++ b/deps/openssl/openssl/demos/mac/poly1305.c
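Review bot: In keyexch_x25519() of the X25519 demo, the four early `return 0;` statements after the keyexch_x25519_before() and keyexch_x25519_after() calls skip the `end:` cleanup, so a failure in a later step leaves peer 1's private key, and possibly an already derived shared secret, allocated and unscrubbed. Because `peer1` and `peer2` are initialised with only the name set, their other fields start as NULL/0 and the cleanup calls under `end:` are safe on them, so each of those statements can become `goto end;`. In keyexch_x25519_before() the key length is passed as `sizeof(peer1_privk_data)` even when peer 2's key is loaded; a named constant for the 32-byte X25519 key size would say what is meant. The `use_kat` parameter of keyexch_x25519_after() is not used in its body.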
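Review bot: The `all:` target of the new demos/mac Makefile lists only `gmac poly1305`, while this commit also adds demos/mac/siphash.c, so the SipHash demo is not compiled by `make` and a build break in it would go unnoticed. Adding `siphash` to `all:`, a `siphash: siphash.o` line, and the name to the link and `clean` rules would cover it. The header comment could then list `LD_LIBRARY_PATH=../.. ./siphash` next to the other run examples.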
@@ -0,0 +1,209 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/*
+ * This is a demonstration of how to compute Poly1305-AES using the OpenSSL
+ * Poly1305 and AES providers and the EVP API.
+ *
+ * Please note that:
+ *
+ * - Poly1305 must never be used alone and must be used in conjunction with
+ * another primitive which processes the input nonce to be secure;
+ *
+ * - you must never pass a nonce to the Poly1305 primitive directly;
+ *
+ * - Poly1305 exhibits catastrophic failure (that is, can be broken) if a
+ * nonce is ever reused for a given key.
+ *
+ * If you are looking for a general purpose MAC, you should consider using a
+ * different MAC and looking at one of the other examples, unless you have a
+ * good familiarity with the details and caveats of Poly1305.
+ *
+ * This example uses AES, as described in the original paper, "The Poly1305-AES
+ * message authentication code":
+ * https://cr.yp.to/mac/poly1305-20050329.pdf
+ *
+ * The test vectors below are from that paper.
+ */
+
+/*
+ * Hard coding the key into an application is very bad.
+ * It is done here solely for educational purposes.
+ * These are the "r" and "k" inputs to Poly1305-AES.
+ */
+static const unsigned char test_r[] = {
+ 0x85, 0x1f, 0xc4, 0x0c, 0x34, 0x67, 0xac, 0x0b,
+ 0xe0, 0x5c, 0xc2, 0x04, 0x04, 0xf3, 0xf7, 0x00
+};
+
+static const unsigned char test_k[] = {
+ 0xec, 0x07, 0x4c, 0x83, 0x55, 0x80, 0x74, 0x17,
+ 0x01, 0x42, 0x5b, 0x62, 0x32, 0x35, 0xad, 0xd6
+};
+
+/*
+ * Hard coding a nonce must not be done under any circumstances and is done here
+ * purely for demonstration purposes. Please note that Poly1305 exhibits
+ * catastrophic failure (that is, can be broken) if a nonce is ever reused for a
+ * given key.
+ */
+static const unsigned char test_n[] = {
+ 0xfb, 0x44, 0x73, 0x50, 0xc4, 0xe8, 0x68, 0xc5,
+ 0x2a, 0xc3, 0x27, 0x5c, 0xf9, 0xd4, 0x32, 0x7e
+};
+
+/* Input message. */
+static const unsigned char test_m[] = {
+ 0xf3, 0xf6
+};
+
+static const unsigned char expected_output[] = {
+ 0xf4, 0xc6, 0x33, 0xc3, 0x04, 0x4f, 0xc1, 0x45,
+ 0xf8, 0x4f, 0x33, 0x5c, 0xb8, 0x19, 0x53, 0xde
+};
+
+/*
+ * A property query used for selecting the POLY1305 implementation.
+ */
+static char *propq = NULL;
+
+int main(int argc, char **argv)
+{
+ int rv = EXIT_FAILURE;
+ EVP_CIPHER *aes = NULL;
+ EVP_CIPHER_CTX *aesctx = NULL;
+ EVP_MAC *mac = NULL;
+ EVP_MAC_CTX *mctx = NULL;
+ unsigned char composite_key[32];
+ unsigned char out[16];
+ OSSL_LIB_CTX *library_context = NULL;
+ size_t out_len = 0;
+ int aes_len = 0;
+
+ library_context = OSSL_LIB_CTX_new();
+ if (library_context == NULL) {
+ fprintf(stderr, "OSSL_LIB_CTX_new() returned NULL\n");
+ goto end;
+ }
+
+ /* Fetch the Poly1305 implementation */
+ mac = EVP_MAC_fetch(library_context, "POLY1305", propq);
+ if (mac == NULL) {
+ fprintf(stderr, "EVP_MAC_fetch() returned NULL\n");
+ goto end;
+ }
+
+ /* Create a context for the Poly1305 operation */
+ mctx = EVP_MAC_CTX_new(mac);
+ if (mctx == NULL) {
+ fprintf(stderr, "EVP_MAC_CTX_new() returned NULL\n");
+ goto end;
+ }
+
+ /* Fetch the AES implementation */
+ aes = EVP_CIPHER_fetch(library_context, "AES-128-ECB", propq);
+ if (aes == NULL) {
+ fprintf(stderr, "EVP_CIPHER_fetch() returned NULL\n");
+ goto end;
+ }
+
+ /* Create a context for AES */
+ aesctx = EVP_CIPHER_CTX_new();
+ if (aesctx == NULL) {
+ fprintf(stderr, "EVP_CIPHER_CTX_new() returned NULL\n");
+ goto end;
+ }
+
+ /* Initialize the AES cipher with the 128-bit key k */
+ if (!EVP_EncryptInit_ex(aesctx, aes, NULL, test_k, NULL)) {
+ fprintf(stderr, "EVP_EncryptInit_ex() failed\n");
+ goto end;
+ }
+
+ /*
+ * Disable padding for the AES cipher. We do not strictly need to do this as
+ * we are encrypting a single block and thus there are no alignment or
+ * padding concerns, but this ensures that the operation below fails if
+ * padding would be required for some reason, which in this circumstance
+ * would indicate an implementation bug.
+ */
+ if (!EVP_CIPHER_CTX_set_padding(aesctx, 0)) {
+ fprintf(stderr, "EVP_CIPHER_CTX_set_padding() failed\n");
+ goto end;
+ }
+
+ /*
+ * Computes the value AES_k(n) which we need for our Poly1305-AES
+ * computation below.
+ */
+ if (!EVP_EncryptUpdate(aesctx, composite_key + 16, &aes_len,
+ test_n, sizeof(test_n))) {
+ fprintf(stderr, "EVP_EncryptUpdate() failed\n");
+ goto end;
+ }
+
+ /*
+ * The Poly1305 provider expects the key r to be passed as the first 16
+ * bytes of the "key" and the processed nonce (that is, AES_k(n)) to be
+ * passed as the second 16 bytes of the "key". We already put the processed
+ * nonce in the correct place above, so copy r into place.
+ */
+ memcpy(composite_key, test_r, 16);
+
+ /* Initialise the Poly1305 operation */
+ if (!EVP_MAC_init(mctx, composite_key, sizeof(composite_key), NULL)) {
+ fprintf(stderr, "EVP_MAC_init() failed\n");
+ goto end;
+ }
+
+ /* Make one or more calls to process the data to be authenticated */
+ if (!EVP_MAC_update(mctx, test_m, sizeof(test_m))) {
+ fprintf(stderr, "EVP_MAC_update() failed\n");
+ goto end;
+ }
+
+ /* Make one call to the final to get the MAC */
+ if (!EVP_MAC_final(mctx, out, &out_len, sizeof(out))) {
+ fprintf(stderr, "EVP_MAC_final() failed\n");
+ goto end;
+ }
+
+ printf("Generated MAC:\n");
+ BIO_dump_indent_fp(stdout, out, out_len, 2);
+ putchar('\n');
+
+ if (out_len != sizeof(expected_output)) {
+ fprintf(stderr, "Generated MAC has an unexpected length\n");
+ goto end;
+ }
+
+ if (CRYPTO_memcmp(expected_output, out, sizeof(expected_output)) != 0) {
+ fprintf(stderr, "Generated MAC does not match expected value\n");
+ goto end;
+ }
+
+ rv = EXIT_SUCCESS;
+end:
+ EVP_CIPHER_CTX_free(aesctx);
+ EVP_CIPHER_free(aes);
+ EVP_MAC_CTX_free(mctx);
+ EVP_MAC_free(mac);
+ OSSL_LIB_CTX_free(library_context);
+ if (rv != EXIT_SUCCESS)
+ ERR_print_errors_fp(stderr);
+ return rv;
+}
diff --git a/deps/openssl/openssl/demos/mac/siphash.c b/deps/openssl/openssl/demos/mac/siphash.c
new file mode 100644
index 00000000000000..4d36a9d4868b86
--- /dev/null
+++ b/deps/openssl/openssl/demos/mac/siphash.c
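Review bot: In the Poly1305 demo's main(), `composite_key` ends up holding r and AES_k(n), the complete one-time Poly1305 key, and is left on the stack when the function returns; a call such as `OPENSSL_cleanse(composite_key, sizeof(composite_key));` under `end:` would match the scrub-before-free handling the X25519 demo in this commit shows. The output of EVP_EncryptUpdate() is also used without looking at `aes_len`; an `if (aes_len != 16)` check that jumps to `end` would catch a short write before the buffer is passed to EVP_MAC_init().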
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+/*
+ * Taken from the test vector from the paper "SipHash: a fast short-input PRF".
+ * https://www.aumasson.jp/siphash/siphash.pdf
+ */
+
+/*
+ * Hard coding the key into an application is very bad.
+ * It is done here solely for educational purposes.
+ */
+static unsigned char key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+};
+
+static unsigned char data[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e
+};
+
+static const unsigned char expected_output[] = {
+ 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1
+};
+
+/*
+ * A property query used for selecting the SIPHASH implementation.
+ */
+static char *propq = NULL;
+
+int main(int argc, char **argv)
+{
+ int rv = EXIT_FAILURE;
+ EVP_MAC *mac = NULL;
+ EVP_MAC_CTX *mctx = NULL;
+ unsigned char out[8];
+ OSSL_PARAM params[4], *p = params;
+ OSSL_LIB_CTX *library_context = NULL;
+ unsigned int digest_len = 8, c_rounds = 2, d_rounds = 4;
+ size_t out_len = 0;
+
+ library_context = OSSL_LIB_CTX_new();
+ if (library_context == NULL) {
+ fprintf(stderr, "OSSL_LIB_CTX_new() returned NULL\n");
+ goto end;
+ }
+
+ /* Fetch the SipHash implementation */
+ mac = EVP_MAC_fetch(library_context, "SIPHASH", propq);
+ if (mac == NULL) {
+ fprintf(stderr, "EVP_MAC_fetch() returned NULL\n");
+ goto end;
+ }
+
+ /* Create a context for the SipHash operation */
+ mctx = EVP_MAC_CTX_new(mac);
+ if (mctx == NULL) {
+ fprintf(stderr, "EVP_MAC_CTX_new() returned NULL\n");
+ goto end;
+ }
+
+ /* SipHash can support either 8 or 16-byte digests. */
+ *p++ = OSSL_PARAM_construct_uint(OSSL_MAC_PARAM_SIZE, &digest_len);
+
+ /*
+ * The number of C-rounds and D-rounds is configurable. Standard SipHash
+ * uses values of 2 and 4 respectively. The following lines are unnecessary
+ * as they set the default, but demonstrate how to change these values.
+ */
+ *p++ = OSSL_PARAM_construct_uint(OSSL_MAC_PARAM_C_ROUNDS, &c_rounds);
+ *p++ = OSSL_PARAM_construct_uint(OSSL_MAC_PARAM_D_ROUNDS, &d_rounds);
+
+ *p = OSSL_PARAM_construct_end();
+
+ /* Initialise the SIPHASH operation */
+ if (!EVP_MAC_init(mctx, key, sizeof(key), params)) {
+ fprintf(stderr, "EVP_MAC_init() failed\n");
+ goto end;
+ }
+
+ /* Make one or more calls to process the data to be authenticated */
+ if (!EVP_MAC_update(mctx, data, sizeof(data))) {
+ fprintf(stderr, "EVP_MAC_update() failed\n");
+ goto end;
+ }
+
+ /* Make one call to the final to get the MAC */
+ if (!EVP_MAC_final(mctx, out, &out_len, sizeof(out))) {
+ fprintf(stderr, "EVP_MAC_final() failed\n");
+ goto end;
+ }
+
+ printf("Generated MAC:\n");
+ BIO_dump_indent_fp(stdout, out, out_len, 2);
+ putchar('\n');
+
+ if (out_len != sizeof(expected_output)) {
+ fprintf(stderr, "Generated MAC has an unexpected length\n");
+ goto end;
+ }
+
+ if (CRYPTO_memcmp(expected_output, out, sizeof(expected_output)) != 0) {
+ fprintf(stderr, "Generated MAC does not match expected value\n");
+ goto end;
+ }
+
+ rv = EXIT_SUCCESS;
+end:
+ EVP_MAC_CTX_free(mctx);
+ EVP_MAC_free(mac);
+ OSSL_LIB_CTX_free(library_context);
+ if (rv != EXIT_SUCCESS)
+ ERR_print_errors_fp(stderr);
+ return rv;
+}
diff --git a/deps/openssl/openssl/demos/pkey/EVP_PKEY_EC_keygen.c b/deps/openssl/openssl/demos/pkey/EVP_PKEY_EC_keygen.c
index 14efaea53ac823..fa862bdaa07ef6 100644
--- a/deps/openssl/openssl/demos/pkey/EVP_PKEY_EC_keygen.c
+++ b/deps/openssl/openssl/demos/pkey/EVP_PKEY_EC_keygen.c
@@ -1,5 +1,5 @@ /*- - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy
@@ -89,7 +89,7 @@ static int get_key_values(EVP_PKEY *pkey) unsigned char out_pubkey[80]; unsigned char out_privkey[80]; BIGNUM *out_priv = NULL; - size_t i, out_pubkey_len, out_privkey_len = 0; + size_t out_pubkey_len, out_privkey_len = 0; if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, out_curvename, sizeof(out_curvename),
diff --git a/deps/openssl/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c b/deps/openssl/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c
new file mode 100644
index 00000000000000..fbecfb6bdb0ab7
--- /dev/null
+++ b/deps/openssl/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c
@@ -0,0 +1,289 @@
+/*-
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Example showing how to generate an RSA key pair.
+ *
+ * When generating an RSA key, you must specify the number of bits in the key. A
+ * reasonable value would be 4096. Avoid using values below 2048. These values
+ * are reasonable as of 2022.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* A property query used for selecting algorithm implementations. */
+static const char *propq = NULL;
+
+/*
+ * Generates an RSA public-private key pair and returns it.
+ * The number of bits is specified by the bits argument.
+ *
+ * This uses the long way of generating an RSA key.
+ */
+static EVP_PKEY *generate_rsa_key_long(OSSL_LIB_CTX *libctx, unsigned int bits)
+{
+ EVP_PKEY_CTX *genctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ unsigned int primes = 2;
+
+ /* Create context using RSA algorithm. "RSA-PSS" could also be used here. */
+ genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", propq);
+ if (genctx == NULL) {
+ fprintf(stderr, "EVP_PKEY_CTX_new_from_name() failed\n");
+ goto cleanup;
+ }
+
+ /* Initialize context for key generation purposes. */
+ if (EVP_PKEY_keygen_init(genctx) <= 0) {
+ fprintf(stderr, "EVP_PKEY_keygen_init() failed\n");
+ goto cleanup;
+ }
+
+ /*
+ * Here we set the number of bits to use in the RSA key.
+ * See comment at top of file for information on appropriate values.
+ */
+ if (EVP_PKEY_CTX_set_rsa_keygen_bits(genctx, bits) <= 0) {
+ fprintf(stderr, "EVP_PKEY_CTX_set_rsa_keygen_bits() failed\n");
+ goto cleanup;
+ }
+
+ /*
+ * It is possible to create an RSA key using more than two primes.
+ * Do not do this unless you know why you need this.
+ * You ordinarily do not need to specify this, as the default is two.
+ *
+ * Both of these parameters can also be set via EVP_PKEY_CTX_set_params, but
+ * these functions provide a more concise way to do so.
+ */
+ if (EVP_PKEY_CTX_set_rsa_keygen_primes(genctx, primes) <= 0) {
+ fprintf(stderr, "EVP_PKEY_CTX_set_rsa_keygen_primes() failed\n");
+ goto cleanup;
+ }
+
+ /*
+ * Generating an RSA key with a number of bits large enough to be secure for
+ * modern applications can take a fairly substantial amount of time (e.g.
+ * one second). If you require fast key generation, consider using an EC key
+ * instead.
+ *
+ * If you require progress information during the key generation process,
+ * you can set a progress callback using EVP_PKEY_set_cb; see the example in
+ * EVP_PKEY_generate(3).
+ */
+ fprintf(stderr, "Generating RSA key, this may take some time...\n");
+ if (EVP_PKEY_generate(genctx, &pkey) <= 0) {
+ fprintf(stderr, "EVP_PKEY_generate() failed\n");
+ goto cleanup;
+ }
+
+ /* pkey is now set to an object representing the generated key pair. */
+
+cleanup:
+ EVP_PKEY_CTX_free(genctx);
+ return pkey;
+}
+
+/*
+ * Generates an RSA public-private key pair and returns it.
+ * The number of bits is specified by the bits argument.
+ *
+ * This uses a more concise way of generating an RSA key, which is suitable for
+ * simple cases. It is used if -s is passed on the command line, otherwise the
+ * long method above is used. The ability to choose between these two methods is
+ * shown here only for demonstration; the results are equivalent.
+ */
+static EVP_PKEY *generate_rsa_key_short(OSSL_LIB_CTX *libctx, unsigned int bits)
+{
+ EVP_PKEY *pkey = NULL;
+
+ fprintf(stderr, "Generating RSA key, this may take some time...\n");
+ pkey = EVP_PKEY_Q_keygen(libctx, propq, "RSA", (size_t)bits);
+
+ if (pkey == NULL)
+ fprintf(stderr, "EVP_PKEY_Q_keygen() failed\n");
+
+ return pkey;
+}
+
+/*
+ * Prints information on an EVP_PKEY object representing an RSA key pair.
+ */
+static int dump_key(const EVP_PKEY *pkey)
+{
+ int rv = 0;
+ int bits = 0;
+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL;
+
+ /*
+ * Retrieve value of n. This value is not secret and forms part of the
+ * public key.
+ *
+ * Calling EVP_PKEY_get_bn_param with a NULL BIGNUM pointer causes
+ * a new BIGNUM to be allocated, so these must be freed subsequently.
+ */
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n) == 0) {
+ fprintf(stderr, "Failed to retrieve n\n");
+ goto cleanup;
+ }
+
+ /*
+ * Retrieve value of e. This value is not secret and forms part of the
+ * public key. It is typically 65537 and need not be changed.
+ */
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &e) == 0) {
+ fprintf(stderr, "Failed to retrieve e\n");
+ goto cleanup;
+ }
+
+ /*
+ * Retrieve value of d. This value is secret and forms part of the private
+ * key. It must not be published.
+ */
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &d) == 0) {
+ fprintf(stderr, "Failed to retrieve d\n");
+ goto cleanup;
+ }
+
+ /*
+ * Retrieve value of the first prime factor, commonly known as p. This value
+ * is secret and forms part of the private key. It must not be published.
+ */
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p) == 0) {
+ fprintf(stderr, "Failed to retrieve p\n");
+ goto cleanup;
+ }
+
+ /*
+ * Retrieve value of the second prime factor, commonly known as q. This value
+ * is secret and forms part of the private key. It must not be published.
+ *
+ * If you are creating an RSA key with more than two primes for special
+ * applications, you can retrieve these primes with
+ * OSSL_PKEY_PARAM_RSA_FACTOR3, etc.
+ */
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &q) == 0) {
+ fprintf(stderr, "Failed to retrieve q\n");
+ goto cleanup;
+ }
+
+ /*
+ * We can also retrieve the key size in bits for informational purposes.
+ */
+ if (EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_BITS, &bits) == 0) {
+ fprintf(stderr, "Failed to retrieve bits\n");
+ goto cleanup;
+ }
+
+ /* Output hexadecimal representations of the BIGNUM objects. */
+ fprintf(stdout, "\nNumber of bits: %d\n\n", bits);
+ fprintf(stderr, "Public values:\n");
+ fprintf(stdout, " n = 0x");
+ BN_print_fp(stdout, n);
+ fprintf(stdout, "\n");
+
+ fprintf(stdout, " e = 0x");
+ BN_print_fp(stdout, e);
+ fprintf(stdout, "\n\n");
+
+ fprintf(stdout, "Private values:\n");
+ fprintf(stdout, " d = 0x");
+ BN_print_fp(stdout, d);
+ fprintf(stdout, "\n");
+
+ fprintf(stdout, " p = 0x");
+ BN_print_fp(stdout, p);
+ fprintf(stdout, "\n");
+
+ fprintf(stdout, " q = 0x");
+ BN_print_fp(stdout, q);
+ fprintf(stdout, "\n\n");
+
+ /* Output a PEM encoding of the public key. */
+ if (PEM_write_PUBKEY(stdout, pkey) == 0) {
+ fprintf(stderr, "Failed to output PEM-encoded public key\n");
+ goto cleanup;
+ }
+
+ /*
+ * Output a PEM encoding of the private key. Please note that this output is
+ * not encrypted. You may wish to use the arguments to specify encryption of
+ * the key if you are storing it on disk. See PEM_write_PrivateKey(3).
+ */
+ if (PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL) == 0) {
+ fprintf(stderr, "Failed to output PEM-encoded private key\n");
+ goto cleanup;
+ }
+
+ rv = 1;
+cleanup:
+ BN_free(n); /* not secret */
+ BN_free(e); /* not secret */
+ BN_clear_free(d); /* secret - scrub before freeing */
+ BN_clear_free(p); /* secret - scrub before freeing */
+ BN_clear_free(q); /* secret - scrub before freeing */
+ return rv;
+}
+
+int main(int argc, char **argv)
+{
+ int rv = 1;
+ OSSL_LIB_CTX *libctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ unsigned int bits = 4096;
+ int bits_i, use_short = 0;
+
+ /* usage: [-s] [] */
+ if (argc > 1 && strcmp(argv[1], "-s") == 0) {
+ --argc;
+ ++argv;
+ use_short = 1;
+ }
+
+ if (argc > 1) {
+ bits_i = atoi(argv[1]);
+ if (bits < 512) {
+ fprintf(stderr, "Invalid RSA key size\n");
+ return 1;
+ }
+
+ bits = (unsigned int)bits_i;
+ }
+
+ /* Avoid using key sizes less than 2048 bits; see comment at top of file. */
+ if (bits < 2048)
+ fprintf(stderr, "Warning: very weak key size\n\n");
+
+ /* Generate RSA key. */
+ if (use_short)
+ pkey = generate_rsa_key_short(libctx, bits);
+ else
+ pkey = generate_rsa_key_long(libctx, bits);
+
+ if (pkey == NULL)
+ goto cleanup;
+
+ /* Dump the integers comprising the key. */
+ if (dump_key(pkey) == 0) {
+ fprintf(stderr, "Failed to dump key\n");
+ goto cleanup;
+ }
+
+ rv = 0;
+cleanup:
+ EVP_PKEY_free(pkey);
+ OSSL_LIB_CTX_free(libctx);
+ return rv;
+}
diff --git a/deps/openssl/openssl/demos/pkey/Makefile b/deps/openssl/openssl/demos/pkey/Makefile
index 35cdca229a89c5..f19c0d14f4e4d9 100644
--- a/deps/openssl/openssl/demos/pkey/Makefile
+++ b/deps/openssl/openssl/demos/pkey/Makefile
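Review bot: The key-size check in the RSA keygen demo's main() tests the wrong variable: `if (bits < 512)` compares the default `bits` (4096) instead of the freshly parsed `bits_i`, so it never fires and a zero, negative or non-numeric argument is cast straight into `bits`. The condition should be `if (bits_i < 512) {`. In dump_key() the "Public values:" heading is written to stderr while the rest of the dump goes to stdout, which splits the output when only one stream is redirected; `fprintf(stdout, "Public values:\n");` would keep it together. Since dump_key() also prints d, p, q and an unencrypted PEM private key to stdout, a comment at the call site saying this output must not be logged or captured outside a demo would be worth adding.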
@@ -2,19 +2,22 @@ # To run the demos when linked with a shared library (default): # # LD_LIBRARY_PATH=../.. ./EVP_PKEY_EC_keygen +# LD_LIBRARY_PATH=../.. ./EVP_PKEY_RSA_keygen -CFLAGS = -I../../include -g +CFLAGS = -I../../include -g -Wall LDFLAGS = -L../.. LDLIBS = -lcrypto -all: EVP_PKEY_EC_keygen +all: EVP_PKEY_EC_keygen EVP_PKEY_RSA_keygen %.o: %.c $(CC) $(CFLAGS) -c $< EVP_PKEY_EC_keygen: EVP_PKEY_EC_keygen.o +EVP_PKEY_RSA_keygen: EVP_PKEY_RSA_keygen.o + test: ; clean: - $(RM) *.o EVP_PKEY_EC_keygen + $(RM) *.o EVP_PKEY_EC_keygen EVP_PKEY_RSA_keygen
diff --git a/deps/openssl/openssl/demos/signature/Makefile b/deps/openssl/openssl/demos/signature/Makefile
index b4071c2edcd884..563ec7799fb8b4 100644
--- a/deps/openssl/openssl/demos/signature/Makefile
+++ b/deps/openssl/openssl/demos/signature/Makefile
@@ -3,18 +3,20 @@ # # LD_LIBRARY_PATH=../.. ./EVP_Signature_demo -CFLAGS = -I../../include -g +CFLAGS = -I../../include -g -Wall LDFLAGS = -L../.. LDLIBS = -lcrypto -all: EVP_Signature_demo +all: EVP_Signature_demo rsa_pss_direct rsa_pss_hash %.o: %.c $(CC) $(CFLAGS) -c $< EVP_Signature_demo: EVP_Signature_demo.o +rsa_pss_direct: rsa_pss_direct.o +rsa_pss_hash: rsa_pss_hash.o test: ; clean: - $(RM) *.o EVP_Signature_demo + $(RM) *.o EVP_Signature_demo rsa_pss_direct rsa_pss_hash
diff --git a/deps/openssl/openssl/demos/signature/rsa_pss.h b/deps/openssl/openssl/demos/signature/rsa_pss.h
new file mode 100644
index 00000000000000..bdab9f891e3c0a
--- /dev/null
+++ b/deps/openssl/openssl/demos/signature/rsa_pss.h
@@ -0,0 +1,256 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* 4096-bit RSA private key, DER. */ +static const unsigned char rsa_priv_key[] = { + 0x30, 0x82, 0x09, 0x28, 0x02, 0x01, 0x00, 0x02, 0x82, 0x02, 0x01, 0x00, + 0xa3, 0x14, 0xe4, 0xb8, 0xd8, 0x58, 0x0d, 0xab, 0xd7, 0x87, 0xa4, 0xf6, + 0x84, 0x51, 0x74, 0x60, 0x4c, 0xe3, 0x60, 0x28, 0x89, 0x49, 0x65, 0x18, + 0x5c, 0x8f, 0x1a, 0x1b, 0xe9, 0xdb, 0xc1, 0xc1, 0xf7, 0x08, 0x27, 0x44, + 0xe5, 0x9d, 0x9a, 0x33, 0xc3, 0xac, 0x5a, 0xca, 0xba, 0x20, 0x5a, 0x9e, + 0x3a, 0x18, 0xb5, 0x3d, 0xe3, 0x9d, 0x94, 0x58, 0xa7, 0xa9, 0x5a, 0x0b, + 0x4f, 0xb8, 0xe5, 0xa3, 0x7b, 0x01, 0x11, 0x0f, 0x16, 0x11, 0xb8, 0x65, + 0x2f, 0xa8, 0x95, 0xf7, 0x58, 0x2c, 0xec, 0x1d, 0x41, 0xad, 0xd1, 0x12, + 0xca, 0x4a, 0x80, 0x35, 0x35, 0x43, 0x7e, 0xe0, 0x97, 0xfc, 0x86, 0x8f, + 0xcf, 0x4b, 0xdc, 0xbc, 0x15, 0x2c, 0x8e, 0x90, 0x84, 0x26, 0x83, 0xc1, + 0x96, 0x97, 0xf4, 0xd7, 0x90, 0xce, 0xfe, 0xd4, 0xf3, 0x70, 0x22, 0xa8, + 0xb0, 0x1f, 0xed, 0x08, 0xd7, 0xc5, 0xc0, 0xd6, 0x41, 0x6b, 0x24, 0x68, + 0x5c, 0x07, 0x1f, 0x44, 0x97, 0xd8, 0x6e, 0x18, 0x93, 0x67, 0xc3, 0xba, + 0x3a, 0xaf, 0xfd, 0xc2, 0x65, 0x00, 0x21, 0x63, 0xdf, 0xb7, 0x28, 0x68, + 0xd6, 0xc0, 0x20, 0x86, 0x92, 0xed, 0x68, 0x6a, 0x27, 0x3a, 0x07, 0xec, + 0x66, 0x00, 0xfe, 0x51, 0x51, 0x86, 0x41, 0x6f, 0x83, 0x69, 0xd2, 0xf0, + 0xe6, 0xf7, 0x61, 0xda, 0x12, 0x45, 0x53, 0x09, 0xdf, 0xf8, 0x42, 0xc7, + 0x30, 0x6a, 0xe5, 0xd8, 0x2b, 0xa2, 0x49, 0x7a, 0x05, 0x10, 0xee, 0xb2, + 0x59, 0x0a, 0xe5, 0xbe, 0xf8, 0x4d, 0x0f, 0xa8, 0x9e, 0x63, 0x81, 0x39, + 0x32, 0xaa, 0xfd, 0xa8, 0x03, 0xf6, 0xd8, 0xc6, 0xaa, 0x02, 0x93, 0x03, + 0xeb, 0x15, 0xd3, 0x38, 0xc8, 0x1a, 0x78, 0xcf, 0xf3, 0xa7, 0x9f, 0x98, + 
0x4b, 0x91, 0x5b, 0x79, 0xf8, 0x4e, 0x53, 0xaf, 0x0c, 0x65, 0xe9, 0xb0, + 0x93, 0xc2, 0xcb, 0x5d, 0x3c, 0x5f, 0x6e, 0x39, 0xd2, 0x58, 0x23, 0x50, + 0xe5, 0x2e, 0xef, 0x12, 0x00, 0xa4, 0x59, 0x13, 0x2b, 0x2f, 0x2c, 0x0a, + 0x7b, 0x36, 0x89, 0xc5, 0xe5, 0x8f, 0x95, 0x5e, 0x14, 0x0f, 0x0f, 0x94, + 0x5a, 0xe9, 0xdc, 0x0b, 0x49, 0x14, 0xbe, 0x0a, 0x70, 0x45, 0xc1, 0x7c, + 0xbf, 0x83, 0x70, 0xfd, 0x3d, 0x99, 0xe6, 0x8a, 0xf5, 0x9c, 0x09, 0x71, + 0x84, 0x9a, 0x18, 0xa0, 0xe0, 0x6c, 0x43, 0x5c, 0x7e, 0x48, 0x33, 0xc8, + 0xbe, 0x5d, 0xdd, 0xd8, 0x77, 0xe3, 0xe7, 0x6b, 0x34, 0x4b, 0xa2, 0xb7, + 0x54, 0x07, 0x72, 0x2e, 0xab, 0xa9, 0x91, 0x1e, 0x4b, 0xe3, 0xb5, 0xd8, + 0xfa, 0x35, 0x64, 0x8a, 0xe9, 0x03, 0xa1, 0xa8, 0x26, 0xbd, 0x72, 0x58, + 0x10, 0x6a, 0xec, 0x1a, 0xf6, 0x1e, 0xb8, 0xc0, 0x46, 0x19, 0x31, 0x2c, + 0xca, 0xf9, 0x6a, 0xd7, 0x2e, 0xd0, 0xa7, 0x2c, 0x60, 0x58, 0xc4, 0x8f, + 0x46, 0x63, 0x61, 0x8d, 0x29, 0x6f, 0xe2, 0x5f, 0xe2, 0x43, 0x90, 0x9c, + 0xe6, 0xfc, 0x08, 0x41, 0xc8, 0xb5, 0x23, 0x56, 0x24, 0x3e, 0x3a, 0x2c, + 0x41, 0x22, 0x43, 0xda, 0x22, 0x15, 0x2b, 0xad, 0xd0, 0xfa, 0xc8, 0x47, + 0x44, 0xe6, 0x2a, 0xf9, 0x38, 0x90, 0x13, 0x62, 0x22, 0xea, 0x06, 0x8c, + 0x44, 0x9c, 0xd6, 0xca, 0x50, 0x93, 0xe9, 0xd4, 0x03, 0xd8, 0x3e, 0x71, + 0x36, 0x4b, 0xaa, 0xab, 0xbb, 0xe2, 0x48, 0x66, 0x26, 0x53, 0xb1, 0x6d, + 0x3b, 0x82, 0x2c, 0x8c, 0x25, 0x05, 0xf0, 0xf8, 0xcf, 0x55, 0xbf, 0x8e, + 0x29, 0xf7, 0x54, 0x5b, 0x6f, 0x30, 0x54, 0xa6, 0xad, 0x46, 0xff, 0x22, + 0x95, 0xb1, 0x87, 0x98, 0x00, 0x51, 0x69, 0x15, 0x07, 0xbd, 0x3d, 0x9c, + 0x6e, 0xaa, 0xaa, 0x3b, 0x0b, 0x74, 0x65, 0x4c, 0x04, 0xe0, 0x80, 0x3e, + 0xaf, 0x5e, 0x10, 0xd6, 0x9b, 0x28, 0x37, 0x6f, 0x02, 0x03, 0x01, 0x00, + 0x01, 0x02, 0x82, 0x02, 0x00, 0x09, 0x6e, 0xf8, 0xf8, 0x14, 0x53, 0xab, + 0x9e, 0xc8, 0x1d, 0xe9, 0x95, 0xf4, 0xfb, 0x7d, 0x3e, 0xe0, 0xd3, 0xba, + 0x49, 0x3d, 0xff, 0xc7, 0xe0, 0x4b, 0xe2, 0x5f, 0x41, 0x44, 0x1a, 0xd9, + 0x2f, 0x6e, 0x29, 0xc3, 0x93, 0xc1, 0xb0, 0x87, 0x2d, 0xfd, 0x60, 0xa7, + 
0xf3, 0xd8, 0x26, 0x6c, 0xf7, 0x80, 0x26, 0xd3, 0xbd, 0x1b, 0xc0, 0x8e, + 0xc7, 0x3e, 0x13, 0x96, 0xc8, 0xd6, 0xb8, 0xbc, 0x57, 0xe3, 0x92, 0xa1, + 0x38, 0xfd, 0x2e, 0xd3, 0x3a, 0xcf, 0x31, 0xf2, 0x52, 0xd7, 0x7f, 0xe9, + 0xbc, 0x9b, 0x83, 0x01, 0x78, 0x13, 0xc9, 0x91, 0x77, 0x02, 0x78, 0xc0, + 0x0b, 0x1f, 0xdf, 0x94, 0xad, 0x16, 0xf1, 0xad, 0x78, 0x17, 0xc5, 0x77, + 0x0d, 0xb7, 0x07, 0x3f, 0x51, 0xe0, 0x73, 0x33, 0xcf, 0x90, 0x69, 0xd8, + 0xe5, 0xda, 0x9b, 0x1e, 0xf6, 0x21, 0x12, 0x07, 0xb5, 0x1e, 0x3e, 0x2b, + 0x34, 0x79, 0x9e, 0x48, 0x01, 0xdd, 0x68, 0xf0, 0x0f, 0x18, 0xb5, 0x85, + 0x50, 0xd8, 0x9e, 0x04, 0xfd, 0x6d, 0xcd, 0xa6, 0x61, 0x2b, 0x54, 0x81, + 0x99, 0xf4, 0x63, 0xf4, 0xeb, 0x73, 0x98, 0xb3, 0x88, 0xf5, 0x50, 0xd4, + 0x5c, 0x67, 0x9e, 0x7c, 0xbc, 0xd8, 0xfd, 0xaf, 0xb8, 0x66, 0x7d, 0xdc, + 0xa5, 0x25, 0xb5, 0xe6, 0x64, 0xd7, 0x07, 0x72, 0x5a, 0x99, 0xf9, 0xf6, + 0x9e, 0xb8, 0x9c, 0xf4, 0xc7, 0xee, 0xee, 0x10, 0x13, 0x9c, 0x1a, 0x8c, + 0x23, 0x89, 0xcd, 0x7b, 0xf1, 0x47, 0x23, 0x51, 0x3c, 0xe5, 0xc2, 0x17, + 0x68, 0xca, 0x98, 0xb8, 0xed, 0xe5, 0x17, 0x6d, 0x0a, 0xde, 0x07, 0xd6, + 0x6c, 0x4f, 0x83, 0x4c, 0x9b, 0xca, 0x6a, 0x7d, 0xc8, 0x68, 0x12, 0xd7, + 0xf0, 0x37, 0x88, 0xf7, 0xbb, 0x68, 0x8b, 0xa4, 0xfd, 0xfe, 0x36, 0x11, + 0xb3, 0x2b, 0x85, 0x6d, 0xaa, 0x30, 0x31, 0xf1, 0x6f, 0x80, 0x72, 0x42, + 0x23, 0xfe, 0x93, 0x88, 0xcc, 0x1e, 0x4b, 0x53, 0x4f, 0x8e, 0x24, 0x67, + 0x4a, 0x72, 0xb6, 0x3c, 0x13, 0x00, 0x11, 0x4f, 0xe1, 0x30, 0xd6, 0xe7, + 0x45, 0x8f, 0xaf, 0xdd, 0xe5, 0xaa, 0xb7, 0x02, 0x17, 0x04, 0xf8, 0xd2, + 0xc1, 0x7b, 0x6c, 0x92, 0xec, 0x76, 0x94, 0x1b, 0xb0, 0xe4, 0xc3, 0x0c, + 0x9e, 0xee, 0xb5, 0xdc, 0x97, 0xca, 0x10, 0x1d, 0x17, 0x96, 0x45, 0xd4, + 0x04, 0x0c, 0xea, 0xca, 0x45, 0xfc, 0x52, 0x54, 0x82, 0x9b, 0xdf, 0x64, + 0xd6, 0x59, 0x6c, 0x12, 0x70, 0xf0, 0x19, 0xd8, 0x46, 0xbb, 0x08, 0x43, + 0x81, 0xa1, 0x73, 0xa8, 0x00, 0xc9, 0x4e, 0xb9, 0xd5, 0xfd, 0x42, 0x5f, + 0xcf, 0x94, 0x14, 0x18, 0xab, 0x9d, 0x11, 0xd0, 0xbd, 0x44, 0x88, 0x2c, + 
0xd8, 0x29, 0xec, 0x94, 0x70, 0xf9, 0x42, 0x14, 0xf4, 0xb0, 0x3f, 0xfe, + 0x27, 0x16, 0x43, 0x59, 0x90, 0x14, 0x48, 0x61, 0x8c, 0x91, 0xd9, 0x37, + 0x41, 0xef, 0xf1, 0xe9, 0x15, 0x4a, 0x4f, 0x5e, 0x1f, 0x50, 0x25, 0x20, + 0x2d, 0xa6, 0xf8, 0x79, 0x0d, 0x92, 0xb0, 0x00, 0x0b, 0xa2, 0xfb, 0xc3, + 0x7b, 0x0f, 0xa6, 0xff, 0x75, 0x5d, 0x70, 0xaa, 0xcf, 0x0a, 0xdf, 0xe1, + 0xfc, 0x32, 0x53, 0x1e, 0xf6, 0xe6, 0x69, 0x9f, 0x09, 0xd0, 0xc8, 0xab, + 0xaf, 0xec, 0xb0, 0x04, 0xfa, 0x83, 0xe2, 0x29, 0x23, 0x54, 0x37, 0x87, + 0x63, 0x47, 0x75, 0x9b, 0xdb, 0x1f, 0x4f, 0x1b, 0x6b, 0xa6, 0xe2, 0x67, + 0x1c, 0xb4, 0x74, 0x9e, 0x48, 0x77, 0x61, 0xc2, 0x9a, 0x3e, 0x6b, 0x89, + 0xa9, 0x68, 0x74, 0x27, 0x01, 0x29, 0xd6, 0x46, 0xe8, 0x0f, 0xd0, 0x33, + 0x22, 0x00, 0x45, 0x6c, 0xde, 0x32, 0x28, 0x42, 0x57, 0xaf, 0x70, 0x28, + 0xa0, 0xd5, 0x99, 0xbb, 0x1f, 0xd7, 0x3c, 0x84, 0x20, 0x70, 0x1f, 0xe3, + 0xa9, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe6, 0x68, 0xfe, 0x5f, 0x75, 0x71, + 0x2a, 0xd8, 0xcf, 0x0d, 0x1d, 0xf4, 0xa1, 0x06, 0x8b, 0xa5, 0x70, 0x6f, + 0x29, 0x03, 0xf3, 0x50, 0xd3, 0x83, 0x39, 0xf9, 0xf6, 0xe5, 0x79, 0x7a, + 0x29, 0x75, 0xde, 0xda, 0x6a, 0x98, 0x7c, 0x33, 0xf8, 0x64, 0xca, 0x86, + 0x5a, 0xda, 0x55, 0x5b, 0x4d, 0x7b, 0x1a, 0xe5, 0x5d, 0x19, 0x7d, 0xf3, + 0x57, 0x49, 0x3d, 0x7a, 0xe8, 0x3f, 0x5a, 0x40, 0x8c, 0x15, 0xc7, 0xb0, + 0x53, 0xf8, 0x63, 0x42, 0x17, 0x7c, 0x20, 0xb9, 0xfc, 0xff, 0x27, 0xd0, + 0xc2, 0x0c, 0x45, 0x52, 0x1b, 0x75, 0x1f, 0x89, 0x87, 0xc4, 0xa8, 0x07, + 0x3b, 0x73, 0x16, 0xc7, 0xd7, 0x77, 0x2e, 0x47, 0xa2, 0x7d, 0x12, 0xb4, + 0x25, 0x24, 0x5e, 0xa5, 0xb2, 0x12, 0x76, 0x65, 0xd1, 0xcd, 0xa4, 0x66, + 0x33, 0x2d, 0xed, 0xb2, 0x85, 0xb0, 0xb3, 0x33, 0x56, 0x18, 0x5a, 0xb3, + 0x75, 0x43, 0x4d, 0x40, 0x14, 0x22, 0x55, 0xf6, 0x5a, 0x0c, 0x6a, 0xb3, + 0xc3, 0x8a, 0x9b, 0x76, 0x1e, 0x23, 0x8d, 0x4a, 0x8f, 0x38, 0x21, 0x25, + 0x43, 0x45, 0xf6, 0x25, 0x46, 0xdb, 0xae, 0x42, 0x43, 0x74, 0x69, 0x15, + 0x46, 0xf0, 0x3a, 0x41, 0x4f, 0x9f, 0xfe, 0xda, 0x07, 0x0b, 0x38, 0xbe, + 
0x6b, 0xad, 0xc2, 0xef, 0x5b, 0x97, 0x18, 0x42, 0x13, 0xac, 0x13, 0x15, + 0x70, 0x7b, 0xe2, 0x00, 0xbb, 0x41, 0x22, 0x99, 0xe5, 0xd3, 0x67, 0xfe, + 0xfd, 0xbd, 0x8e, 0xc3, 0xca, 0x60, 0x59, 0x3d, 0x8f, 0x85, 0x76, 0x41, + 0xf0, 0xb8, 0x09, 0x1a, 0x48, 0x50, 0xe4, 0x9c, 0x4a, 0x56, 0x02, 0x60, + 0x76, 0xff, 0xde, 0xd4, 0x8e, 0x76, 0xa3, 0x9c, 0x30, 0xb4, 0xa4, 0x73, + 0xe6, 0xb0, 0x70, 0xac, 0x67, 0x5f, 0x25, 0xd2, 0x94, 0xc5, 0x25, 0xb6, + 0xbf, 0xf6, 0x0b, 0xd8, 0x9f, 0x35, 0x8c, 0x20, 0xb6, 0xdd, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xb5, 0x31, 0x9e, 0xa2, 0x10, 0x38, 0xca, 0x2b, 0x07, + 0xc9, 0x3f, 0x0f, 0x18, 0x2c, 0x98, 0x7f, 0x15, 0x87, 0x92, 0x93, 0x2e, + 0xce, 0x6b, 0x11, 0x42, 0x2a, 0x94, 0x3e, 0x31, 0xd0, 0xf5, 0xae, 0x9d, + 0xc7, 0x67, 0x51, 0x3c, 0x0a, 0x52, 0x04, 0x94, 0x86, 0x2e, 0x50, 0x32, + 0xe1, 0x48, 0x83, 0x85, 0xe8, 0x82, 0x04, 0x2f, 0x25, 0xbc, 0xea, 0xfc, + 0x3d, 0x4b, 0xd1, 0x53, 0x90, 0x61, 0x97, 0x47, 0x73, 0xcd, 0x1f, 0xa9, + 0x5a, 0x3f, 0xfb, 0xbf, 0xc3, 0xd5, 0x19, 0xb6, 0xd3, 0x59, 0x57, 0x37, + 0xd9, 0x09, 0x29, 0xd3, 0x80, 0xc4, 0xae, 0x52, 0xce, 0xce, 0x82, 0x29, + 0x6b, 0x95, 0x44, 0x69, 0x33, 0xfd, 0x6a, 0x6d, 0x65, 0xf7, 0xa9, 0xc0, + 0x65, 0x25, 0x91, 0x05, 0xdf, 0x07, 0xbe, 0x61, 0x5c, 0xaa, 0x8f, 0x87, + 0xc8, 0x43, 0xd7, 0x30, 0xd0, 0x8b, 0x25, 0xaf, 0xb8, 0x5d, 0x50, 0x4e, + 0x31, 0x4a, 0xc9, 0x79, 0x56, 0xbf, 0x8d, 0xcc, 0x40, 0xa7, 0xea, 0xd4, + 0xf7, 0x66, 0x86, 0xe2, 0x0b, 0xf3, 0x13, 0xbc, 0xdc, 0x0d, 0x62, 0x28, + 0x4e, 0xb7, 0x31, 0xb4, 0x5a, 0x9b, 0x97, 0x65, 0x76, 0x24, 0xbb, 0xef, + 0x90, 0x1b, 0xdb, 0x93, 0x98, 0xae, 0xce, 0xb0, 0x69, 0x82, 0x49, 0x94, + 0xc0, 0xc3, 0x8f, 0x9c, 0x5d, 0x26, 0x45, 0xa0, 0xad, 0x15, 0x3b, 0x6e, + 0xda, 0x6e, 0x78, 0xc1, 0x78, 0xc3, 0x15, 0x8e, 0x64, 0xaf, 0x50, 0xa6, + 0xb7, 0xd9, 0xfb, 0x8f, 0x68, 0xa0, 0x2d, 0x59, 0xa9, 0xce, 0x5b, 0xa7, + 0x91, 0x36, 0xb8, 0x05, 0x28, 0x31, 0x25, 0xc7, 0x7e, 0xa4, 0x68, 0x9d, + 0xea, 0x5c, 0x71, 0x10, 0x84, 0xab, 0xc4, 0xd7, 0xbe, 0x7d, 0xe9, 0x4a, + 
0x11, 0x22, 0xa6, 0xd5, 0xa3, 0x6e, 0x46, 0x07, 0x70, 0x78, 0xcc, 0xd5, + 0xbc, 0xfe, 0xc4, 0x39, 0x58, 0xf4, 0xbb, 0x02, 0x82, 0x01, 0x01, 0x00, + 0xaa, 0x0c, 0x73, 0x30, 0x20, 0x8d, 0x15, 0x02, 0x4e, 0x4d, 0x6f, 0xfe, + 0x4b, 0x99, 0x79, 0x16, 0xf0, 0x94, 0x19, 0xc1, 0x40, 0xa2, 0x36, 0x78, + 0x73, 0x21, 0x78, 0x86, 0x83, 0xd1, 0x15, 0x28, 0x59, 0x00, 0xfa, 0x0a, + 0xf0, 0x1f, 0xab, 0x03, 0x38, 0x35, 0x50, 0x78, 0x32, 0xe6, 0xdf, 0x98, + 0x2b, 0x91, 0x7b, 0xd4, 0x84, 0x90, 0x43, 0xab, 0x5a, 0x24, 0x8b, 0xa3, + 0xb6, 0x08, 0x4d, 0x5b, 0x05, 0xb5, 0xad, 0x43, 0x74, 0x7e, 0x22, 0xb7, + 0x09, 0xb0, 0x3a, 0x78, 0x55, 0xfa, 0x4c, 0x3c, 0xa2, 0x2c, 0xa6, 0xf7, + 0x19, 0xff, 0x76, 0xa4, 0x3d, 0x1e, 0x99, 0x51, 0xa7, 0x4e, 0x76, 0x47, + 0x0f, 0x70, 0xef, 0x0b, 0x3f, 0xf2, 0x94, 0x36, 0xf3, 0x63, 0x76, 0xb9, + 0x09, 0x88, 0xbb, 0xfe, 0xf9, 0x86, 0x33, 0xdf, 0x81, 0xbe, 0x6f, 0xcc, + 0xa9, 0x75, 0x09, 0xe5, 0x8f, 0x8b, 0x42, 0xd0, 0x19, 0x03, 0x61, 0xd8, + 0xb5, 0x78, 0xcb, 0x9c, 0xbe, 0x63, 0x4d, 0xbd, 0xce, 0x5e, 0xae, 0x7f, + 0xae, 0x97, 0x88, 0x7b, 0xf4, 0x7a, 0x7b, 0xdb, 0xf6, 0x7e, 0x2c, 0x7d, + 0x95, 0x6e, 0x72, 0x3a, 0x48, 0x13, 0xdb, 0xf7, 0x10, 0x07, 0x83, 0xac, + 0xa1, 0x7a, 0x68, 0x18, 0x70, 0x18, 0x99, 0x7f, 0xf4, 0x8e, 0x93, 0x1a, + 0x40, 0x5d, 0x04, 0x07, 0xcb, 0x4d, 0xd7, 0x66, 0x96, 0xb5, 0xd3, 0x7d, + 0x8e, 0xfb, 0xe6, 0x12, 0xd0, 0x7d, 0xf0, 0xe7, 0x25, 0xa6, 0x7a, 0x86, + 0x01, 0x56, 0xdd, 0xc5, 0xb2, 0x31, 0x98, 0x67, 0x3a, 0xd0, 0x9a, 0xee, + 0x98, 0xca, 0x80, 0x52, 0x5a, 0x0e, 0xb7, 0xc4, 0xbf, 0xc0, 0x40, 0x24, + 0x6f, 0x3b, 0xa6, 0xf6, 0xab, 0x28, 0x9e, 0xe9, 0x39, 0x3f, 0x04, 0x4b, + 0xc4, 0xae, 0x55, 0xfd, 0xea, 0x87, 0xa5, 0xc5, 0x01, 0x99, 0x2e, 0x67, + 0x66, 0xb3, 0xfe, 0x41, 0x02, 0x82, 0x01, 0x00, 0x05, 0x26, 0x96, 0xf2, + 0xd6, 0x71, 0x36, 0xd6, 0x08, 0x4f, 0xa1, 0x3a, 0x45, 0x9e, 0xa6, 0xeb, + 0x1d, 0xea, 0x8f, 0xb1, 0x1d, 0x68, 0x82, 0xc4, 0xa7, 0xd3, 0xdc, 0x08, + 0xf4, 0x93, 0x93, 0x18, 0x56, 0xa5, 0xdf, 0x7b, 0x00, 0xb0, 0xee, 0x69, + 
0xf0, 0xea, 0xeb, 0x90, 0x1e, 0x12, 0x27, 0x64, 0x8d, 0xbe, 0xf1, 0x4b, + 0x3b, 0x27, 0xe0, 0x79, 0xf1, 0x97, 0xb0, 0x7b, 0x0f, 0xdc, 0x0f, 0xda, + 0x24, 0x0e, 0xd7, 0xaa, 0xe9, 0xbe, 0x86, 0x09, 0x1b, 0x07, 0x6f, 0x1c, + 0x5f, 0x05, 0x1d, 0x0a, 0x0c, 0xad, 0x5f, 0xc4, 0x4f, 0x9d, 0xde, 0x79, + 0x72, 0x23, 0x2c, 0xdd, 0xa8, 0x5d, 0xc5, 0x8d, 0x7f, 0x4c, 0x1a, 0x0d, + 0x17, 0x75, 0x09, 0x98, 0x4a, 0xbe, 0xd5, 0x55, 0x8d, 0x0c, 0x2d, 0x05, + 0x2d, 0x71, 0x5b, 0xeb, 0xde, 0x99, 0x43, 0xcc, 0x6f, 0x37, 0xce, 0x6c, + 0xd0, 0xd4, 0xf5, 0xda, 0x1d, 0x8e, 0xeb, 0x28, 0x55, 0x09, 0xb1, 0x42, + 0x4f, 0xa7, 0x1a, 0xde, 0xe3, 0x14, 0xf1, 0x56, 0x2e, 0x40, 0xd6, 0xb5, + 0x1d, 0xee, 0x47, 0x77, 0x1d, 0xdc, 0x36, 0xfa, 0xf3, 0xbc, 0x8b, 0xa5, + 0xbf, 0x1d, 0x9f, 0xa7, 0xb4, 0x04, 0xad, 0xb6, 0x0d, 0x39, 0x0e, 0xe7, + 0x13, 0x3e, 0xbc, 0x94, 0x68, 0xe5, 0x1d, 0xea, 0x0c, 0x30, 0xdd, 0xb0, + 0xa7, 0x03, 0xa4, 0x91, 0xde, 0xf1, 0xd8, 0xa8, 0x18, 0x1f, 0xdd, 0xb3, + 0xd4, 0x2b, 0x6a, 0x8c, 0x69, 0x60, 0xda, 0x92, 0x7b, 0x1e, 0x27, 0x47, + 0x82, 0xbf, 0xff, 0xfc, 0xbd, 0x03, 0xb4, 0xc1, 0x80, 0x6c, 0x07, 0x11, + 0xa2, 0xdd, 0x27, 0xc1, 0x4d, 0x93, 0xe6, 0xf2, 0xd3, 0xdc, 0x61, 0xa1, + 0xa3, 0xdc, 0x67, 0x69, 0xe5, 0x50, 0x1d, 0x63, 0x0e, 0xb9, 0xa9, 0x9d, + 0xd6, 0x02, 0x4d, 0x7c, 0xcd, 0x2a, 0xa5, 0x37, 0x60, 0xc5, 0xf5, 0x97, + 0x02, 0x82, 0x01, 0x00, 0x14, 0x8b, 0x04, 0xdb, 0x4e, 0x41, 0x4a, 0xcd, + 0x86, 0x2e, 0x5f, 0x13, 0xb3, 0x48, 0x1e, 0x00, 0xdf, 0x8d, 0x0b, 0x35, + 0x51, 0x51, 0x1b, 0x16, 0x3d, 0x49, 0x4e, 0xe1, 0xee, 0x4d, 0xc7, 0x03, + 0xc0, 0xf6, 0x5c, 0x6c, 0x36, 0xe8, 0x22, 0xa5, 0x79, 0xb4, 0x4c, 0xce, + 0xa8, 0x45, 0x12, 0x2c, 0xf3, 0x6a, 0xcd, 0x33, 0xbd, 0xd0, 0x84, 0x4d, + 0xf7, 0x8f, 0xb5, 0x80, 0x1f, 0x18, 0x52, 0xad, 0xad, 0xce, 0xcd, 0x94, + 0xc9, 0xc6, 0xb4, 0xd2, 0x14, 0x29, 0xe4, 0xc7, 0x40, 0xf1, 0x0b, 0x85, + 0x43, 0xaf, 0x11, 0xd3, 0x46, 0x0a, 0xb1, 0x15, 0x87, 0x1f, 0x4e, 0x2e, + 0xc1, 0x11, 0xe9, 0x24, 0x70, 0x40, 0xba, 0x0b, 0x0e, 0x4a, 0xac, 0x45, + 
0x21, 0xcc, 0x6d, 0xa4, 0x1d, 0x55, 0x33, 0x89, 0x4c, 0x65, 0x21, 0x23, + 0xab, 0x61, 0x31, 0xcb, 0x11, 0x65, 0xb3, 0x80, 0xa4, 0x5a, 0x2b, 0xf1, + 0x65, 0xdb, 0x4c, 0x58, 0x5a, 0xbe, 0xf3, 0x15, 0xcd, 0x94, 0xa1, 0xe4, + 0xcb, 0x30, 0xfa, 0xe1, 0x28, 0x51, 0x52, 0xd2, 0xb8, 0xb4, 0x8c, 0xfc, + 0x3a, 0xcc, 0xd1, 0x19, 0xa2, 0x27, 0x36, 0xfa, 0xc4, 0x23, 0x96, 0xb9, + 0xc7, 0x74, 0xca, 0xf1, 0x45, 0x1f, 0x4b, 0xc2, 0x77, 0x4d, 0x32, 0x3f, + 0xab, 0x7a, 0xd9, 0x2b, 0x22, 0x1d, 0xcb, 0x24, 0x58, 0x29, 0xa3, 0xb8, + 0x92, 0xdb, 0x1c, 0xda, 0x84, 0x01, 0xca, 0x6d, 0x4a, 0x50, 0xd4, 0x2b, + 0x79, 0xfa, 0xc5, 0x4c, 0x9d, 0x79, 0x49, 0xf1, 0xde, 0xbd, 0x3f, 0x50, + 0xa7, 0xa6, 0xc6, 0xc7, 0x99, 0x61, 0x9b, 0xda, 0x38, 0xdc, 0xbe, 0x85, + 0x75, 0x81, 0xb9, 0x0f, 0x33, 0xd0, 0xd4, 0xd0, 0xaa, 0xbd, 0x32, 0xc9, + 0x62, 0xe8, 0x21, 0x24, 0xeb, 0x03, 0x73, 0x46, 0xb3, 0x84, 0x65, 0xf2, + 0x40, 0x7d, 0x1b, 0x1b, 0x8f, 0x86, 0x7c, 0xe7 +}; + +/* The corresponding public key, DER. */ +static const unsigned char rsa_pub_key[] = { + 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, 0x00, 0xa3, 0x14, 0xe4, + 0xb8, 0xd8, 0x58, 0x0d, 0xab, 0xd7, 0x87, 0xa4, 0xf6, 0x84, 0x51, 0x74, + 0x60, 0x4c, 0xe3, 0x60, 0x28, 0x89, 0x49, 0x65, 0x18, 0x5c, 0x8f, 0x1a, + 0x1b, 0xe9, 0xdb, 0xc1, 0xc1, 0xf7, 0x08, 0x27, 0x44, 0xe5, 0x9d, 0x9a, + 0x33, 0xc3, 0xac, 0x5a, 0xca, 0xba, 0x20, 0x5a, 0x9e, 0x3a, 0x18, 0xb5, + 0x3d, 0xe3, 0x9d, 0x94, 0x58, 0xa7, 0xa9, 0x5a, 0x0b, 0x4f, 0xb8, 0xe5, + 0xa3, 0x7b, 0x01, 0x11, 0x0f, 0x16, 0x11, 0xb8, 0x65, 0x2f, 0xa8, 0x95, + 0xf7, 0x58, 0x2c, 0xec, 0x1d, 0x41, 0xad, 0xd1, 0x12, 0xca, 0x4a, 0x80, + 0x35, 0x35, 0x43, 0x7e, 0xe0, 0x97, 0xfc, 0x86, 0x8f, 0xcf, 0x4b, 0xdc, + 0xbc, 0x15, 0x2c, 0x8e, 0x90, 0x84, 0x26, 0x83, 0xc1, 0x96, 0x97, 0xf4, + 0xd7, 0x90, 0xce, 0xfe, 0xd4, 0xf3, 0x70, 0x22, 0xa8, 0xb0, 0x1f, 0xed, + 0x08, 0xd7, 0xc5, 0xc0, 0xd6, 0x41, 0x6b, 0x24, 0x68, 0x5c, 0x07, 0x1f, + 0x44, 0x97, 0xd8, 0x6e, 0x18, 0x93, 0x67, 0xc3, 0xba, 0x3a, 0xaf, 0xfd, + 0xc2, 
0x65, 0x00, 0x21, 0x63, 0xdf, 0xb7, 0x28, 0x68, 0xd6, 0xc0, 0x20, + 0x86, 0x92, 0xed, 0x68, 0x6a, 0x27, 0x3a, 0x07, 0xec, 0x66, 0x00, 0xfe, + 0x51, 0x51, 0x86, 0x41, 0x6f, 0x83, 0x69, 0xd2, 0xf0, 0xe6, 0xf7, 0x61, + 0xda, 0x12, 0x45, 0x53, 0x09, 0xdf, 0xf8, 0x42, 0xc7, 0x30, 0x6a, 0xe5, + 0xd8, 0x2b, 0xa2, 0x49, 0x7a, 0x05, 0x10, 0xee, 0xb2, 0x59, 0x0a, 0xe5, + 0xbe, 0xf8, 0x4d, 0x0f, 0xa8, 0x9e, 0x63, 0x81, 0x39, 0x32, 0xaa, 0xfd, + 0xa8, 0x03, 0xf6, 0xd8, 0xc6, 0xaa, 0x02, 0x93, 0x03, 0xeb, 0x15, 0xd3, + 0x38, 0xc8, 0x1a, 0x78, 0xcf, 0xf3, 0xa7, 0x9f, 0x98, 0x4b, 0x91, 0x5b, + 0x79, 0xf8, 0x4e, 0x53, 0xaf, 0x0c, 0x65, 0xe9, 0xb0, 0x93, 0xc2, 0xcb, + 0x5d, 0x3c, 0x5f, 0x6e, 0x39, 0xd2, 0x58, 0x23, 0x50, 0xe5, 0x2e, 0xef, + 0x12, 0x00, 0xa4, 0x59, 0x13, 0x2b, 0x2f, 0x2c, 0x0a, 0x7b, 0x36, 0x89, + 0xc5, 0xe5, 0x8f, 0x95, 0x5e, 0x14, 0x0f, 0x0f, 0x94, 0x5a, 0xe9, 0xdc, + 0x0b, 0x49, 0x14, 0xbe, 0x0a, 0x70, 0x45, 0xc1, 0x7c, 0xbf, 0x83, 0x70, + 0xfd, 0x3d, 0x99, 0xe6, 0x8a, 0xf5, 0x9c, 0x09, 0x71, 0x84, 0x9a, 0x18, + 0xa0, 0xe0, 0x6c, 0x43, 0x5c, 0x7e, 0x48, 0x33, 0xc8, 0xbe, 0x5d, 0xdd, + 0xd8, 0x77, 0xe3, 0xe7, 0x6b, 0x34, 0x4b, 0xa2, 0xb7, 0x54, 0x07, 0x72, + 0x2e, 0xab, 0xa9, 0x91, 0x1e, 0x4b, 0xe3, 0xb5, 0xd8, 0xfa, 0x35, 0x64, + 0x8a, 0xe9, 0x03, 0xa1, 0xa8, 0x26, 0xbd, 0x72, 0x58, 0x10, 0x6a, 0xec, + 0x1a, 0xf6, 0x1e, 0xb8, 0xc0, 0x46, 0x19, 0x31, 0x2c, 0xca, 0xf9, 0x6a, + 0xd7, 0x2e, 0xd0, 0xa7, 0x2c, 0x60, 0x58, 0xc4, 0x8f, 0x46, 0x63, 0x61, + 0x8d, 0x29, 0x6f, 0xe2, 0x5f, 0xe2, 0x43, 0x90, 0x9c, 0xe6, 0xfc, 0x08, + 0x41, 0xc8, 0xb5, 0x23, 0x56, 0x24, 0x3e, 0x3a, 0x2c, 0x41, 0x22, 0x43, + 0xda, 0x22, 0x15, 0x2b, 0xad, 0xd0, 0xfa, 0xc8, 0x47, 0x44, 0xe6, 0x2a, + 0xf9, 0x38, 0x90, 0x13, 0x62, 0x22, 0xea, 0x06, 0x8c, 0x44, 0x9c, 0xd6, + 0xca, 0x50, 0x93, 0xe9, 0xd4, 0x03, 0xd8, 0x3e, 0x71, 0x36, 0x4b, 0xaa, + 0xab, 0xbb, 0xe2, 0x48, 0x66, 0x26, 0x53, 0xb1, 0x6d, 0x3b, 0x82, 0x2c, + 0x8c, 0x25, 0x05, 0xf0, 0xf8, 0xcf, 0x55, 0xbf, 0x8e, 0x29, 0xf7, 0x54, + 0x5b, 
0x6f, 0x30, 0x54, 0xa6, 0xad, 0x46, 0xff, 0x22, 0x95, 0xb1, 0x87, + 0x98, 0x00, 0x51, 0x69, 0x15, 0x07, 0xbd, 0x3d, 0x9c, 0x6e, 0xaa, 0xaa, + 0x3b, 0x0b, 0x74, 0x65, 0x4c, 0x04, 0xe0, 0x80, 0x3e, 0xaf, 0x5e, 0x10, + 0xd6, 0x9b, 0x28, 0x37, 0x6f, 0x02, 0x03, 0x01, 0x00, 0x01 +}; diff --git a/deps/openssl/openssl/demos/signature/rsa_pss_direct.c b/deps/openssl/openssl/demos/signature/rsa_pss_direct.c new file mode 100644 index 00000000000000..1ecfa9d89747e7 --- /dev/null +++ b/deps/openssl/openssl/demos/signature/rsa_pss_direct.c 
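Review bot: The comment above `rsa_priv_key` in rsa_pss.h does not say that this is a throwaway demonstration key, so a reader copying the demo gets no hint that the private half is published in the source tree. I would extend it to `/* 4096-bit RSA private key, DER. Demo only: this key is public, never use it to protect real data. */`. An explicit marker also gives reviewers and secret-scanning tooling a clear reason to allow-list the array rather than treat it as a leaked credential.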
@@ -0,0 +1,204 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "rsa_pss.h" + +/* + * The digest to be signed. This should be the output of a hash function. + * Here we sign an all-zeroes digest for demonstration purposes. + */ +static const unsigned char test_digest[32] = {0}; + +/* A property query used for selecting algorithm implementations. */ +static const char *propq = NULL; + +/* + * This function demonstrates RSA signing of a SHA-256 digest using the PSS + * padding scheme. You must already have hashed the data you want to sign. + * For a higher-level demonstration which does the hashing for you, see + * rsa_pss_hash.c. + * + * For more information, see RFC 8017 section 9.1. The digest passed in + * (test_digest above) corresponds to the 'mHash' value. + */ +static int sign(OSSL_LIB_CTX *libctx, unsigned char **sig, size_t *sig_len) +{ + int rv = 0; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_MD *md = NULL; + const unsigned char *ppriv_key = NULL; + + *sig = NULL; + + /* Load DER-encoded RSA private key. */ + ppriv_key = rsa_priv_key; + pkey = d2i_PrivateKey_ex(EVP_PKEY_RSA, NULL, &ppriv_key, + sizeof(rsa_priv_key), libctx, propq); + if (pkey == NULL) { + fprintf(stderr, "Failed to load private key\n"); + goto end; + } + + /* Fetch hash algorithm we want to use. */ + md = EVP_MD_fetch(libctx, "SHA256", propq); + if (md == NULL) { + fprintf(stderr, "Failed to fetch hash algorithm\n"); + goto end; + } + + /* Create signing context. 
*/ + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); + if (ctx == NULL) { + fprintf(stderr, "Failed to create signing context\n"); + goto end; + } + + /* Initialize context for signing and set options. */ + if (EVP_PKEY_sign_init(ctx) == 0) { + fprintf(stderr, "Failed to initialize signing context\n"); + goto end; + } + + if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) == 0) { + fprintf(stderr, "Failed to configure padding\n"); + goto end; + } + + if (EVP_PKEY_CTX_set_signature_md(ctx, md) == 0) { + fprintf(stderr, "Failed to configure digest type\n"); + goto end; + } + + /* Determine length of signature. */ + if (EVP_PKEY_sign(ctx, NULL, sig_len, + test_digest, sizeof(test_digest)) == 0) { + fprintf(stderr, "Failed to get signature length\n"); + goto end; + } + + /* Allocate memory for signature. */ + *sig = OPENSSL_malloc(*sig_len); + if (*sig == NULL) { + fprintf(stderr, "Failed to allocate memory for signature\n"); + goto end; + } + + /* Generate signature. */ + if (EVP_PKEY_sign(ctx, *sig, sig_len, + test_digest, sizeof(test_digest)) != 1) { + fprintf(stderr, "Failed to sign\n"); + goto end; + } + + rv = 1; +end: + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + EVP_MD_free(md); + + if (rv == 0) + OPENSSL_free(*sig); + + return rv; +} + +/* + * This function demonstrates verification of an RSA signature over a SHA-256 + * digest using the PSS signature scheme. + */ +static int verify(OSSL_LIB_CTX *libctx, const unsigned char *sig, size_t sig_len) +{ + int rv = 0; + const unsigned char *ppub_key = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_MD *md = NULL; + + /* Load DER-encoded RSA public key. */ + ppub_key = rsa_pub_key; + pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ppub_key, sizeof(rsa_pub_key)); + if (pkey == NULL) { + fprintf(stderr, "Failed to load public key\n"); + goto end; + } + + /* Fetch hash algorithm we want to use. 
*/ + md = EVP_MD_fetch(libctx, "SHA256", propq); + if (md == NULL) { + fprintf(stderr, "Failed to fetch hash algorithm\n"); + goto end; + } + + /* Create verification context. */ + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); + if (ctx == NULL) { + fprintf(stderr, "Failed to create verification context\n"); + goto end; + } + + /* Initialize context for verification and set options. */ + if (EVP_PKEY_verify_init(ctx) == 0) { + fprintf(stderr, "Failed to initialize verification context\n"); + goto end; + } + + if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) == 0) { + fprintf(stderr, "Failed to configure padding\n"); + goto end; + } + + if (EVP_PKEY_CTX_set_signature_md(ctx, md) == 0) { + fprintf(stderr, "Failed to configure digest type\n"); + goto end; + } + + /* Verify signature. */ + if (EVP_PKEY_verify(ctx, sig, sig_len, + test_digest, sizeof(test_digest)) == 0) { + fprintf(stderr, "Failed to verify signature; " + "signature may be invalid\n"); + goto end; + } + + rv = 1; +end: + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + EVP_MD_free(md); + return rv; +} + +int main(int argc, char **argv) +{ + int rv = 1; + OSSL_LIB_CTX *libctx = NULL; + unsigned char *sig = NULL; + size_t sig_len = 0; + + if (sign(libctx, &sig, &sig_len) == 0) + goto end; + + if (verify(libctx, sig, sig_len) == 0) + goto end; + + rv = 0; +end: + OPENSSL_free(sig); + OSSL_LIB_CTX_free(libctx); + return rv; +} diff --git a/deps/openssl/openssl/demos/signature/rsa_pss_hash.c b/deps/openssl/openssl/demos/signature/rsa_pss_hash.c new file mode 100644 index 00000000000000..e1d4e7cc9d0b5e --- /dev/null +++ b/deps/openssl/openssl/demos/signature/rsa_pss_hash.c 
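Review bot: On the failure path at the end of `sign()`, `OPENSSL_free(*sig)` releases the buffer but leaves the caller's pointer set, and `main()` then calls `OPENSSL_free(sig)` again at its own `end:` label. If the second `EVP_PKEY_sign()` call fails after the allocation succeeded, that is a double free. Clearing the pointer fixes it: `if (rv == 0) { OPENSSL_free(*sig); *sig = NULL; }`. `sign()` in rsa_pss_hash.c, added later in this patch, has the same cleanup and needs the same change.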
@@ -0,0 +1,189 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "rsa_pss.h" + +/* The data to be signed. This will be hashed. */ +static const char test_message[] = + "This is an example message to be signed."; + +/* A property query used for selecting algorithm implementations. */ +static const char *propq = NULL; + +/* + * This function demonstrates RSA signing of an arbitrary-length message. + * Hashing is performed automatically. In this example, SHA-256 is used. If you + * have already hashed your message and simply want to sign the hash directly, + * see rsa_pss_direct.c. + */ +static int sign(OSSL_LIB_CTX *libctx, unsigned char **sig, size_t *sig_len) +{ + int rv = 0; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX *mctx = NULL; + OSSL_PARAM params[2], *p = params; + const unsigned char *ppriv_key = NULL; + + *sig = NULL; + + /* Load DER-encoded RSA private key. */ + ppriv_key = rsa_priv_key; + pkey = d2i_PrivateKey_ex(EVP_PKEY_RSA, NULL, &ppriv_key, + sizeof(rsa_priv_key), libctx, propq); + if (pkey == NULL) { + fprintf(stderr, "Failed to load private key\n"); + goto end; + } + + /* Create MD context used for signing. */ + mctx = EVP_MD_CTX_new(); + if (mctx == NULL) { + fprintf(stderr, "Failed to create MD context\n"); + goto end; + } + + /* Initialize MD context for signing. 
*/ + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, + OSSL_PKEY_RSA_PAD_MODE_PSS, 0); + *p = OSSL_PARAM_construct_end(); + + if (EVP_DigestSignInit_ex(mctx, NULL, "SHA256", libctx, propq, + pkey, params) == 0) { + fprintf(stderr, "Failed to initialize signing context\n"); + goto end; + } + + /* + * Feed data to be signed into the algorithm. This may + * be called multiple times. + */ + if (EVP_DigestSignUpdate(mctx, test_message, sizeof(test_message)) == 0) { + fprintf(stderr, "Failed to hash message into signing context\n"); + goto end; + } + + /* Determine signature length. */ + if (EVP_DigestSignFinal(mctx, NULL, sig_len) == 0) { + fprintf(stderr, "Failed to get signature length\n"); + goto end; + } + + /* Allocate memory for signature. */ + *sig = OPENSSL_malloc(*sig_len); + if (*sig == NULL) { + fprintf(stderr, "Failed to allocate memory for signature\n"); + goto end; + } + + /* Generate signature. */ + if (EVP_DigestSignFinal(mctx, *sig, sig_len) == 0) { + fprintf(stderr, "Failed to sign\n"); + goto end; + } + + rv = 1; +end: + EVP_MD_CTX_free(mctx); + EVP_PKEY_free(pkey); + + if (rv == 0) + OPENSSL_free(*sig); + + return rv; +} + +/* + * This function demonstrates verification of an RSA signature over an + * arbitrary-length message using the PSS signature scheme. Hashing is performed + * automatically. + */ +static int verify(OSSL_LIB_CTX *libctx, const unsigned char *sig, size_t sig_len) +{ + int rv = 0; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX *mctx = NULL; + OSSL_PARAM params[2], *p = params; + const unsigned char *ppub_key = NULL; + + /* Load DER-encoded RSA public key. */ + ppub_key = rsa_pub_key; + pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ppub_key, sizeof(rsa_pub_key)); + if (pkey == NULL) { + fprintf(stderr, "Failed to load public key\n"); + goto end; + } + + /* Create MD context used for verification. 
*/ + mctx = EVP_MD_CTX_new(); + if (mctx == NULL) { + fprintf(stderr, "Failed to create MD context\n"); + goto end; + } + + /* Initialize MD context for verification. */ + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, + OSSL_PKEY_RSA_PAD_MODE_PSS, 0); + *p = OSSL_PARAM_construct_end(); + + if (EVP_DigestVerifyInit_ex(mctx, NULL, "SHA256", libctx, propq, + pkey, params) == 0) { + fprintf(stderr, "Failed to initialize signing context\n"); + goto end; + } + + /* + * Feed data to be signed into the algorithm. This may + * be called multiple times. + */ + if (EVP_DigestVerifyUpdate(mctx, test_message, sizeof(test_message)) == 0) { + fprintf(stderr, "Failed to hash message into signing context\n"); + goto end; + } + + /* Verify signature. */ + if (EVP_DigestVerifyFinal(mctx, sig, sig_len) == 0) { + fprintf(stderr, "Failed to verify signature; " + "signature may be invalid\n"); + goto end; + } + + rv = 1; +end: + EVP_MD_CTX_free(mctx); + EVP_PKEY_free(pkey); + return rv; +} + +int main(int argc, char **argv) +{ + int rv = 1; + OSSL_LIB_CTX *libctx = NULL; + unsigned char *sig = NULL; + size_t sig_len = 0; + + if (sign(libctx, &sig, &sig_len) == 0) + goto end; + + if (verify(libctx, sig, sig_len) == 0) + goto end; + + rv = 0; +end: + OPENSSL_free(sig); + OSSL_LIB_CTX_free(libctx); + return rv; +} diff --git a/deps/openssl/openssl/demos/smime/smver.c b/deps/openssl/openssl/demos/smime/smver.c index 601462a041612b..5d552b18082ab5 100644 --- a/deps/openssl/openssl/demos/smime/smver.c +++ b/deps/openssl/openssl/demos/smime/smver.c @@ -27,16 +27,18 @@ int main(int argc, char **argv) /* Set up trusted CA certificate store */ st = X509_STORE_new(); + if (st == NULL) + goto err; /* Read in signer certificate and private key */ tbio = BIO_new_file("cacert.pem", "r"); - if (!tbio) + if (tbio == NULL) goto err; cacert = PEM_read_bio_X509(tbio, NULL, 0, NULL); - if (!cacert) + if (cacert == NULL) goto err; if (!X509_STORE_add_cert(st, cacert)) 
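Review bot: In `verify()` of rsa_pss_hash.c, `if (EVP_DigestVerifyFinal(mctx, sig, sig_len) == 0)` rejects only a return of 0. The function is documented to return 1 on success and other values, including negative ones, for more serious errors, so an internal error would fall through to `rv = 1` and be reported as a valid signature. Comparing against the success value makes the check fail closed: `if (EVP_DigestVerifyFinal(mctx, sig, sig_len) != 1)`. The `EVP_PKEY_verify(...) == 0` check in `verify()` of rsa_pss_direct.c has the same shape and needs the same change. Demo code tends to be copied verbatim, so it should show the fail-closed form.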
@@ -46,18 +48,18 @@ int main(int argc, char **argv) in = BIO_new_file("smout.txt", "r"); - if (!in) + if (in == NULL) goto err; /* Sign content */ p7 = SMIME_read_PKCS7(in, &cont); - if (!p7) + if (p7 == NULL) goto err; /* File to output verified content to */ out = BIO_new_file("smver.txt", "w"); - if (!out) + if (out == NULL) goto err; if (!PKCS7_verify(p7, NULL, st, cont, out, 0)) { @@ -74,6 +76,8 @@ int main(int argc, char **argv) fprintf(stderr, "Error Verifying Data\n"); ERR_print_errors_fp(stderr); } + + X509_STORE_free(st); PKCS7_free(p7); X509_free(cacert); BIO_free(in); diff --git a/deps/openssl/openssl/dev/release-aux/fixup-CHANGES.md-postrelease.pl b/deps/openssl/openssl/dev/release-aux/fixup-CHANGES.md-postrelease.pl index 0fb2e9134f9be1..bb971898ca2f9c 100644 --- a/deps/openssl/openssl/dev/release-aux/fixup-CHANGES.md-postrelease.pl +++ b/deps/openssl/openssl/dev/release-aux/fixup-CHANGES.md-postrelease.pl @@ -20,7 +20,7 @@ BEGIN $_ = <<_____ ### Changes between $v2 and $RELEASE_TEXT [xx XXX xxxx] - * + * none yet ### Changes between $v1 and $v2 [$PREV_RELEASE_DATE] _____ diff --git a/deps/openssl/openssl/dev/release-aux/fixup-NEWS.md-postrelease.pl b/deps/openssl/openssl/dev/release-aux/fixup-NEWS.md-postrelease.pl index ff41ab29df569b..9231872f89ce77 100644 --- a/deps/openssl/openssl/dev/release-aux/fixup-NEWS.md-postrelease.pl +++ b/deps/openssl/openssl/dev/release-aux/fixup-NEWS.md-postrelease.pl @@ -20,7 +20,7 @@ BEGIN $_ = <<_____ ### Major changes between OpenSSL $v2 and OpenSSL $RELEASE_TEXT [under development] - * + * none ### Major changes between OpenSSL $v1 and OpenSSL $v2 [$PREV_RELEASE_DATE] _____ diff --git a/deps/openssl/openssl/dev/release-aux/openssl-announce-pre-release.tmpl b/deps/openssl/openssl/dev/release-aux/openssl-announce-pre-release.tmpl index 470a42bdd34c92..a4a7581ea709f8 100644 --- a/deps/openssl/openssl/dev/release-aux/openssl-announce-pre-release.tmpl 
+++ b/deps/openssl/openssl/dev/release-aux/openssl-announce-pre-release.tmpl @@ -15,7 +15,7 @@ Specific notes on upgrading to OpenSSL $series from previous versions are available in the OpenSSL Migration Guide, here: - https://www.openssl.org/docs/manmaster/man7/migration_guide.html + https://www.openssl.org/docs/man3.0/man7/migration_guide.html The $label release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under diff --git a/deps/openssl/openssl/dev/release.sh b/deps/openssl/openssl/dev/release.sh index 4b778f3b751938..94d9db0eeb8e7d 100755 --- a/deps/openssl/openssl/dev/release.sh +++ b/deps/openssl/openssl/dev/release.sh @@ -1,5 +1,5 @@ #! /bin/bash -e -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,10 @@ # This is the most shell agnostic way to specify that POSIX rules. POSIXLY_CORRECT=1 +# Force C locale because some commands (like date +%b) relies +# on the current locale. +export LC_ALL=C + usage () { cat < function is called to increment the reference count of the method and the I function is called to decrement it. +=head1 NOTES + +The I argument to ossl_method_store_cache_get() and +ossl_method_store_cache_set() is not allowed to be NULL. Use "" for an +empty property definition or query. + =head1 RETURN VALUES ossl_method_store_new() returns a new method store object or NULL on failure. 
@@ -119,7 +125,7 @@ This functionality was added to OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this diff --git a/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in b/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in index 420c194a6c70fe..ee62833f8e9da0 100644 --- a/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in @@ -251,8 +251,8 @@ e.g., C<1.2.3.4:int:56789>. The source of the private or public key for the certificate requested in Initialization Request (IR), Certification Request(CR), or Key Update Request (KUR). -Default is the public key in the PKCS#10 CSR given with the B<-csr> option, -if any, or else the current client key, if given. +Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, +the public key of the reference certificate, or the current client key. =item B<-newkeypass> I @@ -440,8 +440,10 @@ Reason numbers defined in RFC 5280 are: =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> -The IP address or DNS hostname and optionally port -of the CMP server to connect to using HTTP(S) transport. +The DNS hostname or IP address and optionally port +of the CMP server to connect to using HTTP(S). +This excludes I<-port> and I<-use_mock_srv> and is ignored with I<-rspin>. + The scheme C may be given only if the B<-tls_used> option is used. In this case the default port is 443, else 80. The optional userinfo and fragment components are ignored. 
@@ -458,6 +460,7 @@ selected by B<-tls_used>), as well as any path, userinfo, and query, and fragmen components. Defaults to the environment variable C if set, else C in case no TLS is used, otherwise C if set, else C. +This option is ignored if I<-server> is not given. =item B<-no_proxy> I @@ -465,6 +468,7 @@ List of IP addresses and/or DNS names of servers not to use an HTTP(S) proxy for, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Default is from the environment variable C if set, else C. +This option is ignored if I<-server> is not given. =item B<-recipient> I @@ -795,7 +799,10 @@ B<-tls_key>. =item B<-tls_used> Enable using TLS (even when other TLS_related options are not set) -when connecting to CMP server. +when connecting to CMP server via HTTP. +This option is not supported with the I<-port> option +and is ignored with the I<-use_mock_srv> and I<-rspin> options +or if the I<-server> option is not given. =item B<-tls_cert> I|I @@ -880,6 +887,7 @@ As many files are written as needed to store the complete transaction. =item B<-rspin> I Process sequence of CMP responses provided in file(s), skipping server. +This excludes I<-server>, I<-port>, and I<-use_mock_srv>. Multiple filenames may be given, separated by commas and/or whitespace. As many files are read as needed for the complete transaction. @@ -893,8 +901,9 @@ As many files are written as needed to store the complete transaction. =item B<-use_mock_srv> -Use the internal mock server for testing the client. -This works at API level, bypassing HTTP transport. +Test the client using the internal CMP server mock-up at API level, +bypassing socket-based transfer via HTTP. +This excludes I<-server>, I<-port>, and I<-rspin>. =back 
@@ -904,7 +913,8 @@ This works at API level, bypassing HTTP transport. =item B<-port> I -Act as CMP HTTP server mock-up listening on the given port. +Act as HTTP-based CMP server mock-up listening on the given port. +This excludes I<-server>, I<-rspin>, and I<-use_mock_srv>. =item B<-max_msgs> I @@ -1221,9 +1231,9 @@ The B<-engine option> was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/deps/openssl/openssl/doc/man1/openssl-dgst.pod.in b/deps/openssl/openssl/doc/man1/openssl-dgst.pod.in index f493e83b4182fe..8a091131cfb9ba 100644 --- a/deps/openssl/openssl/doc/man1/openssl-dgst.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-dgst.pod.in @@ -9,11 +9,11 @@ openssl-dgst - perform digest operations B B|I [B<-I>] +[B<-list>] [B<-help>] [B<-c>] [B<-d>] [B<-debug>] -[B<-list>] [B<-hex>] [B<-binary>] [B<-xoflen> I] @@ -47,7 +47,7 @@ The generic name, B, may be used with an option specifying the algorithm to be used. The default digest is B. A supported I name may also be used as the sub-command name. -To see the list of supported algorithms, use C +To see the list of supported algorithms, use C =head1 OPTIONS @@ -59,8 +59,11 @@ Print out a usage message. =item B<-I> -Specifies name of a supported digest to be used. To see the list of -supported digests, use the command C. +Specifies name of a supported digest to be used. See option B<-list> below : + +=item B<-list> + +Prints out a list of supported message digests. =item B<-c> 
@@ -71,10 +74,6 @@ the B<-hex> option is given as well. Print out BIO debugging information. -=item B<-list> - -Prints out a list of supported message digests. - =item B<-hex> Digest is to be output as a hex dump. This is the default case for a "normal" @@ -206,12 +205,19 @@ used. =head1 EXAMPLES To create a hex-encoded message digest of a file: + openssl dgst -md5 -hex file.txt + or + openssl md5 file.txt To sign a file using SHA-256 with binary file output: + openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt + or + openssl sha256 -sign privatekey.pem -out signature.sign file.txt To verify a signature: + openssl dgst -sha256 -verify publickey.pem \ -signature signature.sign \ file.txt @@ -221,7 +227,7 @@ To verify a signature: The digest mechanisms that are available will depend on the options used when building OpenSSL. -The C command can be used to list them. +The C command can be used to list them. New or agile applications should use probably use SHA-256. Other digests, particularly SHA-1 and MD5, are still widely used for interoperating @@ -259,7 +265,7 @@ The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/openssl-kdf.pod.in b/deps/openssl/openssl/doc/man1/openssl-kdf.pod.in index 2880d1ff9d8afb..23776378a1be30 100644 --- a/deps/openssl/openssl/doc/man1/openssl-kdf.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-kdf.pod.in 
@@ -166,7 +166,7 @@ Use PBKDF2 to create a hex-encoded derived key from a password and salt: Use scrypt to create a hex-encoded derived key from a password and salt: openssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \ - -kdfopt N:1024 -kdfopt r:8 -kdfopt p:16 \ + -kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \ -kdfopt maxmem_bytes:10485760 SCRYPT =head1 NOTES @@ -195,7 +195,7 @@ Added in OpenSSL 3.0 =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/openssl-speed.pod.in b/deps/openssl/openssl/doc/man1/openssl-speed.pod.in index bfe992797a556d..70ef38712ef98f 100644 --- a/deps/openssl/openssl/doc/man1/openssl-speed.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-speed.pod.in @@ -101,6 +101,8 @@ Run benchmarks for I seconds. =item B<-bytes> I Run benchmarks on I-byte buffers. Affects ciphers, digests and the CSPRNG. +The limit on the size of the buffer is INT_MAX - 64 bytes, which for a 32-bit +int would be 2147483583 bytes. =item B<-mr> @@ -134,7 +136,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_ctrl.pod b/deps/openssl/openssl/doc/man3/BIO_ctrl.pod index bcdeac6f7bddce..84efd23746bb2a 100644 --- a/deps/openssl/openssl/doc/man3/BIO_ctrl.pod +++ b/deps/openssl/openssl/doc/man3/BIO_ctrl.pod 
@@ -17,7 +17,7 @@ BIO_get_ktls_recv long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg); long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb); - char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); + void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); int BIO_reset(BIO *b); @@ -146,7 +146,7 @@ OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_f_base64.pod b/deps/openssl/openssl/doc/man3/BIO_f_base64.pod index 69de0077f72da6..0bfa4afd0c9cb8 100644 --- a/deps/openssl/openssl/doc/man3/BIO_f_base64.pod +++ b/deps/openssl/openssl/doc/man3/BIO_f_base64.pod 
@@ -21,13 +21,26 @@ any data read through it. Base64 BIOs do not support BIO_gets() or BIO_puts(). +For writing, output is by default divided to lines of length 64 +characters and there is always a newline at the end of output. + +For reading, first line should be at most 1024 +characters long. If it is longer then it is ignored completely. +Other input lines can be of any length. There must be a newline +at the end of input. + +This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag. + BIO_flush() on a base64 BIO that is being written through is used to signal that no more data is to be encoded: this is used to flush the final block through the BIO. -The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags() -to encode the data all on one line or expect the data to be all -on one line. +The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags(). +For writing, it causes all data to be written on one line without +newline at the end. +For reading, it forces the decoder to process the data regardless +of newlines. All newlines are ignored and the input does not need +to contain any newline at all. =head1 NOTES @@ -81,7 +94,7 @@ to reliably determine EOF (for example a MIME boundary). =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BN_add.pod b/deps/openssl/openssl/doc/man3/BN_add.pod index 62d3ee72054ca6..9561d554318f18 100644 --- a/deps/openssl/openssl/doc/man3/BN_add.pod +++ b/deps/openssl/openssl/doc/man3/BN_add.pod 
@@ -3,7 +3,7 @@ =head1 NAME BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, -BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - +BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - arithmetic operations on BIGNUMs =head1 SYNOPSIS @@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); + BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); + int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, @@ -87,6 +89,12 @@ L. BN_mod_sqr() takes the square of I modulo B and places the result in I. +BN_mod_sqrt() returns the modular square root of I such that +C. The modulus I

must be a +prime, otherwise an error or an incorrect "result" will be returned. +The result is stored into I which can be NULL. The result will be +newly allocated in that case. + BN_exp() raises I to the I

-th power and places the result in I (C). This function is faster than repeated applications of BN_mul(). @@ -108,7 +116,10 @@ the arguments. =head1 RETURN VALUES -For all functions, 1 is returned for success, 0 on error. The return +The BN_mod_sqrt() returns the result (possibly incorrect if I

is +not a prime), or NULL. + +For all remaining functions, 1 is returned for success, 0 on error. The return value should always be checked (e.g., C). The error codes can be obtained by L. @@ -119,7 +130,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod b/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod index ec9eda81c6f83c..9cec9989249133 100644 --- a/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod +++ b/deps/openssl/openssl/doc/man3/DEFINE_STACK_OF.pod @@ -266,6 +266,7 @@ on error. B_insert>(), B_push>() and B_unshift>() return the total number of elements in the stack and 0 if an error occurred. +B_push>() further returns -1 if I is NULL. B_set>() returns a pointer to the replacement element or NULL on error. diff --git a/deps/openssl/openssl/doc/man3/ERR_get_error.pod b/deps/openssl/openssl/doc/man3/ERR_get_error.pod index 6518458907d9a0..038296ac64ccd3 100644 --- a/deps/openssl/openssl/doc/man3/ERR_get_error.pod +++ b/deps/openssl/openssl/doc/man3/ERR_get_error.pod @@ -31,7 +31,7 @@ ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data const char **func, const char **data, int *flags); unsigned long ERR_peek_error_all(const char **file, int *line, - const char *func, + const char **func, const char **data, int *flags); unsigned long ERR_peek_last_error_all(const char **file, int *line, const char *func, 
@@ -132,7 +132,7 @@ and ERR_peek_last_error_line_data() became deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod index 23ac4bd8b06793..f7884af86fefcd 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod @@ -37,11 +37,22 @@ EVP_PKEY_gettable_params() returns a constant list of I indicating the names and types of key parameters that can be retrieved. See L for information about parameters. +An B of type B or +B is of arbitrary length. Such a parameter can be +obtained using any of the functions EVP_PKEY_get_int_param(), +EVP_PKEY_get_size_t_param() or EVP_PKEY_get_bn_param(). Attempting to +obtain an integer value that does not fit into a native C B type will cause +EVP_PKEY_get_int_param() to fail. Similarly attempting to obtain an integer +value that is negative or does not fit into a native C B type using +EVP_PKEY_get_size_t_param() will also fail. + EVP_PKEY_get_int_param() retrieves a key I integer value I<*out> -associated with a name of I. +associated with a name of I if it fits into C type. For +parameters that do not fit into C use EVP_PKEY_get_bn_param(). EVP_PKEY_get_size_t_param() retrieves a key I size_t value I<*out> -associated with a name of I. +associated with a name of I if it fits into C type. For +parameters that do not fit into C use EVP_PKEY_get_bn_param(). EVP_PKEY_get_bn_param() retrieves a key I BIGNUM value I<**bn> associated with a name of I. If I<*bn> is NULL then the BIGNUM 
@@ -115,7 +126,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod b/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod index 482cc320c778d4..94eb6cc5899f97 100644 --- a/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod +++ b/deps/openssl/openssl/doc/man3/OBJ_nid2obj.pod @@ -101,7 +101,8 @@ given NID with two other NIDs - one representing the underlying signature algorithm and the other representing a digest algorithm to be used in conjunction with it. I represents the NID for the composite "Signature Algorithm", I is the NID for the digest algorithm and I is the -NID for the underlying signature algorithm. +NID for the underlying signature algorithm. As there are signature algorithms +that do not require a digest, NID_undef is a valid I. OBJ_cleanup() releases any resources allocated by creating new objects. diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_hexchar2int.pod b/deps/openssl/openssl/doc/man3/OPENSSL_hexchar2int.pod index a112815127bd13..9ca57063f879b8 100644 --- a/deps/openssl/openssl/doc/man3/OPENSSL_hexchar2int.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_hexchar2int.pod 
@@ -15,8 +15,9 @@ OPENSSL_buf2hexstr_ex, OPENSSL_buf2hexstr int OPENSSL_hexstr2buf_ex(unsigned char *buf, size_t buf_n, long *buflen, const char *str, const char sep); unsigned char *OPENSSL_hexstr2buf(const char *str, long *len); - int OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlen, - const unsigned char *buf, long buflen, const char sep); + int OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlength, + const unsigned char *buf, long buflen, + const char sep); char *OPENSSL_buf2hexstr(const unsigned char *buf, long buflen); =head1 DESCRIPTION @@ -47,7 +48,7 @@ in the given I. The character I is the separator between the bytes, setting this to '\0' means that there is no separator. I gives the size of the of the string buffer. -If I is not NULL, it is filled in with the result length. +If I is not NULL, it is filled in with the result length. To find out how large the result will be, call this function with NULL for I. @@ -70,7 +71,7 @@ success, or 0 on error. =head1 COPYRIGHT -Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod index 51ac68d1a7bd8c..33c73170a072b5 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod 
@@ -538,7 +538,7 @@ OSSL_CMP_CTX_push1_subjectAltName() adds the given X509 name to the list of alternate names on the certificate template request. This cannot be used if any Subject Alternative Name extension is set via OSSL_CMP_CTX_set0_reqExtensions(). -By default, unless OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT has been set, +By default, unless B has been set, the Subject Alternative Names are copied from the reference certificate, see OSSL_CMP_CTX_set1_oldCert(). If set and the subject DN is not set with OSSL_CMP_CTX_set1_subjectName() then @@ -559,14 +559,16 @@ to the X509_EXTENSIONS of the requested certificate template. OSSL_CMP_CTX_set1_oldCert() sets the old certificate to be updated in Key Update Requests (KUR) or to be revoked in Revocation Requests (RR). It must be given for RR, else it defaults to the CMP signer certificate. -The reference certificate determined in this way, if any, is also used for -deriving default subject DN and Subject Alternative Names and the +The I determined in this way, if any, is also used for +deriving default subject DN, public key, Subject Alternative Names, and the default issuer entry in the requested certificate template of IR/CR/KUR. The subject of the reference certificate is used as the sender field value in CMP message headers. Its issuer is used as default recipient in CMP message headers. -OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR. +OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to use in P10CR messages. +If such a CSR is provided, its subject, public key, and extension fields are +also used as fallback values for the certificate template of IR/CR/KUR messages. OSSL_CMP_CTX_push0_genm_ITAV() adds I to the stack in the I which will be the body of a General Message sent with this context. 
@@ -756,7 +758,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod index 741349cd6e3f54..cc211a3945fc56 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod 
@@ -36,12 +36,40 @@ in the header of the given message according to the CMP_CTX. This requires re-protecting the message (if it was protected). OSSL_CMP_CTX_setup_CRM() creates a CRMF certificate request message +from various information provided in the CMP context argument I for inclusion in a CMP request message based on details contained in I. -If the CMP context does not include a subject name set via -L but includes a reference certificate -then it copies the subject DN from there -if I is set or the I does not include a subjectAltName. -The I defines the request identifier to use, which typically is 0. +The I argument defines the request identifier to use, which typically is 0. + +The subject DN to include in the certificate template is determined as follows. +If I includes a subject name set via L, +this name is used. +Otherwise, if a PKCS#10 CSR is given in I, its subject is used. +Otherwise, if a reference certificate is given in I +(see L), its subject is used if I +is nonzero or the I does not include a Subject Alternative Name. + +The public key to include is taken from any value set via +L, +otherwise the public key of any PKCS#10 CSR is given in I, +otherwise the public key of any reference certificate given in I, +otherwise it is derived from the client private key if given in I. + +The set of X.509 extensions to include is computed as follows. +If a PKCS#10 CSR is present in I, default extensions are taken from there, +otherwise the empty set is taken as the initial value. +If there is a reference certificate in I and contains Subject Alternative +Names (SANs) and B is not set, +these override any SANs from the PKCS#10 CSR. +The extensions are further augmented or overridden by any extensions with the +same OIDs included in the I via L. +The SANs are further overridden by any SANs included in I via +L. +Finally, policies are overridden by any policies included in I via +L. 
+ +OSSL_CMP_CTX_setup_CRM() also sets the sets the regToken control B +for KUR messages using the issuer name and serial number of the reference +certificate, if present. OSSL_CMP_MSG_read() loads a DER-encoded OSSL_CMP_MSG from I. @@ -83,7 +111,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod b/deps/openssl/openssl/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod index 96281b67a88dcf..2a0fa04e473e05 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod @@ -89,8 +89,8 @@ section 6.3. OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey() sets the protocolEncrKey control in the given I copying the given I as value. See RFC 4211 section 6.6. -OSSL_CRMF_MSG_set1_regCtrl_oldCertID() sets the oldCertID control in the given -I copying the given I as value. See RFC 4211, section 6.5. +OSSL_CRMF_MSG_set1_regCtrl_oldCertID() sets the B regToken control in +the given I copying the given I as value. See RFC 4211, section 6.5. OSSL_CRMF_CERTID_gen produces an OSSL_CRMF_CERTID_gen structure copying the given I name and I number. @@ -121,7 +121,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod b/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod index 7fcd71dbe03b56..7e823db3eab525 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_HTTP_transfer.pod @@ -113,17 +113,25 @@ or NULL to indicate failure, in which case it should not modify the BIO. Here is a simple example that supports TLS connections (but not via a proxy): - BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail) + BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail) { if (connect && detail) { /* connecting with TLS */ SSL_CTX *ctx = (SSL_CTX *)arg; BIO *sbio = BIO_new_ssl(ctx, 1); - hbio = sbio != NULL ? BIO_push(sbio, hbio) : NULL; - } else if (!connect && !detail) { /* disconnecting after error */ - /* optionally add diagnostics here */ + bio = sbio != NULL ? BIO_push(sbio, bio) : NULL; + } else if (!connect) { /* disconnecting */ + BIO *hbio; + + if (!detail) { /* an error has occurred */ + /* optionally add diagnostics here */ + } + BIO_ssl_shutdown(bio); + hbio = BIO_pop(bio); + BIO_free(bio); /* SSL BIO */ + bio = hbio; } - return hbio; + return bio; } After disconnect the modified BIO will be deallocated using BIO_free_all(). diff --git a/deps/openssl/openssl/doc/man3/OpenSSL_version.pod b/deps/openssl/openssl/doc/man3/OpenSSL_version.pod index 2bcc17a46293e4..946bb151bafeb1 100644 --- a/deps/openssl/openssl/doc/man3/OpenSSL_version.pod +++ b/deps/openssl/openssl/doc/man3/OpenSSL_version.pod @@ -38,8 +38,6 @@ OpenSSL_version_num, OPENSSL_info const char *OPENSSL_info(int t); -Deprecated: - /* from openssl/opensslv.h */ #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnL 
@@ -81,6 +79,25 @@ version for the headers in use is at least at the given pre-requisite major header version number (B.B) is greater than or equal to B.B. +B is a combination of the major, minor and +patch version into a single integer 0xMNN00PP0L, where: + +=over 4 + +=item M + +is the number from B, in hexadecimal notation + +=item NN + +is the number from B, in hexadecimal notation + +=item PP + +is the number from B, in hexadecimal notation + +=back + =head2 Functions OPENSSL_version_major(), OPENSSL_version_minor(), OPENSSL_version_patch(), @@ -206,35 +223,6 @@ QUIC enabled. For an unknown I, NULL is returned. -=head1 BACKWARD COMPATIBILITY - -For compatibility, some older macros and functions are retained or -synthesised. -They are all considered deprecated. - -=head2 Macros - -B is a combination of the major, minor and -patch version into a single integer 0xMNN00PP0L, where: - -=over 4 - -=item M - -is the number from B, in hexadecimal notation - -=item NN - -is the number from B, in hexadecimal notation - -=item PP - -is the number from B, in hexadecimal notation - -=back - -=head2 Functions - OpenSSL_version_num() returns the value of B. =head1 RETURN VALUES @@ -256,11 +244,11 @@ L =head1 HISTORY The macros and functions described here were added in OpenSSL 3.0, -with the exception of the L ones. +except for OPENSSL_VERSION_NUMBER and OpenSSL_version_num(). =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod b/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod index a71907b1701694..d4878f67df47ce 100644 --- a/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod +++ b/deps/openssl/openssl/doc/man3/PEM_read_bio_PrivateKey.pod 
@@ -335,7 +335,7 @@ I bytes at I are used as the passphrase and I is ignored. If the I parameters is set to NULL and the I parameter is not -NULL then the I parameter is interpreted as a null terminated string +NULL then the I parameter is interpreted as a NUL terminated string to use as the passphrase. If both I and I are NULL then the default callback routine is used which will typically prompt for the passphrase on the current terminal with echoing turned off. @@ -355,7 +355,8 @@ value as the I parameter passed to the PEM routine. It allows arbitrary data to be passed to the callback by the application (for example a window handle in a GUI application). The callback I return the number of characters in the passphrase or -1 if -an error occurred. +an error occurred. The passphrase can be arbitrary data; in the case where it +is a string, it is not NUL terminated. See the L section below. Some implementations may need to use cryptographic algorithms during their operation. If this is the case and I and I parameters have been @@ -573,7 +574,7 @@ PEM_write_bio_DHparams() and PEM_write_DHparams() were deprecated in 3.0. =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CONF_cmd.pod b/deps/openssl/openssl/doc/man3/SSL_CONF_cmd.pod index 7971d6e0b5e798..9c703e0de1d4b4 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CONF_cmd.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CONF_cmd.pod 
@@ -460,7 +460,7 @@ B: session ticket support, enabled by default. Inverse of B: that is B<-SessionTicket> is the same as setting B. -B: SSL/TLS compression support, enabled by default. Inverse +B: SSL/TLS compression support, disabled by default. Inverse of B. B: use empty fragments as a countermeasure against a @@ -496,7 +496,6 @@ Equivalent to B. B: permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to B. -Set by default. B: use encrypt-then-mac extension, enabled by default. Inverse of B: that is, @@ -731,9 +730,12 @@ B and B where added in OpenSSL 1.1.0. B and B were added in OpenSSL 1.1.1. +The B option is no longer set by default from +OpenSSL 3.0. + =head1 COPYRIGHT -Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_cert_verify_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_cert_verify_callback.pod index fdeeaee6d75589..be59a548cbd9ea 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_cert_verify_callback.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_cert_verify_callback.pod 
@@ -36,16 +36,18 @@ In server mode, a return value of 0 leads to handshake failure. In client mode, the behaviour is as follows. All values, including 0, are ignored if the verification mode is B. -Otherwise, when the return value is 0, the handshake will fail. - -In client mode I may also return -1, -typically on failure verifying the server certificate. -This makes the handshake suspend and return control to the calling application -with B. -The app can for instance fetch further certificates or cert status information -needed for the verification. -Calling L again resumes the connection attempt -by retrying the server certificate verification step. +Otherwise, when the return value is less than or equal to 0, the handshake will +fail. + +In client mode I may also call the L +function on the B object set in the I ex data (see +L) and return 1. This would be +typically done in case the certificate verification was not yet able +to succeed. This makes the handshake suspend and return control to the +calling application with B. The app can for +instance fetch further certificates or cert status information needed for +the verification. Calling L again resumes the connection +attempt by retrying the server certificate verification step. This process may even be repeated if need be. In any case a viable verification result value must be reflected @@ -89,11 +91,12 @@ SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. L, L, L, L, +L, L =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index aacf82a80fba79..4daf78b8d3341e 100644 
--- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -11,7 +11,7 @@ SSL_set_tmp_dh_callback, SSL_set_tmp_dh #include - long SSL_CTX_set_dh_auto(SSL *s, int onoff); + long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff); long SSL_set_dh_auto(SSL *s, int onoff); int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey); @@ -112,7 +112,7 @@ L, L =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod index e3271aff01a844..abf1740e361e67 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod 
@@ -44,6 +44,21 @@ L. Within the callback function, B can be called to get the data index of the current SSL object that is doing the verification. +In client mode B may also call the L +function on the B object set in the I ex data (see +L) and return 1. +This would be typically done in case the certificate verification was not yet +able to succeed. +This makes the handshake suspend and return control to the calling application +with B. +The application can for instance fetch further certificates or cert status +information needed for the verification. +Note that the handshake may still be aborted if a subsequent invocation of the +callback (e.g. at a lower depth, or for a separate error condition) returns 0. +Calling L again resumes the connection attempt by retrying the +server certificate verification step. +This process may even be repeated if need be. + SSL_CTX_set_verify_depth() sets the maximum B for the certificate chain verification that shall be allowed for B. @@ -348,7 +363,7 @@ and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_get_certificate.pod b/deps/openssl/openssl/doc/man3/SSL_get_certificate.pod new file mode 100644 index 00000000000000..a57917c8133914 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/SSL_get_certificate.pod 
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+SSL_get_certificate, SSL_get_privatekey - retrieve TLS/SSL certificate and
+private key
+
+=head1 SYNOPSIS
+
+ #include
+
+ X509 *SSL_get_certificate(const SSL *s);
+ EVP_PKEY *SSL_get_privatekey(const SSL *s);
+
+=head1 DESCRIPTION
+
+SSL_get_certificate() returns a pointer to an B object representing a
+certificate used as the local peer's identity.
+
+Multiple certificates can be configured; for example, a server might have both
+RSA and ECDSA certificates. The certificate which is returned by
+SSL_get_certificate() is determined as follows:
+
+=over 4
+
+=item
+
+If it is called before certificate selection has occurred, it returns the most
+recently added certificate, or NULL if no certificate has been added.
+
+=item
+
+After certificate selection has occurred, it returns the certificate which was
+selected during the handshake, or NULL if no certificate was selected (for
+example, on a client where no client certificate is in use).
+
+=back
+
+Certificate selection occurs during the handshake; therefore, the value returned
+by SSL_get_certificate() during any callback made during the handshake process
+will depend on whether that callback is made before or after certificate
+selection occurs.
+
+A specific use for SSL_get_certificate() is inside a callback set via a call to
+L. This callback occurs after certificate
+selection, where it can be used to examine a server's chosen certificate, for
+example for the purpose of identifying a certificate's OCSP responder URL so
+that an OCSP response can be obtained.
+
+SSL_get_privatekey() returns a pointer to the B object corresponding
+to the certificate returned by SSL_get_certificate(), if any.
+
+=head1 RETURN VALUES
+
+These functions return pointers to their respective objects, or NULL if no such
+object is available. Returned objects are owned by the SSL object and should not
+be freed by users of these functions.
+
+=head1 SEE ALSO
+
+L, L
+
+=head1 COPYRIGHT
+
+Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L.
+
+=cut
+
diff --git a/deps/openssl/openssl/doc/man3/SSL_set_retry_verify.pod b/deps/openssl/openssl/doc/man3/SSL_set_retry_verify.pod
new file mode 100644
index 00000000000000..4eb7f449ed592f
--- /dev/null
+++ b/deps/openssl/openssl/doc/man3/SSL_set_retry_verify.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SSL_set_retry_verify - indicate that certificate verification should be retried
+
+=head1 SYNOPSIS
+
+ #include
+
+ int SSL_set_retry_verify(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_set_retry_verify() should be called from the certificate verification
+callback on a client when the application wants to indicate that the handshake
+should be suspended and the control should be returned to the application.
+L will return 1 as a consequence until the handshake
+is resumed again by the application, retrying the verification step.
+
+Please refer to L for further details.
+
+=head1 NOTES
+
+The effect of calling SSL_set_retry_verify() outside of the certificate
+verification callback on the client side is undefined.
+
+=head1 RETURN VALUES
+
+SSL_set_retry verify() returns 1 on success, 0 otherwise.
+
+=head1 EXAMPLES
+
+The following code snippet shows how to obtain the B object associated
+with the B to call the SSL_set_retry_verify() function:
+
+ int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+ SSL *ssl;
+
+ /* this should not happen but check anyway */
+ if (idx < 0
+ || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
+ return 0;
+
+ if (/* we need to retry verification callback */)
+ return SSL_set_retry_verify(ssl);
+
+ /* do normal processing of the verification callback */
+
+=head1 SEE ALSO
+
+L, L, L,
+L
+
+=head1 HISTORY
+
+SSL_set_retry_verify() was added in OpenSSL 3.0.2 to replace backwards
+incompatible handling of a negative return value from the verification
+callback.
+
+=head1 COPYRIGHT
+
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L.
+
+=cut
diff --git a/deps/openssl/openssl/doc/man3/SSL_want.pod b/deps/openssl/openssl/doc/man3/SSL_want.pod
index 831094ae0a6987..1d274fd342a236 100644
--- a/deps/openssl/openssl/doc/man3/SSL_want.pod +++ b/deps/openssl/openssl/doc/man3/SSL_want.pod @@ -70,8 +70,8 @@ A call to L should return B. =item SSL_RETRY_VERIFY -The operation did not complete because an application callback set by -SSL_CTX_set_cert_verify_callback() has asked to be called again. +The operation did not complete because a certificate verification callback +has asked to be called again via L. A call to L should return B. =item SSL_ASYNC_PAUSED @@ -110,7 +110,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509V3_get_d2i.pod b/deps/openssl/openssl/doc/man3/X509V3_get_d2i.pod index 981eab14b87416..7c3b2c960432b2 100644 --- a/deps/openssl/openssl/doc/man3/X509V3_get_d2i.pod +++ b/deps/openssl/openssl/doc/man3/X509V3_get_d2i.pod @@ -2,11 +2,12 @@ =head1 NAME -X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, -X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, -X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, -X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions +X509_get_ext_d2i, X509_add1_ext_i2d, +X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, +X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, +X509_get0_extensions, X509_CRL_get0_extensions, +X509_REVOKED_get0_extensions - X509 extension decode and encode functions =head1 SYNOPSIS 
@@ -38,37 +39,37 @@ X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions =head1 DESCRIPTION -X509V3_get_ext_d2i() looks for an extension with OID B in the extensions -B and, if found, decodes it. If B is B then only one +X509V3_get_d2i() looks for an extension with OID I in the extensions +I and, if found, decodes it. If I is NULL then only one occurrence of an extension is permissible otherwise the first extension after -index B<*idx> is returned and B<*idx> updated to the location of the extension. -If B is not B then B<*crit> is set to a status value: -2 if the -extension occurs multiple times (this is only returned if B is B), +index I<*idx> is returned and I<*idx> updated to the location of the extension. +If I is not NULL then I<*crit> is set to a status value: -2 if the +extension occurs multiple times (this is only returned if I is NULL), -1 if the extension could not be found, 0 if the extension is found and is not critical and 1 if critical. A pointer to an extension specific structure -or B is returned. +or NULL is returned. -X509V3_add1_i2d() adds extension B to STACK B<*x> (allocating a new -STACK if necessary) using OID B and criticality B according -to B. +X509V3_add1_i2d() adds extension I to STACK I<*x> (allocating a new +STACK if necessary) using OID I and criticality I according +to I. X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension -B and returns a pointer to an extension specific structure or B +I and returns a pointer to an extension specific structure or NULL if the extension could not be decoded (invalid syntax or not supported). -X509V3_EXT_i2d() encodes the extension specific structure B -with OID B and criticality B. +X509V3_EXT_i2d() encodes the extension specific structure I +with OID I and criticality I. 
X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of -certificate B, they are otherwise identical to X509V3_get_d2i() and +certificate I, they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions -of CRL B, they are otherwise identical to X509V3_get_d2i() and +of CRL I, they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the -extensions of B structure B (i.e for CRL entry extensions), +extensions of B structure I (i.e for CRL entry extensions), they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_get0_extensions(), X509_CRL_get0_extensions() and @@ -78,9 +79,9 @@ of a certificate a CRL or a CRL entry respectively. =head1 NOTES In almost all cases an extension can occur at most once and multiple -occurrences is an error. Therefore, the B parameter is usually B. +occurrences is an error. Therefore, the I parameter is usually NULL. -The B parameter may be one of the following values. +The I parameter may be one of the following values. B appends a new extension only if the extension does not already exist. An error is returned if the extension does already 
@@ -99,14 +100,15 @@ B appends a new extension only if the extension does not already exist. An error B returned if the extension does already exist. -B extension B is deleted: no new extension is added. +B extension I is deleted: no new extension is added. -If B is ored with B: any error returned will not +If B is ored with I: any error returned will not be added to the error queue. -The function X509V3_get_d2i() will return B if the extension is not +The function X509V3_get_d2i() and its variants +will return NULL if the extension is not found, occurs multiple times or cannot be decoded. It is possible to -determine the precise reason by checking the value of B<*crit>. +determine the precise reason by checking the value of I<*crit>. =head1 SUPPORTED EXTENSIONS @@ -195,17 +197,17 @@ The following extensions are used by certificate transparency, RFC6962 =head1 RETURN VALUES -X509V3_EXT_d2i() and *X509V3_get_d2i() return a pointer to an extension -specific structure or B if an error occurs. +X509V3_get_d2i(), its variants, and X509V3_EXT_d2i() return +a pointer to an extension specific structure or NULL if an error occurs. -X509V3_EXT_i2d() returns a pointer to an B structure -or B if an error occurs. - -X509V3_add1_i2d() returns 1 if the operation is successful and 0 if it -fails due to a non-fatal error (extension not found, already exists, +X509V3_add1_i2d() and its variants return 1 if the operation is successful +and 0 if it fails due to a non-fatal error (extension not found, already exists, cannot be encoded) or -1 due to a fatal error such as a memory allocation failure. +X509V3_EXT_i2d() returns a pointer to an B structure +or NULL if an error occurs. + X509_get0_extensions(), X509_CRL_get0_extensions() and X509_REVOKED_get0_extensions() return a stack of extensions. They return NULL if no extensions are present. 
@@ -231,7 +233,7 @@ L =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_new.pod b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_new.pod index 56a36bfecdc1f7..69f763dcdc04a8 100644 --- a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_new.pod +++ b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_new.pod @@ -11,7 +11,10 @@ X509_STORE_CTX_get_num_untrusted, X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain, X509_STORE_CTX_set_default, X509_STORE_CTX_set_verify, -X509_STORE_CTX_verify_fn +X509_STORE_CTX_verify_fn, +X509_STORE_CTX_set_purpose, +X509_STORE_CTX_set_trust, +X509_STORE_CTX_purpose_inherit - X509_STORE_CTX initialisation =head1 SYNOPSIS @@ -45,6 +48,11 @@ X509_STORE_CTX_verify_fn typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify); + int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); + int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); + int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, + int purpose, int trust); + =head1 DESCRIPTION These functions initialise an B structure for subsequent use 
@@ -155,6 +163,65 @@ following signature: This function should receive the current X509_STORE_CTX as a parameter and return 1 on success or 0 on failure. +X509 certificates may contain information about what purposes keys contained +within them can be used for. For example "TLS WWW Server Authentication" or +"Email Protection". This "key usage" information is held internally to the +certificate itself. In addition the trust store containing trusted certificates +can declare what purposes we trust different certificates for. This "trust" +information is not held within the certificate itself but is "meta" information +held alongside it. This "meta" information is associated with the certificate +after it is issued and could be determined by a system administrator. For +example a certificate might declare that it is suitable for use for both +"TLS WWW Server Authentication" and "TLS Client Authentication", but a system +administrator might only trust it for the former. An X.509 certificate extension +exists that can record extended key usage information to supplement the purpose +information described above. This extended mechanism is arbitrarily extensible +and not well suited for a generic library API; applications that need to +validate extended key usage information in certifiates will need to define a +custom "purpose" (see below) or supply a nondefault verification callback +(L). + +X509_STORE_CTX_set_purpose() sets the purpose for the target certificate being +verified in the I. Built-in available values for the I argument +are B, B, +B, B, +B, B, B, +B and B. It is also +possible to create a custom purpose value. Setting a purpose will ensure that +the key usage declared within certificates in the chain being verified is +consistent with that purpose as well as, potentially, other checks. Every +purpose also has an associated default trust value which will also be set at the +same time. 
During verification this trust setting will be verified to check it +is consistent with the trust set by the system administrator for certificates in +the chain. + +X509_STORE_CTX_set_trust() sets the trust value for the target certificate +being verified in the I. Built-in available values for the I +argument are B, B, +B, B, B, +B, B and B. It is +also possible to create a custom trust value. Since X509_STORE_CTX_set_purpose() +also sets the trust value it is normally sufficient to only call that function. +If both are called then X509_STORE_CTX_set_trust() should be called after +X509_STORE_CTX_set_purpose() since the trust setting of the last call will be +used. + +It should not normally be necessary for end user applications to call +X509_STORE_CTX_purpose_inherit() directly. Typically applications should call +X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this +function it is possible to set the purpose and trust values for the I at +the same time. The I and I arguments can have the same +purpose values as described for X509_STORE_CTX_set_purpose() above. The I +argument can have the same trust values as described in +X509_STORE_CTX_set_trust() above. Any of the I, I or +I values may also have the value 0 to indicate that the supplied +parameter should be ignored. After calling this function the purpose to be used +for verification is set from the I argument, and the trust is set from +the I argument. If I is 0 then the trust value will be set from +the default trust value for I. If the default trust value for the +purpose is I and I is 0 then the default trust value +associated with the I value is used for the trust setting instead. + =head1 NOTES The certificates and CRLs in a store are used internally and should B 
@@ -202,7 +269,7 @@ There is no need to call X509_STORE_CTX_cleanup() explicitly since OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 1213627be7f45a..5c0ca3075b3835 100644 --- a/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -249,8 +249,8 @@ certificate. An error occurs if a suitable CRL cannot be found. B enables CRL checking for the entire certificate chain. -B disabled critical extension checking. By default -any unhandled critical extensions in certificates or (if checked) CRLs results +B disables critical extension checking. By default +any unhandled critical extensions in certificates or (if checked) CRLs result in a fatal error. If this flag is set unhandled critical extensions are ignored. B setting this option for anything other than debugging purposes can be a security risk. Finer control over which extensions are @@ -401,7 +401,7 @@ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_check_host.pod b/deps/openssl/openssl/doc/man3/X509_check_host.pod index 9002fb22e61d6f..0156194c9915e1 100644 --- a/deps/openssl/openssl/doc/man3/X509_check_host.pod +++ b/deps/openssl/openssl/doc/man3/X509_check_host.pod 
@@ -62,7 +62,8 @@ X509_check_ip() checks if the certificate matches a specified IPv4 or IPv6 address. The B

array is in binary format, in network byte order. The length is either 4 (IPv4) or 16 (IPv6). Only explicitly marked addresses in the certificates are considered; IP -addresses stored in DNS names and Common Names are ignored. +addresses stored in DNS names and Common Names are ignored. There are +currently no B that would affect the behavior of this call. X509_check_ip_asc() is similar, except that the NUL-terminated string B
is first converted to the internal representation. @@ -153,7 +154,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_verify_cert.pod b/deps/openssl/openssl/doc/man3/X509_verify_cert.pod index a14a0b25c4885f..d54acfdb0bd47a 100644 --- a/deps/openssl/openssl/doc/man3/X509_verify_cert.pod +++ b/deps/openssl/openssl/doc/man3/X509_verify_cert.pod @@ -52,9 +52,7 @@ A negative return value from X509_verify_cert() can occur if it is invoked incorrectly, such as with no certificate set in I, or when it is called twice in succession without reinitialising I for the second call. A negative return value can also happen due to internal resource problems -or because an internal inconsistency has been detected -or if a retry operation is requested during internal lookups -(which never happens with standard lookup methods). +or because an internal inconsistency has been detected. Applications must interpret any return value <= 0 as an error. The X509_STORE_CTX_verify() behaves like X509_verify_cert() except that its @@ -91,7 +89,7 @@ X509_build_chain() and X509_STORE_CTX_verify() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-DH.pod b/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-DH.pod index fc38531ae9d9a8..a6927afefb24e9 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-DH.pod 
+++ b/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-DH.pod @@ -15,20 +15,40 @@ Key exchange support for the B key type. =item "pad" (B) +Sets the padding mode for the associated key exchange ctx. +Setting a value of 1 will turn padding on. +Setting a value of 0 will turn padding off. +If padding is off then the derived shared secret may be smaller than the +largest possible secret size. +If padding is on then the derived shared secret will have its first bytes +filled with zeros where necessary to make the shared secret the same size as +the largest possible secret size. +The padding mode parameter is ignored (and padding implicitly enabled) when +the KDF type is set to "X942KDF-ASN1" (B). + +=item "kdf-type" (B) + +See L. + +=item "kdf-digest" (B) + +See L. + +=item "kdf-digest-props" (B) + +See L. + +=item "kdf-outlen" (B) + See L. =item "kdf-ukm" (B) -Sets the User Key Material to be used as part of the selected Key Derivation -Function associated with the given key exchange ctx. +See L. -=item "kdf-ukm" (B) +=item "cekalg" (B) -Gets a pointer to the User Key Material to be used as part of the selected -Key Derivation Function associated with the given key exchange ctx. Providers -usually do not need to support this gettable parameter as its sole purpose -is to support functionality of the deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() -function. +See L. =back @@ -58,6 +78,7 @@ To convert the received peer's public key from DER format on the host: To derive a shared secret on the host using the host's key and the peer's public key: + /* It is assumed that the host_key and peer_pub_key are set up */ void derive_secret(EVP_KEY *host_key, EVP_PKEY *peer_pub_key) { 
@@ -101,7 +122,7 @@ L, =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod b/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod index a710625f223133..3d630d91bf65ff 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -33,38 +33,23 @@ per-key basis. =item "kdf-type" (B) -Sets or gets the Key Derivation Function type to apply within the associated key -exchange ctx. +See L. =item "kdf-digest" (B) -Sets or gets the Digest algorithm to be used as part of the Key Derivation Function -associated with the given key exchange ctx. +See L. =item "kdf-digest-props" (B) -Sets properties to be used upon look up of the implementation for the selected -Digest algorithm for the Key Derivation Function associated with the given key -exchange ctx. +See L. =item "kdf-outlen" (B) -Sets or gets the desired size for the output of the chosen Key Derivation Function -associated with the given key exchange ctx. -The length of the "kdf-outlen" parameter should not exceed that of a B. +See L. =item "kdf-ukm" (B) -Sets the User Key Material to be used as part of the selected Key Derivation -Function associated with the given key exchange ctx. - -=item "kdf-ukm" (B) - -Gets a pointer to the User Key Material to be used as part of the selected -Key Derivation Function associated with the given key exchange ctx. Providers -usually do not need to support this gettable parameter as its sole purpose -is to support functionality of the deprecated EVP_PKEY_CTX_get0_ecdh_kdf_ukm() -function. +See L. =back 
@@ -88,7 +73,7 @@ key but also using X963KDF with a user key material: size_t secret_len = out_len; unsigned int pad = 1; OSSL_PARAM params[6]; - EVP_PKET_CTX *dctx = EVP_PKEY_CTX_new_from_pkey(NULL, host_key, NULL); + EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_new_from_pkey(NULL, host_key, NULL); EVP_PKEY_derive_init(dctx); @@ -122,7 +107,7 @@ L, =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/EVP_MD-BLAKE2.pod b/deps/openssl/openssl/doc/man7/EVP_MD-BLAKE2.pod index be3b0b9286e738..f72d3da1ce8e13 100644 --- a/deps/openssl/openssl/doc/man7/EVP_MD-BLAKE2.pod +++ b/deps/openssl/openssl/doc/man7/EVP_MD-BLAKE2.pod @@ -6,7 +6,7 @@ EVP_MD-BLAKE2 - The BLAKE2 EVP_MD implementation =head1 DESCRIPTION -Support for computing SHA2 digests through the B API. +Support for computing BLAKE2 digests through the B API. =head2 Identities @@ -36,7 +36,7 @@ L, L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/crypto.pod b/deps/openssl/openssl/doc/man7/crypto.pod index 2b09ad8903a21e..d6c80fbf754de2 100644 --- a/deps/openssl/openssl/doc/man7/crypto.pod +++ b/deps/openssl/openssl/doc/man7/crypto.pod @@ -380,6 +380,7 @@ encryption/decryption, signatures, message authentication codes, etc. #include #include #include + #include int main(void) { 
@@ -390,6 +391,7 @@ encryption/decryption, signatures, message authentication codes, etc. }; unsigned int len = 0; unsigned char *outdigest = NULL; + int ret = 1; /* Create a context for the digest operation */ ctx = EVP_MD_CTX_new(); @@ -430,11 +432,16 @@ encryption/decryption, signatures, message authentication codes, etc. /* Print out the digest result */ BIO_dump_fp(stdout, outdigest, len); + ret = 0; + err: /* Clean up all the resources we allocated */ OPENSSL_free(outdigest); EVP_MD_free(sha256); EVP_MD_CTX_free(ctx); + if (ret != 0) + ERR_print_errors_fp(stderr); + return ret; } =head1 CONFIGURATION @@ -497,7 +504,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/provider-base.pod b/deps/openssl/openssl/doc/man7/provider-base.pod index f928934ab71e64..2696cf7195f825 100644 --- a/deps/openssl/openssl/doc/man7/provider-base.pod +++ b/deps/openssl/openssl/doc/man7/provider-base.pod @@ -277,8 +277,9 @@ function L, except that the objects are identified by name rather than a numeric NID. Any name (OID, short name or long name) can be used to identify the object. It will treat as success the case where the composite signature algorithm already exists (even if registered against a different -underlying signature or digest algorithm). It returns 1 on success or 0 on -failure. +underlying signature or digest algorithm). For I, NULL or an +empty string is permissible for signature algorithms that do not need a digest +to operate correctly. The function returns 1 on success or 0 on failure. This function is not thread safe. CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_free(), CRYPTO_clear_free(), 
diff --git a/deps/openssl/openssl/doc/man7/provider-keyexch.pod b/deps/openssl/openssl/doc/man7/provider-keyexch.pod
index f85f3cac508173..48d27988f5394a 100644
--- a/deps/openssl/openssl/doc/man7/provider-keyexch.pod
+++ b/deps/openssl/openssl/doc/man7/provider-keyexch.pod
@@ -170,16 +170,40 @@ as follows. =over 4 -=item "pad" (B) +=item "kdf-type" (B) -Sets the padding mode for the associated key exchange ctx. -Setting a value of 1 will turn padding on. -Setting a value of 0 will turn padding off. -If padding is off then the derived shared secret may be smaller than the largest -possible secret size. -If padding is on then the derived shared secret will have its first bytes filled -with 0s where necessary to make the shared secret the same size as the largest -possible secret size. +Sets or gets the Key Derivation Function type to apply within the associated key +exchange ctx. + +=item "kdf-digest" (B) + +Sets or gets the Digest algorithm to be used as part of the Key Derivation Function +associated with the given key exchange ctx. + +=item "kdf-digest-props" (B) + +Sets properties to be used upon look up of the implementation for the selected +Digest algorithm for the Key Derivation Function associated with the given key +exchange ctx. + +=item "kdf-outlen" (B) + +Sets or gets the desired size for the output of the chosen Key Derivation Function +associated with the given key exchange ctx. +The length of the "kdf-outlen" parameter should not exceed that of a B. + +=item "kdf-ukm" (B) + +Sets the User Key Material to be used as part of the selected Key Derivation +Function associated with the given key exchange ctx. + +=item "kdf-ukm" (B) + +Gets a pointer to the User Key Material to be used as part of the selected +Key Derivation Function associated with the given key exchange ctx. Providers +usually do not need to support this gettable parameter as its sole purpose +is to support functionality of the deprecated EVP_PKEY_CTX_get0_ecdh_kdf_ukm() +and EVP_PKEY_CTX_get0_dh_kdf_ukm() functions. =back 
@@ -205,7 +229,7 @@ The provider KEYEXCH interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/fuzz/asn1.c b/deps/openssl/openssl/fuzz/asn1.c index 8ce9a57c255dff..69978cd0543664 100644 --- a/deps/openssl/openssl/fuzz/asn1.c +++ b/deps/openssl/openssl/fuzz/asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -218,8 +218,10 @@ static ASN1_PCTX *pctx; int len2; \ BIO *bio = BIO_new(BIO_s_null()); \ \ - PRINT(bio, type); \ - BIO_free(bio); \ + if (bio != NULL) { \ + PRINT(bio, type); \ + BIO_free(bio); \ + } \ len2 = I2D(type, &der); \ if (len2 != 0) {} \ OPENSSL_free(der); \ @@ -235,8 +237,10 @@ static ASN1_PCTX *pctx; if (type != NULL) { \ BIO *bio = BIO_new(BIO_s_null()); \ \ - PRINT(bio, type, 0); \ - BIO_free(bio); \ + if (bio != NULL) { \ + PRINT(bio, type, 0); \ + BIO_free(bio); \ + } \ I2D(type, &der); \ OPENSSL_free(der); \ TYPE ## _free(type); \ @@ -251,8 +255,10 @@ static ASN1_PCTX *pctx; if (type != NULL) { \ BIO *bio = BIO_new(BIO_s_null()); \ \ - PRINT(bio, type, 0, pctx); \ - BIO_free(bio); \ + if (bio != NULL) { \ + PRINT(bio, type, 0, pctx); \ + BIO_free(bio); \ + } \ I2D(type, &der); \ OPENSSL_free(der); \ TYPE ## _free(type); \ 
@@ -307,9 +313,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) if (o != NULL) { BIO *bio = BIO_new(BIO_s_null()); - - ASN1_item_print(bio, o, 4, i, pctx); - BIO_free(bio); + if (bio != NULL) { + ASN1_item_print(bio, o, 4, i, pctx); + BIO_free(bio); + } ASN1_item_i2d(o, &der, i); OPENSSL_free(der); ASN1_item_free(o, i); diff --git a/deps/openssl/openssl/fuzz/fuzz_rand.c b/deps/openssl/openssl/fuzz/fuzz_rand.c index 5bd343d8ae999a..6d160b09211095 100644 --- a/deps/openssl/openssl/fuzz/fuzz_rand.c +++ b/deps/openssl/openssl/fuzz/fuzz_rand.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -146,6 +146,8 @@ static int fuzz_rand_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH **out, void **provctx) { *provctx = OSSL_LIB_CTX_new(); + if (*provctx == NULL) + return 0; *out = fuzz_rand_method; return 1; } diff --git a/deps/openssl/openssl/fuzz/oids.txt b/deps/openssl/openssl/fuzz/oids.txt index f0dbc30fc3b88a..36c79212bb755e 100644 --- a/deps/openssl/openssl/fuzz/oids.txt +++ b/deps/openssl/openssl/fuzz/oids.txt @@ -1,7 +1,7 @@ # WARNING: do not edit! # Generated by fuzz/mkfuzzoids.pl # -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/include/crypto/bn_conf.h b/deps/openssl/openssl/include/crypto/bn_conf.h deleted file mode 100644 index 79400c6472a49c..00000000000000 --- a/deps/openssl/openssl/include/crypto/bn_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bn_conf.h" 
diff --git a/deps/openssl/openssl/include/crypto/dh.h b/deps/openssl/openssl/include/crypto/dh.h index f6be4ae006af15..51232d18c2446b 100644 --- a/deps/openssl/openssl/include/crypto/dh.h +++ b/deps/openssl/openssl/include/crypto/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,9 +32,10 @@ int ossl_dh_is_named_safe_prime_group(const DH *dh); FFC_PARAMS *ossl_dh_get0_params(DH *dh); int ossl_dh_get0_nid(const DH *dh); int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]); -int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[]); +int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[], int include_private); int ossl_dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); -int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); +int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], + int include_private); DH *ossl_dh_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, OSSL_LIB_CTX *libctx, const char *propq); int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); diff --git a/deps/openssl/openssl/include/crypto/dsa.h b/deps/openssl/openssl/include/crypto/dsa.h index eedbd8c7d1049e..260c30fa4b0ffd 100644 --- a/deps/openssl/openssl/include/crypto/dsa.h +++ b/deps/openssl/openssl/include/crypto/dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
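Review bot: The new `int include_private` argument on `ossl_dh_key_fromdata()` and `ossl_dh_key_todata()` in include/crypto/dh.h is added without a comment saying what zero and non-zero select. A caller that passes the wrong constant would presumably import or export private key material, and the header gives no hint of that. The same bare flag is added to `ossl_dsa_key_fromdata()` in include/crypto/dsa.h and to `ossl_rsa_todata()` and `ossl_rsa_fromdata()` in include/crypto/rsa.h. I would add one line above each prototype, for example `/* include_private: non-zero to also handle the private key component, 0 for public-only */`, worded to match the implementations, which are outside these hunks.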
@@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#ifndef OSSL_CRYPTO_DSAERR_H -# define OSSL_CRYPTO_DSAERR_H +#ifndef OSSL_CRYPTO_DSA_H +# define OSSL_CRYPTO_DSA_H # pragma once # include @@ -30,7 +30,8 @@ int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen, FFC_PARAMS *ossl_dsa_get0_params(DSA *dsa); int ossl_dsa_ffc_params_fromdata(DSA *dsa, const OSSL_PARAM params[]); -int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]); +int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[], + int include_private); DSA *ossl_dsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/deps/openssl/openssl/include/crypto/dso_conf.h b/deps/openssl/openssl/include/crypto/dso_conf.h deleted file mode 100644 index e7f2afa9872320..00000000000000 --- a/deps/openssl/openssl/include/crypto/dso_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/dso_conf.h" diff --git a/deps/openssl/openssl/include/crypto/evp.h b/deps/openssl/openssl/include/crypto/evp.h index c5d3a930f74977..206ac2633766af 100644 --- a/deps/openssl/openssl/include/crypto/evp.h +++ b/deps/openssl/openssl/include/crypto/evp.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -900,7 +900,7 @@ int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq, int loadconfig, int mirrored); char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig); -void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force); +void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force, int keep_digest); /* Three possible states: */ # define EVP_PKEY_STATE_UNKNOWN 0 
diff --git a/deps/openssl/openssl/include/crypto/pem.h b/deps/openssl/openssl/include/crypto/pem.h index 840dc18f064460..2cb4253d6a1462 100644 --- a/deps/openssl/openssl/include/crypto/pem.h +++ b/deps/openssl/openssl/include/crypto/pem.h @@ -1,7 +1,7 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/include/crypto/rsa.h b/deps/openssl/openssl/include/crypto/rsa.h index 100e7ceb0590a6..949873d0ee38b7 100644 --- a/deps/openssl/openssl/include/crypto/rsa.h +++ b/deps/openssl/openssl/include/crypto/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -65,8 +65,9 @@ int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, int ossl_rsa_is_foreign(const RSA *rsa); RSA *ossl_rsa_dup(const RSA *rsa, int selection); -int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); -int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[]); +int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], + int include_private); +int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private); int ossl_rsa_pss_params_30_todata(const RSA_PSS_PARAMS_30 *pss, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]); int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params, 
diff --git a/deps/openssl/openssl/include/internal/bio.h b/deps/openssl/openssl/include/internal/bio.h index 2d36a7b980f2f1..547a73d02d4ee4 100644 --- a/deps/openssl/openssl/include/internal/bio.h +++ b/deps/openssl/openssl/include/internal/bio.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -48,9 +48,9 @@ int bread_conv(BIO *bio, char *data, size_t datal, size_t *read); * BIO_FLAGS_KTLS_TX_CTRL_MSG means we are about to send a ctrl message next. * BIO_FLAGS_KTLS_RX means we are using ktls with this BIO for receiving. */ -# define BIO_FLAGS_KTLS_TX 0x800 # define BIO_FLAGS_KTLS_TX_CTRL_MSG 0x1000 # define BIO_FLAGS_KTLS_RX 0x2000 +# define BIO_FLAGS_KTLS_TX 0x4000 /* KTLS related controls and flags */ # define BIO_set_ktls_flag(b, is_tx) \ diff --git a/deps/openssl/openssl/include/internal/sockets.h b/deps/openssl/openssl/include/internal/sockets.h index 6e882fa6aafdf2..4701eb7e0e483a 100644 --- a/deps/openssl/openssl/include/internal/sockets.h +++ b/deps/openssl/openssl/include/internal/sockets.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,6 +32,8 @@ # include # include # include +# include +# include # elif defined(_WIN32_WCE) && _WIN32_WCE<410 # define getservbyname _masked_declaration_getservbyname # endif diff --git a/deps/openssl/openssl/include/internal/tsan_assist.h b/deps/openssl/openssl/include/internal/tsan_assist.h index f8285b1d8518dd..60ecbd5f04f309 100644 
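Review bot: The renumbered `BIO_FLAGS_KTLS_TX` in include/internal/bio.h has no comment tying it to the public flag space, so the overlap this change removes could return unnoticed. The old value 0x800 is also `BIO_FLAGS_IN_EOF` in include/openssl/bio.h.in. That public header now notes that 0x1000 to 0x4000 are reserved for KTLS, but nothing beside the internal defines points back to it. I would add above the three defines `/* Must stay within 0x1000-0x4000, reserved in <openssl/bio.h>; 0x800 is BIO_FLAGS_IN_EOF */`. The comment block that precedes the defines starts outside the hunk.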
--- a/deps/openssl/openssl/include/internal/tsan_assist.h +++ b/deps/openssl/openssl/include/internal/tsan_assist.h @@ -1,5 +1,5 @@ /* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -130,7 +130,13 @@ #ifndef TSAN_QUALIFIER -# define TSAN_QUALIFIER volatile +# ifdef OPENSSL_THREADS +# define TSAN_QUALIFIER volatile +# define TSAN_REQUIRES_LOCKING +# else /* OPENSSL_THREADS */ +# define TSAN_QUALIFIER +# endif /* OPENSSL_THREADS */ + # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) # define tsan_counter(ptr) ((*(ptr))++) diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h deleted file mode 100644 index cd9fc7cc706c37..00000000000000 --- a/deps/openssl/openssl/include/openssl/asn1.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1.h" diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h deleted file mode 100644 index 6ff4f574949bbd..00000000000000 --- a/deps/openssl/openssl/include/openssl/asn1t.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1t.h" diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h deleted file mode 100644 index dcece3cb4d6ebf..00000000000000 --- a/deps/openssl/openssl/include/openssl/bio.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bio.h" diff --git a/deps/openssl/openssl/include/openssl/bio.h.in b/deps/openssl/openssl/include/openssl/bio.h.in index 2c65b7e1a79b08..9c3a868aae62ec 100644 --- a/deps/openssl/openssl/include/openssl/bio.h.in +++ b/deps/openssl/openssl/include/openssl/bio.h.in 
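Review bot: `TSAN_REQUIRES_LOCKING` is introduced in the fallback branch of include/internal/tsan_assist.h without a comment. It is the only signal that the `tsan_load`, `tsan_store` and `tsan_counter` macros defined just below are plain, non-atomic accesses. Code using these macros presumably has to test it and take a lock in threaded builds, though that use is outside the hunk. I would document it at the define, e.g. `/* fallback macros below are not atomic: hold a lock when TSAN_REQUIRES_LOCKING is defined */`. The enclosing `#ifndef TSAN_QUALIFIER` block continues past the hunk.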
@@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -209,6 +209,8 @@ extern "C" { # define BIO_FLAGS_NONCLEAR_RST 0x400 # define BIO_FLAGS_IN_EOF 0x800 +/* the BIO FLAGS values 0x1000 to 0x4000 are reserved for internal KTLS flags */ + typedef union bio_addr_st BIO_ADDR; typedef struct bio_addrinfo_st BIO_ADDRINFO; diff --git a/deps/openssl/openssl/include/openssl/cmp.h b/deps/openssl/openssl/include/openssl/cmp.h deleted file mode 100644 index 7c8a6dc96fc360..00000000000000 --- a/deps/openssl/openssl/include/openssl/cmp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cmp.h" diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h deleted file mode 100644 index 33a00775c9fa76..00000000000000 --- a/deps/openssl/openssl/include/openssl/cms.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cms.h" diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h deleted file mode 100644 index 2712886cafcd78..00000000000000 --- a/deps/openssl/openssl/include/openssl/conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/conf.h" diff --git a/deps/openssl/openssl/include/openssl/configuration.h b/deps/openssl/openssl/include/openssl/configuration.h deleted file mode 100644 index 8ffad996047c5e..00000000000000 --- a/deps/openssl/openssl/include/openssl/configuration.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/configuration.h" diff --git a/deps/openssl/openssl/include/openssl/crmf.h b/deps/openssl/openssl/include/openssl/crmf.h deleted file mode 100644 index 4103852ecb21c2..00000000000000 --- a/deps/openssl/openssl/include/openssl/crmf.h +++ /dev/null 
@@ -1 +0,0 @@ -#include "../../../config/crmf.h" diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h deleted file mode 100644 index 6d0e701ebd3c19..00000000000000 --- a/deps/openssl/openssl/include/openssl/crypto.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crypto.h" diff --git a/deps/openssl/openssl/include/openssl/crypto.h.in b/deps/openssl/openssl/include/openssl/crypto.h.in index 724e2ca5da792a..c56885d2d6ffd2 100644 --- a/deps/openssl/openssl/include/openssl/crypto.h.in +++ b/deps/openssl/openssl/include/openssl/crypto.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -125,7 +125,7 @@ int CRYPTO_atomic_load(uint64_t *val, uint64_t *ret, CRYPTO_RWLOCK *lock); size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz); size_t OPENSSL_strlcat(char *dst, const char *src, size_t siz); size_t OPENSSL_strnlen(const char *str, size_t maxlen); -int OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlen, +int OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlength, const unsigned char *buf, size_t buflen, const char sep); char *OPENSSL_buf2hexstr(const unsigned char *buf, long buflen); diff --git a/deps/openssl/openssl/include/openssl/ct.h b/deps/openssl/openssl/include/openssl/ct.h deleted file mode 100644 index 7ebb84387135be..00000000000000 --- a/deps/openssl/openssl/include/openssl/ct.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ct.h" diff --git a/deps/openssl/openssl/include/openssl/ec.h b/deps/openssl/openssl/include/openssl/ec.h index f59b4f92885216..44d71932db631e 100644 --- a/deps/openssl/openssl/include/openssl/ec.h 
+++ b/deps/openssl/openssl/include/openssl/ec.h @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -20,6 +20,8 @@ # include # include +# include + # ifdef __cplusplus extern "C" { # endif @@ -1548,6 +1550,7 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify # define EVP_EC_gen(curve) \ EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, ""))) + /* strstr is used to enable type checking for the variadic string arg */ # define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \ d2i_ECParameters, x) diff --git a/deps/openssl/openssl/include/openssl/engine.h b/deps/openssl/openssl/include/openssl/engine.h index 25c3cf7c1985ba..c965800855553d 100644 --- a/deps/openssl/openssl/include/openssl/engine.h +++ b/deps/openssl/openssl/include/openssl/engine.h @@ -1,5 +1,5 @@ /* - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -801,6 +801,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id, CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \ fns->mem_fns.realloc_fn, \ fns->mem_fns.free_fn); \ + OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \ skip_cbs: \ if (!fn(e, id)) return 0; \ return 1; } diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h deleted file mode 100644 index bf482070474781..00000000000000 --- a/deps/openssl/openssl/include/openssl/err.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/err.h" 
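Review bot: The `OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL);` call added to the bind macro in include/openssl/engine.h discards its return value and has no comment explaining why atexit registration is suppressed. If initialisation fails, the macro still goes on to call `fn(e, id)`. Consider `if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL)) return 0; \` with a short comment that a dynamically loaded engine should not register its own exit handler (my reading of the intent, to be confirmed against upstream). The macro starts before the hunk, and the call sits before the `skip_cbs:` label, so it does not run on the path that jumps to that label.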
diff --git a/deps/openssl/openssl/include/openssl/ess.h b/deps/openssl/openssl/include/openssl/ess.h deleted file mode 100644 index 64cc016225119f..00000000000000 --- a/deps/openssl/openssl/include/openssl/ess.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ess.h" diff --git a/deps/openssl/openssl/include/openssl/evp.h b/deps/openssl/openssl/include/openssl/evp.h index 1850381720ca19..49e8e1df786516 100644 --- a/deps/openssl/openssl/include/openssl/evp.h +++ b/deps/openssl/openssl/include/openssl/evp.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -205,8 +205,8 @@ int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd, * don't accidentally reuse the values for other purposes. */ -# define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS - * digest in FIPS mode */ +/* This flag has no effect from openssl-3.0 onwards */ +# define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* * The following PAD options are also currently ignored in 1.0.0, digest diff --git a/deps/openssl/openssl/include/openssl/fipskey.h b/deps/openssl/openssl/include/openssl/fipskey.h deleted file mode 100644 index c012013d98d4e8..00000000000000 --- a/deps/openssl/openssl/include/openssl/fipskey.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/fipskey.h" diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h deleted file mode 100644 index 8d824f5cfe6274..00000000000000 --- a/deps/openssl/openssl/include/openssl/lhash.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/lhash.h" diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h deleted file mode 100644 index 5b13afedf36bb6..00000000000000 
--- a/deps/openssl/openssl/include/openssl/ocsp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ocsp.h" diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h deleted file mode 100644 index 078cfba40fbe73..00000000000000 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/opensslv.h" diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h deleted file mode 100644 index 2d7e2c08e99175..00000000000000 --- a/deps/openssl/openssl/include/openssl/pkcs12.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/pkcs12.h" diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h deleted file mode 100644 index b553f9d0f053b0..00000000000000 --- a/deps/openssl/openssl/include/openssl/pkcs7.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/pkcs7.h" diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h deleted file mode 100644 index 989eafb33023b9..00000000000000 --- a/deps/openssl/openssl/include/openssl/safestack.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/safestack.h" diff --git a/deps/openssl/openssl/include/openssl/self_test.h b/deps/openssl/openssl/include/openssl/self_test.h index 77c600a0d13b7c..ee4949e5a640dd 100644 --- a/deps/openssl/openssl/include/openssl/self_test.h +++ b/deps/openssl/openssl/include/openssl/self_test.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -73,10 +73,6 @@ extern "C" { # define OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND "TLS13_KDF_EXPAND" # define OSSL_SELF_TEST_DESC_RNG "RNG" -# ifdef __cplusplus -} -# endif - void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb, void *cbarg); void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, @@ -90,4 +86,7 @@ void OSSL_SELF_TEST_onbegin(OSSL_SELF_TEST *st, const char *type, int OSSL_SELF_TEST_oncorrupt_byte(OSSL_SELF_TEST *st, unsigned char *bytes); void OSSL_SELF_TEST_onend(OSSL_SELF_TEST *st, int ret); +# ifdef __cplusplus +} +# endif #endif /* OPENSSL_SELF_TEST_H */ diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h deleted file mode 100644 index 9df42dad4c3127..00000000000000 --- a/deps/openssl/openssl/include/openssl/srp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/srp.h" diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h deleted file mode 100644 index eb74ca98a9759a..00000000000000 --- a/deps/openssl/openssl/include/openssl/ssl.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ssl.h" diff --git a/deps/openssl/openssl/include/openssl/ssl.h.in b/deps/openssl/openssl/include/openssl/ssl.h.in index d0d5ad69c00e7b..cd8ecac6235a39 100644 --- a/deps/openssl/openssl/include/openssl/ssl.h.in +++ b/deps/openssl/openssl/include/openssl/ssl.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * 
@@ -1308,6 +1308,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_GET_SIGNATURE_NID 132 # define SSL_CTRL_GET_TMP_KEY 133 # define SSL_CTRL_GET_NEGOTIATED_GROUP 134 +# define SSL_CTRL_SET_RETRY_VERIFY 136 # define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_SERVER 3 @@ -2130,6 +2131,8 @@ __owur int SSL_get_ex_data_X509_STORE_CTX_idx(void); SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_PIPELINES,m,NULL) # define SSL_set_max_pipelines(ssl,m) \ SSL_ctrl(ssl,SSL_CTRL_SET_MAX_PIPELINES,m,NULL) +# define SSL_set_retry_verify(ssl) \ + (SSL_ctrl(ssl,SSL_CTRL_SET_RETRY_VERIFY,0,NULL) > 0) void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len); void SSL_set_default_read_buffer_len(SSL *s, size_t len); diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h deleted file mode 100644 index f5edb766b4fc6c..00000000000000 --- a/deps/openssl/openssl/include/openssl/ui.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ui.h" diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h deleted file mode 100644 index ed28bd68cb2474..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509.h" diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h deleted file mode 100644 index 9270a3ee09750a..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509_vfy.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509_vfy.h" diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h deleted file mode 100644 index 5629ae9a3a90af..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509v3.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509v3.h" 
diff --git a/deps/openssl/openssl/os-dep/haiku.h b/deps/openssl/openssl/os-dep/haiku.h index 7e908efaaf4004..18e8a59baf6b39 100644 --- a/deps/openssl/openssl/os-dep/haiku.h +++ b/deps/openssl/openssl/os-dep/haiku.h @@ -1,2 +1,11 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + #include #include diff --git a/deps/openssl/openssl/providers/common/der/DIGESTS.asn1 b/deps/openssl/openssl/providers/common/der/DIGESTS.asn1 index bd955df8f25233..7251a9e1367e13 100644 --- a/deps/openssl/openssl/providers/common/der/DIGESTS.asn1 +++ b/deps/openssl/openssl/providers/common/der/DIGESTS.asn1 @@ -1,3 +1,10 @@ +-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +-- +-- Licensed under the Apache License 2.0 (the "License"). You may not use +-- this file except in compliance with the License. You can obtain a copy +-- in the file LICENSE in the source distribution or at +-- https://www.openssl.org/source/license.html + -- ------------------------------------------------------------------- -- From https://tools.ietf.org/html/rfc4055#section-2.1 diff --git a/deps/openssl/openssl/providers/common/der/DSA.asn1 b/deps/openssl/openssl/providers/common/der/DSA.asn1 index 84b677a40f5bf1..2c90294aefadf1 100644 --- a/deps/openssl/openssl/providers/common/der/DSA.asn1 +++ b/deps/openssl/openssl/providers/common/der/DSA.asn1 
@@ -1,3 +1,10 @@
+-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License"). You may not use
+-- this file except in compliance with the License. You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
 -- -------------------------------------------------------------------
 -- Taken from RFC 3279, 3 ASN.1 Module
 -- (https://www.rfc-editor.org/rfc/rfc3279.html#section-3)
diff --git a/deps/openssl/openssl/providers/common/der/EC.asn1 b/deps/openssl/openssl/providers/common/der/EC.asn1
index d55a69273f4bcf..417103b81b8326 100644
--- a/deps/openssl/openssl/providers/common/der/EC.asn1
+++ b/deps/openssl/openssl/providers/common/der/EC.asn1
@@ -1,3 +1,10 @@
+-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License"). You may not use
+-- this file except in compliance with the License. You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
 -- -------------------------------------------------------------------
 -- Taken from RFC 3279, 3 ASN.1 Module
 -- (https://www.rfc-editor.org/rfc/rfc3279.html#section-3)
diff --git a/deps/openssl/openssl/providers/common/der/ECX.asn1 b/deps/openssl/openssl/providers/common/der/ECX.asn1
index 72d1b451ae5cf7..be258044be97cd 100644
--- a/deps/openssl/openssl/providers/common/der/ECX.asn1
+++ b/deps/openssl/openssl/providers/common/der/ECX.asn1
@@ -1,3 +1,9 @@
+-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License"). You may not use
+-- this file except in compliance with the License. You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
 -- -------------------------------------------------------------------
 -- Taken from RFC 8410, 9 ASN.1 Module
diff --git a/deps/openssl/openssl/providers/common/der/NIST.asn1 b/deps/openssl/openssl/providers/common/der/NIST.asn1
index 3e43848495f216..eafac387934793 100644
--- a/deps/openssl/openssl/providers/common/der/NIST.asn1
+++ b/deps/openssl/openssl/providers/common/der/NIST.asn1
@@ -1,3 +1,10 @@
+-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License"). You may not use
+-- this file except in compliance with the License. You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
 -- -------------------------------------------------------------------
 -- Taken from https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
diff --git a/deps/openssl/openssl/providers/common/der/RSA.asn1 b/deps/openssl/openssl/providers/common/der/RSA.asn1
index e3cd714d1c90c7..3695ee7ad14ad4 100644
--- a/deps/openssl/openssl/providers/common/der/RSA.asn1
+++ b/deps/openssl/openssl/providers/common/der/RSA.asn1
@@ -1,3 +1,10 @@
+-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License"). You may not use
+-- this file except in compliance with the License. You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
 -- -------------------------------------------------------------------
 -- Taken from RFC 8017, Appendix C
 -- (https://www.rfc-editor.org/rfc/rfc8017.html#appendix-C)
diff --git a/deps/openssl/openssl/providers/common/der/SM2.asn1 b/deps/openssl/openssl/providers/common/der/SM2.asn1
index f90e11f04ae12e..f3f173c42c9475 100644
--- a/deps/openssl/openssl/providers/common/der/SM2.asn1
+++ b/deps/openssl/openssl/providers/common/der/SM2.asn1
@@ -1,3 +1,10 @@
+-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License"). You may not use
+-- this file except in compliance with the License. You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
 oscca OBJECT IDENTIFIER ::= { iso(1) member-body(2) cn(156) 10197 }
 sm-scheme OBJECT IDENTIFIER ::= { oscca 1 }
diff --git a/deps/openssl/openssl/providers/common/der/wrap.asn1 b/deps/openssl/openssl/providers/common/der/wrap.asn1
index 006ea0b16c5882..07e23b440ea0d2 100644
--- a/deps/openssl/openssl/providers/common/der/wrap.asn1
+++ b/deps/openssl/openssl/providers/common/der/wrap.asn1
@@ -1,3 +1,10 @@ +-- Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +-- +-- Licensed under the Apache License 2.0 (the "License"). You may not use +-- this file except in compliance with the License. You can obtain a copy +-- in the file LICENSE in the source distribution or at +-- https://www.openssl.org/source/license.html + -- ------------------------------------------------------------------- -- Taken from RFC 3370, Section 4.3.1 Triple-DES Key Wrap -- (https://tools.ietf.org/html/rfc3370) diff --git a/deps/openssl/openssl/providers/fips-sources.checksums b/deps/openssl/openssl/providers/fips-sources.checksums index 383e923f737e29..9b9fd1ff43ca21 100644 --- a/deps/openssl/openssl/providers/fips-sources.checksums +++ b/deps/openssl/openssl/providers/fips-sources.checksums @@ -1,5 +1,5 @@ 0e22ea0cf34ef3871e30df0bc302dc29352d38001d1622ddb78a27a374b6aee8 crypto/aes/aes_cbc.c -cfd71afe1588c2c362b77fa7f6cddf77a517c49856df086b01391bbae3f779c4 crypto/aes/aes_core.c +c049a936d74100fcced225f575d46662792a6a0039777d2d4df0cf61eff90a68 crypto/aes/aes_core.c 3fac41ce96acb9189eac2d5571425c3ff33a34c884ae7e275e1fd3068b5fc662 crypto/aes/aes_ecb.c c1e674d08683a25bc053f6233f73a0d0b3a90aafe591ff57b702c7da1582e4a5 crypto/aes/aes_local.h a2466f18da5847c7d9fbced17524633c10ce024671a72f53f9c9c55b9b9923dd crypto/aes/aes_misc.c 
@@ -69,12 +69,12 @@ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/ 3962dfaa0142e67115ab84f7809d46d59bd122758be09a081b08b2e0d4743b2e crypto/bn/bn_asm.c 3e86e6e5777499703420afade11dd23a7c6912f8eccd08da47308c7aadd7459d crypto/bn/bn_blind.c 7b761d541e3b7f6a3f2b14a09b2b3836a079a845cf67a54db4853e3fd38277c6 crypto/bn/bn_const.c -69b864ae1f230c6c1cbc8f512031a107fcc43651aeceafcb6647b2b222a6f7f8 crypto/bn/bn_conv.c +58b587e20404efa408b31a88ba9c357059ced709bea78c07deb91df7b687db81 crypto/bn/bn_conv.c 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c a837ba52750ab30a57b6dd2fd4cf901e18a891a189b089f83add2f5dc8138eb7 crypto/bn/bn_div.c 160ea2c916774d6a7f8130e0a05cad7c0a954b4726c15017b3df67e3285231f3 crypto/bn/bn_exp.c -617d0fd580faf72aa144f9489d6d102e2a1c4953713ac31a2b1feea4fabb2f6c crypto/bn/bn_exp2.c +ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_exp2.c b32d83cee8c00d837a7e4fb8af3f5cf17cb8d2419302e8f5fbcf62119092e874 crypto/bn/bn_gcd.c 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c 
@@ -93,18 +93,18 @@ c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_p 9d8c10645db51c3baedf57d5f0f32b67fc7eba223c192bc1ae7d87af40307e59 crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c -8e397a44eefa00ecb85fafc11fe8c883b3bb1572d6ac136373946d472fbe2490 crypto/bn/bn_sqrt.c +42c8ce944c889abcfcf089d0ad2744b7587696d8d7785efa91b3f7ec53dc062a crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c 3a85d20f80c4d96b3704e58b173fc876ec81f19eac805ae2b125c138c91c86c4 crypto/bn/rsaz_exp.c affabb87861653b216e746d6c2fce5c2ac395b0ca570d439508e9f5e102ee340 crypto/bn/rsaz_exp.h -e18b943bfc1623597d6233421c358f3453bb0f026f28ae11cfd3b3c484c0bc4b crypto/bn/rsaz_exp_x2.c +46e6c75a334558586ab3610bbea0e5565273888bf60d891ae7b24251c6688aef crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c 23d46ae37a8d9452c0c88418d2cb8350153f8c2c6060234130a2e429da2370e0 crypto/cmac/cmac.c -b352903e60908dc7287051983e2068508715b4d9f3f46575540295010908bfa0 crypto/context.c +7f24e4937e0af857e233afbb6a7f25b09b1e5674185242a5cc8f579a45bbf1da crypto/context.c 83b8912fb01bacfe0b5269c7afa69db7e1718530cce1ed27870abef1407951d6 crypto/core_algorithm.c 60321d1af7bf9697d969438f6b319fbcb4fdc1a47a0b056d02b971973a8550ca crypto/core_fetch.c -4982395fa843f62c83b95f81e1f5622d799a2fe17108bde44cdab935b77e8ae1 crypto/core_namemap.c +7d090f71175f28fdc400455fdbc68340a545556d16cb1f6251ac92ebb63a38c1 crypto/core_namemap.c 469e2f53b5f76cd487a60d3d4c44c8fc3a6c4d08405597ba664661ba485508d3 crypto/cpuid.c 71f0fff881eb4c5505fb17662f0ea4bbff24c6858c045a013ad8f786b07da5c4 crypto/cryptlib.c a3d146afa1d66cc3bbfdc7c106f262b679bb5aecce54e8dee732ae9b3e3333db crypto/ctype.c 
@@ -116,15 +116,15 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb 499513b3ad386fe694c4e04b3c8a9fd4c4e18fc44bb6c4f94d6bf2d9362a3a5a crypto/des/ncbc_enc.c 61926e30dd940616e80936d1c94c5f522daf0d475fb3a40a9e589e78f322901e crypto/des/set_key.c 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h -0209b1ff430e2c237bf96e2e283c24df4b6708014c5a7005b295c28733d2a8ce crypto/dh/dh_backend.c +816472a54c273906d0a2b58650e0b9d28cc2c8023d120f0d77160f1fe34c4ca3 crypto/dh/dh_backend.c 832e5a1caf9cb0dacfd937fc59252aaac7c5c1bf0ae1a9ebf3c3af6e59dcf4c0 crypto/dh/dh_check.c 7838e9a35870b0fbcba0aff2f52a2439f64d026e9922bce6e5978c2f22c51120 crypto/dh/dh_gen.c 70f4cf3485a38cd7d22aa3e965bfe950905f8efec1622e832592a6728498fd78 crypto/dh/dh_group_params.c 7809cbfd5570db17dcb4bd8f0cf9c5f94337096d39da453d0624c08f071e809f crypto/dh/dh_kdf.c -c71b8691416a61c306ea0973ca22570a56d3e9e93618a3eb2fd7b9d9a789ca44 crypto/dh/dh_key.c +0afa7dd237f9b21b0cfb0de10505facd57eb07ded905d888d43a1de2356d4002 crypto/dh/dh_key.c b0046b2c4e1d74ff4e93f2486a00f63728909b8a75cbdd29b9100e607f97995c crypto/dh/dh_lib.c 8300775d88db0a1aa26a77eb49d6c4f7252e7fee69e1440de4c40edadc9da044 crypto/dh/dh_local.h -27d0ea795bb7f571ba37b7460eee63608b9089a95337491c0980b91135563e15 crypto/dsa/dsa_backend.c +bbcf4fc3067ac462a27d7277973180b7dc140df9262a686c7fbe4318ca01f7b8 crypto/dsa/dsa_backend.c b9c5992089203123c3fae46e39bb4d05e19854087bca7a30ad1f82a3505deec7 crypto/dsa/dsa_check.c ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58 crypto/dsa/dsa_gen.c b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa_key.c 
@@ -167,7 +167,7 @@ c07fa05c6885e59913e2ce345ff52ef9dfb0418842de3affa6163ad3e71f9c1b crypto/ec/ec_b 8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c 28726bc957ea821639b1023e5bff0e77ced61bae31f96c165e33aadfe0bc5c9a crypto/ec/ec_key.c 7e40fc646863e0675bbb90f075b809f61bdf0600d8095c8366858d9533ab7700 crypto/ec/ec_kmeth.c -2db28a620fa62889c816dca25bb1153c99af2e8604beb3b1655495da96f2c965 crypto/ec/ec_lib.c +074a5345ea71ff3fdfb8e0be360391a7640719f1a8a4eae8580c8f02e57af880 crypto/ec/ec_lib.c a8a4690e42b4af60aad822aa8b16196df337906af53ea4db926707f7b596ff27 crypto/ec/ec_local.h fa901b996eb0e460359cd470843bdb03af7a77a2f1136c5e1d30daef70f3e4d2 crypto/ec/ec_mult.c 129c6b42417bfcf582f4a959cfd65433e6f85b158274f4fa38f9c62615ac9166 crypto/ec/ec_oct.c 
@@ -186,30 +186,30 @@ b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_ 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c 28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -e696c10cc2ed2fc5552e659b343af751b9edc3b4dbce1a2108d21e8b10424657 crypto/evp/digest.c +7fca5ec7c5723b799a7d84d5803071b8f495511e1baf89d430e6800a5228cdad crypto/evp/digest.c 5e2c5d865029ae86855f15e162360d091f28ca0d4c67260700c90aa25faf308b crypto/evp/ec_support.c -37b5e0bdb30a24c925a26f818828fd3b4ab4c1725f84797260556c0f47f2b76d crypto/evp/evp_enc.c -d8162b57e041e83da55efe6f073d156a00b8d7a3b2fb7782b05295f2c0ea3c14 crypto/evp/evp_fetch.c +2724dc804304135bc874bd305e14b811169a9e4a62176220a0d5e83f152c2546 crypto/evp/evp_enc.c +0cd2765bf33d998f96d6e8193b2bf27293bcc6a37b7bef7dfd6ec54952ad3c8f crypto/evp/evp_fetch.c 029df8bb80a2fb45c22765234b9041ffce82735108e0b11580fd3fbd805362dd crypto/evp/evp_lib.c 9ac3d97d756ec008db16dd1952115b551f32b2d0590d9a85e1c87d1c78620257 crypto/evp/evp_local.h e822c16fc4dc30f2c86e8598c721a9ddfe46d318ce78f4e8e883cdcf8b936221 crypto/evp/evp_rand.c 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c -5496cf34a1643923ff434e4ae16ee203a626b36685e98201dec30547857847d8 crypto/evp/exchange.c +06442eff7fd25971d247fa3a769c6df56f5eb8cdedbd764cd2daa7e0c7ab3f2f crypto/evp/exchange.c a3164e3247e2a38f4f9a20db463779b5260e4e6639ac8eec6e960b265fc8cce5 crypto/evp/kdf_lib.c 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c 38715a14f202e7d24602e5cc19d2f78abbd9f5fa3dde8d7b2bfded907690e18f crypto/evp/kem.c -787105780e2aa625bfedfbfd7167be16f743883d02a897969695ad8e637298af crypto/evp/keymgmt_lib.c +724d2ac784d6f22cb0a382abc23ac0f2d76f2f6831fcd09e101f6f27d0c3e4ed crypto/evp/keymgmt_lib.c 
3d0a2c5fea0d9bb01a09e1eabc041e3bc76ba4ee90bc0af54ef414e7ca3a531f crypto/evp/keymgmt_meth.c e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c 5b8b0bcd4b720b66ce6bc54090ec333891126bb7f6cce4502daf2333668c3db9 crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c b976077a1f880768f2f0a1c996a53dfdd363605e4977c56fb37e9c1f84f35aa6 crypto/evp/p_lib.c 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c -bbce11755bcc5ba2ee8e9c1eb95905447136f614fdc2b0f74cf785fe81ead6a5 crypto/evp/pmeth_gn.c +1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf crypto/evp/pmeth_gn.c 76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c f3a5cbbccb1078cf1fafd74c4caa9f30827081832fbe6dfa5579b17ef809776c crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c -00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8 crypto/ffc/ffc_backend.c +324feb067d0f8deb4334f3e6518f570114cb388c85b24f9232bd931a64ff0a9e crypto/ffc/ffc_backend.c ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d crypto/ffc/ffc_dh.c 82abf1f9645336b7dff5e3fa153899280ecaa27b3dad50e6a9ba94d871961888 crypto/ffc/ffc_key_generate.c 084ae8e68a9df5785376bb961a998036336ed13092ffd1c4258b56e6a7e0478b crypto/ffc/ffc_key_validate.c 
@@ -219,8 +219,8 @@ ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d crypto/ffc/ffc 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h f897493b50f4e9dd4cacb2a7accda6683c10ece602641874cdff1dac7128a751 crypto/initthread.c -e82f2213ac9438af20a2b19743c6c790d841acf89429868c9d1770f3f06a597a crypto/lhash/lhash.c -95ceca6a32b1d8a2e3a172121e7b3379267867a8c1d2b5cf2c1fbb16d1f8424c crypto/lhash/lhash_local.h +f0782ee92b6ebf5a0e66b970ecfbd9c9c6fc4a35ccd055967fbb402577c234ab crypto/lhash/lhash.c +73d63f91fbaba47649231636c5afdf76d049a46436fde9fbb2e107cf16bb879e crypto/lhash/lhash_local.h f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c 183bdca6f855182d7d2c78a5c961b34283f85ea69ac828b700605ee82546397d crypto/modes/asm/aes-gcm-armv8_64.pl 1d686af304f94743038f916125effcb51790c025f3165d8d37b526bbeee781f0 crypto/modes/asm/aesni-gcm-x86_64.pl @@ -243,7 +243,7 @@ af1c034152d82b29cb7c938c8516cfd136b62bac0908c1d40eb50790d23b288c crypto/modes/c bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/ofb128.c e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c -ca8f63ee71797f51c2bf5629190897306b3308882feb3d64c982239f18e8b738 crypto/o_str.c +ecb4a6f28a0acdb00cb654612e26cd4c825d9f83b15d42cefc1ccd47b00f8eb0 crypto/o_str.c 7b8d9f5dfe00460df5fbcfd4a5f2f36128020ebd2ced85ff5071b91f98740b2e crypto/packet.c cc4483ec9ba7a30908e3a433a6817e2f211d4c1f69c206e6bae24bbd39a68281 crypto/param_build.c c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_build_set.c 
@@ -251,18 +251,18 @@ c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_b 4f2a8c9acf5898fdc1e4bf98813049947221cd9a1db04faaa490250591f54cb4 crypto/params_dup.c a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c 2140778d5f35e503e22b173736e18ff84406f6657463e8ff9e7b91a78aa686d3 crypto/property/defn_cache.c -b09bfc2cdde7ab703b54630a67cc8d01ca92af402be246e5a9f82d176abd9442 crypto/property/property.c +9153343b26e5c2c4f6009d37a12d6af85681ed0c7d3f58de2ace44dfd789a59b crypto/property/property.c a2c69527b60692a8b07cfdfe7e75f654daa092411d5de5e02b446a4ef3752855 crypto/property/property_local.h c3217b73871d93d81ab9f15e9f1fc37ea609bbe4bbc0c1b84ec62a99c91f6756 crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c -c56fb722699e1148dc392bad8069292e6521e7498c8aa9572661af118ff59e16 crypto/provider_core.c +01d2e5be52d94efdff4329281b3609c7fa57162ab6143492c380c96952df1396 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c -5d16318d3a36b06145af74afa3523109768990a33457c81895c7ab8a830654f8 crypto/rand/rand_lib.c +4e6b7d1d8278067c18bcb5e3ac9b7fe7e9b1d0d03bc5a276275483f541d1a12c crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c -8b93871f1f0392704d29028b8c93281be62cf02d0f79f9831bdabcd7a378df5b crypto/rsa/rsa_backend.c +054f8e32eabb218d219a5fa8cb40f6e76bc5a395d03e4f83c5f2b703a5a476b9 crypto/rsa/rsa_backend.c 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c 
e32cfa04221a2a3ea33f7bcb93ee51b84cbeba97e94c1fbf6e420b24f97fc9ce crypto/rsa/rsa_crpt.c 21794dcb6bfebcf9a14d4f8aa7fab8f745b595433b388b55f46ba6e615d90f98 crypto/rsa/rsa_gen.c @@ -271,7 +271,7 @@ a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c 33de2accc3af530fd0a4758eb83d5e1d994bf49bac4512b01387dbae656e1a7d crypto/rsa/rsa_oaep.c -a2fd2e4e31ec53d01a575ccaf03bad5a270412ff66804cf0b5fa40492b89181d crypto/rsa/rsa_ossl.c +1b58825809bb9c5fc9e876d71e5b787b08f034eaee3c30eb20d30a1d889bdbd5 crypto/rsa/rsa_ossl.c be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c 174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c 
@@ -344,22 +344,22 @@ d13560a5f8a66d7b956d54cd6bf24eade529d686992d243bfb312376a57b475e e_os.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 5ee1ea30382bef9869f29b6610665ca304f3b9cf3653746a2d02c64b1a24f103 include/crypto/ctype.h 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h -830da1513661794e979f7cca2bba1792224e3b3d20d4f10f6f5c6566d9b7e723 include/crypto/dh.h -7ddd70f02371c7bd190414369d2bbe7c9c6d2de085dfe1e3eab0c4082f803ca1 include/crypto/dsa.h +daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto/dh.h +20d99c9a740e4d7d67e23fa4ae4c6a39d114e486c66ad41b65d91a8244cd1dea include/crypto/dsa.h 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574 include/crypto/ec.h edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858 include/crypto/ecx.h -782ea27154525789cd49afd36a8056457dfab4ea662481b502363cc0a55ed34e include/crypto/evp.h +cca363846ac7ef1f6196e5ac858d03bf78545af2de4f83a0150575c037813e4b include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6 include/crypto/md32_common.h f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31 include/crypto/modes.h 0e4472433ca4008aa4fc9234761be70f323a22a4519bb9d62728dc001d606f04 include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h -bd5ce686c97a8a3a0e3d7ca1e4f16706fd51df5da9673169303a4428d62da233 include/crypto/rsa.h +306abf9d327a9e63fff2cdef730275abc4d2781254a032b1f370f3428eb5a2ef include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 0f743762f646656b5480648c05632575fe8acc7506460c63e0fcdf42cf20c08a include/crypto/sha.h 7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h 
5bfeea62d21b7cb43d9a819c5cd2800f02ea019687a8331abf313d615889ad37 include/crypto/types.h -a1778b610a244f49317a09e1e6c78b5fb68bc6d003ffdea0f6eefe5733ee5b5f include/internal/bio.h +782a83d4e489fd865e2768a20bfa31e78c2071fd0ceeb9eb077276ae2bcc6590 include/internal/bio.h 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131 include/internal/constant_time.h 71ddae419297069056065ab71f32fe88b09ddbe4db2200a759fedd8ad4349628 include/internal/core.h d7ddeab97434a21cb2cad1935a3cb130f6cd0b3c75322463d431c5eab3ab1ae1 include/internal/cryptlib.h @@ -383,7 +383,7 @@ dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688 include/intern 24f41a1985fa305833c3f58030c494d2563d15fc922cdf3eeb6a7ea8c135a880 include/internal/symhacks.h 640cc6a2aae208073a7f495c08b4c5006a69e8ac1c2d9aaaafd56b0e74d5f859 include/internal/thread_once.h 415b725d7f949a6191ab7bb30b48931bafc01c7aa93607e529fabbc853a4ddc5 include/internal/tlsgroups.h -b24938409313384024524cbde837690d83119bcb70fb289b38cb7efa8e082852 include/internal/tsan_assist.h +fc0f9199487ef278b9fd317d1572db3e3fb95e182055f0e49c4d8faf78ed7dd2 include/internal/tsan_assist.h 2b38fb6e65d549aca3b2c76907daf67124f395251c0261dec26faa54da8d6d73 include/openssl/aes.h 98aa2fc5eae9ef2a36d3d0053212696d58893baa083fa1fcf720660fb4bc0a9f include/openssl/asn1.h.in d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h 
@@ -402,7 +402,7 @@ f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openss df5e60af861665675e4a00d40d15e36884f940e3379c7b45c9f717eaf1942697 include/openssl/core.h 00110e80b9b4f621c604ea99f05e7a75d3db4721fc2779224e6fa7e52f06e345 include/openssl/core_dispatch.h cbd9d7855ca3ba4240207fc025c22bbfef7411116446ff63511e336a0559bed0 include/openssl/core_names.h -d165f5c61bfe17ba366a3ba94afb30d3c8ce6b21e9cff59a15f3622f2654ae49 include/openssl/crypto.h.in +8880892256a4d2dd7a9be91f23518f71e5037dbd377cd41bdb4c1f3cb3c7ee2d include/openssl/crypto.h.in 1d1697bd3e35920ff9eaec23c29472d727a7fc4d108150957f41f6f5ecf80f1a include/openssl/cryptoerr.h bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openssl/des.h @@ -412,7 +412,7 @@ fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openss 335eb40a33cd1e95e7783bda2d031ec2bcf02cff8aa804ba3484d1354452b7ea include/openssl/dsaerr.h 41bf49e64e1c341a8c17778147ddeba35e88dfd7ff131db6210e801ef25a8fd5 include/openssl/e_os2.h bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openssl/ebcdic.h -0ad64e592528898c84f2a16e2a03749774b908b3a9944a7f9aa54b1f95094dfb include/openssl/ec.h +33b6321d1c6b7b1621198346946401bb81472054aa236b03c6f22f247248d2ad include/openssl/ec.h cbbf74efc7fdb020f06840c856ad7fe97553944f4cc3c197fbb004de38158048 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h 
@@ -441,7 +441,7 @@ b97e8ad49b38683817387596aefec0abd5f4d572643beef48be4f7acba26768d include/openss c1015b77c444a3816d2ea7ad770f1c3b79a1e54887930af6dd662895701f3323 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in -2702c0c5b8df31f764aa97d44c8a2b00b4b91c3482fd8ca5e1c5c91dfc61dc58 include/openssl/self_test.h +af5cc56fb31161ccd87cf925f3d3f22119dfbca78bc39a2e2d65d78bfcf0f0c6 include/openssl/self_test.h 2964274ab32b1ba8578a06b06663db2eda4317ae806369271d889176bb5a7d04 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h @@ -485,7 +485,7 @@ abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips a4dc9bf2d77e34175737b7b8d28fbe90815ac0e2904e3ac2d9e2a271f345ef20 providers/fips/fipsprov.c fdbaf748044ce54f13e673b92db876e32436e4d5644f443cc43d063112a89676 providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h -7a23cc81ca7542325634891d1982c70e68a27914b088a51ca60249d54031bfc2 providers/fips/self_test_data.inc +5b3379a3d382c4dad37841dbd58b77ed5ff712b0a37c485771b828fa9b39c351 providers/fips/self_test_data.inc 2f4f23ebc2c7ed5ef71c98ca71f06b639112a1dea04784c46af58083482c150f providers/fips/self_test_kats.c f054b24ea53ad5db41dd7f37f20f42166ed68b832121a94858cb0173b1aaeb1d providers/implementations/asymciphers/rsa_enc.c 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a providers/implementations/ciphers/cipher_aes.c 
@@ -515,7 +515,7 @@ c4a2499b214d7cf786dafaaee5c8c6963b3d5d1c27c144eec4b460f839074a3b providers/impl f358c4121a8a223e2c6cf009fd28b8a195520279016462890214e8858880f632 providers/implementations/ciphers/cipher_aes_xts_hw.c f2e7404005e0602c4cc90b49b7af7453aa5b8644720ca1028d93e78bc28a7c09 providers/implementations/ciphers/cipher_cts.c 74640ce402acc704af72e055fb7f27e6aa8efd417babc56f710478e571d8631c providers/implementations/ciphers/cipher_cts.h -06d8f86ec724075e7f72dabfb675b5c85a93c01997e4142fbaa8482e617f4ae5 providers/implementations/ciphers/cipher_tdes.c +fcc3bb0637864252402aaa9d543209909df9a39611127f777b168bc888498dc0 providers/implementations/ciphers/cipher_tdes.c 77709f7fc3f7c08986cd4f0ebf2ef6e44bacb975c1483ef444b3cf5e5071f9d6 providers/implementations/ciphers/cipher_tdes.h 9e07260067083c76d26eb0dd8a8bb4a8dac678812644ff88951a0661be70d9fd providers/implementations/ciphers/cipher_tdes_common.c 50645122f08ef4891cd96cace833bd550be7f5278ab785515fd61fe8993c8c25 providers/implementations/ciphers/cipher_tdes_hw.c 
@@ -530,7 +530,7 @@ c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/impl 39b47b6ef9d71852964c26e07ef0e9b23f04c7493b1b16ba7c3dba7074b6b70d providers/implementations/digests/digestcommon.c 80551b53302d95faea257df3edbdbd02d48427ce42da2c4335f998456400d057 providers/implementations/digests/sha2_prov.c de342d04be6af69037922d5c97bdc40c0c27f6740636e72786a765d0d8ad9173 providers/implementations/digests/sha3_prov.c -007d431b3cdb53374c5f5aaef2fcb557e213c23f26e55ebdd32b53527f3f4826 providers/implementations/exchange/dh_exch.c +b5f94d597df72ca58486c59b2a70b4057d13f09528f861ed41a84b7125b54a82 providers/implementations/exchange/dh_exch.c 9c46dc0d859875fcc0bc3d61a7b610cd3520b1bf63718775c1124f54a1fe5f24 providers/implementations/exchange/ecdh_exch.c 9bf87b8429398a6465c7e9f749a33b84974303a458736b56f3359b30726d3969 providers/implementations/exchange/ecx_exch.c 06ba83a8a8235bcdbda56f82b017cb19361469fe47c23cc6218a7e9b88ae6513 providers/implementations/exchange/kdf_exch.c 
@@ -554,20 +554,20 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl 3c46ec0e14be09a133d709c3a1c3d5ab05a4f1ed5385c3e7a1afb2f0ee47ef7a providers/implementations/kdfs/tls1_prf.c 27bb6ee5e2d00c545635c0c29402b10e74a1831adbc9800c159cbe04f2bfa2f7 providers/implementations/kdfs/x942kdf.c f419a9f6b17cfba1543a3690326188ac8335db66807c58de211a3d69e18f7d4d providers/implementations/kem/rsa_kem.c -6878218c16d5c9c308a414af67790e11912ced638ba9e64668912ec98ca20d9d providers/implementations/keymgmt/dh_kmgmt.c -4f9e8263d529f619766be73a11223b8a3dfaf46b506c17b44d8a1cd9d2eaee54 providers/implementations/keymgmt/dsa_kmgmt.c +7628cfd7c88f37faa557c671a78ff56266691d64075104a514a28cb6fb9a6816 providers/implementations/keymgmt/dh_kmgmt.c +68d5cad49334ad0ee6948329b3784bb43eede84c3bc59ff22cbbe7aed9292672 providers/implementations/keymgmt/dsa_kmgmt.c 3e2798d299d6571c973fc75468e2ac025b7c893ae2f15f14e057430325622a69 providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -085e1cf54941fa1c1e423b4a75b820945a1c05d1c347d4910d9a772b8c9d9f3a providers/implementations/keymgmt/ecx_kmgmt.c +8871260c1b05832efa8363e5546210004da1683fee74da6c749ebba802b40f2b providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c 260c560930c5aca61225a40ed49dfbb905f2b1fa50728d1388e946358f9d5e18 providers/implementations/keymgmt/mac_legacy_kmgmt.c -9c16e76419aeb422d189ff7c5bf9a07f37abb54043dd47e48d450d68329de933 providers/implementations/keymgmt/rsa_kmgmt.c +d469be20a6d1a3744c1a2d5c26cb3b8ff6339a2242d4ef6e5ed9531551f717c1 providers/implementations/keymgmt/rsa_kmgmt.c 79da66d4b696388d7eab6b2126bccc88908915813d79c4305b8b4d545a500469 providers/implementations/macs/cmac_prov.c 41464d1e640434bb3ff9998f093829d5e2c1963d68033dca7d31e5ab75365fb1 providers/implementations/macs/gmac_prov.c 
282c1065f18c87073529ed1bdc2c0b3a1967701728084de6632ddc72c671d209 providers/implementations/macs/hmac_prov.c aa7ba1d39ea4e3347294eb50b4dfcb895ef1a22bd6117d3b076a74e9ff11c242 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c -f8d24c882fda71c117a00bf4e6c7ffb6b88946c16a816249a5a7499dbdff712d providers/implementations/rands/drbg.c +c7236e6e2e8adce14f8206da0ceef63c7974d4ba1a7dd71b94fa100cac6b46ba providers/implementations/rands/drbg.c b1e7a0b2610aaab5800af7ede0df13a184f4a321a4084652cdb509357c55783b providers/implementations/rands/drbg_ctr.c a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3 providers/implementations/rands/drbg_hash.c 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb providers/implementations/rands/drbg_hmac.c diff --git a/deps/openssl/openssl/providers/fips.checksum b/deps/openssl/openssl/providers/fips.checksum index d6a8665160ab50..6b70dc01a59b59 100644 --- a/deps/openssl/openssl/providers/fips.checksum +++ b/deps/openssl/openssl/providers/fips.checksum @@ -1 +1 @@ -a59d74b7f6b55bd9d58d55876562fdd00d28dbb3c942ae80ccea859da4624f1d providers/fips-sources.checksums +0223646a9f0ba5ca3bd4dc320fe5a647c8b4d48cc1e273b09acceeabc035c19e providers/fips-sources.checksums diff --git a/deps/openssl/openssl/providers/fips/self_test_data.inc b/deps/openssl/openssl/providers/fips/self_test_data.inc index dd39ab5252a042..5f057d5679f1aa 100644 --- a/deps/openssl/openssl/providers/fips/self_test_data.inc +++ b/deps/openssl/openssl/providers/fips/self_test_data.inc @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -18,7 +18,7 @@ { name, OSSL_PARAM_OCTET_STRING, ITM(data) } #define ST_KAT_PARAM_UTF8STRING(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM_STR(data) } -#define ST_KAT_PARAM_UTF8CHAR(name, data) \ +#define ST_KAT_PARAM_UTF8CHAR(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM(data) } #define ST_KAT_PARAM_INT(name, i) \ { name, OSSL_PARAM_INTEGER, ITM(i) } @@ -1291,9 +1291,15 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ST_KAT_PARAM_END() }; +/*- + * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient + * HP/UX PA-RISC compilers. + */ +static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; + static const ST_KAT_PARAM rsa_enc_params[] = { - ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, - OSSL_PKEY_RSA_PAD_MODE_NONE), + ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), ST_KAT_PARAM_END() }; diff --git a/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes.c b/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes.c index e63c143755536e..2e5f8c3f05bbe4 100644 --- a/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes.c +++ b/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -19,11 +19,7 @@ #include "cipher_tdes.h" #include "prov/implementations.h" -/* - * NOTE: ECB mode does not use an IV - but existing test code is setting - * an IV. Fixing this could potentially make applications break. - */ /* ossl_tdes_ede3_ecb_functions */ -IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 64, block); +IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 0, block); /* ossl_tdes_ede3_cbc_functions */ IMPLEMENT_tdes_cipher(ede3, EDE3, cbc, CBC, TDES_FLAGS, 64*3, 64, 64, block); diff --git a/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes_default.c b/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes_default.c index 0e75d0ff1144ae..3b8908ff398820 100644 --- a/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes_default.c +++ b/deps/openssl/openssl/providers/implementations/ciphers/cipher_tdes_default.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,7 @@ IMPLEMENT_tdes_cipher(ede3, EDE3, cfb1, CFB, TDES_FLAGS, 64*3, 8, 64, stream); IMPLEMENT_tdes_cipher(ede3, EDE3, cfb8, CFB, TDES_FLAGS, 64*3, 8, 64, stream); /* ossl_tdes_ede2_ecb_functions */ -IMPLEMENT_tdes_cipher(ede2, EDE2, ecb, ECB, TDES_FLAGS, 64*2, 64, 64, block); +IMPLEMENT_tdes_cipher(ede2, EDE2, ecb, ECB, TDES_FLAGS, 64*2, 64, 0, block); /* ossl_tdes_ede2_cbc_functions */ IMPLEMENT_tdes_cipher(ede2, EDE2, cbc, CBC, TDES_FLAGS, 64*2, 64, 64, block); /* ossl_tdes_ede2_ofb_functions */ diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c index 356e65b403a9c2..f6d293f2b8c057 100644 
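Review bot: The ECB entry now passes 0 where it passed 64 (`IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 0, block)`), and the comment warning that this could break applications is deleted without a replacement. Going by that removed comment, the changed argument is the IV size. A one-line comment above the entry, e.g. `/* ECB takes no IV, so the IV length is 0 */`, would record that the value is deliberate; the `ede2` ECB entry in cipher_tdes_default.c needs the same. Whether any caller sized or supplied an IV based on the old reported length cannot be checked from these hunks.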
--- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -204,19 +204,24 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, if (!ok) goto next; - ok = 0; /* Assume that we fail */ + ok = 0; /* Assume that we fail */ + ERR_set_mark(); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { derp = der; if (ctx->desc->d2i_PKCS8 != NULL) { key = ctx->desc->d2i_PKCS8(NULL, &derp, der_len, ctx); - if (ctx->flag_fatal) + if (ctx->flag_fatal) { + ERR_clear_last_mark(); goto end; + } } else if (ctx->desc->d2i_private_key != NULL) { key = ctx->desc->d2i_private_key(NULL, &derp, der_len); } - if (key == NULL && ctx->selection != 0) + if (key == NULL && ctx->selection != 0) { + ERR_clear_last_mark(); goto next; + } } if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { derp = der; 
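Review bot: The error-mark bookkeeping that starts at `ERR_set_mark();` is undocumented, and every `goto next` or `goto end` between it and the final `ERR_clear_last_mark()`/`ERR_pop_to_mark()` pair in the next hunk has to release the mark by hand. A comment at the `ERR_set_mark()` call, e.g. `/* Errors queued by failed d2i attempts are dropped only if a later attempt yields a key */`, would tell the next editor why any new early exit must call `ERR_clear_last_mark()`. der2key_decode starts and ends outside both hunks, so exits beyond the visible lines could not be checked for a balanced mark.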
@@ -224,16 +229,24 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, key = ctx->desc->d2i_PUBKEY(NULL, &derp, der_len); else key = ctx->desc->d2i_public_key(NULL, &derp, der_len); - if (key == NULL && ctx->selection != 0) + if (key == NULL && ctx->selection != 0) { + ERR_clear_last_mark(); goto next; + } } if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) { derp = der; if (ctx->desc->d2i_key_params != NULL) key = ctx->desc->d2i_key_params(NULL, &derp, der_len); - if (key == NULL && ctx->selection != 0) + if (key == NULL && ctx->selection != 0) { + ERR_clear_last_mark(); goto next; + } } + if (key == NULL) + ERR_clear_last_mark(); + else + ERR_pop_to_mark(); /* * Last minute check to see if this was the correct type of key. This diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_epki2pki.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_epki2pki.c index 66f4ff659d2c88..9cea80b616d658 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_epki2pki.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_epki2pki.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -68,8 +68,12 @@ static int epki2pki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, PKCS8_PRIV_KEY_INFO *p8inf = NULL; const X509_ALGOR *alg = NULL; BIO *in = ossl_bio_new_from_core_bio(ctx->provctx, cin); - int ok = (asn1_d2i_read_bio(in, &mem) >= 0); + int ok = 0; + if (in == NULL) + return 0; + + ok = (asn1_d2i_read_bio(in, &mem) >= 0); BIO_free(in); /* We return "empty handed". This is not an error. */ 
diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_msblob2key.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_msblob2key.c index 0508e68b3287fb..501957faba0117 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_msblob2key.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_msblob2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -93,6 +93,9 @@ static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, void *key = NULL; int ok = 0; + if (in == NULL) + return 0; + if (BIO_read(in, hdr_buf, 16) != 16) { ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); goto next; diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c index 6c537d26ae4b23..bc937ffb9d2750 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -33,7 +33,11 @@ static int read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin, unsigned char **data, long *len) { BIO *in = ossl_bio_new_from_core_bio(provctx, cin); - int ok = (PEM_read_bio(in, pem_name, pem_header, data, len) > 0); + int ok; + + if (in == NULL) + return 0; + ok = (PEM_read_bio(in, pem_name, pem_header, data, len) > 0); BIO_free(in); return ok; diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c index 32206fe84d9446..c6424165b03bf7 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pvk2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -88,6 +88,9 @@ static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, void *key = NULL; int ok = 0; + if (in == NULL) + return 0; + ctx->selection = selection; if ((selection == 0 diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2blob.c b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2blob.c index 19a7d171db1f43..550bceb09f5896 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2blob.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2blob.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -30,7 +30,11 @@ static int write_blob(void *provctx, OSSL_CORE_BIO *cout, void *data, int len) { BIO *out = ossl_bio_new_from_core_bio(provctx, cout); - int ret = BIO_write(out, data, len); + int ret; + + if (out == NULL) + return 0; + ret = BIO_write(out, data, len); BIO_free(out); return ret; diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c index 81528fefb67463..fe8c2dce431681 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2ms.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,8 +39,11 @@ static int write_msblob(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout, EVP_PKEY *pkey, int ispub) { BIO *out = ossl_bio_new_from_core_bio(ctx->provctx, cout); - int ret = - ispub ? i2b_PublicKey_bio(out, pkey) : i2b_PrivateKey_bio(out, pkey); + int ret; + + if (out == NULL) + return 0; + ret = ispub ? i2b_PublicKey_bio(out, pkey) : i2b_PrivateKey_bio(out, pkey); BIO_free(out); return ret; @@ -50,14 +53,15 @@ static int write_pvk(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout, EVP_PKEY *pkey) { BIO *out = NULL; - int ret = 0; + int ret; OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); out = ossl_bio_new_from_core_bio(ctx->provctx, cout); + if (out == NULL) + return 0; ret = i2b_PVK_bio_ex(out, pkey, ctx->pvk_encr_level, ossl_pw_pvk_password, &ctx->pwdata, libctx, NULL); BIO_free(out); - return ret; } 
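Review bot: write_blob now has two failure conventions: the new `if (out == NULL) return 0;` path reports failure as 0, while the result of `BIO_write(out, data, len)` is still returned unchanged, and BIO_write is documented to return a negative value on error. If callers treat the result as a boolean (they are outside this hunk), a failed write would read as success; normalising it, e.g. `ret = BIO_write(out, data, len) > 0;`, would make both paths agree. write_msblob and write_pvk in encode_key2ms.c return the `i2b_*_bio` results the same way, and those can also be negative on failure as far as I can tell, so they deserve the same check.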
diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2text.c b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2text.c index f8f9712e9618bc..80d6f7b35fdcd2 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2text.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/encode_key2text.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -80,6 +80,9 @@ static int print_labeled_bignum(BIO *out, const char *label, const BIGNUM *bn) } hex_str = BN_bn2hex(bn); + if (hex_str == NULL) + return 0; + p = hex_str; if (*p == '-') { ++p; diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/endecoder_common.c b/deps/openssl/openssl/providers/implementations/encode_decode/endecoder_common.c index 7071bcc23ac7a2..c4ea2f853cfc05 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/endecoder_common.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/endecoder_common.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -89,8 +89,11 @@ int ossl_read_der(PROV_CTX *provctx, OSSL_CORE_BIO *cin, unsigned char **data, { BUF_MEM *mem = NULL; BIO *in = ossl_bio_new_from_core_bio(provctx, cin); - int ok = (asn1_d2i_read_bio(in, &mem) >= 0); + int ok; + if (in == NULL) + return 0; + ok = (asn1_d2i_read_bio(in, &mem) >= 0); if (ok) { *data = (unsigned char *)mem->data; *len = (long)mem->length; 
diff --git a/deps/openssl/openssl/providers/implementations/exchange/dh_exch.c b/deps/openssl/openssl/providers/implementations/exchange/dh_exch.c index ea05b3177e89b2..1d8a2e27b30e2e 100644 --- a/deps/openssl/openssl/providers/implementations/exchange/dh_exch.c +++ b/deps/openssl/openssl/providers/implementations/exchange/dh_exch.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -141,7 +141,7 @@ static int dh_set_peer(void *vpdhctx, void *vdh) static int dh_plain_derive(void *vpdhctx, unsigned char *secret, size_t *secretlen, - size_t outlen) + size_t outlen, unsigned int pad) { PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx; int ret; @@ -164,7 +164,7 @@ static int dh_plain_derive(void *vpdhctx, } DH_get0_key(pdhctx->dhpeer, &pub_key, NULL); - if (pdhctx->pad) + if (pad) ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh); else ret = DH_compute_key(secret, pub_key, pdhctx->dh); @@ -192,13 +192,13 @@ static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret, ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); return 0; } - if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0)) + if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1)) return 0; if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } - if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen)) + if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1)) goto err; /* Do KDF stuff */ 
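Review bot: The literal `1` passed as `pad` in `dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1)` and `dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1)` is unexplained. With it, the X9.42 path always goes through `DH_compute_key_padded` and no longer honours `pdhctx->pad`. A comment above the first call, e.g. `/* The X9.42 KDF always consumes the padded shared secret, regardless of pdhctx->pad */`, would make that rule visible, assuming it is the intended one. dh_X9_42_kdf_derive begins and ends outside the hunk.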
@@ -229,7 +229,8 @@ static int dh_derive(void *vpdhctx, unsigned char *secret, switch (pdhctx->kdf_type) { case PROV_DH_KDF_NONE: - return dh_plain_derive(pdhctx, secret, psecretlen, outlen); + return dh_plain_derive(pdhctx, secret, psecretlen, outlen, + pdhctx->pad); case PROV_DH_KDF_X9_42_ASN1: return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen); default: @@ -292,7 +293,12 @@ static void *dh_dupctx(void *vpdhctx) if (dstctx->kdf_ukm == NULL) goto err; } - dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg); + + if (srcctx->kdf_cekalg != NULL) { + dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg); + if (dstctx->kdf_cekalg == NULL) + goto err; + } return dstctx; err: @@ -389,9 +395,16 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG); if (p != NULL) { str = name; - if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name))) - return 0; - pdhctx->kdf_cekalg = OPENSSL_strdup(name); + + OPENSSL_free(pdhctx->kdf_cekalg); + pdhctx->kdf_cekalg = NULL; + if (p->data != NULL && p->data_size != 0) { + if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name))) + return 0; + pdhctx->kdf_cekalg = OPENSSL_strdup(name); + if (pdhctx->kdf_cekalg == NULL) + return 0; + } } return 1; } @@ -414,12 +427,12 @@ static const OSSL_PARAM *dh_settable_ctx_params(ossl_unused void *vpdhctx, } static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL), OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0), OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0), OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL), OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0), OSSL_PARAM_END }; 
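Review bot: In the `OSSL_KDF_PARAM_CEK_ALG` branch of dh_set_ctx_params the old string is freed and set to NULL before the new value is read, so a call that fails in `OSSL_PARAM_get_utf8_string` or `OPENSSL_strdup` returns 0 with the previously configured algorithm already gone. If a failed set is meant to leave the context unchanged, the value should be copied first and `pdhctx->kdf_cekalg` freed only after the copy succeeded. If clearing is intended, a comment such as `/* A NULL or empty value clears the CEK algorithm; so does a failed set */` would document it. The function starts outside the hunk.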
diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c index 98eb882e3fa0a0..88fddf51deb8fd 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -201,8 +201,12 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) ok = ok && ossl_dh_params_fromdata(dh, params); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_dh_key_fromdata(dh, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && ossl_dh_key_fromdata(dh, params, include_private); + } return ok; } @@ -224,8 +228,13 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) ok = ok && ossl_dh_params_todata(dh, tmpl, NULL); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_dh_key_todata(dh, tmpl, NULL); + + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && ossl_dh_key_todata(dh, tmpl, NULL, include_private); + } if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { 
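Review bot: `selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0` in dh_import and dh_export relies on `&` binding tighter than `?:`; it is correct, but easy to misread in code that decides whether private key material is imported or exported. `int include_private = (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0;` says the same thing and matches the form ecx_export uses later in this patch. The same unparenthesised expression appears in the dsa_kmgmt.c, ecx_import and rsa_kmgmt.c hunks.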
@@ -323,7 +332,7 @@ static ossl_inline int dh_get_params(void *key, OSSL_PARAM params[]) } return ossl_dh_params_todata(dh, NULL, params) - && ossl_dh_key_todata(dh, NULL, params); + && ossl_dh_key_todata(dh, NULL, params, 1); } static const OSSL_PARAM dh_params[] = { @@ -532,6 +541,7 @@ static int dh_gen_common_set_params(void *genctx, const OSSL_PARAM params[]) const DH_NAMED_GROUP *group = NULL; if (p->data_type != OSSL_PARAM_UTF8_STRING + || p->data == NULL || (group = ossl_ffc_name_to_dh_named_group(p->data)) == NULL || ((gctx->group_nid = ossl_ffc_named_group_get_uid(group)) == NID_undef)) { diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c index 1e1b168f7d2005..885bd62eeaae87 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -96,7 +96,8 @@ static int dsa_gen_type_name2id(const char *name) return -1; } -static int dsa_key_todata(DSA *dsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) +static int dsa_key_todata(DSA *dsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], + int include_private) { const BIGNUM *priv = NULL, *pub = NULL; @@ -104,7 +105,8 @@ static int dsa_key_todata(DSA *dsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) return 0; DSA_get0_key(dsa, &pub, &priv); - if (priv != NULL + if (include_private + && priv != NULL && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PRIV_KEY, priv)) return 0; if (pub != NULL 
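Review bot: `ossl_dh_key_todata(dh, NULL, params, 1)` in dh_get_params hard-codes `include_private` to 1 with no explanation, while import and export now derive it from `selection`. A short comment, e.g. `/* get_params has no selection; the private key is written only if the caller's params[] names it */`, would record why this does not expose the private key unasked, assuming the helper only fills entries present in `params` (its body is not in these hunks). dsa_get_params, ecx_get_params and rsa_get_params pass the same literal and would benefit from the same comment.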
@@ -200,8 +202,12 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[]) if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_dsa_key_fromdata(dsa, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && ossl_dsa_key_fromdata(dsa, params, include_private); + } return ok; } @@ -210,17 +216,25 @@ static int dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, void *cbarg) { DSA *dsa = keydata; - OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new(); + OSSL_PARAM_BLD *tmpl; OSSL_PARAM *params = NULL; int ok = 1; if (!ossl_prov_is_running() || dsa == NULL) - goto err; + return 0; + + tmpl = OSSL_PARAM_BLD_new(); + if (tmpl == NULL) + return 0; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) ok = ok && ossl_ffc_params_todata(ossl_dsa_get0_params(dsa), tmpl, NULL); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && dsa_key_todata(dsa, tmpl, NULL); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && dsa_key_todata(dsa, tmpl, NULL, include_private); + } if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) @@ -309,7 +323,7 @@ static ossl_inline int dsa_get_params(void *key, OSSL_PARAM params[]) && !OSSL_PARAM_set_utf8_string(p, DSA_DEFAULT_MD)) return 0; return ossl_ffc_params_todata(ossl_dsa_get0_params(dsa), NULL, params) - && dsa_key_todata(dsa, NULL, params); + && dsa_key_todata(dsa, NULL, params, 1); } static const OSSL_PARAM dsa_params[] = { diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt_imexport.inc b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt_imexport.inc index 58eb09a3e4653c..b142e0df0c466e 100644 
--- a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt_imexport.inc +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt_imexport.inc @@ -1,3 +1,12 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html +*/ + /* * This file is meant to be included from ec_kmgmt.c */ diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c index 2be95086924baa..99d685735e2f73 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -194,7 +194,7 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[]) { ECX_KEY *key = keydata; int ok = 1; - int include_private = 0; + int include_private; if (!ossl_prov_is_running() || key == NULL) return 0; 
@@ -202,14 +202,14 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[]) if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) return 0; - include_private = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0); + include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; ok = ok && ossl_ecx_key_fromdata(key, params, include_private); return ok; } static int key_to_params(ECX_KEY *key, OSSL_PARAM_BLD *tmpl, - OSSL_PARAM params[]) + OSSL_PARAM params[], int include_private) { if (key == NULL) return 0; @@ -219,7 +219,8 @@ static int key_to_params(ECX_KEY *key, OSSL_PARAM_BLD *tmpl, key->pubkey, key->keylen)) return 0; - if (key->privkey != NULL + if (include_private + && key->privkey != NULL && !ossl_param_build_set_octet_string(tmpl, params, OSSL_PKEY_PARAM_PRIV_KEY, key->privkey, key->keylen)) @@ -243,9 +244,12 @@ static int ecx_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, if (tmpl == NULL) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 - && !key_to_params(key, tmpl, NULL)) - goto err; + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0); + + if (!key_to_params(key, tmpl, NULL, include_private)) + goto err; + } params = OSSL_PARAM_BLD_to_param(tmpl); if (params == NULL) @@ -295,7 +299,7 @@ static int ecx_get_params(void *key, OSSL_PARAM params[], int bits, int secbits, return 0; } - return key_to_params(ecx, NULL, params); + return key_to_params(ecx, NULL, params, 1); } static int ed_get_params(void *key, OSSL_PARAM params[]) diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c index b1c3011f1452d8..1528e43adb0dd4 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -190,8 +190,12 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[]) &pss_defaults_set, params, rsa_type, ossl_rsa_get0_libctx(rsa)); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_rsa_fromdata(rsa, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && ossl_rsa_fromdata(rsa, params, include_private); + } return ok; } @@ -218,8 +222,12 @@ static int rsa_export(void *keydata, int selection, if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) ok = ok && (ossl_rsa_pss_params_30_is_unrestricted(pss_params) || ossl_rsa_pss_params_30_todata(pss_params, tmpl, NULL)); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_rsa_todata(rsa, tmpl, NULL); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && ossl_rsa_todata(rsa, tmpl, NULL, include_private); + } if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) @@ -363,7 +371,7 @@ static int rsa_get_params(void *key, OSSL_PARAM params[]) } return (rsa_type != RSA_FLAG_TYPE_RSASSAPSS || ossl_rsa_pss_params_30_todata(pss_params, NULL, params)) - && ossl_rsa_todata(rsa, NULL, params); + && ossl_rsa_todata(rsa, NULL, params, 1); } static const OSSL_PARAM rsa_params[] = { 
@@ -454,19 +462,24 @@ static void *gen_init(void *provctx, int selection, int rsa_type, gctx->libctx = libctx; if ((gctx->pub_exp = BN_new()) == NULL || !BN_set_word(gctx->pub_exp, RSA_F4)) { - BN_free(gctx->pub_exp); - OPENSSL_free(gctx); - return NULL; + goto err; } gctx->nbits = 2048; gctx->primes = RSA_DEFAULT_PRIME_NUM; gctx->rsa_type = rsa_type; + } else { + goto err; } - if (!rsa_gen_set_params(gctx, params)) { - OPENSSL_free(gctx); - return NULL; - } + + if (!rsa_gen_set_params(gctx, params)) + goto err; return gctx; + +err: + if (gctx != NULL) + BN_free(gctx->pub_exp); + OPENSSL_free(gctx); + return NULL; } static void *rsa_gen_init(void *provctx, int selection, diff --git a/deps/openssl/openssl/providers/implementations/rands/drbg.c b/deps/openssl/openssl/providers/implementations/rands/drbg.c index 8b899b99b17dc0..c8fe66aa573f42 100644 --- a/deps/openssl/openssl/providers/implementations/rands/drbg.c +++ b/deps/openssl/openssl/providers/implementations/rands/drbg.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -837,6 +837,10 @@ PROV_DRBG *ossl_rand_drbg_new goto err; } } +#ifdef TSAN_REQUIRES_LOCKING + if (!ossl_drbg_enable_locking(drbg)) + goto err; +#endif return drbg; err: diff --git a/deps/openssl/openssl/providers/implementations/storemgmt/file_store.c b/deps/openssl/openssl/providers/implementations/storemgmt/file_store.c index 34cb70fdf838c3..fef2b1d2900f1a 100644 --- a/deps/openssl/openssl/providers/implementations/storemgmt/file_store.c +++ b/deps/openssl/openssl/providers/implementations/storemgmt/file_store.c 
@@ -175,7 +175,7 @@ static void *file_open_dir(const char *path, const char *uri, void *provctx) if ((ctx = new_file_ctx(IS_DIR, uri, provctx)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); - goto err; + return NULL; } ctx->_.dir.last_entry = OPENSSL_DIR_read(&ctx->_.dir.ctx, path); diff --git a/deps/openssl/openssl/ssl/record/ssl3_record.c b/deps/openssl/openssl/ssl/record/ssl3_record.c index c713f231cabc24..d8ef018741a1f4 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_record.c +++ b/deps/openssl/openssl/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -191,7 +191,7 @@ int ssl3_get_record(SSL *s) rr = RECORD_LAYER_get_rrec(&s->rlayer); rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); - is_ktls_left = (rbuf->left > 0); + is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); max_recs = s->max_pipelines; if (max_recs == 0) max_recs = 1; @@ -408,7 +408,11 @@ int ssl3_get_record(SSL *s) len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif - if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) { + /* KTLS may use all of the buffer */ + if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) + len = SSL3_BUFFER_get_left(rbuf); + + if (thisrr->length > len) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); return -1; 
@@ -711,16 +715,27 @@ int ssl3_get_record(SSL *s) goto end; } + /* + * Usually thisrr->length is the length of a single record, but when + * KTLS handles the decryption, thisrr->length may be larger than + * SSL3_RT_MAX_PLAIN_LENGTH because the kernel may have coalesced + * multiple records. + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH - && !BIO_get_ktls_recv(s->rbio)) { + && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } - /* If received packet overflows current Max Fragment Length setting */ + /* + * Check if the received packet overflows the current + * Max Fragment Length setting. + * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive. + */ if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) - && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session) - && !BIO_get_ktls_recv(s->rbio)) { + && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } @@ -1392,6 +1407,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); int t; + int ret = 0; if (sending) { seq = RECORD_LAYER_get_write_sequence(&ssl->rlayer); @@ -1412,15 +1428,13 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) } else { hmac = EVP_MD_CTX_new(); if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) { - EVP_MD_CTX_free(hmac); - return 0; + goto end; } mac_ctx = hmac; } if (!SSL_IS_DTLS(ssl) && tlstree_mac && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) { - EVP_MD_CTX_free(hmac); - return 0; + goto end; } if (SSL_IS_DTLS(ssl)) { 
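Review bot: The Max Fragment Length check loses its `!BIO_get_ktls_recv(s->rbio)` guard on the strength of the new comment that USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive, but nothing in this hunk enforces that. If the two could ever be active together, a record coalesced by the kernel would fail this check and the connection would be closed with `SSL_AD_RECORD_OVERFLOW`; that fails closed, but it would be hard to diagnose. Naming in that comment the place where the exclusion is enforced would let a reader verify it. ssl3_get_record starts and ends outside the hunk.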
@@ -1450,19 +1464,17 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) *p++ = OSSL_PARAM_construct_end(); if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx), - tls_hmac_params)) - return 0; + tls_hmac_params)) { + goto end; + } } if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { - EVP_MD_CTX_free(hmac); - return 0; + goto end; } - EVP_MD_CTX_free(hmac); - OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "seq:\n"); BIO_dump_indent(trc_out, seq, 8, 4); @@ -1481,7 +1493,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) BIO_printf(trc_out, "md:\n"); BIO_dump_indent(trc_out, md, md_size, 4); } OSSL_TRACE_END(TLS); - return 1; + ret = 1; + end: + EVP_MD_CTX_free(hmac); + return ret; } int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) diff --git a/deps/openssl/openssl/ssl/s3_lib.c b/deps/openssl/openssl/ssl/s3_lib.c index 0ce747bd4c8bf4..2c160d2d6a2878 100644 --- a/deps/openssl/openssl/ssl/s3_lib.c +++ b/deps/openssl/openssl/ssl/s3_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2168,7 +2168,7 @@ static SSL_CIPHER ssl3_ciphers[] = { TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kEDH, + SSL_kDHE, SSL_aDSS, SSL_CAMELLIA128, SSL_SHA256, @@ -2184,7 +2184,7 @@ static SSL_CIPHER ssl3_ciphers[] = { TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kEDH, + SSL_kDHE, SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, 
@@ -2200,7 +2200,7 @@ static SSL_CIPHER ssl3_ciphers[] = { TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kEDH, + SSL_kDHE, SSL_aNULL, SSL_CAMELLIA128, SSL_SHA256, @@ -2232,7 +2232,7 @@ static SSL_CIPHER ssl3_ciphers[] = { TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kEDH, + SSL_kDHE, SSL_aDSS, SSL_CAMELLIA256, SSL_SHA256, @@ -2248,7 +2248,7 @@ static SSL_CIPHER ssl3_ciphers[] = { TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kEDH, + SSL_kDHE, SSL_aRSA, SSL_CAMELLIA256, SSL_SHA256, @@ -2264,7 +2264,7 @@ static SSL_CIPHER ssl3_ciphers[] = { TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kEDH, + SSL_kDHE, SSL_aNULL, SSL_CAMELLIA256, SSL_SHA256, diff --git a/deps/openssl/openssl/ssl/ssl_cert.c b/deps/openssl/openssl/ssl/ssl_cert.c index 21ce1684814cf8..8d90fa54df7b56 100644 --- a/deps/openssl/openssl/ssl/ssl_cert.c +++ b/deps/openssl/openssl/ssl/ssl_cert.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1001,7 +1001,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex) { - int level, minbits; + int level, minbits, pfs_mask; minbits = ssl_get_security_level_bits(s, ctx, &level); 
@@ -1036,8 +1036,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, if (level >= 2 && c->algorithm_enc == SSL_RC4) return 0; /* Level 3: forward secure ciphersuites only */ + pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK; if (level >= 3 && c->min_tls != TLS1_3_VERSION && - !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) + !(c->algorithm_mkey & pfs_mask)) return 0; break; } diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index 718af4aa91bca7..9b1998a93d5aef 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2478,6 +2478,9 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_RI_SUPPORT: return s->s3.send_connection_binding; + case SSL_CTRL_SET_RETRY_VERIFY: + s->rwstate = SSL_RETRY_VERIFY; + return 1; case SSL_CTRL_CERT_FLAGS: return (s->cert->cert_flags |= larg); case SSL_CTRL_CLEAR_CERT_FLAGS: @@ -2536,6 +2539,17 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) return ctx->sessions; } +static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat) +{ + int res = 0; + + if (ssl_tsan_lock(ctx)) { + res = tsan_load(stat); + ssl_tsan_unlock(ctx); + } + return res; +} + long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { long l; 
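Review bot: In the `@@ -1036,8 +1036,9 @@` hunk of ssl_security_default_callback(), `pfs_mask` now also admits `SSL_kDHEPSK` and `SSL_kECDHEPSK` at security level 3, but the comment above it still reads only `/* Level 3: forward secure ciphersuites only */`. That widens what level 3 accepts, so I would record it in the comment, e.g. `/* Level 3: forward secure ciphersuites only; (EC)DHE-PSK key exchange counts as forward secure */`. As a matter of style, the mask is a constant that is reassigned every time this case runs. Declaring it `const int pfs_mask = ...` beside `level` and `minbits` (the `@@ -1001,7 +1001,7 @@` hunk) would make that explicit. The function continues outside both hunks.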
@@ -2591,27 +2605,27 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SESS_NUMBER: return lh_SSL_SESSION_num_items(ctx->sessions); case SSL_CTRL_SESS_CONNECT: - return tsan_load(&ctx->stats.sess_connect); + return ssl_tsan_load(ctx, &ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: - return tsan_load(&ctx->stats.sess_connect_good); + return ssl_tsan_load(ctx, &ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return tsan_load(&ctx->stats.sess_connect_renegotiate); + return ssl_tsan_load(ctx, &ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: - return tsan_load(&ctx->stats.sess_accept); + return ssl_tsan_load(ctx, &ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: - return tsan_load(&ctx->stats.sess_accept_good); + return ssl_tsan_load(ctx, &ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return tsan_load(&ctx->stats.sess_accept_renegotiate); + return ssl_tsan_load(ctx, &ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: - return tsan_load(&ctx->stats.sess_hit); + return ssl_tsan_load(ctx, &ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: - return tsan_load(&ctx->stats.sess_cb_hit); + return ssl_tsan_load(ctx, &ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: - return tsan_load(&ctx->stats.sess_miss); + return ssl_tsan_load(ctx, &ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: - return tsan_load(&ctx->stats.sess_timeout); + return ssl_tsan_load(ctx, &ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: - return tsan_load(&ctx->stats.sess_cache_full); + return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: 
@@ -3284,6 +3298,14 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, return NULL; } +#ifdef TSAN_REQUIRES_LOCKING + ret->tsan_lock = CRYPTO_THREAD_lock_new(); + if (ret->tsan_lock == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + goto err; + } +#endif + ret->libctx = libctx; if (propq != NULL) { ret->propq = OPENSSL_strdup(propq); @@ -3550,6 +3572,9 @@ void SSL_CTX_free(SSL_CTX *a) OPENSSL_free(a->sigalg_lookup_cache); CRYPTO_THREAD_lock_free(a->lock); +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_THREAD_lock_free(a->tsan_lock); +#endif OPENSSL_free(a->propq); @@ -3818,11 +3843,12 @@ void ssl_update_cache(SSL *s, int mode) /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { TSAN_QUALIFIER int *stat; + if (mode & SSL_SESS_CACHE_CLIENT) stat = &s->session_ctx->stats.sess_connect_good; else stat = &s->session_ctx->stats.sess_accept_good; - if ((tsan_load(stat) & 0xff) == 0xff) + if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); } } diff --git a/deps/openssl/openssl/ssl/ssl_local.h b/deps/openssl/openssl/ssl/ssl_local.h index 93a825db326fb6..3dae12226b3077 100644 --- a/deps/openssl/openssl/ssl/ssl_local.h +++ b/deps/openssl/openssl/ssl/ssl_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -820,6 +820,9 @@ int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, size_t ssl_hmac_size(const SSL_HMAC *ctx); int ssl_get_EC_curve_nid(const EVP_PKEY *pkey); +__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, + const unsigned char *enckey, + size_t enckeylen); typedef struct tls_group_info_st { char *tlsname; /* Curve Name as in TLS specs */ 
@@ -907,6 +910,9 @@ struct ssl_ctx_st { * other processes - spooky * :-) */ } stats; +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_RWLOCK *tsan_lock; +#endif CRYPTO_REF_COUNT references; @@ -2908,4 +2914,31 @@ void ssl_session_calculate_timeout(SSL_SESSION* ss); # define ssl3_setup_buffers SSL_test_functions()->p_ssl3_setup_buffers # endif + +/* Some helper routines to support TSAN operations safely */ +static ossl_unused ossl_inline int ssl_tsan_lock(const SSL_CTX *ctx) +{ +#ifdef TSAN_REQUIRES_LOCKING + if (!CRYPTO_THREAD_write_lock(ctx->tsan_lock)) + return 0; +#endif + return 1; +} + +static ossl_unused ossl_inline void ssl_tsan_unlock(const SSL_CTX *ctx) +{ +#ifdef TSAN_REQUIRES_LOCKING + CRYPTO_THREAD_unlock(ctx->tsan_lock); +#endif +} + +static ossl_unused ossl_inline void ssl_tsan_counter(const SSL_CTX *ctx, + TSAN_QUALIFIER int *stat) +{ + if (ssl_tsan_lock(ctx)) { + tsan_counter(stat); + ssl_tsan_unlock(ctx); + } +} + #endif diff --git a/deps/openssl/openssl/ssl/ssl_sess.c b/deps/openssl/openssl/ssl/ssl_sess.c index 0e756c37c1ace1..085dcfba6ce200 100644 --- a/deps/openssl/openssl/ssl/ssl_sess.c +++ b/deps/openssl/openssl/ssl/ssl_sess.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -502,7 +502,7 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, } CRYPTO_THREAD_unlock(s->session_ctx->lock); if (ret == NULL) - tsan_counter(&s->session_ctx->stats.sess_miss); + ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); } if (ret == NULL && s->session_ctx->get_session_cb != NULL) { 
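Review bot: In the `@@ -2908,4 +2914,31 @@` hunk of ssl_local.h, `ssl_tsan_counter()` drops the increment when `ssl_tsan_lock()` fails, and `ssl_tsan_load()` in ssl_lib.c returns 0 in the same case, which a caller cannot tell apart from a counter that really is zero. For statistics that is probably acceptable, but it should be stated. I would extend the header comment to something like `/* Helpers for TSAN operations; if the lock cannot be taken the update is skipped and a load reports 0 */`. Also, `ssl_tsan_lock()` always calls `CRYPTO_THREAD_write_lock()`, so the read-only `ssl_tsan_load()` path serialises against other readers. Whether a read lock would be enough there depends on `tsan_load()` under TSAN_REQUIRES_LOCKING, which is not visible here.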
@@ -511,7 +511,8 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©); if (ret != NULL) { - tsan_counter(&s->session_ctx->stats.sess_cb_hit); + ssl_tsan_counter(s->session_ctx, + &s->session_ctx->stats.sess_cb_hit); /* * Increment reference count now if the session callback asks us @@ -642,7 +643,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello) } if (sess_timedout(time(NULL), ret)) { - tsan_counter(&s->session_ctx->stats.sess_timeout); + ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_timeout); if (try_session_cache) { /* session was from the cache, so remove it */ SSL_CTX_remove_session(s->session_ctx, ret); @@ -669,7 +670,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello) s->session = ret; } - tsan_counter(&s->session_ctx->stats.sess_hit); + ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_hit); s->verify_result = s->session->verify_result; return 1; @@ -769,7 +770,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) break; else - tsan_counter(&ctx->stats.sess_cache_full); + ssl_tsan_counter(ctx, &ctx->stats.sess_cache_full); } } } diff --git a/deps/openssl/openssl/ssl/statem/extensions.c b/deps/openssl/openssl/ssl/statem/extensions.c index d45e00ad99c768..2d60ad69d7691c 100644 --- a/deps/openssl/openssl/ssl/statem/extensions.c +++ b/deps/openssl/openssl/ssl/statem/extensions.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -925,6 +925,15 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent) return 1; } +static ossl_inline void ssl_tsan_decr(const SSL_CTX *ctx, + TSAN_QUALIFIER int *stat) +{ + if (ssl_tsan_lock(ctx)) { + tsan_decr(stat); + ssl_tsan_unlock(ctx); + } +} + static int init_server_name(SSL *s, unsigned int context) { if (s->server) { @@ -982,8 +991,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) */ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx && s->hello_retry_request == SSL_HRR_NONE) { - tsan_counter(&s->ctx->stats.sess_accept); - tsan_decr(&s->session_ctx->stats.sess_accept); + ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept); + ssl_tsan_decr(s->session_ctx, &s->session_ctx->stats.sess_accept); } /* diff --git a/deps/openssl/openssl/ssl/statem/extensions_clnt.c b/deps/openssl/openssl/ssl/statem/extensions_clnt.c index 7b46074232798c..234a24d2061fbc 100644 --- a/deps/openssl/openssl/ssl/statem/extensions_clnt.c +++ b/deps/openssl/openssl/ssl/statem/extensions_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1878,8 +1878,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 0; } - if (EVP_PKEY_set1_encoded_public_key(skey, PACKET_data(&encoded_pt), - PACKET_remaining(&encoded_pt)) <= 0) { + if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt), + PACKET_remaining(&encoded_pt)) <= 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); EVP_PKEY_free(skey); return 0; diff --git a/deps/openssl/openssl/ssl/statem/extensions_srvr.c b/deps/openssl/openssl/ssl/statem/extensions_srvr.c index 0b6e843e8a145b..46e4aca56fbcbb 100644 --- a/deps/openssl/openssl/ssl/statem/extensions_srvr.c 
+++ b/deps/openssl/openssl/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -663,9 +663,9 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, /* Cache the selected group ID in the SSL_SESSION */ s->session->kex_group = group_id; - if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, - PACKET_data(&encoded_pt), - PACKET_remaining(&encoded_pt)) <= 0) { + if (tls13_set_encoded_pub_key(s->s3.peer_tmp, + PACKET_data(&encoded_pt), + PACKET_remaining(&encoded_pt)) <= 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); return 0; } diff --git a/deps/openssl/openssl/ssl/statem/statem_clnt.c b/deps/openssl/openssl/ssl/statem/statem_clnt.c index 1cdf53390e80cb..12a6b06a49e70b 100644 --- a/deps/openssl/openssl/ssl/statem/statem_clnt.c +++ b/deps/openssl/openssl/ssl/statem/statem_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1577,7 +1577,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) * overwritten if the server refuses resumption. */ if (s->session->session_id_length > 0) { - tsan_counter(&s->session_ctx->stats.sess_miss); + ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); if (!ssl_get_new_session(s, 0)) { /* SSLfatal() already called */ goto err; 
@@ -1867,9 +1867,10 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) size_t certidx; int i; + if (s->rwstate == SSL_RETRY_VERIFY) + s->rwstate = SSL_NOTHING; i = ssl_verify_cert_chain(s, s->session->peer_chain); - if (i == -1) { - s->rwstate = SSL_RETRY_VERIFY; + if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) { return WORK_MORE_A; } /* @@ -1886,7 +1887,7 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) * (less clean) historic behaviour of performing validation if any flag is * set. The *documented* interface remains the same. */ - if (s->verify_mode != SSL_VERIFY_NONE && i == 0) { + if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { SSLfatal(s, ssl_x509err2alert(s->verify_result), SSL_R_CERTIFICATE_VERIFY_FAILED); return WORK_ERROR; @@ -2934,7 +2935,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub); if (encoded_pub_len == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - EVP_PKEY_free(skey); + EVP_PKEY_free(ckey); return EXT_RETURN_FAIL; } @@ -3082,7 +3083,7 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) EVP_MD_CTX_free(ukm_hash); ukm_hash = NULL; if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { + EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } @@ -3195,7 +3196,7 @@ static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) if (peer_cert == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); - return 0; + goto err; } pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, @@ -3203,7 +3204,7 @@ static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) s->ctx->propq); if (pkey_ctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) { 
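Review bot: In the `@@ -1867,9 +1867,10 @@` hunk of tls_post_process_server_certificate(), the retry path depends on a contract that the code does not explain. `s->rwstate` is reset from `SSL_RETRY_VERIFY` to `SSL_NOTHING` before `ssl_verify_cert_chain()` runs, and a retry is taken only when the call returns a positive value with `s->rwstate` set again, presumably by the verification callback through `SSL_CTRL_SET_RETRY_VERIFY` (added in ssl_lib.c). A result of -1 used to mean retry; with the `i <= 0` change in the next hunk it is now a verification failure whenever `verify_mode` is not `SSL_VERIFY_NONE`. A comment before the reset would make that visible, e.g. `/* Clear a stale retry request; the verify callback must request a retry again and return success for us to suspend here */`. The function continues outside the hunk.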
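Review bot: In the `@@ -2934,7 +2935,7 @@` hunk, the error path that now correctly frees `ckey` still ends in `return EXT_RETURN_FAIL;`, although the hunk header shows tls_construct_cke_dhe() is declared `static int`. That only works if the enumerator has the value 0. `return 0;` would match the function's type and the other failure returns in this file, such as the ones this commit replaces in tls_construct_cke_gost18(). The rest of the function is outside the hunk, so I cannot see whether a shared cleanup label is available instead.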
@@ -3213,13 +3214,13 @@ static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) { + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) { + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } diff --git a/deps/openssl/openssl/ssl/statem/statem_lib.c b/deps/openssl/openssl/ssl/statem/statem_lib.c index b8bbe765847371..e995f281180ec6 100644 --- a/deps/openssl/openssl/ssl/statem/statem_lib.c +++ b/deps/openssl/openssl/ssl/statem/statem_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -195,18 +195,19 @@ int tls_setup_handshake(SSL *s) } if (SSL_IS_FIRST_HANDSHAKE(s)) { /* N.B. s->session_ctx == s->ctx here */ - tsan_counter(&s->session_ctx->stats.sess_accept); + ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept); } else { /* N.B. s->ctx may not equal s->session_ctx */ - tsan_counter(&s->ctx->stats.sess_accept_renegotiate); + ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate); s->s3.tmp.cert_request = 0; } } else { if (SSL_IS_FIRST_HANDSHAKE(s)) - tsan_counter(&s->session_ctx->stats.sess_connect); + ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect); else - tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); + ssl_tsan_counter(s->session_ctx, + &s->session_ctx->stats.sess_connect_renegotiate); /* mark client_random uninitialized */ memset(s->s3.client_random, 0, sizeof(s->s3.client_random)); @@ -1130,7 +1131,7 @@ WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst, ssl_update_cache(s, SSL_SESS_CACHE_SERVER); /* N.B. s->ctx may not equal s->session_ctx */ - tsan_counter(&s->ctx->stats.sess_accept_good); + ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; } else { if (SSL_IS_TLS13(s)) { @@ -1149,10 +1150,12 @@ WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst, ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); } if (s->hit) - tsan_counter(&s->session_ctx->stats.sess_hit); + ssl_tsan_counter(s->session_ctx, + &s->session_ctx->stats.sess_hit); s->handshake_func = ossl_statem_connect; - tsan_counter(&s->session_ctx->stats.sess_connect_good); + ssl_tsan_counter(s->session_ctx, + &s->session_ctx->stats.sess_connect_good); } if (SSL_IS_DTLS(s)) { diff --git a/deps/openssl/openssl/ssl/statem/statem_srvr.c b/deps/openssl/openssl/ssl/statem/statem_srvr.c index 90f3a99b1c32ab..677c1be5801356 100644 --- a/deps/openssl/openssl/ssl/statem/statem_srvr.c +++ b/deps/openssl/openssl/ssl/statem/statem_srvr.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -3264,13 +3264,13 @@ static int tls_process_cke_gost18(SSL *s, PACKET *pkt) /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, - EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) { + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, - EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) { + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } diff --git a/deps/openssl/openssl/ssl/t1_enc.c b/deps/openssl/openssl/ssl/t1_enc.c index 51688d4f2eac70..237a19cd936703 100644 --- a/deps/openssl/openssl/ssl/t1_enc.c +++ b/deps/openssl/openssl/ssl/t1_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -122,7 +122,7 @@ static int count_unprocessed_records(SSL *s) return -1; /* Read until next record */ - if (PACKET_get_length_prefixed_2(&pkt, &subpkt)) + if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) return -1; count += 1; diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index fc32bb35567fdd..41fddf22a7278d 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -3477,3 +3477,22 @@ int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) return NID_undef; } + +__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, + const unsigned char *enckey, + size_t enckeylen) +{ + if (EVP_PKEY_is_a(pkey, "DH")) { + int bits = EVP_PKEY_get_bits(pkey); + + if (bits <= 0 || enckeylen != (size_t)bits / 8) + /* the encoded key must be padded to the length of the p */ + return 0; + } else if (EVP_PKEY_is_a(pkey, "EC")) { + if (enckeylen < 3 /* point format and at least 1 byte for x and y */ + || enckey[0] != 0x04) + return 0; + } + + return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); +} diff --git a/deps/openssl/openssl/test/acvp_test.c b/deps/openssl/openssl/test/acvp_test.c index d8425f0d2071cb..bbc77d0ae610d6 100644 --- a/deps/openssl/openssl/test/acvp_test.c +++ b/deps/openssl/openssl/test/acvp_test.c @@ -218,7 +218,7 @@ static int get_ecdsa_sig_rs_bytes(const unsigned char *sig, size_t sig_len, r1 = ECDSA_SIG_get0_r(sign); s1 = ECDSA_SIG_get0_s(sign); if (r1 == NULL || s1 == NULL) - return 0; + goto err; r1_len = BN_num_bytes(r1); s1_len = BN_num_bytes(s1); @@ -560,7 +560,7 @@ static int get_dsa_sig_rs_bytes(const unsigned char *sig, size_t sig_len, return 0; DSA_SIG_get0(sign, &r1, &s1); if (r1 == NULL || s1 == NULL) - return 0; + goto err; r1_len = BN_num_bytes(r1); s1_len = BN_num_bytes(s1); diff --git a/deps/openssl/openssl/test/bio_enc_test.c b/deps/openssl/openssl/test/bio_enc_test.c index b383cdce1c53ff..accb74e7df415d 100644 --- a/deps/openssl/openssl/test/bio_enc_test.c +++ b/deps/openssl/openssl/test/bio_enc_test.c 
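Review bot: In the `@@ -3477,3 +3477,22 @@` hunk of t1_lib.c, the new tls13_set_encoded_pub_key() has no comment describing what it validates or returns, yet it is now the gate for peer key shares in tls_parse_stoc_key_share() and tls_parse_ctos_key_share(). I would add a header comment saying that a DH share must be exactly the byte length of p, that an EC share must be at least 3 bytes and start with 0x04, that other key types go straight to EVP_PKEY_set1_encoded_public_key(), and that 0 is returned on rejection. Separately, `(size_t)bits / 8` rounds down, so for a modulus whose bit length is not a multiple of 8 the comparison would be one byte short of the padded size the inline comment asks for. If only groups with byte-aligned sizes can reach this point that never happens, but `((size_t)bits + 7) / 8` states the intent.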
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,7 @@ static const unsigned char IV[] = { static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, const unsigned char* iv) { - BIO *b; + BIO *b, *mem; static unsigned char inp[BUF_SIZE] = { 0 }; unsigned char out[BUF_SIZE], ref[BUF_SIZE]; int i, lref, len; @@ -54,8 +54,11 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, if (!TEST_ptr(b)) return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) - return 0; - BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); + goto err; + mem = BIO_new_mem_buf(inp, DATA_SIZE); + if (!TEST_ptr(mem)) + goto err; + BIO_push(b, mem); lref = BIO_read(b, ref, sizeof(ref)); BIO_free_all(b); @@ -66,16 +69,19 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Split encrypt failed @ operation %d", i); - return 0; + goto err; } - BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); + mem = BIO_new_mem_buf(inp, DATA_SIZE); + if (!TEST_ptr(mem)) + goto err; + BIO_push(b, mem); memset(out, 0, sizeof(out)); out[i] = ~ref[i]; len = BIO_read(b, out, i); /* check for overstep */ if (!TEST_uchar_eq(out[i], (unsigned char)~ref[i])) { TEST_info("Encrypt overstep check failed @ operation %d", i); - return 0; + goto err; } len += BIO_read(b, out + len, sizeof(out) - len); BIO_free_all(b); 
@@ -95,9 +101,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Small chunk encrypt failed @ operation %d", i); - return 0; + goto err; } - BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); + mem = BIO_new_mem_buf(inp, DATA_SIZE); + if (!TEST_ptr(mem)) + goto err; + BIO_push(b, mem); memset(out, 0, sizeof(out)); for (len = 0; (delta = BIO_read(b, out + len, i)); ) { len += delta; @@ -117,9 +126,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, if (!TEST_ptr(b)) return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) - return 0; + goto err; /* Use original reference output as input */ - BIO_push(b, BIO_new_mem_buf(ref, lref)); + mem = BIO_new_mem_buf(ref, lref); + if (!TEST_ptr(mem)) + goto err; + BIO_push(b, mem); (void)BIO_flush(b); memset(out, 0, sizeof(out)); len = BIO_read(b, out, sizeof(out)); @@ -135,16 +147,19 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) { TEST_info("Split decrypt failed @ operation %d", i); - return 0; + goto err; } - BIO_push(b, BIO_new_mem_buf(ref, lref)); + mem = BIO_new_mem_buf(ref, lref); + if (!TEST_ptr(mem)) + goto err; + BIO_push(b, mem); memset(out, 0, sizeof(out)); out[i] = ~ref[i]; len = BIO_read(b, out, i); /* check for overstep */ if (!TEST_uchar_eq(out[i], (unsigned char)~ref[i])) { TEST_info("Decrypt overstep check failed @ operation %d", i); - return 0; + goto err; } len += BIO_read(b, out + len, sizeof(out) - len); BIO_free_all(b); 
@@ -164,9 +179,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) { TEST_info("Small chunk decrypt failed @ operation %d", i); - return 0; + goto err; } - BIO_push(b, BIO_new_mem_buf(ref, lref)); + mem = BIO_new_mem_buf(ref, lref); + if (!TEST_ptr(mem)) + goto err; + BIO_push(b, mem); memset(out, 0, sizeof(out)); for (len = 0; (delta = BIO_read(b, out + len, i)); ) { len += delta; @@ -180,6 +198,10 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, } return 1; + +err: + BIO_free_all(b); + return 0; } static int do_test_bio_cipher(const EVP_CIPHER* cipher, int idx) diff --git a/deps/openssl/openssl/test/bntest.c b/deps/openssl/openssl/test/bntest.c index fa9fc07ceff924..4c1ee0c13b6d1e 100644 --- a/deps/openssl/openssl/test/bntest.c +++ b/deps/openssl/openssl/test/bntest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1732,8 +1732,17 @@ static int file_modsqrt(STANZA *s) || !TEST_ptr(ret2 = BN_new())) goto err; + if (BN_is_negative(mod_sqrt)) { + /* A negative testcase */ + if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) + goto err; + + st = 1; + goto err; + } + /* There are two possible answers. */ - if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) + if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) || !TEST_true(BN_sub(ret2, p, ret))) goto err; 
@@ -2881,6 +2890,50 @@ static int test_mod_exp_consttime(int i) return res; } +/* + * Regression test to ensure BN_mod_exp2_mont fails safely if argument m is + * zero. + */ +static int test_mod_exp2_mont(void) +{ + int res = 0; + BIGNUM *exp_result = NULL; + BIGNUM *exp_a1 = NULL, *exp_p1 = NULL, *exp_a2 = NULL, *exp_p2 = NULL, + *exp_m = NULL; + + if (!TEST_ptr(exp_result = BN_new()) + || !TEST_ptr(exp_a1 = BN_new()) + || !TEST_ptr(exp_p1 = BN_new()) + || !TEST_ptr(exp_a2 = BN_new()) + || !TEST_ptr(exp_p2 = BN_new()) + || !TEST_ptr(exp_m = BN_new())) + goto err; + + if (!TEST_true(BN_one(exp_a1)) + || !TEST_true(BN_one(exp_p1)) + || !TEST_true(BN_one(exp_a2)) + || !TEST_true(BN_one(exp_p2))) + goto err; + + BN_zero(exp_m); + + /* input of 0 is even, so must fail */ + if (!TEST_int_eq(BN_mod_exp2_mont(exp_result, exp_a1, exp_p1, exp_a2, + exp_p2, exp_m, ctx, NULL), 0)) + goto err; + + res = 1; + +err: + BN_free(exp_result); + BN_free(exp_a1); + BN_free(exp_p1); + BN_free(exp_a2); + BN_free(exp_p2); + BN_free(exp_m); + return res; +} + static int file_test_run(STANZA *s) { static const FILETEST filetests[] = { @@ -3022,6 +3075,7 @@ int setup_tests(void) ADD_TEST(test_gcd_prime); ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests)); ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests)); + ADD_TEST(test_mod_exp2_mont); if (stochastic) ADD_TEST(test_rand_range); } else { diff --git a/deps/openssl/openssl/test/certs/leaf-encrypted.key b/deps/openssl/openssl/test/certs/leaf-encrypted.key new file mode 100644 index 00000000000000..99a802dbe6ad01 --- /dev/null +++ b/deps/openssl/openssl/test/certs/leaf-encrypted.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIEBBNanZFjs8CAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBDr8bhquxPf762O3jk0LAtJBIIE +0FQB7c06dpoHn1KBn8jTzsLIdVR0SeKUvq4edZfUPbB/6go97j48BwSzAaXY7BNL +90GRMrNNjKZDLeNf0wwf1+67YX7neGnb+LdxpQdqEjOTGQdwTx9SG6XIqT8x4R67 +rI2DQqI937FSor9292koXQNM9Asoenn6kOCITaa8chsPdKCtFjfVmqZRMaewr5PW +W1rooFuCVAIfgBOOaEeN7OMTJRdAGtWWOJqyLB29gXxwaI1+PnXmkHPgRGXZYz7W +N5lTp1xvFPY+Rp/cK0DfeR5MrMYSVvrXbi6usjteJ2h0Rzcy8SY6Jnvuaoowi+rj +lDUP0K/51tTQBd6bpsvcmc2cBx+7pg4BAkf9SnuKQpYCWPjiwrCiDJIP/o5GYIn2 +m/3K2pLahjOeGZAmhGUi0fZPZhaq37IQKwuzLDuYw1CkR7LhaJcJ9V1vXMPePgCY ++BvjFG5z0mLDwUNvzCHQokav3Z/QT6CfOgTL10qKuBgylT1d5Cw7bfv8Lnc6C/YK +aVXosCaKTJO8r4t7NgJX4PYQP/DZIl5CJIoUzJkrAkShLwcGtXMHVNSWx4LS60QY +lfjz80cWWE6Tx/XjBkae0AQJW8S9nDB8/X80ox8jJ/sdd5XNZqUQhDxBP5/4GiAS +pZlgp/IwssoG5HUnwn/4AUgD7Gdo5QRqFlkXeCFlHgjBrEHBkevHECRHAdWwrK7X +5td662K1B9hm6EfA1R51jiOKBuM0bwYtI+tpmpT5zeDGeaOWuPUYPUFjfo9xt1Lx +cmX3ouBt34uT/cQesPxP8gJwRdo0KqPK+KLjtQazXmHFu+FStZ29gUvhqAw9kcxq +ps9neGAl3DJgYbB1QqqefGqFWBhJzt4toqxcgm6Z0PJSYQlxJEC3yWWs5w5wfLJJ +KGfnpsY1IGYsbw9Caa84XqnzHosGWx724GJeb3YSwwMj311oMi9s8J/d/NpJZHOu +uk/mQWezCfdEFSnkOtIDJWTQUtRtRfIZQp243c25E3/rJySuSoMfn4eolAGurse8 +6r7SEJ6MUjCTd3ZcA+XZAtFxPQnNBYm691hvGE6uclxYy9L6bmws9dosNlpCyvIQ ++OYdB9Mvx9hs0KwAWZ6bnIxa3tc6Ob9mxV7ycMS43d4ShEqzy44DZD02Z0iQIRym +1AoGwgLbc2d9NouUiw2ur5n6ByYCTHwmMSAstVovuBoS2XDF23BzLL7KuCnkHH0y ++M6CRaXW0ceTP4DfEvBphxfj4NNEZpjm8j6ERvnnQvC5tRAaMglhg1WOvUVUtPg5 +cJPIiSn+yVuoFDnLKJ53N9NzDtUKSBQgwNGyVVPTzpfxLmjg00bNQ7eyoRr6uK0l +ezmHemo52JpCaBGV01tnvVKzGouFN/KxP9GxvPQY8UQxVkE+E/p0UjGOpNLIDmzl +/qVKxky9lMBoHc+neeCbOrtgwkyYgpPkKlmTTsi/yUxpbUmobFZJTUbOWrpeRbw3 +Pt9u8NeVmD4Ys/NenHIJwksOqmWxSy7IjJpzQsee1CZXV7McAYsg24tP4Bdj9aGT +hsMyiaiNB+rjkNxhUCm39nJsaN1AoTZ3Br1UYfHrfocif12yNGOEBy2swfjQIGNH +fjGk3px34MZZv3S0bM/ZPi9ankzAZnf8qkHoDVtsP+Gk +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/deps/openssl/openssl/test/cmp_vfy_test.c b/deps/openssl/openssl/test/cmp_vfy_test.c index a4800903637309..5aa6a008ccbb0f 100644 --- a/deps/openssl/openssl/test/cmp_vfy_test.c +++ b/deps/openssl/openssl/test/cmp_vfy_test.c @@ -51,11 +51,13 @@ static time_t test_time_valid = 0, test_time_after_expiration = 0; static CMP_VFY_TEST_FIXTURE *set_up(const char *const test_case_name) { - X509_STORE *ts = X509_STORE_new(); + X509_STORE *ts; CMP_VFY_TEST_FIXTURE *fixture; if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) return NULL; + + ts = X509_STORE_new(); fixture->test_case_name = test_case_name; if (ts == NULL || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new(libctx, NULL)) diff --git a/deps/openssl/openssl/test/crltest.c b/deps/openssl/openssl/test/crltest.c index 5d255d368a1ca5..d17fac43f82a31 100644 --- a/deps/openssl/openssl/test/crltest.c +++ b/deps/openssl/openssl/test/crltest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -200,9 +200,16 @@ static BIO *glue2bio(const char **pem, char **out) */ static X509_CRL *CRL_from_strings(const char **pem) { + X509_CRL *crl; char *p; BIO *b = glue2bio(pem, &p); - X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); + + if (b == NULL) { + OPENSSL_free(p); + return NULL; + } + + crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); @@ -214,9 +221,16 @@ static X509_CRL *CRL_from_strings(const char **pem) */ static X509 *X509_from_strings(const char **pem) { + X509 *x; char *p; BIO *b = glue2bio(pem, &p); - X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); + + if (b == NULL) { + OPENSSL_free(p); + return NULL; + } + + x = PEM_read_bio_X509(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); 
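Review bot: In `CRL_from_strings` and `X509_from_strings` the new `b == NULL` path calls `OPENSSL_free(p)` on a `char *p;` that is declared without an initializer, so the free is only safe if `glue2bio()` always stores to `*out` before it can fail. `glue2bio()` is outside these hunks, so I cannot confirm that from here. Declaring `char *p = NULL;` in both functions makes the error path safe regardless. The `test_reuse_crl` hunk later in this file has the same pattern.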
@@ -363,6 +377,12 @@ static int test_reuse_crl(void) char *p; BIO *b = glue2bio(kRevokedCRL, &p); + if (b == NULL) { + OPENSSL_free(p); + X509_CRL_free(reused_crl); + return 0; + } + reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); OPENSSL_free(p); diff --git a/deps/openssl/openssl/test/ct_test.c b/deps/openssl/openssl/test/ct_test.c index d1799fa7a23683..26d5bc1084503d 100644 --- a/deps/openssl/openssl/test/ct_test.c +++ b/deps/openssl/openssl/test/ct_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -449,6 +449,9 @@ static int test_encode_tls_sct(void) SETUP_CT_TEST_FIXTURE(); fixture->sct_list = sk_SCT_new_null(); + if (fixture->sct_list == NULL) + return 0; + if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id, CT_LOG_ENTRY_TYPE_X509, timestamp, extensions, signature))) diff --git a/deps/openssl/openssl/test/dane-cross.in b/deps/openssl/openssl/test/dane-cross.in index 81252a110e9669..63c37fbf330ae6 100644 --- a/deps/openssl/openssl/test/dane-cross.in +++ b/deps/openssl/openssl/test/dane-cross.in @@ -1,6 +1,6 @@ -# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # -# Licensed under the OpenSSL license (the "License"). You may not use +# Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/test/defltfips_test.c b/deps/openssl/openssl/test/defltfips_test.c index 8b6dc0d6f1f6ba..9def654c5d3a36 100644 --- a/deps/openssl/openssl/test/defltfips_test.c 
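Review bot: The added `if (fixture->sct_list == NULL) return 0;` in `test_encode_tls_sct` fails without logging anything and returns right after `SETUP_CT_TEST_FIXTURE()` with no visible release of the fixture. Writing it as `if (!TEST_ptr(fixture->sct_list))` would report the failure the same way the `TEST_ptr` check on `SCT_new_from_base64` just below does. The early return should also free the fixture as the function's other failure paths do; those paths and the macro are outside the hunk, so the exact cleanup call needs to be checked there.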
+++ b/deps/openssl/openssl/test/defltfips_test.c @@ -1,3 +1,12 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + #include #include #include diff --git a/deps/openssl/openssl/test/dhtest.c b/deps/openssl/openssl/test/dhtest.c index 71c95b186f2c5e..7b587f3cfa8fad 100644 --- a/deps/openssl/openssl/test/dhtest.c +++ b/deps/openssl/openssl/test/dhtest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -744,6 +744,33 @@ static int dh_rfc5114_fix_nid_test(void) /* Tested function is called here */ if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 3), 1)) goto err; + /* Negative test */ + if (!TEST_int_eq(EVP_PKEY_CTX_set_dhx_rfc5114(paramgen_ctx, 99), 0)) + goto err; + /* If we're still running then the test passed. */ + ok = 1; +err: + EVP_PKEY_CTX_free(paramgen_ctx); + return ok; +} + +static int dh_set_dh_nid_test(void) +{ + int ok = 0; + EVP_PKEY_CTX *paramgen_ctx; + + /* Run the test. Success is any time the test does not cause a SIGSEGV interrupt */ + paramgen_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0); + if (!TEST_ptr(paramgen_ctx)) + goto err; + if (!TEST_int_eq(EVP_PKEY_paramgen_init(paramgen_ctx), 1)) + goto err; + /* Tested function is called here */ + if (!TEST_int_eq(EVP_PKEY_CTX_set_dh_nid(paramgen_ctx, NID_ffdhe2048), 1)) + goto err; + /* Negative test */ + if (!TEST_int_eq(EVP_PKEY_CTX_set_dh_nid(paramgen_ctx, NID_secp521r1), 0)) + goto err; /* If we're still running then the test passed. */ ok = 1; err: @@ -898,6 +925,7 @@ int setup_tests(void) ADD_TEST(dh_get_nid); ADD_TEST(dh_load_pkcs3_namedgroup_privlen_test); ADD_TEST(dh_rfc5114_fix_nid_test); + ADD_TEST(dh_set_dh_nid_test); #endif return 1; } diff --git a/deps/openssl/openssl/test/enginetest.c b/deps/openssl/openssl/test/enginetest.c index 04e61743a1b05a..8ba999b0176bc9 100644 --- a/deps/openssl/openssl/test/enginetest.c +++ b/deps/openssl/openssl/test/enginetest.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -24,6 +24,7 @@ # include # include # include +# include static void display_engine_list(void) { 
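Review bot: The comment at the top of the new `dh_set_dh_nid_test` body, `Success is any time the test does not cause a SIGSEGV interrupt`, does not describe what the function checks. The body asserts that `EVP_PKEY_CTX_set_dh_nid()` returns 1 for `NID_ffdhe2048` and 0 for `NID_secp521r1`, so a wrong return value fails the test even when nothing crashes. I would replace the comment with `/* set_dh_nid must accept a named FFDHE group and reject a NID that is not a DH group */`.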
diff --git a/deps/openssl/openssl/test/evp_extra_test.c b/deps/openssl/openssl/test/evp_extra_test.c index 47ef35ca679991..113ec2bd66ad19 100644 --- a/deps/openssl/openssl/test/evp_extra_test.c +++ b/deps/openssl/openssl/test/evp_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -4179,6 +4179,90 @@ static int test_evp_md_cipher_meth(void) return testresult; } +typedef struct { + int data; +} custom_dgst_ctx; + +static int custom_md_init_called = 0; +static int custom_md_cleanup_called = 0; + +static int custom_md_init(EVP_MD_CTX *ctx) +{ + custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx); + + if (p == NULL) + return 0; + + custom_md_init_called++; + return 1; +} + +static int custom_md_cleanup(EVP_MD_CTX *ctx) +{ + custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx); + + if (p == NULL) + /* Nothing to do */ + return 1; + + custom_md_cleanup_called++; + return 1; +} + +static int test_custom_md_meth(void) +{ + EVP_MD_CTX *mdctx = NULL; + EVP_MD *tmp = NULL; + char mess[] = "Test Message\n"; + unsigned char md_value[EVP_MAX_MD_SIZE]; + unsigned int md_len; + int testresult = 0; + int nid; + + /* + * We are testing deprecated functions. We don't support a non-default + * library context in this test. + */ + if (testctx != NULL) + return 1; + + custom_md_init_called = custom_md_cleanup_called = 0; + + nid = OBJ_create("1.3.6.1.4.1.16604.998866.1", "custom-md", "custom-md"); + if (!TEST_int_ne(nid, NID_undef)) + goto err; + tmp = EVP_MD_meth_new(nid, NID_undef); + if (!TEST_ptr(tmp)) + goto err; + + if (!TEST_true(EVP_MD_meth_set_init(tmp, custom_md_init)) + || !TEST_true(EVP_MD_meth_set_cleanup(tmp, custom_md_cleanup)) + || !TEST_true(EVP_MD_meth_set_app_datasize(tmp, + sizeof(custom_dgst_ctx)))) + goto err; + + mdctx = EVP_MD_CTX_new(); + if (!TEST_ptr(mdctx) + /* + * Initing our custom md and then initing another md should + * result in the init and cleanup functions of the custom md + * from being called. 
+ */ + || !TEST_true(EVP_DigestInit_ex(mdctx, tmp, NULL)) + || !TEST_true(EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL)) + || !TEST_true(EVP_DigestUpdate(mdctx, mess, strlen(mess))) + || !TEST_true(EVP_DigestFinal_ex(mdctx, md_value, &md_len)) + || !TEST_int_eq(custom_md_init_called, 1) + || !TEST_int_eq(custom_md_cleanup_called, 1)) + goto err; + + testresult = 1; + err: + EVP_MD_CTX_free(mdctx); + EVP_MD_meth_free(tmp); + return testresult; +} + # ifndef OPENSSL_NO_DYNAMIC_ENGINE /* Test we can create a signature keys with an associated ENGINE */ static int test_signatures_with_engine(int tst) @@ -4473,6 +4557,7 @@ int setup_tests(void) #ifndef OPENSSL_NO_DEPRECATED_3_0 ADD_ALL_TESTS(test_custom_pmeth, 12); ADD_TEST(test_evp_md_cipher_meth); + ADD_TEST(test_custom_md_meth); # ifndef OPENSSL_NO_DYNAMIC_ENGINE /* Tests only support the default libctx */ diff --git a/deps/openssl/openssl/test/evp_extra_test2.c b/deps/openssl/openssl/test/evp_extra_test2.c index b70c168d9db14b..55a18c2f5471fc 100644 --- a/deps/openssl/openssl/test/evp_extra_test2.c +++ b/deps/openssl/openssl/test/evp_extra_test2.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
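Review bot: The comment inside the `EVP_MD_CTX_new()` condition of `test_custom_md_meth` says the second init should result in the custom md's init and cleanup functions `from being called`, which reads as if they must not run. The assertions that follow expect `custom_md_init_called` and `custom_md_cleanup_called` to be exactly 1. Suggested wording: `/* Initing our custom md and then initing another md must call the custom md's init and cleanup functions exactly once each. */`.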
@@ -255,6 +255,136 @@ static APK_DATA keydata[] = { #endif }; +static int pkey_has_private(EVP_PKEY *key, const char *privtag, + int use_octstring) +{ + int ret = 0; + + if (use_octstring) { + unsigned char buf[64]; + + ret = EVP_PKEY_get_octet_string_param(key, privtag, buf, sizeof(buf), + NULL); + } else { + BIGNUM *bn = NULL; + + ret = EVP_PKEY_get_bn_param(key, privtag, &bn); + BN_free(bn); + } + return ret; +} + +static int do_pkey_tofrom_data_select(EVP_PKEY *key, const char *keytype) +{ + int ret = 0; + OSSL_PARAM *pub_params = NULL, *keypair_params = NULL; + EVP_PKEY *fromkey = NULL, *fromkeypair = NULL; + EVP_PKEY_CTX *fromctx = NULL; + const char *privtag = strcmp(keytype, "RSA") == 0 ? "d" : "priv"; + const int use_octstring = strcmp(keytype, "X25519") == 0; + + /* + * Select only the public key component when using EVP_PKEY_todata() and + * check that the resulting param array does not contain a private key. + */ + if (!TEST_int_eq(EVP_PKEY_todata(key, EVP_PKEY_PUBLIC_KEY, &pub_params), 1) + || !TEST_ptr_null(OSSL_PARAM_locate(pub_params, privtag))) + goto end; + /* + * Select the keypair when using EVP_PKEY_todata() and check that + * the param array contains a private key. + */ + if (!TEST_int_eq(EVP_PKEY_todata(key, EVP_PKEY_KEYPAIR, &keypair_params), 1) + || !TEST_ptr(OSSL_PARAM_locate(keypair_params, privtag))) + goto end; + + /* + * Select only the public key when using EVP_PKEY_fromdata() and check that + * the resulting key does not contain a private key. + */ + if (!TEST_ptr(fromctx = EVP_PKEY_CTX_new_from_name(mainctx, keytype, NULL)) + || !TEST_int_eq(EVP_PKEY_fromdata_init(fromctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(fromctx, &fromkey, EVP_PKEY_PUBLIC_KEY, + keypair_params), 1) + || !TEST_false(pkey_has_private(fromkey, privtag, use_octstring))) + goto end; + /* + * Select the keypair when using EVP_PKEY_fromdata() and check that + * the resulting key contains a private key. 
+ */ + if (!TEST_int_eq(EVP_PKEY_fromdata(fromctx, &fromkeypair, + EVP_PKEY_KEYPAIR, keypair_params), 1) + || !TEST_true(pkey_has_private(fromkeypair, privtag, use_octstring))) + goto end; + ret = 1; +end: + EVP_PKEY_free(fromkeypair); + EVP_PKEY_free(fromkey); + EVP_PKEY_CTX_free(fromctx); + OSSL_PARAM_free(keypair_params); + OSSL_PARAM_free(pub_params); + return ret; +} + +#ifndef OPENSSL_NO_DH +static int test_dh_tofrom_data_select(void) +{ + int ret; + OSSL_PARAM params[2]; + EVP_PKEY *key = NULL; + EVP_PKEY_CTX *gctx = NULL; + + params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); + params[1] = OSSL_PARAM_construct_end(); + ret = TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(mainctx, "DHX", NULL)) + && TEST_int_gt(EVP_PKEY_keygen_init(gctx), 0) + && TEST_true(EVP_PKEY_CTX_set_params(gctx, params)) + && TEST_int_gt(EVP_PKEY_generate(gctx, &key), 0) + && TEST_true(do_pkey_tofrom_data_select(key, "DHX")); + EVP_PKEY_free(key); + EVP_PKEY_CTX_free(gctx); + return ret; +} +#endif + +#ifndef OPENSSL_NO_EC +static int test_ec_tofrom_data_select(void) +{ + int ret; + EVP_PKEY *key = NULL; + + ret = TEST_ptr(key = EVP_PKEY_Q_keygen(mainctx, NULL, "EC", "P-256")) + && TEST_true(do_pkey_tofrom_data_select(key, "EC")); + EVP_PKEY_free(key); + return ret; +} + +static int test_ecx_tofrom_data_select(void) +{ + int ret; + EVP_PKEY *key = NULL; + + ret = TEST_ptr(key = EVP_PKEY_Q_keygen(mainctx, NULL, "X25519")) + && TEST_true(do_pkey_tofrom_data_select(key, "X25519")); + EVP_PKEY_free(key); + return ret; +} +#endif + +static int test_rsa_tofrom_data_select(void) +{ + int ret; + EVP_PKEY *key = NULL; + const unsigned char *pdata = kExampleRSAKeyDER; + int pdata_len = sizeof(kExampleRSAKeyDER); + + ret = TEST_ptr(key = d2i_AutoPrivateKey_ex(NULL, &pdata, pdata_len, + mainctx, NULL)) + && TEST_true(do_pkey_tofrom_data_select(key, "RSA")); + EVP_PKEY_free(key); + return ret; +} + /* This is the equivalent of test_d2i_AutoPrivateKey in evp_extra_test */ static int 
test_d2i_AutoPrivateKey_ex(int i) { @@ -661,6 +791,20 @@ static int do_check_int(OSSL_PARAM params[], const char *key, int expected) && TEST_int_eq(val, expected); } +static int test_dsa_tofrom_data_select(void) +{ + int ret; + EVP_PKEY *key = NULL; + const unsigned char *pkeydata = dsa_key; + + ret = TEST_ptr(key = d2i_AutoPrivateKey_ex(NULL, &pkeydata, sizeof(dsa_key), + mainctx, NULL)) + && TEST_true(do_pkey_tofrom_data_select(key, "DSA")); + + EVP_PKEY_free(key); + return ret; +} + static int test_dsa_todata(void) { EVP_PKEY *pkey = NULL; @@ -881,12 +1025,20 @@ int setup_tests(void) ADD_ALL_TESTS(test_d2i_AutoPrivateKey_ex, OSSL_NELEM(keydata)); #ifndef OPENSSL_NO_EC ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 2); + ADD_TEST(test_ec_tofrom_data_select); + ADD_TEST(test_ecx_tofrom_data_select); #else ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 1); #endif #ifndef OPENSSL_NO_DSA ADD_TEST(test_dsa_todata); + ADD_TEST(test_dsa_tofrom_data_select); +#endif +#ifndef OPENSSL_NO_DH + ADD_TEST(test_dh_tofrom_data_select); #endif + ADD_TEST(test_rsa_tofrom_data_select); + ADD_TEST(test_pkey_todata_null); ADD_TEST(test_pkey_export_null); ADD_TEST(test_pkey_export); diff --git a/deps/openssl/openssl/test/evp_pkey_dparams_test.c b/deps/openssl/openssl/test/evp_pkey_dparams_test.c index 2b6bd31a66cde1..07b7d6c745885b 100644 --- a/deps/openssl/openssl/test/evp_pkey_dparams_test.c +++ b/deps/openssl/openssl/test/evp_pkey_dparams_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
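Review bot: `pkey_has_private()` reports any getter failure as "no private key", and its octet-string branch reads into a fixed `unsigned char buf[64]`. For a key type whose raw private key is longer than 64 bytes, the `TEST_false(pkey_has_private(fromkey, ...))` check in `do_pkey_tofrom_data_select()` would presumably pass without proving that the public-only import dropped the private part. Only X25519 takes that branch in this hunk, so nothing is wrong today. A comment above `buf` such as `/* 64 bytes is enough for X25519; a failed read is reported as "absent" */` would record the assumption for whoever adds the next key type.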
@@ -26,6 +26,13 @@ #endif #ifndef OPENSSL_NO_KEYPARAMS + +struct pubkey { + int bad; + const unsigned char *key_bin; + size_t key_bin_len; +}; + # ifndef OPENSSL_NO_DH static const unsigned char dhparam_bin[] = { 0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,0x00,0xc0,0xd1,0x2e,0x14,0x18,0xbd,0x03, 
@@ -46,6 +53,79 @@ static const unsigned char dhparam_bin[] = { 0x06,0x7f,0x7f,0xd7,0x7b,0x42,0x5b,0xba,0x93,0x7a,0xeb,0x43,0x5f,0xce,0x59,0x26, 0xe8,0x76,0xdc,0xee,0xe2,0xbe,0x36,0x7a,0x83,0x02,0x01,0x02 }; +static const unsigned char dhkey_1[] = { + 0x7a, 0x49, 0xcb, 0xc3, 0x25, 0x67, 0x7a, 0x61, + 0xd0, 0x60, 0x81, 0x0f, 0xf6, 0xbd, 0x38, 0x82, + 0xe7, 0x38, 0x8c, 0xe9, 0xd1, 0x04, 0x33, 0xbf, + 0x8a, 0x03, 0x63, 0xb3, 0x05, 0x04, 0xb5, 0x1f, + 0xba, 0x9f, 0x1a, 0x5f, 0x31, 0x3e, 0x96, 0x79, + 0x88, 0x7d, 0x3f, 0x59, 0x6d, 0x3b, 0xf3, 0x2f, + 0xf2, 0xa6, 0x43, 0x48, 0x64, 0x5a, 0x6a, 0x32, + 0x1f, 0x24, 0x37, 0x62, 0x54, 0x3a, 0x7d, 0xab, + 0x26, 0x77, 0x7c, 0xec, 0x57, 0x3c, 0xa4, 0xbd, + 0x96, 0x9d, 0xaa, 0x3b, 0x0e, 0x9a, 0x55, 0x7e, + 0x1d, 0xb4, 0x47, 0x5b, 0xea, 0x20, 0x3c, 0x6d, + 0xbe, 0xd6, 0x70, 0x7d, 0xa8, 0x9e, 0x84, 0xb4, + 0x03, 0x52, 0xf2, 0x08, 0x4c, 0x98, 0xd3, 0x4f, + 0x58, 0xb3, 0xdf, 0xb4, 0xe6, 0xdc, 0x2c, 0x43, + 0x55, 0xd1, 0xce, 0x2a, 0xb3, 0xfc, 0xe0, 0x29, + 0x97, 0xd8, 0xd8, 0x62, 0xc6, 0x87, 0x0a, 0x1b, + 0xfd, 0x72, 0x74, 0xe0, 0xa9, 0xfb, 0xfa, 0x91, + 0xf2, 0xc1, 0x09, 0x93, 0xea, 0x63, 0xf6, 0x9a, + 0x4b, 0xdf, 0x4e, 0xdf, 0x6b, 0xf9, 0xeb, 0xf6, + 0x66, 0x3c, 0xfd, 0x6f, 0x68, 0xcb, 0xdb, 0x6e, + 0x40, 0x65, 0xf7, 0xf2, 0x46, 0xe5, 0x0d, 0x9a, + 0xd9, 0x6f, 0xcf, 0x28, 0x22, 0x8f, 0xca, 0x0b, + 0x30, 0xa0, 0x9e, 0xa5, 0x13, 0xba, 0x72, 0x7f, + 0x85, 0x3d, 0x02, 0x9c, 0x97, 0x8e, 0x6f, 0xea, + 0x6d, 0x35, 0x4e, 0xd1, 0x78, 0x7d, 0x73, 0x60, + 0x92, 0xa9, 0x12, 0xf4, 0x2a, 0xac, 0x17, 0x97, + 0xf3, 0x7b, 0x79, 0x08, 0x69, 0xd1, 0x9e, 0xb5, + 0xf8, 0x2a, 0x0a, 0x2b, 0x00, 0x7b, 0x16, 0x8d, + 0x41, 0x82, 0x3a, 0x72, 0x58, 0x57, 0x80, 0x65, + 0xae, 0x17, 0xbc, 0x3a, 0x5b, 0x7e, 0x5c, 0x2d, + 0xae, 0xb2, 0xc2, 0x26, 0x20, 0x9a, 0xaa, 0x57, + 0x4b, 0x7d, 0x43, 0x41, 0x96, 0x3f, 0xf0, 0x0d +}; +/* smaller but still valid key */ +static const unsigned char dhkey_2[] = { + 0x73, 0xb2, 0x22, 0x91, 0x27, 0xb9, 0x45, 0xb0, + 0xfd, 0x17, 0x66, 
0x79, 0x9b, 0x32, 0x71, 0x92, + 0x97, 0x1d, 0x70, 0x02, 0x37, 0x70, 0x79, 0x63, + 0xed, 0x11, 0x22, 0xe9, 0xe6, 0xf8, 0xeb, 0xd7, + 0x90, 0x00, 0xe6, 0x5c, 0x47, 0x02, 0xfb, 0x13, + 0xca, 0x29, 0x14, 0x1e, 0xf4, 0x61, 0x58, 0xf6, + 0xaa, 0xbb, 0xcf, 0xa7, 0x82, 0x9a, 0x9e, 0x7c, + 0x4a, 0x05, 0x42, 0xed, 0x55, 0xd8, 0x08, 0x37, + 0x06, 0x49, 0x9b, 0xda, 0xb3, 0xb9, 0xc9, 0xc0, + 0x56, 0x26, 0xda, 0x60, 0x1d, 0xbc, 0x06, 0x0b, + 0xb0, 0x94, 0x4b, 0x4e, 0x95, 0xf9, 0xb4, 0x2f, + 0x4e, 0xad, 0xf8, 0xab, 0x2d, 0x19, 0xa2, 0xe6, + 0x6d, 0x11, 0xfd, 0x9b, 0x5a, 0x2a, 0xb0, 0x81, + 0x42, 0x4d, 0x86, 0x76, 0xd5, 0x9e, 0xaf, 0xf9, + 0x6f, 0x79, 0xab, 0x1d, 0xfe, 0xd8, 0xc8, 0xba, + 0xb6, 0xce, 0x03, 0x61, 0x48, 0x53, 0xd8, 0x0b, + 0x83, 0xf0, 0xb0, 0x46, 0xa0, 0xea, 0x46, 0x60, + 0x7a, 0x39, 0x4e, 0x46, 0x6a, 0xbb, 0x07, 0x6c, + 0x8c, 0x7d, 0xb7, 0x7d, 0x5b, 0xe5, 0x24, 0xa5, + 0xab, 0x41, 0x8a, 0xc4, 0x63, 0xf9, 0xce, 0x20, + 0x6f, 0x58, 0x4f, 0x0e, 0x42, 0x82, 0x9e, 0x17, + 0x53, 0xa6, 0xd6, 0x42, 0x3e, 0x80, 0x66, 0x6f, + 0x2a, 0x1c, 0x30, 0x08, 0x01, 0x99, 0x5a, 0x4f, + 0x72, 0x16, 0xed, 0xb0, 0xd6, 0x8c, 0xf0, 0x7a, + 0x33, 0x15, 0xc4, 0x95, 0x65, 0xba, 0x11, 0x37, + 0xa0, 0xcc, 0xe7, 0x45, 0x65, 0x4f, 0x17, 0x0a, + 0x2c, 0x62, 0xc0, 0x65, 0x3b, 0x65, 0x2a, 0x56, + 0xf7, 0x29, 0x8a, 0x9b, 0x1b, 0xbb, 0x0c, 0x40, + 0xcd, 0x66, 0x4b, 0x4f, 0x2f, 0xba, 0xdb, 0x59, + 0x93, 0x6d, 0x34, 0xf3, 0x8d, 0xde, 0x68, 0x99, + 0x78, 0xfc, 0xac, 0x95, 0xd9, 0xa3, 0x74, 0xe6, + 0x24, 0x96, 0x98, 0x6f, 0x64, 0x71, 0x76 +}; +/* 1 is not a valid key */ +static const unsigned char dhkey_3[] = { + 0x01 +}; # endif # ifndef OPENSSL_NO_DSA 
@@ -92,21 +172,73 @@ static const unsigned char dsaparam_bin[] = { static const unsigned char ecparam_bin[] = { 0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07 }; +static const unsigned char eckey_1[] = { + 0x04, 0xc8, 0x65, 0x45, 0x63, 0x73, 0xe5, 0x0a, + 0x61, 0x1d, 0xcf, 0x60, 0x76, 0x2c, 0xe7, 0x36, + 0x0b, 0x76, 0xc2, 0x92, 0xfc, 0xa4, 0x56, 0xee, + 0xc2, 0x62, 0x05, 0x00, 0x80, 0xe4, 0x4f, 0x07, + 0x3b, 0xf4, 0x59, 0xb8, 0xc3, 0xb3, 0x1f, 0x77, + 0x36, 0x16, 0x4c, 0x72, 0x2a, 0xc0, 0x89, 0x89, + 0xd6, 0x16, 0x14, 0xee, 0x2f, 0x5a, 0xde, 0x9e, + 0x83, 0xc5, 0x78, 0xd0, 0x0b, 0x69, 0xb4, 0xb9, + 0xf1 +}; +/* a modified key */ +static const unsigned char eckey_2[] = { + 0x04, 0xc8, 0x65, 0x45, 0x63, 0x73, 0xe5, 0x0a, + 0x61, 0x1d, 0xcf, 0x60, 0x76, 0x2c, 0xe7, 0x36, + 0x0b, 0x77, 0xc2, 0x92, 0xfc, 0xa4, 0x56, 0xee, + 0xc2, 0x62, 0x05, 0x00, 0x80, 0xe4, 0x4f, 0x07, + 0x3b, 0xf4, 0x59, 0xb8, 0xc3, 0xb3, 0x1f, 0x77, + 0x36, 0x16, 0x4c, 0x72, 0x2a, 0xc0, 0x89, 0x89, + 0xd6, 0x16, 0x14, 0xee, 0x2f, 0x5a, 0xde, 0x9e, + 0x83, 0xc5, 0x78, 0xd0, 0x0b, 0x69, 0xb4, 0xb9, + 0xf1 +}; +/* an added byte */ +static const unsigned char eckey_3[] = { + 0x04, 0xc8, 0x65, 0x45, 0x63, 0x73, 0xe5, 0x0a, + 0x61, 0x1d, 0xcf, 0x60, 0x76, 0x2c, 0xe7, 0x36, + 0x0b, 0x76, 0xc2, 0x92, 0xfc, 0xa4, 0x56, 0xee, + 0xc2, 0x62, 0x05, 0x00, 0x80, 0xe4, 0x4f, 0x07, + 0x3b, 0xf4, 0x59, 0xb8, 0xc3, 0xb3, 0x1f, 0x77, + 0x36, 0x16, 0x4c, 0x72, 0x2a, 0xc0, 0x89, 0x89, + 0xd6, 0x16, 0x14, 0xee, 0x2f, 0x5a, 0xde, 0x9e, + 0x83, 0xc5, 0x78, 0xd0, 0x0b, 0x69, 0xb4, 0xb9, + 0xf1, 0xaa +}; # endif +#define NUM_KEYS 10 + static const struct { int type; const unsigned char *param_bin; size_t param_bin_len; + struct pubkey keys[NUM_KEYS]; } pkey_params [] = { # ifndef OPENSSL_NO_DH - { EVP_PKEY_DH, dhparam_bin, sizeof(dhparam_bin) }, + { EVP_PKEY_DH, dhparam_bin, sizeof(dhparam_bin), + { { 0, dhkey_1, sizeof(dhkey_1) }, + { 0, dhkey_2, sizeof(dhkey_2) }, + { 1, dhkey_3, sizeof(dhkey_3) }, + { 1, dhkey_1, 0 }, + 
{ 1, dhparam_bin, sizeof(dhparam_bin) } + } + }, # endif # ifndef OPENSSL_NO_DSA { EVP_PKEY_DSA, dsaparam_bin, sizeof(dsaparam_bin) }, # endif # ifndef OPENSSL_NO_EC - { EVP_PKEY_EC, ecparam_bin, sizeof(ecparam_bin) } + { EVP_PKEY_EC, ecparam_bin, sizeof(ecparam_bin), + { { 0, eckey_1, sizeof(eckey_1) }, + { 1, eckey_2, sizeof(eckey_2) }, + { 1, eckey_3, sizeof(eckey_3) }, + { 1, eckey_1, 0 }, + { 1, eckey_1, sizeof(eckey_1) - 1 } + } + } # endif }; @@ -114,13 +246,11 @@ static int params_bio_test(int id) { int ret, out_len; BIO *in = NULL, *out = NULL; - EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *in_key = NULL, *out_key = NULL; unsigned char *out_bin; int type = pkey_params[id].type; - ret = TEST_ptr(ctx = EVP_PKEY_CTX_new_id(type, NULL)) - && TEST_ptr(in = BIO_new_mem_buf(pkey_params[id].param_bin, + ret = TEST_ptr(in = BIO_new_mem_buf(pkey_params[id].param_bin, (int)pkey_params[id].param_bin_len)) /* Load in pkey params from binary */ && TEST_ptr(d2i_KeyParams_bio(type, &in_key, in)) 
@@ -137,7 +267,47 @@ static int params_bio_test(int id) BIO_free(out); EVP_PKEY_free(in_key); EVP_PKEY_free(out_key); - EVP_PKEY_CTX_free(ctx); + return ret; +} + +static int set_enc_pubkey_test(int id) +{ + int ret, i; + BIO *in = NULL; + EVP_PKEY *in_key = NULL; + int type = pkey_params[id].type; + const struct pubkey *keys = pkey_params[id].keys; + + if (keys[0].key_bin == NULL) + return TEST_skip("Not applicable test"); + + ret = TEST_ptr(in = BIO_new_mem_buf(pkey_params[id].param_bin, + (int)pkey_params[id].param_bin_len)) + /* Load in pkey params from binary */ + && TEST_ptr(d2i_KeyParams_bio(type, &in_key, in)); + + for (i = 0; ret && i < NUM_KEYS && keys[i].key_bin != NULL; i++) { + if (keys[i].bad) { + ERR_set_mark(); + ret = ret + && TEST_int_le(EVP_PKEY_set1_encoded_public_key(in_key, + keys[i].key_bin, + keys[i].key_bin_len), + 0); + ERR_pop_to_mark(); + } else { + ret = ret + && TEST_int_gt(EVP_PKEY_set1_encoded_public_key(in_key, + keys[i].key_bin, + keys[i].key_bin_len), + 0); + } + if (!ret) + TEST_info("Test key index #%d", i); + } + + BIO_free(in); + EVP_PKEY_free(in_key); return ret; } #endif @@ -148,6 +318,7 @@ int setup_tests(void) TEST_note("No DH/DSA/EC support"); #else ADD_ALL_TESTS(params_bio_test, OSSL_NELEM(pkey_params)); + ADD_ALL_TESTS(set_enc_pubkey_test, OSSL_NELEM(pkey_params)); #endif return 1; } diff --git a/deps/openssl/openssl/test/evp_pkey_provided_test.c b/deps/openssl/openssl/test/evp_pkey_provided_test.c index 8b5c7b34577d51..87d3e826e33e86 100644 --- a/deps/openssl/openssl/test/evp_pkey_provided_test.c +++ b/deps/openssl/openssl/test/evp_pkey_provided_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -128,6 +128,16 @@ static int compare_with_file(const char *alg, int type, BIO *membio) return ret; } +static int pass_cb(char *buf, int size, int rwflag, void *u) +{ + return 0; +} + +static int pass_cb_error(char *buf, int size, int rwflag, void *u) +{ + return -1; +} + static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk) { BIO *membio = BIO_new(BIO_s_mem()); @@ -140,6 +150,35 @@ static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk) !TEST_true(PEM_write_bio_PrivateKey(bio_out, pk, EVP_aes_256_cbc(), (unsigned char *)"pass", 4, NULL, NULL)) + /* Output zero-length passphrase encrypted private key in PEM form */ + || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + (const char *)~0, 0, + NULL, NULL)) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + NULL, 0, NULL, "")) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + NULL, 0, pass_cb, NULL)) + || !TEST_false(PEM_write_bio_PKCS8PrivateKey(bio_out, pk, + EVP_aes_256_cbc(), + NULL, 0, pass_cb_error, + NULL)) +#ifndef OPENSSL_NO_DES + || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + (const char *)~0, 0, NULL, NULL)) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0, + NULL, "")) + || !TEST_true(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0, + pass_cb, NULL)) + || !TEST_false(PEM_write_bio_PKCS8PrivateKey_nid( + bio_out, pk, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NULL, 0, + pass_cb_error, NULL)) +#endif /* Private key in text form */ || !TEST_int_gt(EVP_PKEY_print_private(membio, pk, 0, NULL), 0) || !TEST_true(compare_with_file(alg, PRIV_TEXT, membio)) @@ -1113,8 +1152,6 @@ static int test_fromdata_ecx(int tst) return ret; } -#define CURVE_NAME 2 - static int test_fromdata_ec(void) { int ret = 0; 
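Review bot: The `(const char *)~0` arguments in the added `PEM_write_bio_PKCS8PrivateKey` and `PEM_write_bio_PKCS8PrivateKey_nid` calls of `test_print_key_using_pem` look like a mistake without an explanation. Judging by the paired length of 0, they are a deliberately invalid pointer that must never be read for a zero-length passphrase; a comment such as `/* bogus non-NULL pointer: with a length of 0 it must not be dereferenced */` would say so. The two new callbacks also deserve one-line comments: `pass_cb` returns 0 (an empty passphrase, expected to succeed) and `pass_cb_error` returns -1 (expected to make the write fail).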
@@ -1126,6 +1163,11 @@ static int test_fromdata_ec(void) OSSL_PARAM *fromdata_params = NULL; const char *alg = "EC"; const char *curve = "prime256v1"; + const char bad_curve[] = "nonexistent-curve"; + OSSL_PARAM nokey_params[2] = { + OSSL_PARAM_END, + OSSL_PARAM_END + }; /* UNCOMPRESSED FORMAT */ static const unsigned char ec_pub_keydata[] = { POINT_CONVERSION_UNCOMPRESSED, @@ -1179,6 +1221,16 @@ static int test_fromdata_ec(void) if (!TEST_ptr(ctx)) goto err; + /* try importing parameters with bad curve first */ + nokey_params[0] = + OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, + (char *)bad_curve, sizeof(bad_curve)); + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEY_PARAMETERS, + nokey_params), 0) + || !TEST_ptr_null(pk)) + goto err; + if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, fromdata_params), 1)) diff --git a/deps/openssl/openssl/test/evp_test.c b/deps/openssl/openssl/test/evp_test.c index eda8c827f901da..7a5b9345e0dbbf 100644 --- a/deps/openssl/openssl/test/evp_test.c +++ b/deps/openssl/openssl/test/evp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -574,7 +574,9 @@ static int cipher_test_init(EVP_TEST *t, const char *alg) } ERR_clear_last_mark(); - cdat = OPENSSL_zalloc(sizeof(*cdat)); + if (!TEST_ptr(cdat = OPENSSL_zalloc(sizeof(*cdat)))) + return 0; + cdat->cipher = cipher; cdat->fetched_cipher = fetched_cipher; cdat->enc = -1; 
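Review bot: In the bad-curve import added to `test_fromdata_ec`, `OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)bad_curve, sizeof(bad_curve))` passes a size that counts the terminating NUL, whereas the other calls in this patch pass 0 and let the length be computed. As far as I know the size of a UTF-8 string parameter is meant to exclude the terminator, so the import may be rejected for a reason other than the unknown name. Passing `0` (or `sizeof(bad_curve) - 1`) keeps the negative test about the curve name only.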
@@ -1175,11 +1177,22 @@ static int mac_test_init(EVP_TEST *t, const char *alg) return 0; } - mdat = OPENSSL_zalloc(sizeof(*mdat)); + if (!TEST_ptr(mdat = OPENSSL_zalloc(sizeof(*mdat)))) + return 0; + mdat->type = type; - mdat->mac_name = OPENSSL_strdup(alg); + if (!TEST_ptr(mdat->mac_name = OPENSSL_strdup(alg))) { + OPENSSL_free(mdat); + return 0; + } + mdat->mac = mac; - mdat->controls = sk_OPENSSL_STRING_new_null(); + if (!TEST_ptr(mdat->controls = sk_OPENSSL_STRING_new_null())) { + OPENSSL_free(mdat->mac_name); + OPENSSL_free(mdat); + return 0; + } + mdat->output_size = mdat->block_size = -1; t->data = mdat; return 1; 
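Review bot: The new early returns in `mac_test_init` free `mdat` and `mdat->mac_name` but not `mac`, which the surviving line `mdat->mac = mac;` shows is a separate object handed over to `mdat`. If `mac` holds a reference obtained earlier in the function (that part is outside the hunk), each of the three failure paths leaks it. The `cipher_test_init` hunk has the same shape with `fetched_cipher`. A single `err:` label that releases `mac`, `mdat->mac_name` and `mdat` would cover all three returns and remove the repeated cleanup.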
@@ -1843,6 +1856,51 @@ static int pderive_test_parse(EVP_TEST *t, return parse_bin(value, &kdata->output, &kdata->output_len); if (strcmp(keyword, "Ctrl") == 0) return pkey_test_ctrl(t, kdata->ctx, value); + if (strcmp(keyword, "KDFType") == 0) { + OSSL_PARAM params[2]; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, + (char *)value, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_PKEY_CTX_set_params(kdata->ctx, params) == 0) + return -1; + return 1; + } + if (strcmp(keyword, "KDFDigest") == 0) { + OSSL_PARAM params[2]; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, + (char *)value, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_PKEY_CTX_set_params(kdata->ctx, params) == 0) + return -1; + return 1; + } + if (strcmp(keyword, "CEKAlg") == 0) { + OSSL_PARAM params[2]; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, + (char *)value, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_PKEY_CTX_set_params(kdata->ctx, params) == 0) + return -1; + return 1; + } + if (strcmp(keyword, "KDFOutlen") == 0) { + OSSL_PARAM params[2]; + char *endptr; + size_t outlen = (size_t)strtoul(value, &endptr, 0); + + if (endptr[0] != '\0') + return -1; + + params[0] = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, + &outlen); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_PKEY_CTX_set_params(kdata->ctx, params) == 0) + return -1; + return 1; + } return 0; } @@ -1858,7 +1916,8 @@ static int pderive_test_run(EVP_TEST *t) goto err; } - if (EVP_PKEY_derive(dctx, NULL, &got_len) <= 0) { + if (EVP_PKEY_derive(dctx, NULL, &got_len) <= 0 + || !TEST_size_t_ne(got_len, 0)) { t->err = "DERIVE_ERROR"; goto err; } 
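Review bot: The `KDFOutlen` branch added to `pderive_test_parse` accepts an empty value: `strtoul()` then returns 0 with `endptr == value`, `endptr[0]` is `'\0'`, and an output length of 0 is passed on. An out-of-range number is not detected either. Tightening the check to `if (endptr == value || endptr[0] != '\0') return -1;` rejects the empty case, and testing `errno == ERANGE` after clearing `errno` would catch overflow. The three string branches (`KDFType`, `KDFDigest`, `CEKAlg`) differ only in the parameter name and could share one small helper.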
@@ -2516,7 +2575,7 @@ static int rand_test_run(EVP_TEST *t) item->pr_entropyB_len); params[1] = OSSL_PARAM_construct_end(); if (!TEST_true(EVP_RAND_CTX_set_params(expected->parent, params))) - return 0; + goto err; } if (!TEST_true(EVP_RAND_generate (expected->ctx, got, got_len, diff --git a/deps/openssl/openssl/test/helpers/handshake.c b/deps/openssl/openssl/test/helpers/handshake.c index d44aa4baafe23b..64b6919f70303d 100644 --- a/deps/openssl/openssl/test/helpers/handshake.c +++ b/deps/openssl/openssl/test/helpers/handshake.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -305,10 +305,18 @@ static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { static int n_retries = 0; static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) { + int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + SSL *ssl; + + /* this should not happen but check anyway */ + if (idx < 0 + || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) + return 0; + if (--n_retries < 0) return 1; - X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); - return -1; + + return SSL_set_retry_verify(ssl); } static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { diff --git a/deps/openssl/openssl/test/helpers/handshake_srp.c b/deps/openssl/openssl/test/helpers/handshake_srp.c index f18e5c81a67f36..43a5a4fd605a54 100644 --- a/deps/openssl/openssl/test/helpers/handshake_srp.c +++ b/deps/openssl/openssl/test/helpers/handshake_srp.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,6 +49,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); + if (server_ctx_data->srp_user == NULL || server_ctx_data->srp_password == NULL) { + OPENSSL_free(server_ctx_data->srp_user); + OPENSSL_free(server_ctx_data->srp_password); + server_ctx_data->srp_user = NULL; + server_ctx_data->srp_password = NULL; + return 0; + } SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); } if (extra->server2.srp_user != NULL) { @@ -57,6 +64,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); + if (server2_ctx_data->srp_user == NULL || server2_ctx_data->srp_password == NULL) { + OPENSSL_free(server2_ctx_data->srp_user); + OPENSSL_free(server2_ctx_data->srp_password); + server2_ctx_data->srp_user = NULL; + server2_ctx_data->srp_password = NULL; + return 0; + } SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); } if (extra->client.srp_user != NULL) { 
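Review bot: In the server branch of configure_handshake_ctx_for_srp the new NULL check returns 0 after `SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb);` has already run, so on allocation failure the context keeps the callback while `SSL_CTX_set_srp_cb_arg` is never reached. Moving the callback registration below the check would leave the context untouched on failure; whether callers discard the context on a 0 return is not visible here. The same ordering applies to the `server2` hunk on this line and to the client hunk that follows, where `SSL_CTX_set_srp_client_pwd_callback` precedes the `srp_password` check. The function begins and ends outside these hunks.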
@@ -65,6 +79,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, return 0; SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); + if (client_ctx_data->srp_password == NULL) + return 0; SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); } return 1; diff --git a/deps/openssl/openssl/test/helpers/predefined_dhparams.c b/deps/openssl/openssl/test/helpers/predefined_dhparams.c index ebb9c8891d326c..4bdadc41432b11 100644 --- a/deps/openssl/openssl/test/helpers/predefined_dhparams.c +++ b/deps/openssl/openssl/test/helpers/predefined_dhparams.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -170,4 +170,25 @@ EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx) return dhpkey; } +EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx) +{ + BIGNUM *p = NULL, *g = NULL; + EVP_PKEY *dhpkey = NULL; + + g = BN_new(); + if (g == NULL || !BN_set_word(g, 2)) + goto err; + + p = BN_get_rfc3526_prime_4096(NULL); + if (p == NULL) + goto err; + + dhpkey = get_dh_from_pg_bn(libctx, "DH", p, g, NULL); + + err: + BN_free(p); + BN_free(g); + return dhpkey; +} + #endif diff --git a/deps/openssl/openssl/test/helpers/predefined_dhparams.h b/deps/openssl/openssl/test/helpers/predefined_dhparams.h index 29d33ce1eb275c..f0e87090620ccd 100644 --- a/deps/openssl/openssl/test/helpers/predefined_dhparams.h +++ b/deps/openssl/openssl/test/helpers/predefined_dhparams.h 
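Review bot: get_dh4096 carries no comment naming the group it builds, so a reader has to recognise the BN helper to know which parameters the tests get. A header line such as `/* 4096-bit MODP group from RFC 3526, generator 2; returns NULL if allocation or key construction fails */` would state what `BN_get_rfc3526_prime_4096` and `BN_set_word(g, 2)` establish. It would also help to note that `p` and `g` are freed here on every path, which implies `get_dh_from_pg_bn` does not take ownership; that helper is outside the hunk, so confirm before writing it down.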
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,4 +14,5 @@ EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx); EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct); EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); +EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); #endif diff --git a/deps/openssl/openssl/test/hmactest.c b/deps/openssl/openssl/test/hmactest.c index 63954a1183c672..8f5bf32f870899 100644 --- a/deps/openssl/openssl/test/hmactest.c +++ b/deps/openssl/openssl/test/hmactest.c @@ -245,6 +245,36 @@ static int test_hmac_copy(void) return ret; } +static int test_hmac_copy_uninited(void) +{ + const unsigned char key[24] = {0}; + const unsigned char ct[166] = {0}; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX *ctx = NULL; + EVP_MD_CTX *ctx_tmp = NULL; + int res = 0; + + if (!TEST_ptr(ctx = EVP_MD_CTX_new()) + || !TEST_ptr(pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, + key, sizeof(key))) + || !TEST_true(EVP_DigestSignInit(ctx, NULL, EVP_sha1(), NULL, pkey)) + || !TEST_ptr(ctx_tmp = EVP_MD_CTX_new()) + || !TEST_true(EVP_MD_CTX_copy(ctx_tmp, ctx))) + goto err; + EVP_MD_CTX_free(ctx); + ctx = ctx_tmp; + ctx_tmp = NULL; + + if (!TEST_true(EVP_DigestSignUpdate(ctx, ct, sizeof(ct)))) + goto err; + res = 1; + err: + EVP_MD_CTX_free(ctx); + EVP_MD_CTX_free(ctx_tmp); + EVP_PKEY_free(pkey); + return res; +} + # ifndef OPENSSL_NO_MD5 static char *pt(unsigned char *md, unsigned int len) { @@ -266,6 +296,7 @@ int setup_tests(void) ADD_TEST(test_hmac_bad); ADD_TEST(test_hmac_run); ADD_TEST(test_hmac_copy); + ADD_TEST(test_hmac_copy_uninited); return 1; } diff --git a/deps/openssl/openssl/test/pbetest.c b/deps/openssl/openssl/test/pbetest.c index 33d23d4b7104b9..d73ae66fa536af 100644 
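Review bot: test_hmac_copy_uninited stops after `EVP_DigestSignUpdate` on the copied context, so it detects a crash or an error return but not a copy that goes on to fail or misbehave at finalisation. Declaring `unsigned char md[EVP_MAX_MD_SIZE]; size_t len = sizeof(md);` and extending the check with `|| !TEST_true(EVP_DigestSignFinal(ctx, md, &len))` would exercise the copy through to the end. A short comment such as `/* copy a DigestSign ctx that was initialised but never updated, then use the copy */` would also say what "uninited" refers to.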
--- a/deps/openssl/openssl/test/pbetest.c +++ b/deps/openssl/openssl/test/pbetest.c @@ -1,7 +1,7 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/test/property_test.c b/deps/openssl/openssl/test/property_test.c index ad44cf15130845..844315c2261dfe 100644 --- a/deps/openssl/openssl/test/property_test.c +++ b/deps/openssl/openssl/test/property_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/deps/openssl/openssl/test/provfetchtest.c b/deps/openssl/openssl/test/provfetchtest.c index 95ae87910e6189..11a59ab63ed1be 100644 --- a/deps/openssl/openssl/test/provfetchtest.c +++ b/deps/openssl/openssl/test/provfetchtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -225,6 +225,7 @@ static int dummy_provider_init(const OSSL_CORE_HANDLE *handle, * Test 1: Encoder * Test 2: Store loader * Test 3: EVP_RAND + * Test 4-7: As above, but additionally with a query string */ static int fetch_test(int tst) { 
@@ -236,6 +237,7 @@ static int fetch_test(int tst) OSSL_STORE_LOADER *loader = NULL; int testresult = 0; unsigned char buf[32]; + int query = tst > 3; if (!TEST_ptr(libctx)) goto err; @@ -246,24 +248,29 @@ static int fetch_test(int tst) || !TEST_ptr(dummyprov = OSSL_PROVIDER_load(libctx, "dummy-prov"))) goto err; - switch(tst) { + switch (tst % 4) { case 0: - decoder = OSSL_DECODER_fetch(libctx, "DUMMY", NULL); + decoder = OSSL_DECODER_fetch(libctx, "DUMMY", + query ? "provider=dummy" : NULL); if (!TEST_ptr(decoder)) goto err; break; case 1: - encoder = OSSL_ENCODER_fetch(libctx, "DUMMY", NULL); + encoder = OSSL_ENCODER_fetch(libctx, "DUMMY", + query ? "provider=dummy" : NULL); if (!TEST_ptr(encoder)) goto err; break; case 2: - loader = OSSL_STORE_LOADER_fetch(libctx, "DUMMY", NULL); + loader = OSSL_STORE_LOADER_fetch(libctx, "DUMMY", + query ? "provider=dummy" : NULL); if (!TEST_ptr(loader)) goto err; break; case 3: - if (!TEST_true(RAND_set_DRBG_type(libctx, "DUMMY", NULL, NULL, NULL)) + if (!TEST_true(RAND_set_DRBG_type(libctx, "DUMMY", + query ? "provider=dummy" : NULL, + NULL, NULL)) || !TEST_int_ge(RAND_bytes_ex(libctx, buf, sizeof(buf), 0), 1)) goto err; break; @@ -284,7 +291,7 @@ static int fetch_test(int tst) int setup_tests(void) { - ADD_ALL_TESTS(fetch_test, 4); + ADD_ALL_TESTS(fetch_test, 8); return 1; } diff --git a/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t b/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t index efe0760c25227e..5530ade0addddb 100644 --- a/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t +++ b/deps/openssl/openssl/test/recipes/01-test_symbol_presence.t @@ -76,7 +76,7 @@ foreach my $libname (@libnames) { # Drop the first space and everything following it s| .*||; # Drop OpenSSL dynamic version information if there is any - s|\@\@OPENSSL_[0-9._]+[a-z]?$||; + s|\@\@.+$||; # Return the result $_ } 
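Review bot: The expression `query ? "provider=dummy" : NULL` is repeated in all four `case` arms of fetch_test. Computing it once, `const char *propq = tst > 3 ? "provider=dummy" : NULL;`, and passing `propq` to each fetch call removes the repetition and the separate `query` flag, and keeps the property string in one place. fetch_test starts and ends outside these hunks.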
diff --git a/deps/openssl/openssl/test/recipes/03-test_internal_sm3.t b/deps/openssl/openssl/test/recipes/03-test_internal_sm3.t index 9cda58d66eec2a..574a7c4121266e 100644 --- a/deps/openssl/openssl/test/recipes/03-test_internal_sm3.t +++ b/deps/openssl/openssl/test/recipes/03-test_internal_sm3.t @@ -1,8 +1,8 @@ #! /usr/bin/env perl -# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. # Copyright 2021 [UnionTech](https://www.uniontech.com). All Rights Reserved. # -# Licensed under the OpenSSL license (the "License"). You may not use +# Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/test/recipes/10-test_bn_data/bnmod.txt b/deps/openssl/openssl/test/recipes/10-test_bn_data/bnmod.txt index e22d656091f9d0..6b040d395ca131 100644 --- a/deps/openssl/openssl/test/recipes/10-test_bn_data/bnmod.txt +++ b/deps/openssl/openssl/test/recipes/10-test_bn_data/bnmod.txt @@ -1,4 +1,4 @@ -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f + +# Negative testcases for BN_mod_sqrt() + +# This one triggers an infinite loop with unfixed implementation +# It should just fail. +ModSqrt = -1 +A = 20a7ee +P = 460201 + +ModSqrt = -1 +A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed +P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f diff --git a/deps/openssl/openssl/test/recipes/15-test_gendhparam.t b/deps/openssl/openssl/test/recipes/15-test_gendhparam.t index b5fe6448891cdb..18ff86e63f9e62 100644 --- a/deps/openssl/openssl/test/recipes/15-test_gendhparam.t +++ b/deps/openssl/openssl/test/recipes/15-test_gendhparam.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -118,12 +118,12 @@ my @testdata = ( # expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ], # message => 'DH safe prime generator using an alias', # }, - { + { algorithm => 'DHX', pkeyopts => [ 'type:generator', 'safeprime-generator:5'], expect => [ 'ERROR' ], message => 'safe prime generator should fail for DHX', - }, + } ); plan skip_all => "DH isn't supported in this build" if disabled("dh"); 
@@ -140,9 +140,17 @@ foreach my $test (@testdata) { push(@pkeyopts, '-pkeyopt'); push(@pkeyopts, $_); } - my @lines = run(app(['openssl', 'genpkey', '-genparam', + my @lines; + if ($expected[0] eq 'ERROR') { + @lines = run(app(['openssl', 'genpkey', '-genparam', + '-algorithm', $alg, '-text', @pkeyopts], + stderr => undef), + capture => 1); + } else { + @lines = run(app(['openssl', 'genpkey', '-genparam', '-algorithm', $alg, '-text', @pkeyopts]), - capture => 1); + capture => 1); + } ok(compareline(\@lines, \@expected), $msg); } @@ -157,7 +165,7 @@ sub compareline { } print "-----------------\n"; foreach (@lines) { - print $_; + print "# ".$_; } print "-----------------\n"; foreach my $ex (@expected) { diff --git a/deps/openssl/openssl/test/recipes/15-test_genrsa.t b/deps/openssl/openssl/test/recipes/15-test_genrsa.t index e11ce8947a9e8d..70f080a6dbc2e0 100644 --- a/deps/openssl/openssl/test/recipes/15-test_genrsa.t +++ b/deps/openssl/openssl/test/recipes/15-test_genrsa.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -25,7 +25,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => ($no_fips ? 0 : 3) # Extra FIPS related tests - + 13; + + 15; # We want to know that an absurdly small number of bits isn't support is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', 
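Review bot: The two branches of the new `if ($expected[0] eq 'ERROR')` differ only in `stderr => undef`, yet the whole `openssl genpkey` command line is written out twice, so any later change to the arguments has to be made in both places. Building the options once, `my @opts = $expected[0] eq 'ERROR' ? (stderr => undef) : ();`, and then calling `my @lines = run(app(['openssl', 'genpkey', '-genparam', '-algorithm', $alg, '-text', @pkeyopts], @opts), capture => 1);` keeps a single command. The loop body starts outside this hunk.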
@@ -103,6 +103,11 @@ ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])), "genrsa -f4 $good"); ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), "rsa -check"); +ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem', + '-aes256', '-passout', 'pass:x' ])), + "rsa encrypt"); +ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])), + "rsa decrypt"); unless ($no_fips) { my $provconf = srctop_file("test", "fips-and-base.cnf"); diff --git a/deps/openssl/openssl/test/recipes/20-test_dgst.t b/deps/openssl/openssl/test/recipes/20-test_dgst.t index e72038d8529f68..31254de6843216 100644 --- a/deps/openssl/openssl/test/recipes/20-test_dgst.t +++ b/deps/openssl/openssl/test/recipes/20-test_dgst.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -12,7 +12,7 @@ use warnings; use File::Spec; use File::Basename; -use OpenSSL::Test qw/:DEFAULT with srctop_file bldtop_file/; +use OpenSSL::Test qw/:DEFAULT with srctop_file bldtop_dir/; use OpenSSL::Test::Utils; setup("test_dgst"); @@ -113,8 +113,8 @@ SKIP: { my $testdata = srctop_file('test', 'data.bin'); # intentionally using -engine twice, please do not remove the duplicate line my @macdata = run(app(['openssl', 'dgst', '-sha1', - '-engine', $^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest", - '-engine', $^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest", + '-engine', "ossltest", + '-engine', "ossltest", $testdata]), capture => 1); chomp(@macdata); my $expected = qr/SHA1\(\Q$testdata\E\)= 000102030405060708090a0b0c0d0e0f10111213/; 
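Review bot: The new "rsa decrypt" check passes on exit status alone and, with neither `-out` nor `-noout`, sends the decrypted private key to the command's standard output. Adding `'-noout'` keeps key material out of the test output, as the `rsa -check` call just above already does. Writing to an `-out` file and comparing it with `genrsatest.pem` would additionally confirm that the encrypt/decrypt round trip returns the same key.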
diff --git a/deps/openssl/openssl/test/recipes/25-test_req.t b/deps/openssl/openssl/test/recipes/25-test_req.t index 235b53c61c8602..e615f1b338855f 100644 --- a/deps/openssl/openssl/test/recipes/25-test_req.t +++ b/deps/openssl/openssl/test/recipes/25-test_req.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 43; +plan tests => 44; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -49,6 +49,11 @@ ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2]))); ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); +# If a CSR is provided with neither of -key or -CA/-CAkey, this should fail. +ok(!run(app(["openssl", "req", "-x509", + "-in", srctop_file(@certs, "x509-check.csr"), + "-out", "testreq.pem"]))); + subtest "generating alt certificate requests with RSA" => sub { plan tests => 3; @@ -383,7 +388,8 @@ sub generate_cert { my $ca_key = srctop_file(@certs, "ca-key.pem"); my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem"); my @cmd = ("openssl", "req", "-config", "", "-x509", - "-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert); + "-subj", "/CN=$cn", @_, "-out", $cert); + push(@cmd, ("-key", $key)) if $ss; push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss; ok(run(app([@cmd])), "generate $cert"); } 
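Review bot: After this change generate_cert passes `-key` only when `$ss` is true, so every non-self-signed caller has to supply `-key` through `@_`, and nothing in the sub says so. A comment above the two `push` lines, for example `# CA-issued certs: the caller supplies -key in @_; only self-signed ones use $key`, would make that contract explicit. The hunk that follows updates two callers; any other non-self-signed caller outside the visible hunks needs the same argument. The sub starts outside this hunk.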
@@ -442,12 +448,14 @@ generate_cert($cert, "-addext", "keyUsage = keyCertSign"); #TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply $cert = "v3_EE_default_KIDs.pem"; -generate_cert($cert, "-addext", "keyUsage = dataEncipherment"); +generate_cert($cert, "-addext", "keyUsage = dataEncipherment", + "-key", srctop_file(@certs, "ee-key.pem")); cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID strict_verify($cert, 1, $ca_cert); $cert = "v3_EE_no_AKID.pem"; -generate_cert($cert, "-addext", "authorityKeyIdentifier = none"); +generate_cert($cert, "-addext", "authorityKeyIdentifier = none", + "-key", srctop_file(@certs, "ee-key.pem")); has_SKID($cert, 1); has_AKID($cert, 0); strict_verify($cert, 0, $ca_cert); diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_des3_common.txt index 30be60e842072b..dd2b26c1453ab6 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_des3_common.txt +++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_des3_common.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -11,7 +11,7 @@ # PrivPubKeyPair Sign Verify VerifyRecover # and continue until a blank line. Lines starting with a pound sign are ignored. -Title = DES3 Test +Title = DES3 Tests # DES EDE3 CBC tests (from destest) Cipher = DES-EDE3-CBC 
@@ -20,3 +20,16 @@ IV = fedcba9876543210 Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 NextIV = 1c673812cfde9675 + +# DES EDE3 ECB test +Cipher = DES-EDE3-ECB +Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 62c10cc9efbf15aaa5ae2e487b690e56d8b1dfb8f5c5b293855e77dd9024b1b1 + +# DES EDE ECB test +Availablein = default +Cipher = DES-EDE-ECB +Key = 0123456789abcdeffedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_ffdhe.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_ffdhe.txt index 183a11b1efabed..2dc732bfcbc0eb 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_ffdhe.txt +++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_ffdhe.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -93,6 +93,27 @@ PeerKey=ffdhe2048-2-pub Ctrl = dh_pad:1 SharedSecret=00006620DD85B56EE8540C8040CAC46B7385344A164E4DBDF521F7D99F88FA68EDD295A45E36E0BBD5FF5DE84598824E2CA52ED82ACA918CAECC6B22846D0FC6F0203E8B6963964D11E9E704F83AF1D60E9B1931139E9E9967C4665A831A75D99359A8BA80DD5921E74379AF4CA8DB453EDBC5E669AB17A5254CA6C96794CD5196BE90AF37742C8F6812515FFCC45B08F4158EFF9559F1AEF3665B3D91519DCBC6DF22CD6DA521B86613558602E73D2CA4666972F7D2CB6B46299B1DF2DA29A2A2D99D105E10CB553D6738A9B1DB2A0314C3CF30642D5C44695623D8B95C4426BEA830FB51816B4F086945E9B12A445F42DD68610E3F378A6E69A383D13D85BF +# The following two testcases check that the padding is implicitly enabled +# with X942KDF-ASN1 KDF. +# The plain shared secret for these keys needs padding as seen above. +Derive=ffdhe2048-1 +PeerKey=ffdhe2048-2-pub +KDFType=X942KDF-ASN1 +KDFOutlen=32 +KDFDigest=SHA-256 +CEKAlg=id-aes128-wrap +Ctrl = dh_pad:1 +SharedSecret=89A249DF4EE9033B89C2B4E52072A736D94F51143A1ED5C8F1E91FCBEBE09654 + +Derive=ffdhe2048-2 +PeerKey=ffdhe2048-1-pub +KDFType=X942KDF-ASN1 +KDFOutlen=32 +KDFDigest=SHA-256 +CEKAlg=id-aes128-wrap +Ctrl = dh_pad:0 +SharedSecret=89A249DF4EE9033B89C2B4E52072A736D94F51143A1ED5C8F1E91FCBEBE09654 + PrivateKey=ffdhe3072-1 -----BEGIN PRIVATE KEY----- MIIByQIBADCCAZsGCSqGSIb3DQEDATCCAYwCggGBAP//////////rfhUWKK7Spqv diff --git a/deps/openssl/openssl/test/recipes/70-test_verify_extra.t b/deps/openssl/openssl/test/recipes/70-test_verify_extra.t index b4bd013f369ec7..9db3014dcfbc83 100644 --- a/deps/openssl/openssl/test/recipes/70-test_verify_extra.t +++ b/deps/openssl/openssl/test/recipes/70-test_verify_extra.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -7,15 +7,11 @@ # https://www.openssl.org/source/license.html -use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_dir/; setup("test_verify_extra"); plan tests => 1; ok(run(test(["verify_extra_test", - srctop_file("test", "certs", "rootCA.pem"), - srctop_file("test", "certs", "roots.pem"), - srctop_file("test", "certs", "untrusted.pem"), - srctop_file("test", "certs", "bad.pem"), - srctop_file("test", "certs", "sm2-csr.pem")]))); + srctop_dir("test", "certs")]))); diff --git a/deps/openssl/openssl/test/recipes/80-test_ssl_old.t b/deps/openssl/openssl/test/recipes/80-test_ssl_old.t index b144bc9fb9ca61..8c52b637fc826f 100644 --- a/deps/openssl/openssl/test/recipes/80-test_ssl_old.t +++ b/deps/openssl/openssl/test/recipes/80-test_ssl_old.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -346,11 +346,9 @@ sub testssl { } - # plan tests => 11; - subtest 'standard SSL tests' => sub { ###################################################################### - plan tests => 13; + plan tests => 19; SKIP: { skip "SSLv3 is not supported by this OpenSSL build", 4 @@ -378,7 +376,7 @@ sub testssl { } SKIP: { - skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 + skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 if $no_anytls; SKIP: { 
@@ -406,17 +404,29 @@ sub testssl { 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); SKIP: { - skip "No IPv4 available on this machine", 1 + skip "No IPv4 available on this machine", 4 unless !disabled("sock") && have_IPv4(); ok(run(test([@ssltest, "-ipv4"])), 'test TLS via IPv4'); + ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), + 'test TLS via IPv4 + ktls(client)'); + ok(run(test([@ssltest, "-ipv4", "-server_ktls"])), + 'test TLS via IPv4 + ktls(server)'); + ok(run(test([@ssltest, "-ipv4", "-client_ktls", "-server_ktls"])), + 'test TLS via IPv4 + ktls'); } SKIP: { - skip "No IPv6 available on this machine", 1 + skip "No IPv6 available on this machine", 4 unless !disabled("sock") && have_IPv6(); ok(run(test([@ssltest, "-ipv6"])), 'test TLS via IPv6'); + ok(run(test([@ssltest, "-ipv6", "-client_ktls"])), + 'test TLS via IPv6 + ktls(client)'); + ok(run(test([@ssltest, "-ipv6", "-server_ktls"])), + 'test TLS via IPv6 + ktls(client)'); + ok(run(test([@ssltest, "-ipv6", "-client_ktls", "-server_ktls"])), + 'test TLS via IPv6 + ktls'); } } }; @@ -520,7 +530,7 @@ sub testssl { subtest 'RSA/(EC)DHE/PSK tests' => sub { ###################################################################### - plan tests => 6; + plan tests => 10; SKIP: { skip "TLSv1.0 is not supported by this OpenSSL build", 6 @@ -557,7 +567,7 @@ sub testssl { ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 'test tls1 with PSK via BIO pair'); - } + } SKIP: { skip "skipping auto DH PSK tests", 1 
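Review bot: The IPv6 test that passes only `-server_ktls` is labelled 'test TLS via IPv6 + ktls(client)', the same name as the test before it, whereas the IPv4 group names this case 'ktls(server)'. The label should be `'test TLS via IPv6 + ktls(server)'` so that a failure report identifies the side that was under test. The enclosing subtest starts outside this hunk.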
@@ -568,6 +578,43 @@ sub testssl { } } + SKIP: { + skip "TLSv1.1 is not supported by this OpenSSL build", 4 + if $no_tls1_1; + + SKIP: { + skip "skipping auto DHE PSK test at SECLEVEL 3", 1 + if ($no_dh || $no_psk); + + ok(run(test(['ssl_old_test', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), + 'test auto DHE PSK meets security strength'); + } + + SKIP: { + skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1 + if ($no_ec || $no_psk); + + ok(run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), + 'test auto ECDHE PSK meets security strength'); + } + + SKIP: { + skip "skipping no RSA PSK at SECLEVEL 3 test", 1 + if ($no_rsa || $no_psk); + + ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), + 'test auto RSA PSK does not meet security level 3 requirements (PFS)'); + } + + SKIP: { + skip "skipping no PSK at SECLEVEL 3 test", 1 + if ($no_psk); + + ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), + 'test auto PSK does not meet security level 3 requirements (PFS)'); + } + } + }; subtest 'Custom Extension tests' => sub { diff --git a/deps/openssl/openssl/test/run_tests.pl b/deps/openssl/openssl/test/run_tests.pl index 4899356a6ee8ad..4384ebe28e0de1 100644 --- a/deps/openssl/openssl/test/run_tests.pl +++ b/deps/openssl/openssl/test/run_tests.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
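Review bot: The two `ok(!run(test([...])))` cases for `RSA-PSK` and plain `PSK` at `@SECLEVEL=3` pass on any non-zero exit, so they cannot tell a security-level rejection from an unrelated failure such as an unrecognised option or a cipher missing from the build. Capturing the output and matching the expected handshake error would tie the result to the reason given in the test name; the exact message is not visible here and needs checking against ssl_old_test. The four SKIP blocks also repeat one command with only the cipher string and the DHE flag changing, and could be driven from a small table. The enclosing subtest begins outside this hunk.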
@@ -309,10 +309,12 @@ sub find_matching_tests { my $ret = $harness->runtests(map { [ abs2rel($_, rel2abs(curdir())), basename($_) ] } @preps); -die if $ret->has_errors; -$ret = - $harness->runtests(map { [ abs2rel($_, rel2abs(curdir())), basename($_) ] } - sort { reorder($a) cmp reorder($b) } keys %tests); + +if (ref($ret) ne "TAP::Parser::Aggregator" || !$ret->has_errors) { + $ret = + $harness->runtests(map { [ abs2rel($_, rel2abs(curdir())), basename($_) ] } + sort { reorder($a) cmp reorder($b) } keys %tests); +} # If this is a TAP::Parser::Aggregator, $ret->has_errors is the count of # tests that failed. We don't bother with that exact number, just exit diff --git a/deps/openssl/openssl/test/sanitytest.c b/deps/openssl/openssl/test/sanitytest.c index b1aadc4aa8333f..aba9149231f3a4 100644 --- a/deps/openssl/openssl/test/sanitytest.c +++ b/deps/openssl/openssl/test/sanitytest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -114,6 +114,13 @@ static int test_sanity_range(void) TEST_error("int must not be wider than size_t"); return 0; } + + /* SIZE_MAX is always greater than 2*INT_MAX */ + if (SIZE_MAX - INT_MAX <= INT_MAX) { + TEST_error("SIZE_MAX must exceed 2*INT_MAX"); + return 0; + } + return 1; } diff --git a/deps/openssl/openssl/test/sm3_internal_test.c b/deps/openssl/openssl/test/sm3_internal_test.c index 2aefea82b0f9e3..7680d0242ec678 100644 --- a/deps/openssl/openssl/test/sm3_internal_test.c +++ b/deps/openssl/openssl/test/sm3_internal_test.c 
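Review bot: The new `if` around the second `runtests` call has no comment explaining that the main recipes are now skipped, rather than the script dying, when the preparation recipes report errors. The `ref($ret) ne "TAP::Parser::Aggregator"` half also means a result of any other type is treated as "go ahead", which is easy to misread. A comment such as `# Run the main recipes only if the preparation recipes passed, or if the harness result is not an aggregator we can query` above the condition would state the intent.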
@@ -1,8 +1,8 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2021 UnionTech. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html diff --git a/deps/openssl/openssl/test/ssl_old_test.c b/deps/openssl/openssl/test/ssl_old_test.c index 6a206d595e3691..b07b9806249490 100644 --- a/deps/openssl/openssl/test/ssl_old_test.c +++ b/deps/openssl/openssl/test/ssl_old_test.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -629,10 +629,12 @@ static void sv_usage(void) #ifndef OPENSSL_NO_DH fprintf(stderr, " -dhe512 - use 512 bit key for DHE (to test failure)\n"); - fprintf(stderr, - " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n"); fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); + fprintf(stderr, + " -dhe2048 - use 2048 bit key (safe prime) for DHE (default, no-op)\n"); + fprintf(stderr, + " -dhe4096 - use 4096 bit key (safe prime) for DHE\n"); #endif fprintf(stderr, " -no_dhe - disable DHE\n"); #ifndef OPENSSL_NO_EC @@ -647,6 +649,12 @@ static void sv_usage(void) #ifndef OPENSSL_NO_TLS1 fprintf(stderr, " -tls1 - use TLSv1\n"); #endif +#ifndef OPENSSL_NO_TLS1_1 + fprintf(stderr, " -tls1_1 - use TLSv1.1\n"); +#endif +#ifndef OPENSSL_NO_TLS1_2 + fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); +#endif #ifndef OPENSSL_NO_DTLS fprintf(stderr, " -dtls - use DTLS\n"); #ifndef OPENSSL_NO_DTLS1 
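Review bot: sv_usage now advertises `-dhe2048` as the default no-op and no longer lists `-dhe1024`, but the option-parsing hunk further down adds a branch only for `-dhe4096`. If main() has no `-dhe2048` branch outside the visible hunks, the documented option would fall through to the bad-option path, and a surviving `-dhe1024` branch would be undocumented. The usage text and the parser should be checked together; both functions extend beyond these hunks.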
@@ -711,6 +719,8 @@ static void sv_usage(void) fprintf(stderr, " -client_sess_in - Read the client session from a file\n"); fprintf(stderr, " -should_reuse - The expected state of reusing the session\n"); fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n"); + fprintf(stderr, " -client_ktls - try to enable client KTLS\n"); + fprintf(stderr, " -server_ktls - try to enable server KTLS\n"); fprintf(stderr, " -provider - Load the given provider into the library context\n"); fprintf(stderr, " -config - Load the given config file into the library context\n"); } @@ -871,7 +881,7 @@ int main(int argc, char *argv[]) int badop = 0; enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM; int force = 0; - int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0; + int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_1 = 0, tls1_2 = 0, ssl3 = 0; int ret = EXIT_FAILURE; int client_auth = 0; int server_auth = 0, i; @@ -883,10 +893,11 @@ int main(int argc, char *argv[]) int number = 1, reuse = 0; int should_reuse = -1; int no_ticket = 0; + int client_ktls = 0, server_ktls = 0; long bytes = 256L; #ifndef OPENSSL_NO_DH EVP_PKEY *dhpkey; - int dhe512 = 0, dhe1024dsa = 0; + int dhe512 = 0, dhe1024dsa = 0, dhe4096 = 0; int no_dhe = 0; #endif int no_psk = 0; @@ -981,6 +992,8 @@ int main(int argc, char *argv[]) dhe512 = 1; else if (strcmp(*argv, "-dhe1024dsa") == 0) dhe1024dsa = 1; + else if (strcmp(*argv, "-dhe4096") == 0) + dhe4096 = 1; #endif else if (strcmp(*argv, "-no_ecdhe") == 0) /* obsolete */; @@ -999,6 +1012,8 @@ int main(int argc, char *argv[]) } else if (strcmp(*argv, "-tls1_2") == 0) { tls1_2 = 1; + } else if (strcmp(*argv, "-tls1_1") == 0) { + tls1_1 = 1; } else if (strcmp(*argv, "-tls1") == 0) { tls1 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { 
@@ -1167,6 +1182,10 @@ int main(int argc, char *argv[]) should_reuse = !!atoi(*(++argv)); } else if (strcmp(*argv, "-no_ticket") == 0) { no_ticket = 1; + } else if (strcmp(*argv, "-client_ktls") == 0) { + client_ktls = 1; + } else if (strcmp(*argv, "-server_ktls") == 0) { + server_ktls = 1; } else if (strcmp(*argv, "-provider") == 0) { if (--argc < 1) goto bad; @@ -1217,8 +1236,8 @@ int main(int argc, char *argv[]) goto end; } - if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should " + if (ssl3 + tls1 + tls1_1 + tls1_2 + dtls + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1 or -dtls12 should " "be requested.\n"); EXIT(1); } @@ -1233,6 +1252,11 @@ int main(int argc, char *argv[]) no_protocol = 1; else #endif +#ifdef OPENSSL_NO_TLS1_1 + if (tls1_1) + no_protocol = 1; + else +#endif #ifdef OPENSSL_NO_TLS1_2 if (tls1_2) no_protocol = 1; @@ -1262,11 +1286,11 @@ int main(int argc, char *argv[]) goto end; } - if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1 + if (!ssl3 && !tls1 && !tls1_1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" + "or add one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } @@ -1318,6 +1342,9 @@ int main(int argc, char *argv[]) } else if (tls1) { min_version = TLS1_VERSION; max_version = TLS1_VERSION; + } else if (tls1_1) { + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; } else if (tls1_2) { min_version = TLS1_2_VERSION; max_version = TLS1_2_VERSION; 
@@ -1482,6 +1509,8 @@ int main(int argc, char *argv[]) dhpkey = get_dh1024dsa(libctx); else if (dhe512) dhpkey = get_dh512(libctx); + else if (dhe4096) + dhpkey = get_dh4096(libctx); else dhpkey = get_dh2048(libctx); @@ -1724,6 +1753,10 @@ int main(int argc, char *argv[]) if (sn_client) SSL_set_tlsext_host_name(c_ssl, sn_client); + if (client_ktls) + SSL_set_options(c_ssl, SSL_OP_ENABLE_KTLS); + if (server_ktls) + SSL_set_options(s_ssl, SSL_OP_ENABLE_KTLS); if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) goto end; diff --git a/deps/openssl/openssl/test/sslapitest.c b/deps/openssl/openssl/test/sslapitest.c index c760f04f228894..3e0c95300b34e9 100644 --- a/deps/openssl/openssl/test/sslapitest.c +++ b/deps/openssl/openssl/test/sslapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -557,10 +557,19 @@ static int test_keylog_no_master_key(void) static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) { int res = X509_verify_cert(ctx); + int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + SSL *ssl; + + /* this should not happen but check anyway */ + if (idx < 0 + || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) + return 0; if (res == 0 && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) - return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */ + /* indicate SSL_ERROR_WANT_RETRY_VERIFY */ + return SSL_set_retry_verify(ssl); + return res; } 
@@ -672,15 +681,27 @@ static int test_ssl_build_cert_chain(void) return ret; } +static int get_password_cb(char *buf, int size, int rw_flag, void *userdata) +{ + static const char pass[] = "testpass"; + + if (!TEST_int_eq(size, PEM_BUFSIZE)) + return -1; + + memcpy(buf, pass, sizeof(pass) - 1); + return sizeof(pass) - 1; +} + static int test_ssl_ctx_build_cert_chain(void) { int ret = 0; SSL_CTX *ctx = NULL; - char *skey = test_mk_file_path(certsdir, "leaf.key"); + char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key"); char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) goto end; + SSL_CTX_set_default_passwd_cb(ctx, get_password_cb); /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1) || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey, @@ -8062,8 +8083,12 @@ static int test_cert_cb_int(int prot, int tst) else cert_cb_cnt = 0; - if (tst == 2) - snictx = SSL_CTX_new(TLS_server_method()); + if (tst == 2) { + snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); + if (!TEST_ptr(snictx)) + goto end; + } + SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, diff --git a/deps/openssl/openssl/test/threadstest.c b/deps/openssl/openssl/test/threadstest.c index b7e781fb6b1ee1..5080b0a8097e68 100644 --- a/deps/openssl/openssl/test/threadstest.c +++ b/deps/openssl/openssl/test/threadstest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -33,6 +33,8 @@ static int test_lock(void) int res; res = TEST_true(CRYPTO_THREAD_read_lock(lock)) + && TEST_true(CRYPTO_THREAD_unlock(lock)) + && TEST_true(CRYPTO_THREAD_write_lock(lock)) && TEST_true(CRYPTO_THREAD_unlock(lock)); CRYPTO_THREAD_lock_free(lock); diff --git a/deps/openssl/openssl/test/tls-provider.c b/deps/openssl/openssl/test/tls-provider.c index 9ac1db51b3915a..5c44b6812e8168 100644 --- a/deps/openssl/openssl/test/tls-provider.c +++ b/deps/openssl/openssl/test/tls-provider.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -840,6 +840,9 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); + if (libctx == NULL) + return 0; + *provctx = libctx; /* diff --git a/deps/openssl/openssl/test/upcallstest.c b/deps/openssl/openssl/test/upcallstest.c index 01e4e952377de3..76899fee3de096 100644 --- a/deps/openssl/openssl/test/upcallstest.c +++ b/deps/openssl/openssl/test/upcallstest.c @@ -68,6 +68,15 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle, if (!c_obj_add_sigid(handle, SIGALG_OID, DIGEST_SN, SIG_LN)) return 0; + /* additional tests checking empty digest algs are accepted, too */ + if (!c_obj_add_sigid(handle, SIGALG_OID, "", SIG_LN)) + return 0; + if (!c_obj_add_sigid(handle, SIGALG_OID, NULL, SIG_LN)) + return 0; + /* checking wrong digest alg name is rejected: */ + if (c_obj_add_sigid(handle, SIGALG_OID, "NonsenseAlg", SIG_LN)) + return 0; + return 1; } diff --git a/deps/openssl/openssl/test/verify_extra_test.c b/deps/openssl/openssl/test/verify_extra_test.c index 6ab779671f6606..5f664f531bd8af 100644 --- a/deps/openssl/openssl/test/verify_extra_test.c +++ b/deps/openssl/openssl/test/verify_extra_test.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,15 +12,20 @@ #include #include #include +#include #include #include #include "testutil.h" -static const char *root_f; -static const char *roots_f; -static const char *untrusted_f; -static const char *bad_f; -static const char *req_f; +static const char *certs_dir; +static char *root_f = NULL; +static char *roots_f = NULL; +static char *untrusted_f = NULL; +static char *bad_f = NULL; +static char *req_f = NULL; +static char *sroot_cert = NULL; +static char *ca_cert = NULL; +static char *ee_cert = NULL; #define load_cert_from_file(file) load_cert_pem(file, NULL) @@ -99,8 +104,6 @@ static int test_alt_chains_cert_forgery(void) return ret; } -OPT_TEST_DECLARE_USAGE("roots.pem untrusted.pem bad.pem\n") - static int test_distinguishing_id(void) { X509 *x = NULL; 
@@ -219,6 +222,76 @@ static int test_store_ctx(void) return test_self_signed(bad_f, 0, 0); } +static int do_test_purpose(int purpose, int expected) +{ + X509 *eecert = load_cert_from_file(ee_cert); /* may result in NULL */ + X509 *untrcert = load_cert_from_file(ca_cert); + X509 *trcert = load_cert_from_file(sroot_cert); + STACK_OF(X509) *trusted = sk_X509_new_null(); + STACK_OF(X509) *untrusted = sk_X509_new_null(); + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + int testresult = 0; + + if (!TEST_ptr(eecert) + || !TEST_ptr(untrcert) + || !TEST_ptr(trcert) + || !TEST_ptr(trusted) + || !TEST_ptr(untrusted) + || !TEST_ptr(ctx)) + goto err; + + + if (!TEST_true(sk_X509_push(trusted, trcert))) + goto err; + trcert = NULL; + if (!TEST_true(sk_X509_push(untrusted, untrcert))) + goto err; + untrcert = NULL; + + if (!TEST_true(X509_STORE_CTX_init(ctx, NULL, eecert, untrusted))) + goto err; + + if (!TEST_true(X509_STORE_CTX_set_purpose(ctx, purpose))) + goto err; + + /* + * X509_STORE_CTX_set0_trusted_stack() is bady named. Despite the set0 name + * we are still responsible for freeing trusted after we have finished with + * it. + */ + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); + + if (!TEST_int_eq(X509_verify_cert(ctx), expected)) + goto err; + + testresult = 1; + err: + sk_X509_pop_free(trusted, X509_free); + sk_X509_pop_free(untrusted, X509_free); + X509_STORE_CTX_free(ctx); + X509_free(eecert); + X509_free(untrcert); + X509_free(trcert); + return testresult; +} + +static int test_purpose_ssl_client(void) +{ + return do_test_purpose(X509_PURPOSE_SSL_CLIENT, 0); +} + +static int test_purpose_ssl_server(void) +{ + return do_test_purpose(X509_PURPOSE_SSL_SERVER, 1); +} + +static int test_purpose_any(void) +{ + return do_test_purpose(X509_PURPOSE_ANY, 1); +} + +OPT_TEST_DECLARE_USAGE("certs-dir\n") + int setup_tests(void) { if (!test_skip_common_options()) { 
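Review bot: The three new purpose tests in verify_extra_test.c pass bare expected values (`0` for `X509_PURPOSE_SSL_CLIENT`, `1` for the server and any purposes) to `do_test_purpose()` without saying why the chain should fail for client use. A one-line comment above `test_purpose_ssl_client`, for example `/* ee-cert.pem is expected to be rejected for client purpose - confirm against the cert's EKU */`, would let a reader tell an intended negative test from a stale fixture. The ownership comment before `X509_STORE_CTX_set0_trusted_stack()` is useful, but "bady named" should read "badly named".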
@@ -226,13 +299,19 @@ int setup_tests(void) return 0; } - if (!TEST_ptr(root_f = test_get_argument(0)) - || !TEST_ptr(roots_f = test_get_argument(1)) - || !TEST_ptr(untrusted_f = test_get_argument(2)) - || !TEST_ptr(bad_f = test_get_argument(3)) - || !TEST_ptr(req_f = test_get_argument(4))) + if (!TEST_ptr(certs_dir = test_get_argument(0))) return 0; + if (!TEST_ptr(root_f = test_mk_file_path(certs_dir, "rootCA.pem")) + || !TEST_ptr(roots_f = test_mk_file_path(certs_dir, "roots.pem")) + || !TEST_ptr(untrusted_f = test_mk_file_path(certs_dir, "untrusted.pem")) + || !TEST_ptr(bad_f = test_mk_file_path(certs_dir, "bad.pem")) + || !TEST_ptr(req_f = test_mk_file_path(certs_dir, "sm2-csr.pem")) + || !TEST_ptr(sroot_cert = test_mk_file_path(certs_dir, "sroot-cert.pem")) + || !TEST_ptr(ca_cert = test_mk_file_path(certs_dir, "ca-cert.pem")) + || !TEST_ptr(ee_cert = test_mk_file_path(certs_dir, "ee-cert.pem"))) + goto err; + ADD_TEST(test_alt_chains_cert_forgery); ADD_TEST(test_store_ctx); ADD_TEST(test_distinguishing_id); @@ -240,5 +319,23 @@ int setup_tests(void) ADD_TEST(test_self_signed_good); ADD_TEST(test_self_signed_bad); ADD_TEST(test_self_signed_error); + ADD_TEST(test_purpose_ssl_client); + ADD_TEST(test_purpose_ssl_server); + ADD_TEST(test_purpose_any); return 1; + err: + cleanup_tests(); + return 0; +} + +void cleanup_tests(void) +{ + OPENSSL_free(root_f); + OPENSSL_free(roots_f); + OPENSSL_free(untrusted_f); + OPENSSL_free(bad_f); + OPENSSL_free(req_f); + OPENSSL_free(sroot_cert); + OPENSSL_free(ca_cert); + OPENSSL_free(ee_cert); } diff --git a/deps/openssl/openssl/util/missingcrypto.txt b/deps/openssl/openssl/util/missingcrypto.txt index f883219f6c10f2..4d2fd7f6b712ab 100644 --- a/deps/openssl/openssl/util/missingcrypto.txt +++ b/deps/openssl/openssl/util/missingcrypto.txt @@ -264,7 +264,6 @@ BN_mod_lshift(3) BN_mod_lshift1(3) BN_mod_lshift1_quick(3) BN_mod_lshift_quick(3) -BN_mod_sqrt(3) BN_mod_sub_quick(3) BN_nist_mod_192(3) BN_nist_mod_224(3) 
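Review bot: The new `err:` path in `setup_tests()` calls `cleanup_tests()`, which frees the eight path strings but leaves the static pointers holding the freed addresses. If the test driver also calls `cleanup_tests()` after a failed setup (the driver is not visible in this diff), every string allocated before the failure would be freed twice. Either drop the explicit call and `return 0` from `err:`, or reset each pointer in `cleanup_tests()`, e.g. `OPENSSL_free(root_f); root_f = NULL;`, and likewise for the other seven. This applies to both the `setup_tests` hunk and the hunk that adds `cleanup_tests`.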
@@ -1277,13 +1276,10 @@ X509_STORE_CTX_get1_crls(3) X509_STORE_CTX_get_by_subject(3) X509_STORE_CTX_get_explicit_policy(3) X509_STORE_CTX_get_obj_by_subject(3) -X509_STORE_CTX_purpose_inherit(3) X509_STORE_CTX_set0_dane(3) X509_STORE_CTX_set_depth(3) X509_STORE_CTX_set_flags(3) -X509_STORE_CTX_set_purpose(3) X509_STORE_CTX_set_time(3) -X509_STORE_CTX_set_trust(3) X509_STORE_get_verify(3) X509_TRUST_add(3) X509_TRUST_cleanup(3) diff --git a/deps/openssl/openssl/util/missingssl.txt b/deps/openssl/openssl/util/missingssl.txt index ef13fca84a7153..6adf6c511784c5 100644 --- a/deps/openssl/openssl/util/missingssl.txt +++ b/deps/openssl/openssl/util/missingssl.txt @@ -22,12 +22,10 @@ SSL_certs_clear(3) SSL_copy_session_id(3) SSL_dup_CA_list(3) SSL_get0_dane(3) -SSL_get_certificate(3) SSL_get_current_compression(3) SSL_get_current_expansion(3) SSL_get_finished(3) SSL_get_peer_finished(3) -SSL_get_privatekey(3) SSL_set_SSL_CTX(3) SSL_set_debug(3) SSL_set_not_resumable_session_callback(3) diff --git a/deps/openssl/openssl/util/other.syms b/deps/openssl/openssl/util/other.syms index e1af8deef94354..af61ea04719a9e 100644 --- a/deps/openssl/openssl/util/other.syms +++ b/deps/openssl/openssl/util/other.syms @@ -364,7 +364,7 @@ OPENSSL_MSTR define OPENSSL_MSTR_HELPER define OPENSSL_VERSION_MAJOR define OPENSSL_VERSION_MINOR define -OPENSSL_VERSION_NUMBER define deprecated 3.0.0 +OPENSSL_VERSION_NUMBER define OPENSSL_VERSION_PATCH define OPENSSL_VERSION_PRE_RELEASE define OPENSSL_VERSION_PREREQ define @@ -670,3 +670,4 @@ EVP_PKEY_security_bits define EVP_PKEY_size define EVP_PKEY_id define EVP_PKEY_base_id define +SSL_set_retry_verify define diff --git a/deps/openssl/openssl/util/perl/OpenSSL/config.pm b/deps/openssl/openssl/util/perl/OpenSSL/config.pm index 7250791b5bd20a..3748788eec6cb0 100755 --- a/deps/openssl/openssl/util/perl/OpenSSL/config.pm +++ b/deps/openssl/openssl/util/perl/OpenSSL/config.pm 
@@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -485,6 +485,14 @@ EOF [ 'x86_64-apple-darwin.*', sub { my $KERNEL_BITS = $ENV{KERNEL_BITS} // ''; + # macOS >= 10.15 is 64-bit only + my $SW_VERS = `sw_vers -productVersion 2>/dev/null`; + if ($SW_VERS =~ /^(\d+)\.(\d+)\.(\d+)$/) { + if ($1 > 10 || ($1 == 10 && $2 >= 15)) { + die "32-bit applications not supported on macOS 10.15 or later\n" if $KERNEL_BITS eq '32'; + return { target => "darwin64-x86_64" }; + } + } return { target => "darwin-i386" } if $KERNEL_BITS eq '32'; print < [ 'L_ENDIAN' ] } ], [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64", defines => [ 'B_ENDIAN' ] } ], + [ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ], [ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ], [ 'ia64-.*-.*bsd.*', { target => "BSD-ia64" } ], [ 'x86_64-.*-dragonfly.*', { target => "BSD-x86_64" } ], diff --git a/deps/openssl/openssl/util/perl/OpenSSL/copyright.pm b/deps/openssl/openssl/util/perl/OpenSSL/copyright.pm index 1fd9f353f7fc80..87567c088945e7 100644 --- a/deps/openssl/openssl/util/perl/OpenSSL/copyright.pm +++ b/deps/openssl/openssl/util/perl/OpenSSL/copyright.pm @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
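Review bot: In the `x86_64-apple-darwin` entry of config.pm, the added match `/^(\d+)\.(\d+)\.(\d+)$/` only accepts a three-component product version. If `sw_vers -productVersion` prints two components (a constructed example: `13.0`), the 64-bit-only branch is skipped and the code falls through to the older `KERNEL_BITS` logic, so `KERNEL_BITS=32` would still select `darwin-i386` on a system that cannot run it. Making the patch level optional covers both forms: `if ($SW_VERS =~ /^(\d+)\.(\d+)(?:\.\d+)?$/) {`. The rest of this sub lies outside the visible hunk.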
@@ -23,11 +23,11 @@ sub year_of { # See if git's available open my $FH, - "git log -1 --date=format:%Y --format=format:%ad $file 2>/dev/null|" + "git log -1 --date=short --format=format:%cd $file 2>/dev/null|" or return $YEAR; my $LINE = <$FH>; close $FH; - chomp($LINE); + $LINE =~ s/^([0-9]*)-.*/$1/; $YEAR = $LINE if $LINE; return $YEAR; }
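Review bot: The rewritten command in `year_of` still interpolates `$file` into a two-argument piped `open`, so the shell parses the file name and any spaces or metacharacters in a path change the command that runs. The list form avoids the shell and stops option parsing before the path: `open my $FH, '-|', 'git', 'log', '-1', '--date=short', '--format=format:%cd', '--', $file or return $YEAR;`. That drops the `2>/dev/null`, so git's stderr would need to be silenced another way if that matters. Separately, `<$FH>` yields undef when git prints nothing, so the new substitution is better guarded: `$LINE =~ s/^([0-9]*)-.*/$1/ if defined $LINE;`. The start of `year_of` is outside this hunk.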