diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md index f6dff93c9d6b94..0a0bea0f28d68b 100644 --- a/deps/openssl/openssl/CHANGES.md +++ b/deps/openssl/openssl/CHANGES.md 
@@ -28,12 +28,175 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod -### Changes between 3.0.7 and 3.0.7+quic [1 Nov 2022] +### Changes between 3.0.8 and 3.0.8+quic [7 Feb 2023] * Add QUIC API support from BoringSSL. *Todd Short* +### Changes between 3.0.7 and 3.0.8 [7 Feb 2023] + + * Fixed NULL dereference during PKCS7 data verification. + + A NULL pointer can be dereferenced when signatures are being + verified on PKCS7 signed or signedAndEnveloped data. In case the hash + algorithm used for the signature is known to the OpenSSL library but + the implementation of the hash algorithm is not available the digest + initialization will fail. There is a missing check for the return + value from the initialization function which later leads to invalid + usage of the digest API most likely leading to a crash. + ([CVE-2023-0401]) + + PKCS7 data is processed by the SMIME library calls and also by the + time stamp (TS) library calls. The TLS implementation in OpenSSL does + not call these functions however third party applications would be + affected if they call these functions to verify signatures on untrusted + data. + + *Tomáš Mráz* + + * Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but the public structure definition for GENERAL_NAME incorrectly specified + the type of the x400Address field as ASN1_TYPE. This field is subsequently + interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather + than an ASN1_STRING. + + When CRL checking is enabled (i.e. the application sets the + X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to + pass arbitrary pointers to a memcmp call, enabling them to read memory + contents or enact a denial of service. 
+ ([CVE-2023-0286]) + + *Hugo Landau* + + * Fixed NULL dereference validating DSA public key. + + An invalid pointer dereference on read can be triggered when an + application tries to check a malformed DSA public key by the + EVP_PKEY_public_check() function. This will most likely lead + to an application crash. This function can be called on public + keys supplied from untrusted sources which could allow an attacker + to cause a denial of service attack. + + The TLS implementation in OpenSSL does not call this function + but applications might call the function if there are additional + security requirements imposed by standards such as FIPS 140-3. + ([CVE-2023-0217]) + + *Shane Lontis, Tomáš Mráz* + + * Fixed Invalid pointer dereference in d2i_PKCS7 functions. + + An invalid pointer dereference on read can be triggered when an + application tries to load malformed PKCS7 data with the + d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. + + The result of the dereference is an application crash which could + lead to a denial of service attack. The TLS implementation in OpenSSL + does not call this function however third party applications might + call these functions on untrusted data. + ([CVE-2023-0216]) + + *Tomáš Mráz* + + * Fixed Use-after-free following BIO_new_NDEF. + + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. 
+ However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + ([CVE-2023-0215]) + + *Viktor Dukhovni, Matt Caswell* + + * Fixed Double free after calling PEM_read_bio_ex. + + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + ([CVE-2022-4450]) + + *Kurt Roeckx, Matt Caswell* + + * Fixed Timing Oracle in RSA Decryption. + + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. 
To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + ([CVE-2022-4304]) + + *Dmitry Belyavsky, Hubert Kario* + + * Fixed X.509 Name Constraints Read Buffer Overflow. + + A read buffer overrun can be triggered in X.509 certificate verification, + specifically in name constraint checking. The read buffer overrun might + result in a crash which could lead to a denial of service attack. + In a TLS client, this can be triggered by connecting to a malicious + server. In a TLS server, this can be triggered if the server requests + client authentication and a malicious client connects. + ([CVE-2022-4203]) + + *Viktor Dukhovni* + + * Fixed X.509 Policy Constraints Double Locking security issue. + + If an X.509 certificate contains a malformed policy constraint and + policy processing is enabled, then a write lock will be taken twice + recursively. On some operating systems (most widely: Windows) this + results in a denial of service when the affected process hangs. Policy + processing being enabled on a publicly facing server is not considered + to be a common setup. + ([CVE-2022-3996]) + + *Paul Dale* + + * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and + `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor + `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and + default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting + `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using + `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases. + For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to` + for legacy EC and SM2 keys is also changed similarly to honor the + equivalent conversion format flag as specified in the underlying + `EC_KEY` object being exported to a provider, when this function is + called through `EVP_PKEY_export()`. 
+ + *Nicola Tuveri* + ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022] * Fixed two buffer overflows in punycode decoding functions. @@ -19232,7 +19395,7 @@ ndif *Ralf S. Engelschall* * Incorporated the popular no-RSA/DSA-only patches - which allow to compile a RSA-free SSLeay. + which allow to compile an RSA-free SSLeay. *Andrew Cooke / Interrader Ldt., Ralf S. Engelschall* @@ -19421,6 +19584,15 @@ ndif +[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 +[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 +[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 +[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216 +[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215 +[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450 +[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304 +[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 +[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 diff --git a/deps/openssl/openssl/Configurations/descrip.mms.tmpl b/deps/openssl/openssl/Configurations/descrip.mms.tmpl index b7d1df25928053..d4a1792ec4f069 100644 --- a/deps/openssl/openssl/Configurations/descrip.mms.tmpl +++ b/deps/openssl/openssl/Configurations/descrip.mms.tmpl @@ -984,7 +984,8 @@ EOF $target : $gen0 $deps $mkdef \$(PERL) $mkdef$ord_ver --type $args{intent} --ordinals $gen0 --name $ord_name "--OS" "VMS"$case_insensitive > $target EOF - } elsif (platform->isasm($args{src})) { + } elsif (platform->isasm($args{src}) + || platform->iscppasm($args{src})) { # # Assembler generator # 
@@ -994,7 +995,9 @@ EOF dso => "$dso_cflags $dso_cppflags", bin => "$bin_cflags $bin_cppflags" } -> {$args{intent}}; my $defs = join("", map { ",".$_ } @{$args{defs}}); - my $target = platform->asm($args{src}); + my $target = platform->isasm($args{src}) + ? platform->asm($args{src}) + : $args{src}; my $generator; if ($gen0 =~ /\.pl$/) { @@ -1007,21 +1010,6 @@ EOF } if (defined($generator)) { - # If the target is named foo.S in build.info, we want to - # end up generating foo.s in two steps. - if ($args{src} =~ /\.S$/) { - return <<"EOF"; -$target : $gen0 $deps - $generator \$\@-S - \@ extradefines = "$defs" - PIPE \$(CPP) $cppflags \$\@-S | - - \$(PERL) -ne "/^#(\\s*line)?\\s*[0-9]+\\s+""/ or print" > \$\@-i - \@ DELETE/SYMBOL/LOCAL extradefines - RENAME \$\@-i \$\@ - DELETE \$\@-S; -EOF - } - # Otherwise.... return <<"EOF"; $target : $gen0 $deps \@ extradefines = "$defs" diff --git a/deps/openssl/openssl/Configurations/platform/BASE.pm b/deps/openssl/openssl/Configurations/platform/BASE.pm index 1ab4bf18e91af6..95c2211d830b2f 100644 --- a/deps/openssl/openssl/Configurations/platform/BASE.pm +++ b/deps/openssl/openssl/Configurations/platform/BASE.pm @@ -42,7 +42,7 @@ sub def { return __base($_[1], '.ld') . $_[0]->defext() } sub obj { return __base($_[1], '.o') . $_[0]->objext() } sub res { return __base($_[1], '.res') . $_[0]->resext() } sub dep { return __base($_[1], '.o') . $_[0]->depext() } # <- objname -sub asm { return __base($_[1], '.S', '.s') . $_[0]->asmext() } +sub asm { return __base($_[1], '.s') . $_[0]->asmext() } # Another set of convenience functions for standard checks of certain # internal extensions and conversion from internal to platform specific 
@@ -51,7 +51,8 @@ sub asm { return __base($_[1], '.S', '.s') . $_[0]->asmext() } sub isdef { return $_[1] =~ m|\.ld$|; } sub isobj { return $_[1] =~ m|\.o$|; } sub isres { return $_[1] =~ m|\.res$|; } -sub isasm { return $_[1] =~ m|\.[Ss]$|; } +sub isasm { return $_[1] =~ m|\.s$|; } +sub iscppasm { return $_[1] =~ m|\.S$|; } sub isstaticlib { return $_[1] =~ m|\.a$|; } sub convertext { if ($_[0]->isdef($_[1])) { return $_[0]->def($_[1]); } diff --git a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl index 110ba0687d8012..ebf20965b7a9ff 100644 --- a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl +++ b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl @@ -1552,7 +1552,8 @@ EOF $target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl \$(PERL) \$(SRCDIR)/util/mkdef.pl$ord_ver --type $args{intent} --ordinals $gen0 --name $ord_name --OS $mkdef_os > $target EOF - } elsif (platform->isasm($args{src})) { + } elsif (platform->isasm($args{src}) + || platform->iscppasm($args{src})) { # # Assembler generator # diff --git a/deps/openssl/openssl/Configurations/windows-makefile.tmpl b/deps/openssl/openssl/Configurations/windows-makefile.tmpl index dcf83a516a4d89..5d41af41bca2ce 100644 --- a/deps/openssl/openssl/Configurations/windows-makefile.tmpl +++ b/deps/openssl/openssl/Configurations/windows-makefile.tmpl @@ -747,7 +747,8 @@ EOF $target: $gen0 $deps $mkdef "\$(PERL)" "$mkdef"$ord_ver --type $args{intent} --ordinals $gen0 --name $ord_name --OS windows > $target EOF - } elsif (platform->isasm($args{src})) { + } elsif (platform->isasm($args{src}) + || platform->iscppasm($args{src})) { # # Assembler generator # @@ -757,7 +758,9 @@ EOF dso => '$(DSO_CFLAGS) $(DSO_CPPFLAGS)', bin => '$(BIN_CFLAGS) $(BIN_CPPFLAGS)' } -> {$args{intent}}; - my $target = platform->asm($args{src}); + my $target = platform->isasm($args{src}) + ? platform->asm($args{src}) + : $args{src}; my $generator; if ($gen0 =~ /\.pl$/) { 
@@ -770,18 +773,6 @@ EOF } if (defined($generator)) { - # If the target is named foo.S in build.info, we want to - # end up generating foo.s in two steps. - if ($args{src} =~ /\.S$/) { - return <<"EOF"; -$target: "$gen0" $deps - cmd /C "set "ASM=\$(AS)" & $generator \$@.S" - \$(CPP) $incs $cppflags $defs \$@.S > \$@.i - move /Y \$@.i \$@ - del /Q \$@.S -EOF - } - # Otherwise.... return <<"EOF"; $target: "$gen0" $deps cmd /C "set "ASM=\$(AS)" & $generator \$@" diff --git a/deps/openssl/openssl/Configure b/deps/openssl/openssl/Configure index 6d4821ffc1cc80..26ad8aff46e7fc 100755 --- a/deps/openssl/openssl/Configure +++ b/deps/openssl/openssl/Configure @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1397,7 +1397,7 @@ $target{build_scheme} = [ $target{build_scheme} ] my ($builder, $builder_platform, @builder_opts) = @{$target{build_scheme}}; -foreach my $checker (($builder_platform."-".$target{build_file}."-checker.pm", +foreach my $checker (($builder_platform."-".$config{build_file}."-checker.pm", $builder_platform."-checker.pm")) { my $checker_path = catfile($srcdir, "Configurations", $checker); if (-f $checker_path) { @@ -1870,8 +1870,8 @@ if ($builder eq "unified") { # Store the name of the template file we will build the build file from # in %config. This may be useful for the build file itself. my @build_file_template_names = - ( $builder_platform."-".$target{build_file}.".tmpl", - $target{build_file}.".tmpl" ); + ( $builder_platform."-".$config{build_file}.".tmpl", + $config{build_file}.".tmpl" ); my @build_file_templates = (); # First, look in the user provided directory, if given 
@@ -2888,7 +2888,7 @@ exit(0); # sub death_handler { die @_ if $^S; # To prevent the added message in eval blocks - my $build_file = $target{build_file} // "build file"; + my $build_file = $config{build_file} // "build file"; my @message = ( <<"_____", @_ ); Failure! $build_file wasn't produced. diff --git a/deps/openssl/openssl/INSTALL.md b/deps/openssl/openssl/INSTALL.md index 9cad405c59c0ca..59d7d869e982d0 100644 --- a/deps/openssl/openssl/INSTALL.md +++ b/deps/openssl/openssl/INSTALL.md @@ -244,9 +244,8 @@ and issue the following command. $ nmake install -The easiest way to elevate the Command Prompt is to press and hold down -the both the `` and `` key while clicking the menu item in the -task menu. +The easiest way to elevate the Command Prompt is to press and hold down both +the `` and `` keys while clicking the menu item in the task menu. The default installation location is @@ -1208,6 +1207,14 @@ and `descrip.mms` on OpenVMS) from a suitable template in `Configurations/`, and defines various macros in `include/openssl/configuration.h` (generated from `include/openssl/configuration.h.in`. +If none of the generated build files suit your purpose, it's possible to +write your own build file template and give its name through the environment +variable `BUILDFILE`. For example, Ninja build files could be supported by +writing `Configurations/build.ninja.tmpl` and then configure with `BUILDFILE` +set like this (Unix syntax shown, you'll have to adapt for other platforms): + + $ BUILDFILE=build.ninja perl Configure [options...] + ### Out of Tree Builds OpenSSL can be configured to build in a build directory separate from the diff --git a/deps/openssl/openssl/NEWS.md b/deps/openssl/openssl/NEWS.md index e55777f63ef678..36dbfa72f6d564 100644 --- a/deps/openssl/openssl/NEWS.md +++ b/deps/openssl/openssl/NEWS.md 
@@ -18,6 +18,18 @@ OpenSSL Releases OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023] + + * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401]) + * Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286]) + * Fixed NULL dereference validating DSA public key ([CVE-2023-0217]) + * Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216]) + * Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215]) + * Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450]) + * Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304]) + * Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203]) + * Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996]) + ### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022] * Added RIPEMD160 to the default provider. @@ -1418,7 +1430,15 @@ OpenSSL 0.9.x * Support for various new platforms - +[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 +[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 +[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 +[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216 +[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215 +[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450 +[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304 +[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 +[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 
diff --git a/deps/openssl/openssl/NOTES-NONSTOP.md b/deps/openssl/openssl/NOTES-NONSTOP.md index 586fbabef00f04..627843babf32aa 100644 --- a/deps/openssl/openssl/NOTES-NONSTOP.md +++ b/deps/openssl/openssl/NOTES-NONSTOP.md @@ -186,6 +186,9 @@ following variables: if [ -n "$PRE_RELEASE_TAG" ]; then PRE_RELEASE_TAG="-$PRE_RELEASE_TAG" fi + if [ -n "$BUILD_METADATA" ]; then + BUILD_METADATA="+$BUILD_METADATA" + fi echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\ sed -e 's/[-.+]/_/g' ) diff --git a/deps/openssl/openssl/README-FIPS.md b/deps/openssl/openssl/README-FIPS.md index d8c3cd3dd07608..ba88ff2c4e98fe 100644 --- a/deps/openssl/openssl/README-FIPS.md +++ b/deps/openssl/openssl/README-FIPS.md 
@@ -1,13 +1,29 @@ OpenSSL FIPS support ==================== -This release of OpenSSL includes a cryptographic module that is intended to be +This release of OpenSSL includes a cryptographic module that can be FIPS 140-2 validated. The module is implemented as an OpenSSL provider. A provider is essentially a dynamically loadable module which implements cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file for further details. -The OpenSSL FIPS provider comes as shared library called `fips.so` (on Unix) +A cryptographic module is only FIPS validated after it has gone through the complex +FIPS 140 validation process. As this process takes a very long time, it is not +possible to validate every minor release of OpenSSL. +If you need a FIPS validated module then you must ONLY generate a FIPS provider +using OpenSSL versions that have valid FIPS certificates. A FIPS certificate +contains a link to a Security Policy, and you MUST follow the instructions +in the Security Policy in order to be FIPS compliant. +See for information related to OpenSSL +FIPS certificates and Security Policies. + +Newer OpenSSL Releases that include security or bug fixes can be used to build +all other components (such as the core API's, TLS and the default, base and +legacy providers) without any restrictions, but the FIPS provider must be built +as specified in the Security Policy (normally with a different version of the +source code). + +The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or resp. `fips.dll` (on Windows). The FIPS provider does not get built and installed automatically. To enable it, you need to configure OpenSSL using the `enable-fips` option. 
@@ -15,6 +31,9 @@ the `enable-fips` option. Installing the FIPS module ========================== +The following is only a guide. +Please read the Security Policy for up to date installation instructions. + If the FIPS provider is enabled, it gets installed automatically during the normal installation process. Simply follow the normal procedure (configure, make, make test, make install) as described in the [INSTALL](INSTALL.md) file. diff --git a/deps/openssl/openssl/README.md b/deps/openssl/openssl/README.md index 899a0f194b6005..ef1d8fcf481986 100644 --- a/deps/openssl/openssl/README.md +++ b/deps/openssl/openssl/README.md @@ -4,7 +4,7 @@ What This Is This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition to the website, the official source distribution is at . The OpenSSL `README` can be found at -[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.7%2Bquic/README-OpenSSL.md) +[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.8%2Bquic/README-OpenSSL.md) This fork adds APIs that can be used by QUIC implementations for connection handshakes. Quoting the IETF Working group diff --git a/deps/openssl/openssl/VERSION.dat b/deps/openssl/openssl/VERSION.dat index 146838347c6364..e56119d5a3e423 100644 --- a/deps/openssl/openssl/VERSION.dat +++ b/deps/openssl/openssl/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=7 +PATCH=8 PRE_RELEASE_TAG= BUILD_METADATA=quic -RELEASE_DATE="1 Nov 2022" +RELEASE_DATE="7 Feb 2023" SHLIB_VERSION=81.3 diff --git a/deps/openssl/openssl/apps/cmp.c b/deps/openssl/openssl/apps/cmp.c index f98e5ab938820e..9b9e405bb24822 100644 --- a/deps/openssl/openssl/apps/cmp.c +++ b/deps/openssl/openssl/apps/cmp.c 
@@ -2689,8 +2689,8 @@ static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) { (void)OSSL_CMP_CTX_set1_senderNonce(srv_cmp_ctx, NULL); } if (!ret || !keep_alive - || OSSL_CMP_CTX_get_status(srv_cmp_ctx) == -1 - /* transaction closed by OSSL_CMP_CTX_server_perform() */) { + || OSSL_CMP_CTX_get_status(srv_cmp_ctx) != OSSL_CMP_PKISTATUS_trans + /* transaction closed by OSSL_CMP_CTX_server_perform() */) { BIO_free_all(cbio); cbio = NULL; } @@ -2702,6 +2702,35 @@ static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) { } #endif +static void print_status(void) +{ + /* print PKIStatusInfo */ + int status = OSSL_CMP_CTX_get_status(cmp_ctx); + char *buf = app_malloc(OSSL_CMP_PKISI_BUFLEN, "PKIStatusInfo buf"); + const char *string = + OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf, OSSL_CMP_PKISI_BUFLEN); + const char *from = "", *server = ""; + +#ifndef OPENSSL_NO_SOCK + if (opt_server != NULL) { + from = " from "; + server = opt_server; + } +#endif + CMP_print(bio_err, + status == OSSL_CMP_PKISTATUS_accepted + ? OSSL_CMP_LOG_INFO : + status == OSSL_CMP_PKISTATUS_rejection + || status == OSSL_CMP_PKISTATUS_waiting + ? OSSL_CMP_LOG_ERR : OSSL_CMP_LOG_WARNING, + status == OSSL_CMP_PKISTATUS_accepted ? "info" : + status == OSSL_CMP_PKISTATUS_rejection ? "server error" : + status == OSSL_CMP_PKISTATUS_waiting ? "internal error" + : "warning", "received%s%s %s", from, server, + string != NULL ? string : ""); + OPENSSL_free(buf); +} + int cmp_main(int argc, char **argv) { char *configfile = NULL; 
@@ -2924,39 +2953,10 @@ int cmp_main(int argc, char **argv) default: break; } - if (OSSL_CMP_CTX_get_status(cmp_ctx) < 0) + if (OSSL_CMP_CTX_get_status(cmp_ctx) < OSSL_CMP_PKISTATUS_accepted) goto err; /* we got no response, maybe even did not send request */ - { - /* print PKIStatusInfo */ - int status = OSSL_CMP_CTX_get_status(cmp_ctx); - char *buf = app_malloc(OSSL_CMP_PKISI_BUFLEN, "PKIStatusInfo buf"); - const char *string = - OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf, - OSSL_CMP_PKISI_BUFLEN); - const char *from = "", *server = ""; - -#ifndef OPENSSL_NO_SOCK - if (opt_server != NULL) { - from = " from "; - server = opt_server; - } -#endif - CMP_print(bio_err, - status == OSSL_CMP_PKISTATUS_accepted - ? OSSL_CMP_LOG_INFO : - status == OSSL_CMP_PKISTATUS_rejection - || status == OSSL_CMP_PKISTATUS_waiting - ? OSSL_CMP_LOG_ERR : OSSL_CMP_LOG_WARNING, - status == OSSL_CMP_PKISTATUS_accepted ? "info" : - status == OSSL_CMP_PKISTATUS_rejection ? "server error" : - status == OSSL_CMP_PKISTATUS_waiting ? "internal error" - : "warning", - "received%s%s %s", from, server, - string != NULL ? string : ""); - OPENSSL_free(buf); - } - + print_status(); if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_extraCertsIn(cmp_ctx), opt_extracertsout, "extra") < 0) ret = 0; diff --git a/deps/openssl/openssl/apps/dgst.c b/deps/openssl/openssl/apps/dgst.c index 5f36cbcb7791db..1042d940f49ce2 100644 --- a/deps/openssl/openssl/apps/dgst.c +++ b/deps/openssl/openssl/apps/dgst.c @@ -114,6 +114,8 @@ int dgst_main(int argc, char **argv) buf = app_malloc(BUFSIZE, "I/O buffer"); md = (EVP_MD *)EVP_get_digestbyname(argv[0]); + if (md != NULL) + digestname = argv[0]; prog = opt_init(argc, argv, dgst_options); while ((o = opt_next()) != OPT_EOF) { diff --git a/deps/openssl/openssl/apps/lib/apps.c b/deps/openssl/openssl/apps/lib/apps.c index 9456a21868a45b..0d7a20b52afc28 100644 --- a/deps/openssl/openssl/apps/lib/apps.c +++ b/deps/openssl/openssl/apps/lib/apps.c 
@@ -308,6 +308,7 @@ static char *app_get_pass(const char *arg, int keepbio) pwdbio = BIO_push(btmp, pwdbio); #endif } else if (strcmp(arg, "stdin") == 0) { + unbuffer(stdin); pwdbio = dup_bio_in(FORMAT_TEXT); if (pwdbio == NULL) { BIO_printf(bio_err, "Can't open BIO for stdin\n"); @@ -3378,14 +3379,6 @@ int opt_legacy_okay(void) { int provider_options = opt_provider_option_given(); int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL; -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = ENGINE_get_first(); - - if (e != NULL) { - ENGINE_free(e); - return 1; - } -#endif /* * Having a provider option specified or a custom library context or * property query, is a sure sign we're not using legacy. diff --git a/deps/openssl/openssl/apps/lib/cmp_mock_srv.c b/deps/openssl/openssl/apps/lib/cmp_mock_srv.c index 1fb5adca1ad577..b37f3dd3d89ce3 100644 --- a/deps/openssl/openssl/apps/lib/cmp_mock_srv.c +++ b/deps/openssl/openssl/apps/lib/cmp_mock_srv.c @@ -301,7 +301,7 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (ctx->sendError) { + if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; } diff --git a/deps/openssl/openssl/apps/ocsp.c b/deps/openssl/openssl/apps/ocsp.c index 50bf55f3385045..821e224c6ce45d 100644 --- a/deps/openssl/openssl/apps/ocsp.c +++ b/deps/openssl/openssl/apps/ocsp.c @@ -724,6 +724,8 @@ int ocsp_main(int argc, char **argv) make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig, resp_certid_md); + if (resp == NULL) + goto end; if (cbio != NULL) send_ocsp_response(cbio, resp); } else if (host != NULL) { diff --git a/deps/openssl/openssl/apps/pkey.c b/deps/openssl/openssl/apps/pkey.c index fb3899b08ec841..196678533c1ddb 100644 --- a/deps/openssl/openssl/apps/pkey.c +++ b/deps/openssl/openssl/apps/pkey.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -250,7 +250,7 @@ int pkey_main(int argc, char **argv) goto end; } - if (check) + if (check && !pubin) r = EVP_PKEY_check(ctx); else r = EVP_PKEY_public_check(ctx); diff --git a/deps/openssl/openssl/apps/rsautl.c b/deps/openssl/openssl/apps/rsautl.c index ae0206014d82fa..df29069bc1f4a6 100644 --- a/deps/openssl/openssl/apps/rsautl.c +++ b/deps/openssl/openssl/apps/rsautl.c 
@@ -243,25 +243,25 @@ int rsautl_main(int argc, char **argv) switch (rsa_mode) { case RSA_VERIFY: - rv = EVP_PKEY_verify_recover_init(ctx) - && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) + rv = EVP_PKEY_verify_recover_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) > 0 && EVP_PKEY_verify_recover(ctx, rsa_out, &rsa_outlen, - rsa_in, rsa_inlen); + rsa_in, rsa_inlen) > 0; break; case RSA_SIGN: - rv = EVP_PKEY_sign_init(ctx) - && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) - && EVP_PKEY_sign(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen); + rv = EVP_PKEY_sign_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) > 0 + && EVP_PKEY_sign(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen) > 0; break; case RSA_ENCRYPT: - rv = EVP_PKEY_encrypt_init(ctx) - && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) - && EVP_PKEY_encrypt(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen); + rv = EVP_PKEY_encrypt_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) > 0 + && EVP_PKEY_encrypt(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen) > 0; break; case RSA_DECRYPT: - rv = EVP_PKEY_decrypt_init(ctx) - && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) - && EVP_PKEY_decrypt(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen); + rv = EVP_PKEY_decrypt_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, pad) > 0 + && EVP_PKEY_decrypt(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen) > 0; break; } diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index cfd3deb1bea200..2b0b6ba381fb6c 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -3069,7 +3069,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } /* lets make the output buffer a reasonable size */ - if (!BIO_set_write_buffer_size(io, bufsize)) + if (BIO_set_write_buffer_size(io, bufsize) <= 0) goto err; if ((con = SSL_new(ctx)) == NULL) 
@@ -3505,7 +3505,7 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) goto err; /* lets make the output buffer a reasonable size */ - if (!BIO_set_write_buffer_size(io, bufsize)) + if (BIO_set_write_buffer_size(io, bufsize) <= 0) goto err; if ((con = SSL_new(ctx)) == NULL) diff --git a/deps/openssl/openssl/apps/speed.c b/deps/openssl/openssl/apps/speed.c index d180a41f369f81..addf7e32137f56 100644 --- a/deps/openssl/openssl/apps/speed.c +++ b/deps/openssl/openssl/apps/speed.c @@ -2624,11 +2624,11 @@ int speed_main(int argc, char **argv) * code, for maximum performance. */ if ((test_ctx = EVP_PKEY_CTX_new(key_B, NULL)) == NULL /* test ctx from skeyB */ - || !EVP_PKEY_derive_init(test_ctx) /* init derivation test_ctx */ - || !EVP_PKEY_derive_set_peer(test_ctx, key_A) /* set peer pubkey in test_ctx */ - || !EVP_PKEY_derive(test_ctx, NULL, &test_outlen) /* determine max length */ - || !EVP_PKEY_derive(ctx, loopargs[i].secret_a, &outlen) /* compute a*B */ - || !EVP_PKEY_derive(test_ctx, loopargs[i].secret_b, &test_outlen) /* compute b*A */ + || EVP_PKEY_derive_init(test_ctx) <= 0 /* init derivation test_ctx */ + || EVP_PKEY_derive_set_peer(test_ctx, key_A) <= 0 /* set peer pubkey in test_ctx */ + || EVP_PKEY_derive(test_ctx, NULL, &test_outlen) <= 0 /* determine max length */ + || EVP_PKEY_derive(ctx, loopargs[i].secret_a, &outlen) <= 0 /* compute a*B */ + || EVP_PKEY_derive(test_ctx, loopargs[i].secret_b, &test_outlen) <= 0 /* compute b*A */ || test_outlen != outlen /* compare output length */) { ecdh_checks = 0; BIO_printf(bio_err, "ECDH computation failure.\n"); 
@@ -3059,10 +3059,10 @@ int speed_main(int argc, char **argv) ffdh_checks = 0; break; } - if (!EVP_PKEY_derive_init(test_ctx) || - !EVP_PKEY_derive_set_peer(test_ctx, pkey_A) || - !EVP_PKEY_derive(test_ctx, NULL, &test_out) || - !EVP_PKEY_derive(test_ctx, loopargs[i].secret_ff_b, &test_out) || + if (EVP_PKEY_derive_init(test_ctx) <= 0 || + EVP_PKEY_derive_set_peer(test_ctx, pkey_A) <= 0 || + EVP_PKEY_derive(test_ctx, NULL, &test_out) <= 0 || + EVP_PKEY_derive(test_ctx, loopargs[i].secret_ff_b, &test_out) <= 0 || test_out != secret_size) { BIO_printf(bio_err, "FFDH computation failure.\n"); op_count = 1; @@ -3456,7 +3456,12 @@ static int do_multi(int multi, int size_num) char buf[1024]; char *p; - f = fdopen(fds[n], "r"); + if ((f = fdopen(fds[n], "r")) == NULL) { + BIO_printf(bio_err, "fdopen failure with 0x%x\n", + errno); + OPENSSL_free(fds); + return 1; + } while (fgets(buf, sizeof(buf), f)) { p = strchr(buf, '\n'); if (p) diff --git a/deps/openssl/openssl/apps/storeutl.c b/deps/openssl/openssl/apps/storeutl.c index 1368caae92df17..30c9915de3e83a 100644 --- a/deps/openssl/openssl/apps/storeutl.c +++ b/deps/openssl/openssl/apps/storeutl.c @@ -163,8 +163,7 @@ int storeutl_main(int argc, char *argv[]) break; case OPT_CRITERION_ISSUER: if (criterion != 0 - || (criterion == OSSL_STORE_SEARCH_BY_ISSUER_SERIAL - && issuer != NULL)) { + && criterion != OSSL_STORE_SEARCH_BY_ISSUER_SERIAL) { BIO_printf(bio_err, "%s: criterion already given.\n", prog); goto end; @@ -181,8 +180,7 @@ int storeutl_main(int argc, char *argv[]) break; case OPT_CRITERION_SERIAL: if (criterion != 0 - || (criterion == OSSL_STORE_SEARCH_BY_ISSUER_SERIAL - && serial != NULL)) { + && criterion != OSSL_STORE_SEARCH_BY_ISSUER_SERIAL) { BIO_printf(bio_err, "%s: criterion already given.\n", prog); goto end; diff --git a/deps/openssl/openssl/configdata.pm.in b/deps/openssl/openssl/configdata.pm.in index bef90608463c32..04b901144f4779 100644 --- a/deps/openssl/openssl/configdata.pm.in 
+++ b/deps/openssl/openssl/configdata.pm.in @@ -91,7 +91,7 @@ unless (caller) { # We do that in two steps, where the first step emits perl # snipets. - my $buildfile = $target{build_file}; + my $buildfile = $config{build_file}; my $buildfile_template = "$buildfile.in"; my @autowarntext = ( 'WARNING: do not edit!', diff --git a/deps/openssl/openssl/crypto/asn1/asn_mime.c b/deps/openssl/openssl/crypto/asn1/asn_mime.c index b1474888aafe49..b44b0f36858bd6 100644 --- a/deps/openssl/openssl/crypto/asn1/asn_mime.c +++ b/deps/openssl/openssl/crypto/asn1/asn_mime.c @@ -515,6 +515,7 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags) char eol; int len; char linebuf[MAX_SMLEN]; + int ret; /* * Buffer output so we don't write one line at a time. This is useful * when streaming as we don't end up with one OCTET STRING per line. @@ -552,9 +553,12 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags) } } } - (void)BIO_flush(out); + ret = BIO_flush(out); BIO_pop(out); BIO_free(bf); + if (ret <= 0) + return 0; + return 1; } diff --git a/deps/openssl/openssl/crypto/asn1/bio_asn1.c b/deps/openssl/openssl/crypto/asn1/bio_asn1.c index f792c08806624e..0ff23912045188 100644 --- a/deps/openssl/openssl/crypto/asn1/bio_asn1.c +++ b/deps/openssl/openssl/crypto/asn1/bio_asn1.c @@ -172,7 +172,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl) case ASN1_STATE_START: if (!asn1_bio_setup_ex(b, ctx, ctx->prefix, ASN1_STATE_PRE_COPY, ASN1_STATE_HEADER)) - return 0; + return -1; break; /* Copy any pre data first */ @@ -189,7 +189,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl) case ASN1_STATE_HEADER: ctx->buflen = ASN1_object_size(0, inl, ctx->asn1_tag) - inl; if (!ossl_assert(ctx->buflen <= ctx->bufsize)) - return 0; + return -1; p = ctx->buf; ASN1_put_object(&p, 0, inl, ctx->asn1_tag, ctx->asn1_class); ctx->copylen = inl; diff --git a/deps/openssl/openssl/crypto/asn1/bio_ndef.c b/deps/openssl/openssl/crypto/asn1/bio_ndef.c index d94e3a364497b6..e5b5319d7fd07c 100644 
--- a/deps/openssl/openssl/crypto/asn1/bio_ndef.c +++ b/deps/openssl/openssl/crypto/asn1/bio_ndef.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, void *parg); -/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */ +/* + * On success, the returned BIO owns the input BIO as part of its BIO chain. + * On failure, NULL is returned and the input BIO is owned by the caller. + * + * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() + */ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) { NDEF_SUPPORT *ndef_aux = NULL; BIO *asn_bio = NULL; const ASN1_AUX *aux = it->funcs; ASN1_STREAM_ARG sarg; + BIO *pop_bio = NULL; if (!aux || !aux->asn1_cb) { ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED); 
@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) out = BIO_push(asn_bio, out); if (out == NULL) goto err; + pop_bio = asn_bio; - BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); - BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); + if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 + || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 + || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) + goto err; /* - * Now let callback prepends any digest, cipher etc BIOs ASN1 structure - * needs. + * Now let the callback prepend any digest, cipher, etc., that the BIO's + * ASN1 structure needs. */ sarg.out = out; sarg.ndef_bio = NULL; sarg.boundary = NULL; - if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) + /* + * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the + * middle of some partially built, but not returned BIO chain. + */ + if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { + /* + * ndef_aux is now owned by asn_bio so we must not free it in the err + * clean up block + */ + ndef_aux = NULL; goto err; + } + + /* + * We must not fail now because the callback has prepended additional + * BIOs to the chain + */ ndef_aux->val = val; ndef_aux->it = it; @@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) ndef_aux->boundary = sarg.boundary; ndef_aux->out = out; - BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); - return sarg.ndef_bio; err: + /* BIO_pop() is NULL safe */ + (void)BIO_pop(pop_bio); BIO_free(asn_bio); OPENSSL_free(ndef_aux); return NULL; diff --git a/deps/openssl/openssl/crypto/bf/build.info b/deps/openssl/openssl/crypto/bf/build.info index 0c32fedef8ef7d..d24ab5ae573d7f 100644 --- a/deps/openssl/openssl/crypto/bf/build.info +++ b/deps/openssl/openssl/crypto/bf/build.info 
@@ -17,7 +17,7 @@ SOURCE[../../libcrypto]=$ALL # When all deprecated symbols are removed, libcrypto doesn't export the # blowfish functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$ALL ENDIF diff --git a/deps/openssl/openssl/crypto/bio/bf_buff.c b/deps/openssl/openssl/crypto/bio/bf_buff.c index cfed63bd72ec84..53bd02fe1416d4 100644 --- a/deps/openssl/openssl/crypto/bio/bf_buff.c +++ b/deps/openssl/openssl/crypto/bio/bf_buff.c @@ -383,8 +383,8 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_CTRL_DUP: dbio = (BIO *)ptr; - if (!BIO_set_read_buffer_size(dbio, ctx->ibuf_size) || - !BIO_set_write_buffer_size(dbio, ctx->obuf_size)) + if (BIO_set_read_buffer_size(dbio, ctx->ibuf_size) <= 0 || + BIO_set_write_buffer_size(dbio, ctx->obuf_size) <= 0) ret = 0; break; case BIO_CTRL_PEEK: diff --git a/deps/openssl/openssl/crypto/bio/bf_lbuf.c b/deps/openssl/openssl/crypto/bio/bf_lbuf.c index 73f12169876875..6908e64d365236 100644 --- a/deps/openssl/openssl/crypto/bio/bf_lbuf.c +++ b/deps/openssl/openssl/crypto/bio/bf_lbuf.c @@ -284,7 +284,7 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_CTRL_DUP: dbio = (BIO *)ptr; - if (!BIO_set_write_buffer_size(dbio, ctx->obuf_size)) + if (BIO_set_write_buffer_size(dbio, ctx->obuf_size) <= 0) ret = 0; break; default: diff --git a/deps/openssl/openssl/crypto/bn/bn_blind.c b/deps/openssl/openssl/crypto/bn/bn_blind.c index 72457b34cf1915..0b6d1bccc2a2ef 100644 --- a/deps/openssl/openssl/crypto/bn/bn_blind.c +++ b/deps/openssl/openssl/crypto/bn/bn_blind.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,20 +13,6 @@ #define BN_BLINDING_COUNTER 32 -struct bn_blinding_st { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ - CRYPTO_THREAD_ID tid; - int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - CRYPTO_RWLOCK *lock; -}; - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) { BN_BLINDING *ret = NULL; diff --git a/deps/openssl/openssl/crypto/bn/bn_exp.c b/deps/openssl/openssl/crypto/bn/bn_exp.c index 91d6b6b4bb5840..4e169ae1f9a43b 100644 --- a/deps/openssl/openssl/crypto/bn/bn_exp.c +++ b/deps/openssl/openssl/crypto/bn/bn_exp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -36,6 +36,15 @@ /* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 +/* + * Beyond this limit the constant time code is disabled due to + * the possible overflow in the computation of powerbufLen in + * BN_mod_exp_mont_consttime. + * When this limit is exceeded, the computation will be done using + * non-constant time code, but it will take very long. + */ +#define BN_CONSTTIME_SIZE_LIMIT (INT_MAX / BN_BYTES / 256) + /* this one works - simple but works */ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { 
@@ -303,12 +312,6 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, BIGNUM *val[TABLE_SIZE]; BN_MONT_CTX *mont = NULL; - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 - || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 - || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) { - return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); - } - bn_check_top(a); bn_check_top(p); bn_check_top(m); @@ -317,6 +320,14 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; } + + if (m->top <= BN_CONSTTIME_SIZE_LIMIT + && (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 + || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 + || BN_get_flags(m, BN_FLG_CONSTTIME) != 0)) { + return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); + } + bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1, or x**0 mod -1 is still zero. */ @@ -615,6 +626,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, top = m->top; + if (top > BN_CONSTTIME_SIZE_LIMIT) { + /* Prevent overflowing the powerbufLen computation below */ + return BN_mod_exp_mont(rr, a, p, m, ctx, in_mont); + } + /* * Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak * whether the top bits are zero. @@ -694,7 +710,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, else #endif #if defined(OPENSSL_BN_ASM_MONT5) - if (window >= 5) { + if (window >= 5 && top <= BN_SOFT_LIMIT) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ /* reserve space for mont->N.d[] copy */ @@ -755,6 +771,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) goto err; + if (top > BN_SOFT_LIMIT) + goto fallback; + #if defined(SPARC_T4_MONT) if (t4) { typedef int (*bn_pwr5_mont_f) (BN_ULONG *tp, const BN_ULONG *np, 
@@ -1026,6 +1045,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } else #endif { + fallback: if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) diff --git a/deps/openssl/openssl/crypto/bn/bn_local.h b/deps/openssl/openssl/crypto/bn/bn_local.h index 3c8534e1f7ba32..2cc445607e18aa 100644 --- a/deps/openssl/openssl/crypto/bn/bn_local.h +++ b/deps/openssl/openssl/crypto/bn/bn_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,6 +42,26 @@ # include # endif +/* + * This should limit the stack usage due to alloca to about 4K. + * BN_SOFT_LIMIT is a soft limit equivalent to 2*OPENSSL_RSA_MAX_MODULUS_BITS. + * Beyond that size bn_mul_mont is no longer used, and the constant time + * assembler code is disabled, due to the blatant alloca and bn_mul_mont usage. + * Note that bn_mul_mont does an alloca that is hidden away in assembly. + * It is not recommended to do computations with numbers exceeding this limit, + * since the result will be highly version dependent: + * While the current OpenSSL version will use non-optimized, but safe code, + * previous versions will use optimized code, that may crash due to unexpected + * stack overflow, and future versions may very well turn this into a hard + * limit. + * Note however, that it is possible to override the size limit using + * "./config -DBN_SOFT_LIMIT=" if necessary, and the O/S specific + * stack limit is known and taken into consideration. + */ +# ifndef BN_SOFT_LIMIT +# define BN_SOFT_LIMIT (4096 / BN_BYTES) +# endif + # ifndef OPENSSL_SMALL_FOOTPRINT # define BN_MUL_COMBA # define BN_SQR_COMBA 
@@ -270,6 +290,20 @@ struct bn_gencb_st { } cb; }; +struct bn_blinding_st { + BIGNUM *A; + BIGNUM *Ai; + BIGNUM *e; + BIGNUM *mod; /* just a reference */ + CRYPTO_THREAD_ID tid; + int counter; + unsigned long flags; + BN_MONT_CTX *m_ctx; + int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + CRYPTO_RWLOCK *lock; +}; + /*- * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions * diff --git a/deps/openssl/openssl/crypto/bn/bn_mont.c b/deps/openssl/openssl/crypto/bn/bn_mont.c index 735989d98350fa..1c5d66bbf863c4 100644 --- a/deps/openssl/openssl/crypto/bn/bn_mont.c +++ b/deps/openssl/openssl/crypto/bn/bn_mont.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,7 +42,7 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int num = mont->N.top; #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) - if (num > 1 && a->top == num && b->top == num) { + if (num > 1 && num <= BN_SOFT_LIMIT && a->top == num && b->top == num) { if (bn_wexpand(r, num) == NULL) return 0; if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { diff --git a/deps/openssl/openssl/crypto/bn/bn_rand.c b/deps/openssl/openssl/crypto/bn/bn_rand.c index 05d4c6ecd7b3bb..2ca426ff76ed98 100644 --- a/deps/openssl/openssl/crypto/bn/bn_rand.c +++ b/deps/openssl/openssl/crypto/bn/bn_rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -320,7 +320,9 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, err: EVP_MD_CTX_free(mdctx); EVP_MD_free(md); - OPENSSL_free(k_bytes); + OPENSSL_clear_free(k_bytes, num_k_bytes); + OPENSSL_cleanse(digest, sizeof(digest)); + OPENSSL_cleanse(random_bytes, sizeof(random_bytes)); OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); return ret; } diff --git a/deps/openssl/openssl/crypto/bn/build.info b/deps/openssl/openssl/crypto/bn/build.info index 92f5929d18e89c..f4ff6192393e34 100644 --- a/deps/openssl/openssl/crypto/bn/build.info +++ b/deps/openssl/openssl/crypto/bn/build.info @@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c + bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c DEFINE[../../libcrypto]=$BNDEF IF[{- !$disabled{'deprecated-0.9.8'} -}] @@ -116,11 +116,6 @@ IF[{- !$disabled{'deprecated-3.0'} -}] ENDIF SOURCE[../../providers/libfips.a]=$COMMON $BNASM DEFINE[../../providers/libfips.a]=$BNDEF -# Because some CPUID implementations use some BN assembler (!!!), we -# must include assembler code into the legacy provider under the same -# conditions as CPUID code is included. See ../build.info -SOURCE[../../providers/liblegacy.a]=$BNASM -DEFINE[../../providers/liblegacy.a]=$BNDEF # Implementations are now spread across several libraries, so the defines # need to be applied to all affected libraries and modules. DEFINE[../../providers/libcommon.a]=$BNDEF diff --git a/deps/openssl/openssl/crypto/bn/rsa_sup_mul.c b/deps/openssl/openssl/crypto/bn/rsa_sup_mul.c new file mode 100644 index 00000000000000..0e0d02e1946e16 --- /dev/null +++ b/deps/openssl/openssl/crypto/bn/rsa_sup_mul.c 
@@ -0,0 +1,604 @@ +#include +#include +#include +#include +#include +#include +#include +#include "internal/endian.h" +#include "internal/numbers.h" +#include "internal/constant_time.h" +#include "bn_local.h" + +# if BN_BYTES == 8 +typedef uint64_t limb_t; +# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 +typedef uint128_t limb2_t; +# define HAVE_LIMB2_T +# endif +# define LIMB_BIT_SIZE 64 +# define LIMB_BYTE_SIZE 8 +# elif BN_BYTES == 4 +typedef uint32_t limb_t; +typedef uint64_t limb2_t; +# define LIMB_BIT_SIZE 32 +# define LIMB_BYTE_SIZE 4 +# define HAVE_LIMB2_T +# else +# error "Not supported" +# endif + +/* + * For multiplication we're using schoolbook multiplication, + * so if we have two numbers, each with 6 "digits" (words) + * the multiplication is calculated as follows: + * A B C D E F + * x I J K L M N + * -------------- + * N*F + * N*E + * N*D + * N*C + * N*B + * N*A + * M*F + * M*E + * M*D + * M*C + * M*B + * M*A + * L*F + * L*E + * L*D + * L*C + * L*B + * L*A + * K*F + * K*E + * K*D + * K*C + * K*B + * K*A + * J*F + * J*E + * J*D + * J*C + * J*B + * J*A + * I*F + * I*E + * I*D + * I*C + * I*B + * + I*A + * ========================== + * N*B N*D N*F + * + N*A N*C N*E + * + M*B M*D M*F + * + M*A M*C M*E + * + L*B L*D L*F + * + L*A L*C L*E + * + K*B K*D K*F + * + K*A K*C K*E + * + J*B J*D J*F + * + J*A J*C J*E + * + I*B I*D I*F + * + I*A I*C I*E + * + * 1+1 1+3 1+5 + * 1+0 1+2 1+4 + * 0+1 0+3 0+5 + * 0+0 0+2 0+4 + * + * 0 1 2 3 4 5 6 + * which requires n^2 multiplications and 2n full length additions + * as we can keep every other result of limb multiplication in two separate + * limbs + */ + +#if defined HAVE_LIMB2_T +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + limb2_t t; + /* + * this is idiomatic code to tell compiler to use the native mul + * those three lines will actually compile to single instruction + */ + + t = (limb2_t)a * b; + *hi = t >> LIMB_BIT_SIZE; + *lo = (limb_t)t; +} +#elif (BN_BYTES == 
8) && (defined _MSC_VER) +/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ +#pragma intrinsic(_umul128) +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + *lo = _umul128(a, b, hi); +} +#else +/* + * if the compiler doesn't have either a 128bit data type nor a "return + * high 64 bits of multiplication" + */ +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + limb_t a_low = (limb_t)(uint32_t)a; + limb_t a_hi = a >> 32; + limb_t b_low = (limb_t)(uint32_t)b; + limb_t b_hi = b >> 32; + + limb_t p0 = a_low * b_low; + limb_t p1 = a_low * b_hi; + limb_t p2 = a_hi * b_low; + limb_t p3 = a_hi * b_hi; + + uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); + + *lo = p0 + (p1 << 32) + (p2 << 32); + *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; +} +#endif + +/* add two limbs with carry in, return carry out */ +static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) +{ + limb_t carry1, carry2, t; + /* + * `c = a + b; if (c < a)` is idiomatic code that makes compilers + * use add with carry on assembly level + */ + + *ret = a + carry; + if (*ret < a) + carry1 = 1; + else + carry1 = 0; + + t = *ret; + *ret = t + b; + if (*ret < t) + carry2 = 1; + else + carry2 = 0; + + return carry1 + carry2; +} + +/* + * add two numbers of the same size, return overflow + * + * add a to b, place result in ret; all arrays need to be n limbs long + * return overflow from addition (0 or 1) + */ +static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) +{ + limb_t c = 0; + ossl_ssize_t i; + + for(i = n - 1; i > -1; i--) + c = _add_limb(&ret[i], a[i], b[i], c); + + return c; +} + +/* + * return number of limbs necessary for temporary values + * when multiplying numbers n limbs large + */ +static ossl_inline size_t mul_limb_numb(size_t n) +{ + return 2 * n * 2; +} + +/* + * multiply two numbers of the same size + * + * multiply a by b, place 
result in ret; a and b need to be n limbs long + * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs + * long + */ +static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) +{ + limb_t *r_odd, *r_even; + size_t i, j, k; + + r_odd = tmp; + r_even = &tmp[2 * n]; + + memset(ret, 0, 2 * n * sizeof(limb_t)); + + for (i = 0; i < n; i++) { + for (k = 0; k < i + n + 1; k++) { + r_even[k] = 0; + r_odd[k] = 0; + } + for (j = 0; j < n; j++) { + /* + * place results from even and odd limbs in separate arrays so that + * we don't have to calculate overflow every time we get individual + * limb multiplication result + */ + if (j % 2 == 0) + _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); + else + _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); + } + /* + * skip the least significant limbs when adding multiples of + * more significant limbs (they're zero anyway) + */ + add(ret, ret, r_even, n + i + 1); + add(ret, ret, r_odd, n + i + 1); + } +} + +/* modifies the value in place by performing a right shift by one bit */ +static ossl_inline void rshift1(limb_t *val, size_t n) +{ + limb_t shift_in = 0, shift_out = 0; + size_t i; + + for (i = 0; i < n; i++) { + shift_out = val[i] & 1; + val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); + shift_in = shift_out; + } +} + +/* extend the LSB of flag to all bits of limb */ +static ossl_inline limb_t mk_mask(limb_t flag) +{ + flag |= flag << 1; + flag |= flag << 2; + flag |= flag << 4; + flag |= flag << 8; + flag |= flag << 16; +#if (LIMB_BYTE_SIZE == 8) + flag |= flag << 32; +#endif + return flag; +} + +/* + * copy from either a or b to ret based on flag + * when flag == 0, then copies from b + * when flag == 1, then copies from a + */ +static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) +{ + /* + * would be more efficient with non volatile mask, but then gcc + * generates code with jumps + */ + volatile limb_t mask; + size_t i; + + 
mask = mk_mask(flag); + for (i = 0; i < n; i++) { +#if (LIMB_BYTE_SIZE == 8) + ret[i] = constant_time_select_64(mask, a[i], b[i]); +#else + ret[i] = constant_time_select_32(mask, a[i], b[i]); +#endif + } +} + +static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) +{ + limb_t borrow1, borrow2, t; + /* + * while it doesn't look constant-time, this is idiomatic code + * to tell compilers to use the carry bit from subtraction + */ + + *ret = a - borrow; + if (*ret > a) + borrow1 = 1; + else + borrow1 = 0; + + t = *ret; + *ret = t - b; + if (*ret > t) + borrow2 = 1; + else + borrow2 = 0; + + return borrow1 + borrow2; +} + +/* + * place the result of a - b into ret, return the borrow bit. + * All arrays need to be n limbs long + */ +static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) +{ + limb_t borrow = 0; + ossl_ssize_t i; + + for (i = n - 1; i > -1; i--) + borrow = _sub_limb(&ret[i], a[i], b[i], borrow); + + return borrow; +} + +/* return the number of limbs necessary to allocate for the mod() tmp operand */ +static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) +{ + return (anum + modnum) * 3; +} + +/* + * calculate a % mod, place the result in ret + * size of a is defined by anum, size of ret and mod is modnum, + * size of tmp is returned by mod_limb_numb() + */ +static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, + size_t modnum, limb_t *tmp) +{ + limb_t *atmp, *modtmp, *rettmp; + limb_t res; + size_t i; + + memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); + + atmp = tmp; + modtmp = &tmp[anum + modnum]; + rettmp = &tmp[(anum + modnum) * 2]; + + for (i = modnum; i 0; i--, rp--) { + v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2); + v = v + carry + rp[-1]; + carry |= (v != rp[-1]); + carry &= (v <= rp[-1]); + rp[-1] = v; + } + + /* perform the final reduction by mod... 
*/ + carry -= sub(ret, rp, mod, modnum); + + /* ...conditionally */ + cselect(carry, ret, rp, ret, modnum); +} + +/* allocated buffer should be freed afterwards */ +static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) +{ + int i; + int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + limb_t *ptr = buf + (limbs - real_limbs); + + for (i = 0; i < real_limbs; i++) + ptr[i] = bn->d[real_limbs - i - 1]; +} + +#if LIMB_BYTE_SIZE == 8 +static ossl_inline uint64_t be64(uint64_t host) +{ + uint64_t big = 0; + DECLARE_IS_ENDIAN; + + if (!IS_LITTLE_ENDIAN) + return host; + + big |= (host & 0xff00000000000000) >> 56; + big |= (host & 0x00ff000000000000) >> 40; + big |= (host & 0x0000ff0000000000) >> 24; + big |= (host & 0x000000ff00000000) >> 8; + big |= (host & 0x00000000ff000000) << 8; + big |= (host & 0x0000000000ff0000) << 24; + big |= (host & 0x000000000000ff00) << 40; + big |= (host & 0x00000000000000ff) << 56; + return big; +} + +#else +/* Not all platforms have htobe32(). */ +static ossl_inline uint32_t be32(uint32_t host) +{ + uint32_t big = 0; + DECLARE_IS_ENDIAN; + + if (!IS_LITTLE_ENDIAN) + return host; + + big |= (host & 0xff000000) >> 24; + big |= (host & 0x00ff0000) >> 8; + big |= (host & 0x0000ff00) << 8; + big |= (host & 0x000000ff) << 24; + return big; +} +#endif + +/* + * We assume that intermediate, possible_arg2, blinding, and ctx are used + * similar to BN_BLINDING_invert_ex() arguments. + * to_mod is RSA modulus. + * buf and num is the serialization buffer and its length. + * + * Here we use classic/Montgomery multiplication and modulo. After the calculation finished + * we serialize the new structure instead of BIGNUMs taking endianness into account. 
+ */ +int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, + const BN_BLINDING *blinding, + const BIGNUM *possible_arg2, + const BIGNUM *to_mod, BN_CTX *ctx, + unsigned char *buf, int num) +{ + limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; + limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; + size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; + size_t l_tmp_count = 0; + int ret = 0; + size_t i; + unsigned char *tmp; + const BIGNUM *arg1 = intermediate; + const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; + + l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + + l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; + l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); + l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); + l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); + + if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) + goto err; + + BN_to_limb(arg1, l_im, l_size); + BN_to_limb(arg2, l_mul, l_size); + BN_to_limb(to_mod, l_mod, l_mod_count); + + l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); + + if (blinding->m_ctx != NULL) { + l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? + mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); + l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); + } else { + l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); + l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); + } + + if ((l_ret == NULL) || (l_tmp == NULL)) + goto err; + + if (blinding->m_ctx != NULL) { + limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); + mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, + blinding->m_ctx->n0[0], l_tmp); + } else { + limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); + mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); + } + + /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ + if (num < BN_num_bytes(to_mod)) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + memset(buf, 0, num); + tmp = buf + num - BN_num_bytes(to_mod); + for (i = 0; i < l_mod_count; i++) { +#if LIMB_BYTE_SIZE == 8 + l_buf = be64(l_ret[i]); +#else + l_buf = be32(l_ret[i]); +#endif + if (i == 0) { + int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); + + memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); + tmp += delta; + } else { + memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); + tmp += LIMB_BYTE_SIZE; + } + } + ret = num; + + err: + OPENSSL_free(l_im); + OPENSSL_free(l_mul); + OPENSSL_free(l_mod); + OPENSSL_free(l_tmp); + OPENSSL_free(l_ret); + + return ret; +} diff --git a/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c b/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c index c6542ad49a388d..b19050dfee8c86 100644 --- a/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c +++ b/deps/openssl/openssl/crypto/bn/rsaz_exp_x2.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2020, Intel Corporation. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -31,14 +31,6 @@ NON_EMPTY_TRANSLATION_UNIT # define ALIGN64 # endif -# if defined(__GNUC__) -# define ALIGN1 __attribute__((aligned(1))) -# elif defined(_MSC_VER) -# define ALIGN1 __declspec(align(1)) -# else -# define ALIGN1 -# endif - # define ALIGN_OF(ptr, boundary) \ ((unsigned char *)(ptr) + (boundary - (((size_t)(ptr)) & (boundary - 1)))) @@ -50,8 +42,6 @@ NON_EMPTY_TRANSLATION_UNIT # define BITS2WORD8_SIZE(x) (((x) + 7) >> 3) # define BITS2WORD64_SIZE(x) (((x) + 63) >> 6) -typedef uint64_t ALIGN1 uint64_t_align1; - static ossl_inline uint64_t get_digit52(const uint8_t *in, int in_len); static ossl_inline void put_digit52(uint8_t *out, int out_len, uint64_t digit); static void to_words52(BN_ULONG *out, int out_len, const BN_ULONG *in, @@ -478,9 +468,13 @@ static void to_words52(BN_ULONG *out, int out_len, in_str = (uint8_t *)in; for (; in_bitsize >= (2 * DIGIT_SIZE); in_bitsize -= (2 * DIGIT_SIZE), out += 2) { - out[0] = (*(uint64_t_align1 *)in_str) & DIGIT_MASK; + uint64_t digit; + + memcpy(&digit, in_str, sizeof(digit)); + out[0] = digit & DIGIT_MASK; in_str += 6; - out[1] = ((*(uint64_t_align1 *)in_str) >> 4) & DIGIT_MASK; + memcpy(&digit, in_str, sizeof(digit)); + out[1] = (digit >> 4) & DIGIT_MASK; in_str += 7; out_len -= 2; } @@ -536,10 +530,15 @@ static void from_words52(BN_ULONG *out, int out_bitsize, const BN_ULONG *in) { uint8_t *out_str = (uint8_t *)out; - for (; out_bitsize >= (2 * DIGIT_SIZE); out_bitsize -= (2 * DIGIT_SIZE), in += 2) { - (*(uint64_t_align1 *)out_str) = in[0]; + for (; out_bitsize >= (2 * DIGIT_SIZE); + out_bitsize -= (2 * DIGIT_SIZE), in += 2) { + uint64_t digit; + + digit = in[0]; + memcpy(out_str, &digit, sizeof(digit)); out_str += 6; - (*(uint64_t_align1 *)out_str) ^= in[1] << 4; + digit = digit >> 48 | in[1] << 4; + memcpy(out_str, &digit, sizeof(digit)); out_str += 7; } diff --git a/deps/openssl/openssl/crypto/build.info b/deps/openssl/openssl/crypto/build.info index c04db5591120df..16584234feb793 100644 
--- a/deps/openssl/openssl/crypto/build.info +++ b/deps/openssl/openssl/crypto/build.info @@ -97,6 +97,10 @@ $UTIL_COMMON=\ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c +IF[{- !$disabled{shared} -}] + SOURCE[../libssl]=sparse_array.c +ENDIF + SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ diff --git a/deps/openssl/openssl/crypto/cast/build.info b/deps/openssl/openssl/crypto/cast/build.info index 7653b221881a2c..4395f0ac22a2be 100644 --- a/deps/openssl/openssl/crypto/cast/build.info +++ b/deps/openssl/openssl/crypto/cast/build.info @@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=$ALL # When all deprecated symbols are removed, libcrypto doesn't export the # cast functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$ALL ENDIF diff --git a/deps/openssl/openssl/crypto/cmp/cmp_client.c b/deps/openssl/openssl/crypto/cmp/cmp_client.c index c7674ce088695c..22ae7d07e82de2 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_client.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_client.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * 
@@ -94,16 +94,11 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si) if (!ossl_assert(ctx != NULL && si != NULL)) return 0; - if ((ctx->status = ossl_cmp_pkisi_get_status(si)) < 0) + ctx->status = ossl_cmp_pkisi_get_status(si); + if (ctx->status < OSSL_CMP_PKISTATUS_accepted) return 0; - ctx->failInfoCode = 0; - if (si->failInfo != NULL) { - for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) { - if (ASN1_BIT_STRING_get_bit(si->failInfo, i)) - ctx->failInfoCode |= (1 << i); - } - } + ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si); if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null()) || (ctx->statusString == NULL)) @@ -128,13 +123,13 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si) static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, OSSL_CMP_MSG **rep, int expected_type) { - int is_enrollment = IS_CREP(expected_type) - || expected_type == OSSL_CMP_PKIBODY_POLLREP - || expected_type == OSSL_CMP_PKIBODY_PKICONF; + int begin_transaction = + expected_type != OSSL_CMP_PKIBODY_POLLREP + && expected_type != OSSL_CMP_PKIBODY_PKICONF; const char *req_type_str = ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req)); const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type); - int msg_timeout; + int bak_msg_timeout = ctx->msg_timeout; int bt; time_t now = time(NULL); int time_left; 
@@ -142,15 +137,16 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, if (transfer_cb == NULL) transfer_cb = OSSL_CMP_MSG_http_perform; - *rep = NULL; - msg_timeout = ctx->msg_timeout; /* backup original value */ - if (is_enrollment && ctx->total_timeout > 0 /* timeout is not infinite */) { + + if (ctx->total_timeout != 0 /* not waiting indefinitely */) { + if (begin_transaction) + ctx->end_time = now + ctx->total_timeout; if (now >= ctx->end_time) { ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); return 0; } - if (!ossl_assert(ctx->end_time - time(NULL) < INT_MAX)) { + if (!ossl_assert(ctx->end_time - now < INT_MAX)) { /* actually cannot happen due to assignment in initial_certreq() */ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); return 0; @@ -166,11 +162,11 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str); *rep = (*transfer_cb)(ctx, req); - ctx->msg_timeout = msg_timeout; /* restore original value */ + ctx->msg_timeout = bak_msg_timeout; if (*rep == NULL) { ERR_raise_data(ERR_LIB_CMP, - ctx->total_timeout > 0 && time(NULL) >= ctx->end_time ? + ctx->total_timeout != 0 && time(NULL) >= ctx->end_time ? CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR, "request sent: %s, expected response: %s", req_type_str, expected_type_str); @@ -242,7 +238,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, * On receiving a pollRep, which includes a checkAfter value, it return this * value if sleep == 0, else it sleeps as long as indicated and retries. * - * A transaction timeout is enabled if ctx->total_timeout is > 0. + * A transaction timeout is enabled if ctx->total_timeout is != 0. * In this case polling will continue until the timeout is reached and then * polling is done a last time even if this is before the "checkAfter" time. * 
@@ -314,7 +310,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, "received polling response%s; checkAfter = %ld seconds", str, check_after); - if (ctx->total_timeout > 0) { /* timeout is not infinite */ + if (ctx->total_timeout != 0) { /* timeout is not infinite */ const int exp = 5; /* expected max time per msg round trip */ int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL)); @@ -357,7 +353,10 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, return 0; } -/* Send certConf for IR, CR or KUR sequences and check response */ +/* + * Send certConf for IR, CR or KUR sequences and check response, + * not modifying ctx->status during the certConf exchange + */ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info, const char *txt) { @@ -386,6 +385,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, OSSL_CMP_MSG *PKIconf = NULL; int res = 0; + /* not overwriting ctx->status on error exchange */ if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL) goto err; /* ossl_cmp_error_new() also checks if all necessary options are set */ @@ -643,17 +643,15 @@ static int initial_certreq(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *req; int res; - ctx->status = -1; + ctx->status = OSSL_CMP_PKISTATUS_request; if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) return 0; - if (ctx->total_timeout > 0) /* else ctx->end_time is not used */ - ctx->end_time = time(NULL) + ctx->total_timeout; - /* also checks if all necessary options are set */ if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) return 0; + ctx->status = OSSL_CMP_PKISTATUS_trans; res = send_receive_check(ctx, req, p_rep, rep_type); OSSL_CMP_MSG_free(req); return res; 
@@ -743,16 +741,17 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); return 0; } + ctx->status = OSSL_CMP_PKISTATUS_request; if (ctx->oldCert == NULL && ctx->p10CSR == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); return 0; } - ctx->status = -1; /* OSSL_CMP_rr_new() also checks if all necessary options are set */ if ((rr = ossl_cmp_rr_new(ctx)) == NULL) goto end; + ctx->status = OSSL_CMP_PKISTATUS_trans; if (!send_receive_check(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP)) goto end; @@ -861,27 +860,31 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) { OSSL_CMP_MSG *genm; OSSL_CMP_MSG *genp = NULL; - STACK_OF(OSSL_CMP_ITAV) *rcvd_itavs = NULL; + STACK_OF(OSSL_CMP_ITAV) *itavs = NULL; if (ctx == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); - return 0; + return NULL; } - ctx->status = -1; + ctx->status = OSSL_CMP_PKISTATUS_request; if ((genm = ossl_cmp_genm_new(ctx)) == NULL) goto err; + ctx->status = OSSL_CMP_PKISTATUS_trans; if (!send_receive_check(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP)) goto err; + ctx->status = OSSL_CMP_PKISTATUS_accepted; + itavs = genp->body->value.genp; + if (itavs == NULL) + itavs = sk_OSSL_CMP_ITAV_new_null(); /* received stack of itavs not to be freed with the genp */ - rcvd_itavs = genp->body->value.genp; genp->body->value.genp = NULL; err: OSSL_CMP_MSG_free(genm); OSSL_CMP_MSG_free(genp); - return rcvd_itavs; /* recv_itavs == NULL indicates an error */ + return itavs; /* NULL indicates error case */ } diff --git a/deps/openssl/openssl/crypto/cmp/cmp_ctx.c b/deps/openssl/openssl/crypto/cmp/cmp_ctx.c index f514ab27e06d54..4b610b746e451d 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_ctx.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_ctx.c 
@@ -112,7 +112,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) ctx->log_verbosity = OSSL_CMP_LOG_INFO; - ctx->status = -1; + ctx->status = OSSL_CMP_PKISTATUS_unspecified; ctx->failInfoCode = -1; ctx->keep_alive = 1; @@ -142,6 +142,13 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) return NULL; } +#define OSSL_CMP_ITAVs_free(itavs) \ + sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); +#define X509_EXTENSIONS_free(exts) \ + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free) +#define OSSL_CMP_PKIFREETEXT_free(text) \ + sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free) + /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx) { @@ -155,9 +162,12 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx) ossl_cmp_debug(ctx, "disconnected from CMP server"); ctx->http_ctx = NULL; } - ctx->status = -1; + ctx->status = OSSL_CMP_PKISTATUS_unspecified; ctx->failInfoCode = -1; + OSSL_CMP_ITAVs_free(ctx->genm_ITAVs); + ctx->genm_ITAVs = NULL; + return ossl_cmp_ctx_set0_statusString(ctx, NULL) && ossl_cmp_ctx_set0_newCert(ctx, NULL) && ossl_cmp_ctx_set1_newChain(ctx, NULL) @@ -562,6 +572,17 @@ int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav) return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav); } +int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs); + ctx->geninfo_ITAVs = NULL; + return 1; +} + /* Add an itav for the body of outgoing general messages */ int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav) { diff --git a/deps/openssl/openssl/crypto/cmp/cmp_err.c b/deps/openssl/openssl/crypto/cmp/cmp_err.c index 67d9964dbe224a..fe7b96348baea0 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_err.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_err.c 
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,8 +98,11 @@ static const ERR_STRING_DATA CMP_str_reasons[] = { {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_REFERENCE_CERT), "missing reference cert"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_SECRET), "missing secret"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_SENDER_IDENTIFICATION), "missing sender identification"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_TRUST_ANCHOR), + "missing trust anchor"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_TRUST_STORE), "missing trust store"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED), diff --git a/deps/openssl/openssl/crypto/cmp/cmp_msg.c b/deps/openssl/openssl/crypto/cmp/cmp_msg.c index 9890fc3dcb29c4..b244f1e17f0d15 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_msg.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_msg.c @@ -463,7 +463,7 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, OSSL_CMP_MSG *msg = NULL; OSSL_CMP_CERTREPMESSAGE *repMsg = NULL; OSSL_CMP_CERTRESPONSE *resp = NULL; - int status = -1; + int status = OSSL_CMP_PKISTATUS_unspecified; if (!ossl_assert(ctx != NULL && si != NULL)) return NULL; @@ -700,8 +700,7 @@ static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx, if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL) return NULL; - if (ctx->genm_ITAVs != NULL - && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs)) + if (itavs != NULL && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs)) goto err; if (!ossl_cmp_msg_protect(ctx, msg)) 
diff --git a/deps/openssl/openssl/crypto/cmp/cmp_server.c b/deps/openssl/openssl/crypto/cmp/cmp_server.c index 7ce4662aee5f14..946c32c45ebf24 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_server.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_server.c @@ -338,7 +338,7 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, num = sk_OSSL_CMP_CERTSTATUS_num(ccc); if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1 - || ctx->status != -2 /* transaction not open */) { + || ctx->status != OSSL_CMP_PKISTATUS_trans) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_UNEXPECTED_CERTCONF); return NULL; } @@ -359,8 +359,8 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ - if (si != NULL && ossl_cmp_pkisi_get_status(si) - != OSSL_CMP_PKISTATUS_accepted) { + if (si != NULL + && ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_accepted) { int pki_status = ossl_cmp_pkisi_get_status(si); const char *str = ossl_cmp_PKIStatus_to_string(pki_status); @@ -595,8 +595,8 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, else ossl_cmp_log(ERR, ctx, "cannot send proper CMP response"); - /* possibly close the transaction */ - ctx->status = -2; /* this indicates transaction is open */ + /* determine whether to keep the transaction open or not */ + ctx->status = OSSL_CMP_PKISTATUS_trans; switch (rsp_type) { case OSSL_CMP_PKIBODY_IP: case OSSL_CMP_PKIBODY_CP: @@ -611,7 +611,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, case OSSL_CMP_PKIBODY_ERROR: (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL); (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL); - ctx->status = -1; /* transaction closed */ + ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */ default: /* not closing transaction in other cases */ break; 
diff --git a/deps/openssl/openssl/crypto/cmp/cmp_status.c b/deps/openssl/openssl/crypto/cmp/cmp_status.c index 46be6b68992fe3..bfe6cd9906b82a 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_status.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_status.c @@ -73,9 +73,10 @@ int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si) if (!ossl_assert(si != NULL)) return -1; - for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) - if (ASN1_BIT_STRING_get_bit(si->failInfo, i)) - res |= 1 << i; + if (si->failInfo != NULL) + for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) + if (ASN1_BIT_STRING_get_bit(si->failInfo, i)) + res |= 1 << i; return res; } @@ -189,8 +190,11 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info, printed_chars = BIO_snprintf(write_ptr, bufsize, "%s", status_string); ADVANCE_BUFFER; - /* failInfo is optional and may be empty */ - if (fail_info != 0) { + /* + * failInfo is optional and may be empty; + * if present, print failInfo before statusString because it is more concise + */ + if (fail_info != -1 && fail_info != 0) { printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: "); ADVANCE_BUFFER; for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) { diff --git a/deps/openssl/openssl/crypto/cmp/cmp_vfy.c b/deps/openssl/openssl/crypto/cmp/cmp_vfy.c index b9d6fc2bdd17ee..99cd56cb091f0a 100644 --- a/deps/openssl/openssl/crypto/cmp/cmp_vfy.c +++ b/deps/openssl/openssl/crypto/cmp/cmp_vfy.c @@ -568,8 +568,9 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) /* 5.1.3.1. Shared Secret Information */ case NID_id_PasswordBasedMAC: if (ctx->secretValue == NULL) { - ossl_cmp_warn(ctx, "no secret available for verifying PBM-based CMP message protection"); - return 1; + ossl_cmp_info(ctx, "no secret available for verifying PBM-based CMP message protection"); + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_SECRET); + return 0; } if (verify_PBMAC(ctx, msg)) { /* 
@@ -619,8 +620,9 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) scrt = ctx->srvCert; if (scrt == NULL) { if (ctx->trusted == NULL) { - ossl_cmp_warn(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection"); - return 1; + ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection"); + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR); + return 0; } if (check_msg_find_cert(ctx, msg)) return 1; diff --git a/deps/openssl/openssl/crypto/cms/cms_enc.c b/deps/openssl/openssl/crypto/cms/cms_enc.c index a3909ba70ccf92..f7007c12319e66 100644 --- a/deps/openssl/openssl/crypto/cms/cms_enc.c +++ b/deps/openssl/openssl/crypto/cms/cms_enc.c @@ -81,6 +81,10 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, if (enc) { calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_get_type(ctx)); + if (calg->algorithm == NULL) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; + } /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); if (ivlen < 0) { diff --git a/deps/openssl/openssl/crypto/cms/cms_err.c b/deps/openssl/openssl/crypto/cms/cms_err.c index 1fba9d8502494d..dcbea201c8e5f4 100644 --- a/deps/openssl/openssl/crypto/cms/cms_err.c +++ b/deps/openssl/openssl/crypto/cms/cms_err.c @@ -138,6 +138,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = { {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM), + "unsupported content encryption algorithm"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE), "unsupported content type"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_ENCRYPTION_TYPE), 
diff --git a/deps/openssl/openssl/crypto/cms/cms_rsa.c b/deps/openssl/openssl/crypto/cms/cms_rsa.c index 20ed8169183a74..997567fdbfac0d 100644 --- a/deps/openssl/openssl/crypto/cms/cms_rsa.c +++ b/deps/openssl/openssl/crypto/cms/cms_rsa.c @@ -10,6 +10,7 @@ #include #include #include +#include #include "crypto/asn1.h" #include "crypto/rsa.h" #include "cms_local.h" @@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si) int pad_mode = RSA_PKCS1_PADDING; X509_ALGOR *alg; EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); - ASN1_STRING *os = NULL; + unsigned char aid[128]; + const unsigned char *pp = aid; + size_t aid_len = 0; + OSSL_PARAM params[2]; CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); if (pkctx != NULL) { @@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si) /* We don't support it */ if (pad_mode != RSA_PKCS1_PSS_PADDING) return 0; - os = ossl_rsa_ctx_to_pss_string(pkctx); - if (os == NULL) + + params[0] = OSSL_PARAM_construct_octet_string( + OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); + params[1] = OSSL_PARAM_construct_end(); + + if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) + return 0; + if ((aid_len = params[0].return_size) == 0) + return 0; + if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL) return 0; - X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); return 1; } diff --git a/deps/openssl/openssl/crypto/context.c b/deps/openssl/openssl/crypto/context.c index bdfc4d02a3f0f2..548665fba265f4 100644 --- a/deps/openssl/openssl/crypto/context.c +++ b/deps/openssl/openssl/crypto/context.c @@ -15,6 +15,7 @@ #include "internal/bio.h" #include "internal/provider.h" #include "crypto/ctype.h" +#include "crypto/rand.h" struct ossl_lib_ctx_onfree_list_st { ossl_lib_ctx_onfree_fn *fn; 
@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) return NULL; } + +void ossl_release_default_drbg_ctx(void) +{ + int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; + + /* early release of the DRBG in global default libctx, no locking */ + if (dynidx != -1) { + void *data; + + data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); + ossl_rand_ctx_free(data); + CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); + } +} #endif OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) diff --git a/deps/openssl/openssl/crypto/crmf/crmf_lib.c b/deps/openssl/openssl/crypto/crmf/crmf_lib.c index 8b42e4392e7018..3607fb0bf41758 100644 --- a/deps/openssl/openssl/crypto/crmf/crmf_lib.c +++ b/deps/openssl/openssl/crypto/crmf/crmf_lib.c @@ -648,7 +648,7 @@ X509 cikeysize = EVP_CIPHER_get_key_length(cipher); /* first the symmetric key needs to be decrypted */ pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); - if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx)) { + if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx) > 0) { ASN1_BIT_STRING *encKey = ecert->encSymmKey; size_t failure; int retval; diff --git a/deps/openssl/openssl/crypto/des/build.info b/deps/openssl/openssl/crypto/des/build.info index 4284272cfa80d4..5a13e4f9bebc7f 100644 --- a/deps/openssl/openssl/crypto/des/build.info +++ b/deps/openssl/openssl/crypto/des/build.info @@ -23,11 +23,12 @@ $ALL=$COMMON\ SOURCE[../../libcrypto]=$ALL $DESASM SOURCE[../../providers/libfips.a]=$COMMON $DESASM -SOURCE[../../providers/liblegacy.a]=$DESASM +IF[{- !$disabled{module} && !$disabled{shared} -}] + SOURCE[../../providers/liblegacy.a]=$DESASM +ENDIF DEFINE[../../libcrypto]=$DESDEF DEFINE[../../providers/libfips.a]=$DESDEF -DEFINE[../../providers/liblegacy.a]=$DESDEF # When all deprecated symbols are removed, libcrypto doesn't export the # DES functions, so we must include them directly in liblegacy.a 
diff --git a/deps/openssl/openssl/crypto/dh/dh_check.c b/deps/openssl/openssl/crypto/dh/dh_check.c index c4b4ee8ff0e69f..0b391910d6b37c 100644 --- a/deps/openssl/openssl/crypto/dh/dh_check.c +++ b/deps/openssl/openssl/crypto/dh/dh_check.c @@ -73,7 +73,7 @@ int DH_check_params(const DH *dh, int *ret) BN_CTX *ctx = NULL; *ret = 0; - ctx = BN_CTX_new(); + ctx = BN_CTX_new_ex(dh->libctx); if (ctx == NULL) goto err; BN_CTX_start(ctx); @@ -155,7 +155,7 @@ int DH_check(const DH *dh, int *ret) if (!DH_check_params(dh, ret)) return 0; - ctx = BN_CTX_new(); + ctx = BN_CTX_new_ex(dh->libctx); if (ctx == NULL) goto err; BN_CTX_start(ctx); diff --git a/deps/openssl/openssl/crypto/dh/dh_gen.c b/deps/openssl/openssl/crypto/dh/dh_gen.c index 66d1f94bc005b6..aec6b853169a21 100644 --- a/deps/openssl/openssl/crypto/dh/dh_gen.c +++ b/deps/openssl/openssl/crypto/dh/dh_gen.c @@ -169,7 +169,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, return 0; } - ctx = BN_CTX_new(); + ctx = BN_CTX_new_ex(ret->libctx); if (ctx == NULL) goto err; BN_CTX_start(ctx); @@ -213,7 +213,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, g = generator; } - if (!BN_generate_prime_ex(ret->params.p, prime_len, 1, t1, t2, cb)) + if (!BN_generate_prime_ex2(ret->params.p, prime_len, 1, t1, t2, cb, ctx)) goto err; if (!BN_GENCB_call(cb, 3, 0)) goto err; diff --git a/deps/openssl/openssl/crypto/ec/ec_ameth.c b/deps/openssl/openssl/crypto/ec/ec_ameth.c index 7dc2232e5d3959..d4348ff244c73a 100644 --- a/deps/openssl/openssl/crypto/ec/ec_ameth.c +++ b/deps/openssl/openssl/crypto/ec/ec_ameth.c 
@@ -513,8 +513,10 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, if (pub_point != NULL) { /* convert pub_point to a octet string according to the SECG standard */ + point_conversion_form_t format = EC_KEY_get_conv_form(eckey); + if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point, - POINT_CONVERSION_COMPRESSED, + format, &pub_key_buf, bnctx)) == 0 || !OSSL_PARAM_BLD_push_octet_string(tmpl, OSSL_PKEY_PARAM_PUB_KEY, diff --git a/deps/openssl/openssl/crypto/err/README.md b/deps/openssl/openssl/crypto/err/README.md index 78085b37799d74..477dffa2ad3251 100644 --- a/deps/openssl/openssl/crypto/err/README.md +++ b/deps/openssl/openssl/crypto/err/README.md @@ -42,3 +42,14 @@ The generated C error code file `xxx_err.c` will load the header files `stdio.h`, `openssl/err.h` and `openssl/xxx.h` so the header file must load any additional header files containing any definitions it uses. + +Adding new error codes +====================== + +Instead of manually adding error codes into `crypto/err/openssl.txt`, +it is recommended to leverage `make update` for error code generation. +The target will process relevant sources and generate error codes for +any *used* error codes. + +If an error code is added manually into `crypto/err/openssl.txt`, +subsequent `make update` has no effect. diff --git a/deps/openssl/openssl/crypto/err/openssl.txt b/deps/openssl/openssl/crypto/err/openssl.txt index 84d9b0b437082e..b1e997e9504fe1 100644 --- a/deps/openssl/openssl/crypto/err/openssl.txt +++ b/deps/openssl/openssl/crypto/err/openssl.txt 
@@ -235,7 +235,9 @@ CMP_R_MISSING_PBM_SECRET:166:missing pbm secret CMP_R_MISSING_PRIVATE_KEY:131:missing private key CMP_R_MISSING_PROTECTION:143:missing protection CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert +CMP_R_MISSING_SECRET:178:missing secret CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification +CMP_R_MISSING_TRUST_ANCHOR:179:missing trust anchor CMP_R_MISSING_TRUST_STORE:144:missing trust store CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED:161:multiple requests not supported CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED:170:multiple responses not supported @@ -361,6 +363,8 @@ CMS_R_UNKNOWN_CIPHER:148:unknown cipher CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm CMS_R_UNKNOWN_ID:150:unknown id CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm +CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\ + unsupported content encryption algorithm CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type CMS_R_UNSUPPORTED_ENCRYPTION_TYPE:192:unsupported encryption type CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm @@ -1365,6 +1369,8 @@ SSL_R_INVALID_SESSION_ID:999:invalid session id SSL_R_INVALID_SRP_USERNAME:357:invalid srp username SSL_R_INVALID_STATUS_RESPONSE:328:invalid status response SSL_R_INVALID_TICKET_KEYS_LENGTH:325:invalid ticket keys length +SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED:333:\ + legacy sigalg disallowed or unsupported SSL_R_LENGTH_MISMATCH:159:length mismatch SSL_R_LENGTH_TOO_LONG:404:length too long SSL_R_LENGTH_TOO_SHORT:160:length too short diff --git a/deps/openssl/openssl/crypto/evp/bio_enc.c b/deps/openssl/openssl/crypto/evp/bio_enc.c index 2d52c48d1a0f66..304030bcb3b553 100644 --- a/deps/openssl/openssl/crypto/evp/bio_enc.c +++ b/deps/openssl/openssl/crypto/evp/bio_enc.c @@ -299,6 +299,7 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) int i; EVP_CIPHER_CTX **c_ctx; BIO *next; + int pend; ctx = BIO_get_data(b); next = BIO_next(b); 
@@ -334,8 +335,14 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) /* do a final write */ again: while (ctx->buf_len != ctx->buf_off) { + pend = ctx->buf_len - ctx->buf_off; i = enc_write(b, NULL, 0); - if (i < 0) + /* + * i should never be > 0 here because we didn't ask to write any + * new data. We stop if we get an error or we failed to make any + * progress writing pending data. + */ + if (i < 0 || (ctx->buf_len - ctx->buf_off) == pend) return i; } diff --git a/deps/openssl/openssl/crypto/evp/evp_lib.c b/deps/openssl/openssl/crypto/evp/evp_lib.c index d88066d0a2b61f..4f3d901eba5da4 100644 --- a/deps/openssl/openssl/crypto/evp/evp_lib.c +++ b/deps/openssl/openssl/crypto/evp/evp_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -209,7 +209,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, break; default: - ret = EVP_CIPHER_get_asn1_iv(c, type); + ret = EVP_CIPHER_get_asn1_iv(c, type) >= 0 ? 1 : -1; } } else if (cipher->prov != NULL) { OSSL_PARAM params[3], *p = params; @@ -602,7 +602,7 @@ int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, buf, len); - return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params); + return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params) > 0; } int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) 
@@ -611,7 +611,7 @@ int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV, buf, len); - return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params); + return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params) > 0; } unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx) @@ -1201,7 +1201,8 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, } else if (OPENSSL_strcasecmp(type, "ED25519") != 0 && OPENSSL_strcasecmp(type, "X25519") != 0 && OPENSSL_strcasecmp(type, "ED448") != 0 - && OPENSSL_strcasecmp(type, "X448") != 0) { + && OPENSSL_strcasecmp(type, "X448") != 0 + && OPENSSL_strcasecmp(type, "SM2") != 0) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); goto end; } diff --git a/deps/openssl/openssl/crypto/evp/keymgmt_lib.c b/deps/openssl/openssl/crypto/evp/keymgmt_lib.c index 82aa771c381e35..8369d9578cbd0e 100644 --- a/deps/openssl/openssl/crypto/evp/keymgmt_lib.c +++ b/deps/openssl/openssl/crypto/evp/keymgmt_lib.c @@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, export_cb, export_cbarg); } -void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) +void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, + int selection) { struct evp_keymgmt_util_try_import_data_st import_data; OP_CACHE_ELEM *op; @@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) */ if (pk->dirty_cnt == pk->dirty_cnt_copy) { /* If this key is already exported to |keymgmt|, no more to do */ - op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); if (op != NULL && op->keymgmt != NULL) { void *ret = op->keydata; 
@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) /* Setup for the export callback */ import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */ import_data.keymgmt = keymgmt; - import_data.selection = OSSL_KEYMGMT_SELECT_ALL; + import_data.selection = selection; /* * The export function calls the callback (evp_keymgmt_util_try_import), * which does the import for us. If successful, we're done. */ - if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL, + if (!evp_keymgmt_util_export(pk, selection, &evp_keymgmt_util_try_import, &import_data)) /* If there was an error, bail out */ return NULL; @@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) return NULL; } /* Check to make sure some other thread didn't get there first */ - op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); if (op != NULL && op->keydata != NULL) { void *ret = op->keydata; @@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) evp_keymgmt_util_clear_operation_cache(pk, 0); /* Add the new export to the operation cache */ - if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { + if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata, + selection)) { CRYPTO_THREAD_unlock(pk->lock); evp_keymgmt_freedata(keymgmt, import_data.keydata); return NULL; @@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) } OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt) + EVP_KEYMGMT *keymgmt, + int selection) { int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache); OP_CACHE_ELEM *p; 
@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, */ for (i = 0; i < end; i++) { p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i); - if (keymgmt == p->keymgmt) + if (keymgmt == p->keymgmt && (p->selection & selection) == selection) return p; } return NULL; } -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt, void *keydata) +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, + void *keydata, int selection) { OP_CACHE_ELEM *p = NULL; @@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, return 0; p->keydata = keydata; p->keymgmt = keymgmt; + p->selection = selection; if (!EVP_KEYMGMT_up_ref(keymgmt)) { OPENSSL_free(p); @@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) ok = 1; if (keydata1 != NULL) { tmp_keydata = - evp_keymgmt_util_export_to_provider(pk1, keymgmt2); + evp_keymgmt_util_export_to_provider(pk1, keymgmt2, + selection); ok = (tmp_keydata != NULL); } if (ok) { @@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) ok = 1; if (keydata2 != NULL) { tmp_keydata = - evp_keymgmt_util_export_to_provider(pk2, keymgmt1); + evp_keymgmt_util_export_to_provider(pk2, keymgmt1, + selection); ok = (tmp_keydata != NULL); } if (ok) { diff --git a/deps/openssl/openssl/crypto/evp/p5_crpt2.c b/deps/openssl/openssl/crypto/evp/p5_crpt2.c index 8e3fccb213fdfa..b7455be1cf0ac0 100644 --- a/deps/openssl/openssl/crypto/evp/p5_crpt2.c +++ b/deps/openssl/openssl/crypto/evp/p5_crpt2.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -159,7 +159,7 @@ int PKCS5_v2_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, /* Fixup cipher based on AlgorithmIdentifier */ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de)) goto err; - if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) { + if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) <= 0) { ERR_raise(ERR_LIB_EVP, EVP_R_CIPHER_PARAMETER_ERROR); goto err; } diff --git a/deps/openssl/openssl/crypto/evp/p_lib.c b/deps/openssl/openssl/crypto/evp/p_lib.c index c8c342b3e94bd6..5803974c3221a4 100644 --- a/deps/openssl/openssl/crypto/evp/p_lib.c +++ b/deps/openssl/openssl/crypto/evp/p_lib.c @@ -1824,6 +1824,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, { EVP_KEYMGMT *allocated_keymgmt = NULL; EVP_KEYMGMT *tmp_keymgmt = NULL; + int selection = OSSL_KEYMGMT_SELECT_ALL; void *keydata = NULL; int check; @@ -1885,7 +1886,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { if (!CRYPTO_THREAD_read_lock(pk->lock)) goto end; - op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, + selection); /* * If |tmp_keymgmt| is present in the operation cache, it means @@ -1940,7 +1942,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ /* Check to make sure some other thread didn't get there first */ - op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection); if (op != NULL && op->keymgmt != NULL) { void *tmp_keydata = op->keydata; 
@@ -1951,7 +1953,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, } /* Add the new export to the operation cache */ - if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) { + if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata, + selection)) { CRYPTO_THREAD_unlock(pk->lock); evp_keymgmt_freedata(tmp_keymgmt, keydata); keydata = NULL; @@ -1966,7 +1969,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, } #endif /* FIPS_MODULE */ - keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt); + keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection); end: /* diff --git a/deps/openssl/openssl/crypto/ffc/ffc_key_validate.c b/deps/openssl/openssl/crypto/ffc/ffc_key_validate.c index 9f6525a2c87c19..342789621d6df1 100644 --- a/deps/openssl/openssl/crypto/ffc/ffc_key_validate.c +++ b/deps/openssl/openssl/crypto/ffc/ffc_key_validate.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params, BN_CTX *ctx = NULL; *ret = 0; + if (params == NULL || pub_key == NULL || params->p == NULL) { + *ret = FFC_ERROR_PASSED_NULL_PARAM; + return 0; + } + ctx = BN_CTX_new_ex(NULL); if (ctx == NULL) goto err; @@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv, *ret = 0; + if (priv == NULL || upper == NULL) { + *ret = FFC_ERROR_PASSED_NULL_PARAM; + goto err; + } if (BN_cmp(priv, BN_value_one()) < 0) { *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL; goto err; diff --git a/deps/openssl/openssl/crypto/ffc/ffc_params_generate.c b/deps/openssl/openssl/crypto/ffc/ffc_params_generate.c index f0601e1644c39f..6b018edfffcefe 100644 
--- a/deps/openssl/openssl/crypto/ffc/ffc_params_generate.c +++ b/deps/openssl/openssl/crypto/ffc/ffc_params_generate.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -329,7 +329,7 @@ static int generate_q_fips186_4(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd, /* A.1.1.2 Step (5) : generate seed with size seed_len */ if (generate_seed - && RAND_bytes_ex(libctx, seed, seedlen, 0) < 0) + && RAND_bytes_ex(libctx, seed, seedlen, 0) <= 0) goto err; /* * A.1.1.2 Step (6) AND diff --git a/deps/openssl/openssl/crypto/idea/build.info b/deps/openssl/openssl/crypto/idea/build.info index 5441351b9cd76a..7ac120918b9117 100644 --- a/deps/openssl/openssl/crypto/idea/build.info +++ b/deps/openssl/openssl/crypto/idea/build.info @@ -5,6 +5,6 @@ SOURCE[../../libcrypto]=$ALL # When all deprecated symbols are removed, libcrypto doesn't export the # idea functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$ALL ENDIF diff --git a/deps/openssl/openssl/crypto/info.c b/deps/openssl/openssl/crypto/info.c index 776ae7eb0c80bc..f5fa92e1580add 100644 --- a/deps/openssl/openssl/crypto/info.c +++ b/deps/openssl/openssl/crypto/info.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -46,10 +46,10 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings) BIO_snprintf(ossl_cpu_info_str, sizeof(ossl_cpu_info_str), CPUINFO_PREFIX "OPENSSL_ia32cap=0x%llx:0x%llx", - (long long)OPENSSL_ia32cap_P[0] | - (long long)OPENSSL_ia32cap_P[1] << 32, - (long long)OPENSSL_ia32cap_P[2] | - (long long)OPENSSL_ia32cap_P[3] << 32); + (unsigned long long)OPENSSL_ia32cap_P[0] | + (unsigned long long)OPENSSL_ia32cap_P[1] << 32, + (unsigned long long)OPENSSL_ia32cap_P[2] | + (unsigned long long)OPENSSL_ia32cap_P[3] << 32); if ((env = getenv("OPENSSL_ia32cap")) != NULL) BIO_snprintf(ossl_cpu_info_str + strlen(ossl_cpu_info_str), sizeof(ossl_cpu_info_str) - strlen(ossl_cpu_info_str), @@ -132,8 +132,8 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings) #ifdef OPENSSL_RAND_SEED_NONE add_seeds_string("none"); #endif -#ifdef OPENSSL_RAND_SEED_RTDSC - add_seeds_string("stdsc"); +#ifdef OPENSSL_RAND_SEED_RDTSC + add_seeds_string("rdtsc"); #endif #ifdef OPENSSL_RAND_SEED_RDCPU add_seeds_string("rdrand ( rdseed rdrand )"); diff --git a/deps/openssl/openssl/crypto/md2/build.info b/deps/openssl/openssl/crypto/md2/build.info index a1bb42109457c2..541245331f1238 100644 --- a/deps/openssl/openssl/crypto/md2/build.info +++ b/deps/openssl/openssl/crypto/md2/build.info @@ -4,6 +4,6 @@ SOURCE[../../libcrypto]=md2_dgst.c md2_one.c # When all deprecated symbols are removed, libcrypto doesn't export the # MD2 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=md2_dgst.c md2_one.c ENDIF diff --git a/deps/openssl/openssl/crypto/md4/build.info b/deps/openssl/openssl/crypto/md4/build.info index bed9c0bd40cade..ccd93835f708a6 100644 --- a/deps/openssl/openssl/crypto/md4/build.info +++ b/deps/openssl/openssl/crypto/md4/build.info 
@@ -4,6 +4,6 @@ SOURCE[../../libcrypto]=md4_dgst.c md4_one.c # When all deprecated symbols are removed, libcrypto doesn't export the # MD4 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=md4_dgst.c md4_one.c ENDIF diff --git a/deps/openssl/openssl/crypto/md5/build.info b/deps/openssl/openssl/crypto/md5/build.info index a1e28c81532976..9a325386065b0c 100644 --- a/deps/openssl/openssl/crypto/md5/build.info +++ b/deps/openssl/openssl/crypto/md5/build.info @@ -23,7 +23,7 @@ SOURCE[../../libcrypto]=$COMMON # default provider. A no-deprecated build removes the external definition from # libcrypto and this means that the code needs to be in liblegacy. However, # when building without 'dso', liblegacy is included in libcrypto. -IF[{- !$disabled{dso} -}] +IF[{- !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$COMMON ENDIF diff --git a/deps/openssl/openssl/crypto/mdc2/build.info b/deps/openssl/openssl/crypto/mdc2/build.info index 76aa0705e465a2..f748357b1a484c 100644 --- a/deps/openssl/openssl/crypto/mdc2/build.info +++ b/deps/openssl/openssl/crypto/mdc2/build.info @@ -4,6 +4,6 @@ SOURCE[../../libcrypto]=mdc2dgst.c mdc2_one.c # When all deprecated symbols are removed, libcrypto doesn't export the # MDC2 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=mdc2dgst.c mdc2_one.c ENDIF diff --git a/deps/openssl/openssl/crypto/mem_sec.c b/deps/openssl/openssl/crypto/mem_sec.c index 711d35f4096233..6ba75486a89723 100644 --- a/deps/openssl/openssl/crypto/mem_sec.c +++ b/deps/openssl/openssl/crypto/mem_sec.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2004-2014, Akamai Technologies. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -23,8 +23,8 @@ #ifndef OPENSSL_NO_SECURE_MEMORY # if defined(_WIN32) # include -# if defined(WINAPI_FAMILY_PARTITION) \ - && !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_SYSTEM) +# if defined(WINAPI_FAMILY_PARTITION) +# if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_SYSTEM) /* * While VirtualLock is available under the app partition (e.g. UWP), * the headers do not define the API. Define it ourselves instead. @@ -36,6 +36,7 @@ VirtualLock( _In_ LPVOID lpAddress, _In_ SIZE_T dwSize ); +# endif # endif # endif # include diff --git a/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c b/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c index c2b61bd4f2c43a..9707ccb94f4c51 100644 --- a/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c +++ b/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -268,8 +268,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, memcpy(tmpval, val, len); else if (RAND_bytes(tmpval, len) <= 0) goto err; - if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, - &os, 0, X509V3_ADD_REPLACE)) + if (X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, + &os, 0, X509V3_ADD_REPLACE) <= 0) goto err; ret = 1; err: diff --git a/deps/openssl/openssl/crypto/param_build.c b/deps/openssl/openssl/crypto/param_build.c index eaece0026dea21..51c8681f3be509 100644 --- a/deps/openssl/openssl/crypto/param_build.c 
+++ b/deps/openssl/openssl/crypto/param_build.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -221,6 +221,10 @@ int OSSL_PARAM_BLD_push_BN_pad(OSSL_PARAM_BLD *bld, const char *key, } if (BN_get_flags(bn, BN_FLG_SECURE) == BN_FLG_SECURE) secure = 1; + + /* The BIGNUM is zero, we must transfer at least one byte */ + if (sz == 0) + sz++; } pd = param_push(bld, key, sz, sz, OSSL_PARAM_UNSIGNED_INTEGER, secure); if (pd == NULL) diff --git a/deps/openssl/openssl/crypto/params.c b/deps/openssl/openssl/crypto/params.c index 9049041e3bbe70..5fd1e0028da917 100644 --- a/deps/openssl/openssl/crypto/params.c +++ b/deps/openssl/openssl/crypto/params.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -932,6 +932,10 @@ int OSSL_PARAM_set_BN(OSSL_PARAM *p, const BIGNUM *val) return 0; bytes = (size_t)BN_num_bytes(val); + /* We make sure that at least one byte is used, so zero is properly set */ + if (bytes == 0) + bytes++; + p->return_size = bytes; if (p->data == NULL) return 1; diff --git a/deps/openssl/openssl/crypto/pem/pem_lib.c b/deps/openssl/openssl/crypto/pem/pem_lib.c index f9ff80162a66c9..6cd998f216696c 100644 --- a/deps/openssl/openssl/crypto/pem/pem_lib.c +++ b/deps/openssl/openssl/crypto/pem/pem_lib.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, out_free: pem_free(*header, flags, 0); + *header = NULL; pem_free(*data, flags, 0); + *data = NULL; end: EVP_ENCODE_CTX_free(ctx); pem_free(name, flags, 0); diff --git a/deps/openssl/openssl/crypto/pem/pem_pkey.c b/deps/openssl/openssl/crypto/pem/pem_pkey.c index f9346486dd2f19..3e76852c67a44a 100644 --- a/deps/openssl/openssl/crypto/pem/pem_pkey.c +++ b/deps/openssl/openssl/crypto/pem/pem_pkey.c @@ -75,6 +75,10 @@ static EVP_PKEY *pem_read_bio_key_decoder(BIO *bp, EVP_PKEY **x, } ERR_pop_to_mark(); + /* if we were asked for private key, the public key is optional */ + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + selection = selection & ~OSSL_KEYMGMT_SELECT_PUBLIC_KEY; + if (!evp_keymgmt_util_has(pkey, selection)) { EVP_PKEY_free(pkey); pkey = NULL; @@ -106,7 +110,7 @@ static EVP_PKEY *pem_read_bio_key_legacy(BIO *bp, EVP_PKEY **x, EVP_PKEY *ret = NULL; ERR_set_mark(); /* not interested in PEM read errors */ - if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) { + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { if (!PEM_bytes_read_bio_secmem(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u)) { @@ -116,7 +120,7 @@ static EVP_PKEY *pem_read_bio_key_legacy(BIO *bp, EVP_PKEY **x, } else { const char *pem_string = PEM_STRING_PARAMETERS; - if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) pem_string = PEM_STRING_PUBLIC; if (!PEM_bytes_read_bio(&data, &len, &nm, pem_string, 
@@ -174,9 +178,13 @@ static EVP_PKEY *pem_read_bio_key_legacy(BIO *bp, EVP_PKEY **x, goto p8err; ret = ossl_d2i_PrivateKey_legacy(ameth->pkey_id, x, &p, len, libctx, propq); - } else if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) { + } else if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0 + && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + /* Trying legacy PUBKEY decoding only if we do not want private key. */ ret = ossl_d2i_PUBKEY_legacy(x, &p, len); - } else if ((slen = ossl_pem_check_suffix(nm, "PARAMETERS")) > 0) { + } else if ((selection & EVP_PKEY_KEYPAIR) == 0 + && (slen = ossl_pem_check_suffix(nm, "PARAMETERS")) > 0) { + /* Trying legacy params decoding only if we do not want a key. */ ret = EVP_PKEY_new(); if (ret == NULL) goto err; @@ -294,6 +302,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey_ex(BIO *bp, EVP_PKEY **x, OSSL_LIB_CTX *libctx, const char *propq) { return pem_read_bio_key(bp, x, cb, u, libctx, propq, + /* we also want the public key, if available */ EVP_PKEY_KEYPAIR); } @@ -311,7 +320,7 @@ PEM_write_cb_ex_fnsig(PrivateKey, EVP_PKEY, BIO, write_bio) IMPLEMENT_PEM_provided_write_body_main(pkey, bio); legacy: - if (x->ameth == NULL || x->ameth->priv_encode != NULL) + if (x != NULL && (x->ameth == NULL || x->ameth->priv_encode != NULL)) return PEM_write_bio_PKCS8PrivateKey(out, x, enc, (const char *)kstr, klen, cb, u); return PEM_write_bio_PrivateKey_traditional(out, x, enc, kstr, klen, cb, u); @@ -336,6 +345,9 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x, EVP_PKEY *copy = NULL; int ret; + if (x == NULL) + return 0; + if (evp_pkey_is_assigned(x) && evp_pkey_is_provided(x) && evp_pkey_copy_downgraded(©, x)) @@ -343,6 +355,7 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x, if (x->ameth == NULL || x->ameth->old_priv_encode == NULL) { ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE); + EVP_PKEY_free(copy); return 0; } BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str); 
diff --git a/deps/openssl/openssl/crypto/perlasm/x86asm.pl b/deps/openssl/openssl/crypto/perlasm/x86asm.pl index 98a7159a5f131c..8dcde9eacaa3d1 100644 --- a/deps/openssl/openssl/crypto/perlasm/x86asm.pl +++ b/deps/openssl/openssl/crypto/perlasm/x86asm.pl @@ -174,9 +174,9 @@ sub ::vprotd sub ::endbranch { - &::generic("%ifdef __CET__\n"); + &::generic("#ifdef __CET__\n"); &::data_byte(0xf3,0x0f,0x1e,0xfb); - &::generic("%endif\n"); + &::generic("#endif\n"); } # label management diff --git a/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c b/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c index f116e464115c80..1cef67b211af77 100644 --- a/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c +++ b/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg, } (void)ERR_pop_to_mark(); - BIO_set_md(btmp, md); + if (BIO_set_md(btmp, md) <= 0) { + ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); + EVP_MD_free(fetched); + goto err; + } EVP_MD_free(fetched); if (*pbio == NULL) *pbio = btmp; @@ -330,7 +334,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) if (xalg->parameter == NULL) goto err; } - if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) + if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) <= 0) goto err; } @@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } (void)ERR_pop_to_mark(); - BIO_set_md(btmp, md); + if (BIO_set_md(btmp, md) <= 0) { + EVP_MD_free(evp_md); + ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); + goto err; + } EVP_MD_free(evp_md); if (out == NULL) out = btmp; 
@@ -588,7 +596,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) BIO_get_cipher_ctx(etmp, &evp_ctx); if (EVP_CipherInit_ex(evp_ctx, cipher, NULL, NULL, NULL, 0) <= 0) goto err; - if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0) + if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0) goto err; /* Generate random key as MMA defence */ len = EVP_CIPHER_CTX_get_key_length(evp_ctx); diff --git a/deps/openssl/openssl/crypto/pkcs7/pk7_lib.c b/deps/openssl/openssl/crypto/pkcs7/pk7_lib.c index 753f1276e6a64c..5ce591f758f7ff 100644 --- a/deps/openssl/openssl/crypto/pkcs7/pk7_lib.c +++ b/deps/openssl/openssl/crypto/pkcs7/pk7_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7) { + if (p7->d.ptr == NULL) + return NULL; if (PKCS7_type_is_signed(p7)) return p7->d.sign->cert; if (PKCS7_type_is_signedAndEnveloped(p7)) @@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7) static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7) { + if (p7->d.ptr == NULL) + return NULL; if (PKCS7_type_is_signedAndEnveloped(p7)) return p7->d.signed_and_enveloped->recipientinfo; if (PKCS7_type_is_enveloped(p7)) 
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7) const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); - STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7); - STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7); - STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7); + STACK_OF(PKCS7_RECIP_INFO) *rinfos; + STACK_OF(PKCS7_SIGNER_INFO) *sinfos; + STACK_OF(X509) *certs; - if (ctx == NULL) + if (ctx == NULL || p7->d.ptr == NULL) return; + rinfos = pkcs7_get_recipient_info(p7); + sinfos = PKCS7_get_signer_info(p7); + certs = pkcs7_get_signer_certs(p7); + for (i = 0; i < sk_X509_num(certs); i++) ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq); diff --git a/deps/openssl/openssl/crypto/property/defn_cache.c b/deps/openssl/openssl/crypto/property/defn_cache.c index b4cd67c9900105..b43f2d247ef6db 100644 --- a/deps/openssl/openssl/crypto/property/defn_cache.c +++ b/deps/openssl/openssl/crypto/property/defn_cache.c @@ -82,16 +82,18 @@ OSSL_PROPERTY_LIST *ossl_prop_defn_get(OSSL_LIB_CTX *ctx, const char *prop) elem.prop = prop; r = lh_PROPERTY_DEFN_ELEM_retrieve(property_defns, &elem); ossl_lib_ctx_unlock(ctx); - return r != NULL ? r->defn : NULL; + if (r == NULL || !ossl_assert(r->defn != NULL)) + return NULL; + return r->defn; } /* - * Cache the property list for a given property string. Callers of this function - * should call ossl_prop_defn_get first to ensure that there is no existing - * cache entry for this property string. + * Cache the property list for a given property string *pl. + * If an entry already exists in the cache *pl is freed and + * overwritten with the existing entry from the cache. */ int ossl_prop_defn_set(OSSL_LIB_CTX *ctx, const char *prop, - OSSL_PROPERTY_LIST *pl) + OSSL_PROPERTY_LIST **pl) { PROPERTY_DEFN_ELEM elem, *old, *p = NULL; size_t len; 
@@ -109,28 +111,27 @@ int ossl_prop_defn_set(OSSL_LIB_CTX *ctx, const char *prop, if (!ossl_lib_ctx_write_lock(ctx)) return 0; + elem.prop = prop; if (pl == NULL) { - elem.prop = prop; lh_PROPERTY_DEFN_ELEM_delete(property_defns, &elem); goto end; } + /* check if property definition is in the cache already */ + if ((p = lh_PROPERTY_DEFN_ELEM_retrieve(property_defns, &elem)) != NULL) { + ossl_property_free(*pl); + *pl = p->defn; + goto end; + } len = strlen(prop); p = OPENSSL_malloc(sizeof(*p) + len); if (p != NULL) { p->prop = p->body; - p->defn = pl; + p->defn = *pl; memcpy(p->body, prop, len + 1); old = lh_PROPERTY_DEFN_ELEM_insert(property_defns, p); - if (!ossl_assert(old == NULL)) { - /* - * This should not happen. Any caller of ossl_prop_defn_set should - * have called ossl_prop_defn_get first - so we should know that - * there is no existing entry. If we get here we have a bug. We - * deliberately leak the |old| reference in order to avoid a crash - * if there are any existing users of it. - */ + if (!ossl_assert(old == NULL)) + /* This should not happen. An existing entry is handled above. */ goto end; - } if (!lh_PROPERTY_DEFN_ELEM_error(property_defns)) goto end; } diff --git a/deps/openssl/openssl/crypto/property/properties.ebnf b/deps/openssl/openssl/crypto/property/properties.ebnf deleted file mode 100644 index a55198bd75fa4b..00000000000000 --- a/deps/openssl/openssl/crypto/property/properties.ebnf +++ /dev/null 
@@ -1,18 +0,0 @@ -(* https://bottlecaps.de/rr/ui *) - -Definition - ::= PropertyName ( '=' Value )? ( ',' PropertyName ( '=' Value )? )* -Query ::= PropertyQuery ( ',' PropertyQuery )* -PropertyQuery ::= '-' PropertyName - | '?'? ( PropertyName (( '=' | '!=' ) Value)?) -Value ::= NumberLiteral - | StringLiteral -StringLiteral ::= QuotedString | UnquotedString -QuotedString ::= '"' [^"]* '"' - | "'" [^']* "'" -UnquotedString ::= [^{space},]+ -NumberLiteral - ::= '0' ( [0-7]* | 'x' [0-9A-Fa-f]+ ) - | '-'? [1-9] [0-9]+ -PropertyName - ::= [A-Z] [A-Z0-9_]* ( '.' [A-Z] [A-Z0-9_]* )* diff --git a/deps/openssl/openssl/crypto/property/property.c b/deps/openssl/openssl/crypto/property/property.c index 2c92cb5e5026db..844c25cee93600 100644 --- a/deps/openssl/openssl/crypto/property/property.c +++ b/deps/openssl/openssl/crypto/property/property.c @@ -335,7 +335,7 @@ int ossl_method_store_add(OSSL_METHOD_STORE *store, const OSSL_PROVIDER *prov, impl->properties = ossl_parse_property(store->ctx, properties); if (impl->properties == NULL) goto err; - if (!ossl_prop_defn_set(store->ctx, properties, impl->properties)) { + if (!ossl_prop_defn_set(store->ctx, properties, &impl->properties)) { ossl_property_free(impl->properties); impl->properties = NULL; goto err; diff --git a/deps/openssl/openssl/crypto/property/property_local.h b/deps/openssl/openssl/crypto/property/property_local.h index 6b85ce1586e809..797fb3bf5f2bb8 100644 --- a/deps/openssl/openssl/crypto/property/property_local.h +++ b/deps/openssl/openssl/crypto/property/property_local.h @@ -52,4 +52,4 @@ int ossl_property_has_optional(const OSSL_PROPERTY_LIST *query); /* Property definition cache functions */ OSSL_PROPERTY_LIST *ossl_prop_defn_get(OSSL_LIB_CTX *ctx, const char *prop); int ossl_prop_defn_set(OSSL_LIB_CTX *ctx, const char *prop, - OSSL_PROPERTY_LIST *pl); + OSSL_PROPERTY_LIST **pl); 
diff --git a/deps/openssl/openssl/crypto/provider_child.c b/deps/openssl/openssl/crypto/provider_child.c index 16728f9c120e30..861bcb035baacc 100644 --- a/deps/openssl/openssl/crypto/provider_child.c +++ b/deps/openssl/openssl/crypto/provider_child.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -142,8 +142,10 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) 1)) == NULL) goto err; - if (!ossl_provider_activate(cprov, 0, 0)) + if (!ossl_provider_activate(cprov, 0, 0)) { + ossl_provider_free(cprov); goto err; + } if (!ossl_provider_set_child(cprov, prov) || !ossl_provider_add_to_store(cprov, NULL, 0)) { diff --git a/deps/openssl/openssl/crypto/rand/rand_lib.c b/deps/openssl/openssl/crypto/rand/rand_lib.c index c453d3226133df..f341d915db76a2 100644 --- a/deps/openssl/openssl/crypto/rand/rand_lib.c +++ b/deps/openssl/openssl/crypto/rand/rand_lib.c @@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void) CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; # endif + ossl_release_default_drbg_ctx(); rand_inited = 0; } @@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) return NULL; } -static void rand_ossl_ctx_free(void *vdgbl) +void ossl_rand_ctx_free(void *vdgbl) { RAND_GLOBAL *dgbl = vdgbl; @@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl) static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { OSSL_LIB_CTX_METHOD_PRIORITY_2, rand_ossl_ctx_new, - rand_ossl_ctx_free, + ossl_rand_ctx_free, }; static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) diff --git a/deps/openssl/openssl/crypto/rc2/build.info b/deps/openssl/openssl/crypto/rc2/build.info index b6d60d6ee3060d..d1f0ff9c7b692a 100644 
--- a/deps/openssl/openssl/crypto/rc2/build.info +++ b/deps/openssl/openssl/crypto/rc2/build.info @@ -6,6 +6,6 @@ SOURCE[../../libcrypto]=$ALL # When all deprecated symbols are removed, libcrypto doesn't export the # rc2 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$ALL ENDIF diff --git a/deps/openssl/openssl/crypto/rc4/build.info b/deps/openssl/openssl/crypto/rc4/build.info index 14ec94f9f2a758..68b3c73f55b04f 100644 --- a/deps/openssl/openssl/crypto/rc4/build.info +++ b/deps/openssl/openssl/crypto/rc4/build.info @@ -21,7 +21,7 @@ SOURCE[../../libcrypto]=$RC4ASM # When all deprecated symbols are removed, libcrypto doesn't export the # rc4 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$RC4ASM ENDIF diff --git a/deps/openssl/openssl/crypto/rc5/build.info b/deps/openssl/openssl/crypto/rc5/build.info index 96ed42d2cbf702..1b396252bb5cf6 100644 --- a/deps/openssl/openssl/crypto/rc5/build.info +++ b/deps/openssl/openssl/crypto/rc5/build.info @@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=$ALL # When all deprecated symbols are removed, libcrypto doesn't export the # rc5 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$ALL ENDIF diff --git a/deps/openssl/openssl/crypto/ripemd/build.info b/deps/openssl/openssl/crypto/ripemd/build.info index f050480de4e560..17acec0bedcfcf 100644 --- a/deps/openssl/openssl/crypto/ripemd/build.info +++ b/deps/openssl/openssl/crypto/ripemd/build.info 
@@ -20,7 +20,7 @@ DEFINE[../../libcrypto]=$RMD160DEF # When all deprecated symbols are removed, libcrypto doesn't export the # RIPEMD160 functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} && !$disabled{'module'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=rmd_dgst.c rmd_one.c $RMD160ASM DEFINE[../../providers/liblegacy.a]=$RMD160DEF ENDIF diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ameth.c b/deps/openssl/openssl/crypto/rsa/rsa_ameth.c index c15554505b37f6..61ec53d4244ca6 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_ameth.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_ameth.c @@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn, if (pad_mode == RSA_PKCS1_PADDING) return 2; if (pad_mode == RSA_PKCS1_PSS_PADDING) { - ASN1_STRING *os1 = NULL; - os1 = ossl_rsa_ctx_to_pss_string(pkctx); - if (!os1) + unsigned char aid[128]; + size_t aid_len = 0; + OSSL_PARAM params[2]; + + params[0] = OSSL_PARAM_construct_octet_string( + OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); + params[1] = OSSL_PARAM_construct_end(); + + if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) return 0; - /* Duplicate parameters if we have to */ - if (alg2) { - ASN1_STRING *os2 = ASN1_STRING_dup(os1); - if (!os2) { - ASN1_STRING_free(os1); + if ((aid_len = params[0].return_size) == 0) + return 0; + + if (alg1 != NULL) { + const unsigned char *pp = aid; + if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL) + return 0; + } + if (alg2 != NULL) { + const unsigned char *pp = aid; + if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL) return 0; - } - X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), - V_ASN1_SEQUENCE, os2); } - X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), - V_ASN1_SEQUENCE, os1); + return 3; } return 2; 
diff --git a/deps/openssl/openssl/crypto/rsa/rsa_mp.c b/deps/openssl/openssl/crypto/rsa/rsa_mp.c index b785344cf0d056..f827c0a2f8fd78 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_mp.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_mp.c @@ -21,7 +21,7 @@ void ossl_rsa_multip_info_free_ex(RSA_PRIME_INFO *pinfo) void ossl_rsa_multip_info_free(RSA_PRIME_INFO *pinfo) { - /* free a RSA_PRIME_INFO structure */ + /* free an RSA_PRIME_INFO structure */ BN_clear_free(pinfo->r); BN_clear_free(pinfo->d); BN_clear_free(pinfo->t); @@ -32,7 +32,7 @@ RSA_PRIME_INFO *ossl_rsa_multip_info_new(void) { RSA_PRIME_INFO *pinfo; - /* create a RSA_PRIME_INFO structure */ + /* create an RSA_PRIME_INFO structure */ if ((pinfo = OPENSSL_zalloc(sizeof(RSA_PRIME_INFO))) == NULL) { ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); return NULL; diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c index 381c659352ad14..96fed3ca597c6a 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, BN_free(d); } - if (blinding) - if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) + if (blinding) { + /* + * ossl_bn_rsa_do_unblind() combines blinding inversion and + * 0-padded BN BE serialization + */ + j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, + buf, num); + if (j == 0) goto err; - - j = BN_bn2binpad(ret, buf, num); - if (j < 0) - goto err; + } else { + j = BN_bn2binpad(ret, buf, num); + if (j < 0) + goto err; + } switch (padding) { case RSA_PKCS1_PADDING: 
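Review bot: the two branches in `rsa_ossl_private_decrypt` now test `j` against different failure values, `j == 0` after `ossl_bn_rsa_do_unblind` and `j < 0` after `BN_bn2binpad`, and the new comment says what the helper combines but not what it returns. With the padding switch following immediately, state the helper's return contract in that comment (which value means error, and what a non-error value represents) so the asymmetry does not read as a mistake.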
diff --git a/deps/openssl/openssl/crypto/rsa/rsa_sign.c b/deps/openssl/openssl/crypto/rsa/rsa_sign.c index c5a664dc0b0dd6..5745513c2f8e91 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_sign.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_sign.c @@ -280,7 +280,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, #ifndef FIPS_MODULE if (rsa->meth->rsa_sign != NULL) - return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); + return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa) > 0; #endif /* FIPS_MODULE */ /* Compute the encoded digest. */ diff --git a/deps/openssl/openssl/crypto/seed/build.info b/deps/openssl/openssl/crypto/seed/build.info index 5336f0399cd7ed..f513654ecb6781 100644 --- a/deps/openssl/openssl/crypto/seed/build.info +++ b/deps/openssl/openssl/crypto/seed/build.info @@ -5,6 +5,6 @@ SOURCE[../../libcrypto]=$ALL # When all deprecated symbols are removed, libcrypto doesn't export the # seed functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=$ALL ENDIF diff --git a/deps/openssl/openssl/crypto/sha/asm/sha512-ia64.pl b/deps/openssl/openssl/crypto/sha/asm/sha512-ia64.pl index eccc6c92e767ad..e147f2682d5b89 100755 --- a/deps/openssl/openssl/crypto/sha/asm/sha512-ia64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha512-ia64.pl @@ -78,7 +78,7 @@ # $output is the last argument if it looks like a file (it has an extension) $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -if ($output =~ /512.*\.[s|asm]/) { +if ($output =~ /512.*\.[s|asm]/i) { $SZ=8; $BITS=8*$SZ; $LDW="ld8"; @@ -92,7 +92,7 @@ @sigma0=(1, 8, 7); @sigma1=(19,61, 6); $rounds=80; -} elsif ($output =~ /256.*\.[s|asm]/) { +} elsif ($output =~ /256.*\.[s|asm]/i) { $SZ=4; $BITS=8*$SZ; $LDW="ld4"; 
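Review bot: `[s|asm]` in the changed `elsif` pattern (and in the `if` pattern of the previous hunk) is a character class matching one of `s`, `|`, `a` or `m`, not the alternation `(s|asm)`, and the pattern is unanchored, so adding `/i` widens an already loose match instead of making it precise. If the intent is to accept `.s`, `.S` and `.asm` output names, `/256.*\.(s|asm)$/i` and `/512.*\.(s|asm)$/i` say that directly.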
diff --git a/deps/openssl/openssl/crypto/trace.c b/deps/openssl/openssl/crypto/trace.c index d790409a2d6291..3df9b5a51e9941 100644 --- a/deps/openssl/openssl/crypto/trace.c +++ b/deps/openssl/openssl/crypto/trace.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -118,17 +118,16 @@ struct trace_category_st { }; #define TRACE_CATEGORY_(name) { #name, OSSL_TRACE_CATEGORY_##name } -static const struct trace_category_st trace_categories[] = { +static const struct trace_category_st + trace_categories[OSSL_TRACE_CATEGORY_NUM] = { TRACE_CATEGORY_(ALL), TRACE_CATEGORY_(TRACE), TRACE_CATEGORY_(INIT), TRACE_CATEGORY_(TLS), TRACE_CATEGORY_(TLS_CIPHER), TRACE_CATEGORY_(CONF), -#ifndef OPENSSL_NO_ENGINE TRACE_CATEGORY_(ENGINE_TABLE), TRACE_CATEGORY_(ENGINE_REF_COUNT), -#endif TRACE_CATEGORY_(PKCS5V2), TRACE_CATEGORY_(PKCS12_KEYGEN), TRACE_CATEGORY_(PKCS12_DECRYPT), 
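Review bot: sizing `trace_categories` as `[OSSL_TRACE_CATEGORY_NUM]` and dropping the `#ifndef OPENSSL_NO_ENGINE` guard makes the table position-dependent, but nothing in the initializer list ties each `TRACE_CATEGORY_(name)` entry to its index. An entry added out of order or left out still compiles and leaves a zeroed slot with a NULL `name`, which the name lookup loop later in this file passes straight to `OPENSSL_strcasecmp(name, trace_categories[i].name)`. Add a comment at the array stating that entries must stay in `OSSL_TRACE_CATEGORY_*` numeric order with no gaps, or use designated initializers in the macro if the project's C dialect allows them, and skip NULL names in that loop.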
@@ -143,21 +142,29 @@ static const struct trace_category_st trace_categories[] = { const char *OSSL_trace_get_category_name(int num) { - size_t i; - - for (i = 0; i < OSSL_NELEM(trace_categories); i++) - if (trace_categories[i].num == num) - return trace_categories[i].name; - return NULL; /* not found */ + if (num < 0 || (size_t)num >= OSSL_NELEM(trace_categories)) + return NULL; + /* + * Partial check that OSSL_TRACE_CATEGORY_... macros + * are synced with trace_categories array + */ + if (!ossl_assert(trace_categories[num].name != NULL) + || !ossl_assert(trace_categories[num].num == num)) + return NULL; + return trace_categories[num].name; } int OSSL_trace_get_category_num(const char *name) { size_t i; + if (name == NULL) + return -1; + for (i = 0; i < OSSL_NELEM(trace_categories); i++) if (OPENSSL_strcasecmp(name, trace_categories[i].name) == 0) return trace_categories[i].num; + return -1; /* not found */ } @@ -280,11 +287,6 @@ static int set_trace_data(int category, int type, BIO **channel, } /* Before running callbacks are done, set new data where appropriate */ - if (channel != NULL && *channel != NULL) { - trace_channels[category].type = type; - trace_channels[category].bio = *channel; - } - if (prefix != NULL && *prefix != NULL) { if ((curr_prefix = OPENSSL_strdup(*prefix)) == NULL) return 0; @@ -297,6 +299,15 @@ static int set_trace_data(int category, int type, BIO **channel, trace_channels[category].suffix = curr_suffix; } + if (channel != NULL && *channel != NULL) { + trace_channels[category].type = type; + trace_channels[category].bio = *channel; + /* + * This must not be done before setting prefix/suffix, + * as those may fail, and then the caller is mislead to free *channel. + */ + } + /* Finally, run the attach callback on the new data */ if (channel != NULL && *channel != NULL) { attach_cb(category, CHANNEL, *channel); 
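Review bot: the comment explaining the reordering in `set_trace_data` sits after the two assignments inside the `if (channel != NULL && *channel != NULL)` block, where it reads as if it described code that follows. Move it above the block so the ordering constraint is the first thing a reader sees, and correct "mislead" to "misled".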
diff --git a/deps/openssl/openssl/crypto/whrlpool/build.info b/deps/openssl/openssl/crypto/whrlpool/build.info index 137f6dc6c6744f..c7dbecb4fd79b0 100644 --- a/deps/openssl/openssl/crypto/whrlpool/build.info +++ b/deps/openssl/openssl/crypto/whrlpool/build.info @@ -22,7 +22,7 @@ DEFINE[../../libcrypto]=$WPDEF # When all deprecated symbols are removed, libcrypto doesn't export the # WHIRLPOOL functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}] SOURCE[../../providers/liblegacy.a]=wp_dgst.c $WPASM DEFINE[../../providers/liblegacy.a]=$WPDEF ENDIF diff --git a/deps/openssl/openssl/crypto/x509/by_dir.c b/deps/openssl/openssl/crypto/x509/by_dir.c index 258ad518525743..cb40c7737f72f8 100644 --- a/deps/openssl/openssl/crypto/x509/by_dir.c +++ b/deps/openssl/openssl/crypto/x509/by_dir.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -353,9 +353,13 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j); X509_STORE_unlock(xl->store_ctx); - /* If a CRL, update the last file suffix added for this */ - - if (type == X509_LU_CRL) { + /* + * If a CRL, update the last file suffix added for this. + * We don't need to add an entry if k is 0 as this is the initial value. + * This avoids the need for a write lock and sort operation in the + * simple case where no CRL is present for a hash. + */ + if (type == X509_LU_CRL && k > 0) { if (!CRYPTO_THREAD_write_lock(ctx->lock)) goto finish; /* 
@@ -384,6 +388,12 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, ok = 0; goto finish; } + + /* + * Ensure stack is sorted so that subsequent sk_BY_DIR_HASH_find + * will not mutate the stack and therefore require a write lock. + */ + sk_BY_DIR_HASH_sort(ent->hashes); } else if (hent->suffix < k) { hent->suffix = k; } diff --git a/deps/openssl/openssl/crypto/x509/pcy_map.c b/deps/openssl/openssl/crypto/x509/pcy_map.c index 05406c6493fce1..60dfd1e3203b03 100644 --- a/deps/openssl/openssl/crypto/x509/pcy_map.c +++ b/deps/openssl/openssl/crypto/x509/pcy_map.c @@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) ret = 1; bad_mapping: - if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { - x->ex_flags |= EXFLAG_INVALID_POLICY; - CRYPTO_THREAD_unlock(x->lock); - } sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); return ret; diff --git a/deps/openssl/openssl/crypto/x509/v3_addr.c b/deps/openssl/openssl/crypto/x509/v3_addr.c index 3fc5f3d620159c..db010720741c7a 100644 --- a/deps/openssl/openssl/crypto/x509/v3_addr.c +++ b/deps/openssl/openssl/crypto/x509/v3_addr.c @@ -691,6 +691,14 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, return cmp ? cmp : a->length - b->length; } +static int IPAddressFamily_check_len(const IPAddressFamily *f) +{ + if (f->addressFamily->length < 2 || f->addressFamily->length > 3) + return 0; + else + return 1; +} + /* * Check whether an IPAddrBLocks is in canonical form. */ @@ -713,6 +721,10 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); + + if (!IPAddressFamily_check_len(a) || !IPAddressFamily_check_len(b)) + return 0; + if (IPAddressFamily_cmp(&a, &b) >= 0) return 0; } 
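Review bot: in the adjacent-pair loop of `X509v3_addr_is_canonical`, the new `IPAddressFamily_check_len(a)` / `IPAddressFamily_check_len(b)` test checks every interior element twice and checks nothing when the list holds a single family, because the loop bound is `sk_IPAddressFamily_num(addr) - 1`. The single-element case is covered only by the separate `IPAddressFamily_check_len(f)` call added further down in the same function. Validating each family once in its own pass before the ordering loop would be easier to reason about and would not depend on that later loop.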
@@ -739,6 +751,9 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) return 0; } + if (!IPAddressFamily_check_len(f)) + return 0; + /* * It's an IPAddressOrRanges sequence, check it. */ @@ -883,6 +898,10 @@ int X509v3_addr_canonize(IPAddrBlocks *addr) int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + + if (!IPAddressFamily_check_len(f)) + return 0; + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && !IPAddressOrRanges_canonize(f->ipAddressChoice-> u.addressesOrRanges, @@ -1148,10 +1167,12 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) for (i = 0; i < sk_IPAddressFamily_num(a); i++) { IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); int j = sk_IPAddressFamily_find(b, fa); - IPAddressFamily *fb; - fb = sk_IPAddressFamily_value(b, j); + IPAddressFamily *fb = sk_IPAddressFamily_value(b, j); + if (fb == NULL) return 0; + if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb)) + return 0; if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, fa->ipAddressChoice->u.addressesOrRanges, length_from_afi(X509v3_addr_get_afi(fb)))) @@ -1163,19 +1184,19 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) /* * Validation error handling via callback. */ -#define validation_err(_err_) \ - do { \ - if (ctx != NULL) { \ - ctx->error = _err_; \ - ctx->error_depth = i; \ - ctx->current_cert = x; \ - ret = ctx->verify_cb(0, ctx); \ - } else { \ - ret = 0; \ - } \ - if (!ret) \ - goto done; \ - } while (0) +# define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + rv = ctx->verify_cb(0, ctx); \ + } else { \ + rv = 0; \ + } \ + if (rv == 0) \ + goto done; \ + } while (0) /* * Core code for RFC 3779 2.3 path validation. 
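Review bot: `validation_err` now assigns to `rv` instead of `ret`, so besides `ctx`, `i`, `x` and the `done` label the macro requires a local `rv` in every function that uses it, while the comment above it still says only "Validation error handling via callback". Document those implicit dependencies there, and say that `ret` is left untouched on purpose, which appears to be the point of the change: a nonzero return from `ctx->verify_cb` should no longer become the function's result.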
@@ -1190,7 +1211,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, IPAddrBlocks *ext) { IPAddrBlocks *child = NULL; - int i, j, ret = 1; + int i, j, ret = 0, rv; X509 *x; if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0) @@ -1213,7 +1234,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, i = 0; x = sk_X509_value(chain, i); if ((ext = x->rfc3779_addr) == NULL) - goto done; + return 1; /* Return success */ } if (!X509v3_addr_is_canonical(ext)) validation_err(X509_V_ERR_INVALID_EXTENSION); @@ -1222,7 +1243,6 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); if (ctx != NULL) ctx->error = X509_V_ERR_OUT_OF_MEM; - ret = 0; goto done; } @@ -1237,6 +1257,10 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, if (x->rfc3779_addr == NULL) { for (j = 0; j < sk_IPAddressFamily_num(child); j++) { IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + + if (!IPAddressFamily_check_len(fc)) + goto done; + if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { validation_err(X509_V_ERR_UNNESTED_RESOURCE); break; @@ -1251,6 +1275,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); + if (fp == NULL) { if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { @@ -1259,6 +1284,10 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, } continue; } + + if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp)) + goto done; + if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { if (fc->ipAddressChoice->type == IPAddressChoice_inherit 
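Review bot: the new `goto done` after `IPAddressFamily_check_len(fc)` / `IPAddressFamily_check_len(fp)` fails with `ret == 0` but sets no `ctx->error`, unlike the `X509_V_ERR_INVALID_EXTENSION`, `X509_V_ERR_OUT_OF_MEM` and `X509_V_ERR_UNNESTED_RESOURCE` paths around it, so the caller sees a failed verification with whatever error code was set before. Set `ctx->error` (for example to `X509_V_ERR_INVALID_EXTENSION`) when `ctx != NULL` before jumping, here and at the matching `check_len(fc)` test in the `x->rfc3779_addr == NULL` loop. Going through `validation_err` is the less safe option, since a callback that returns nonzero would let the loop continue with the malformed family.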
@@ -1277,14 +1306,17 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, */ if (x->rfc3779_addr != NULL) { for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { - IPAddressFamily *fp = - sk_IPAddressFamily_value(x->rfc3779_addr, j); + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); + + if (!IPAddressFamily_check_len(fp)) + goto done; + if (fp->ipAddressChoice->type == IPAddressChoice_inherit && sk_IPAddressFamily_find(child, fp) >= 0) validation_err(X509_V_ERR_UNNESTED_RESOURCE); } } - + ret = 1; done: sk_IPAddressFamily_free(child); return ret; diff --git a/deps/openssl/openssl/crypto/x509/v3_admis.c b/deps/openssl/openssl/crypto/x509/v3_admis.c index bee9cc9931bf43..3bce232ed2fe83 100644 --- a/deps/openssl/openssl/crypto/x509/v3_admis.c +++ b/deps/openssl/openssl/crypto/x509/v3_admis.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -199,7 +199,7 @@ static int i2r_ADMISSION_SYNTAX(const struct v3_ext_method *method, void *in, return 1; err: - return -1; + return 0; } const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(const NAMING_AUTHORITY *n) diff --git a/deps/openssl/openssl/crypto/x509/v3_genn.c b/deps/openssl/openssl/crypto/x509/v3_genn.c index c0a7166cd0e64b..1f67bf2f63ab87 100644 --- a/deps/openssl/openssl/crypto/x509/v3_genn.c +++ b/deps/openssl/openssl/crypto/x509/v3_genn.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); break; case GEN_EDIPARTY: diff --git a/deps/openssl/openssl/crypto/x509/v3_ncons.c b/deps/openssl/openssl/crypto/x509/v3_ncons.c index 70a7e8304edb3d..a51354e7fc4cc1 100644 --- a/deps/openssl/openssl/crypto/x509/v3_ncons.c +++ b/deps/openssl/openssl/crypto/x509/v3_ncons.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); -static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); +static int nc_match_single(int effective_type, GENERAL_NAME *sub, + GENERAL_NAME *gen); static int nc_dn(const X509_NAME *sub, const X509_NAME *nm); static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); 
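Review bot: the updated prototype names its pointer parameters `GENERAL_NAME *sub, GENERAL_NAME *gen`, but the definition later in this file uses `GENERAL_NAME *gen, GENERAL_NAME *base` and the callers pass `(effective_type, gen, sub->base)`, so the name `gen` refers to the second argument in the prototype and the first in the definition. Since the line is being touched anyway, rename the prototype parameters to `gen` and `base` to match.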
@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { GENERAL_SUBTREE *sub; int i, r, match = 0; + int effective_type = gen->type; + /* * We need to compare not gen->type field but an "effective" type because * the otherName field may contain EAI email address treated specially * according to RFC 8398, section 6 */ - int effective_type = ((gen->type == GEN_OTHERNAME) && - (OBJ_obj2nid(gen->d.otherName->type_id) == - NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type; + if (effective_type == GEN_OTHERNAME && + (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) { + effective_type = GEN_EMAIL; + } /* * Permitted subtrees: if any subtrees exist of matching the type at @@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); - if (effective_type != sub->base->type) + if (effective_type != sub->base->type + || (effective_type == GEN_OTHERNAME && + OBJ_cmp(gen->d.otherName->type_id, + sub->base->d.otherName->type_id) != 0)) continue; if (!nc_minmax_valid(sub)) return X509_V_ERR_SUBTREE_MINMAX; @@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) continue; if (match == 0) match = 1; - r = nc_match_single(gen, sub->base); + r = nc_match_single(effective_type, gen, sub->base); if (r == X509_V_OK) match = 2; else if (r != X509_V_ERR_PERMITTED_VIOLATION) 
@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); - if (effective_type != sub->base->type) + if (effective_type != sub->base->type + || (effective_type == GEN_OTHERNAME && + OBJ_cmp(gen->d.otherName->type_id, + sub->base->d.otherName->type_id) != 0)) continue; if (!nc_minmax_valid(sub)) return X509_V_ERR_SUBTREE_MINMAX; - r = nc_match_single(gen, sub->base); + r = nc_match_single(effective_type, gen, sub->base); if (r == X509_V_OK) return X509_V_ERR_EXCLUDED_VIOLATION; else if (r != X509_V_ERR_PERMITTED_VIOLATION) @@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) } -static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) +static int nc_match_single(int effective_type, GENERAL_NAME *gen, + GENERAL_NAME *base) { switch (gen->type) { case GEN_OTHERNAME: - /* - * We are here only when we have SmtpUTF8 name, - * so we match the value of othername with base->d.rfc822Name - */ - return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); + switch (effective_type) { + case GEN_EMAIL: + /* + * We are here only when we have SmtpUTF8 name, + * so we match the value of othername with base->d.rfc822Name + */ + return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); + + default: + return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; + } case GEN_DIRNAME: return nc_dn(gen->d.directoryName, base->d.directoryName); diff --git a/deps/openssl/openssl/crypto/x509/x509_txt.c b/deps/openssl/openssl/crypto/x509/x509_txt.c index 0c7ae1ed79d01a..f25bb41acb528f 100644 --- a/deps/openssl/openssl/crypto/x509/x509_txt.c +++ b/deps/openssl/openssl/crypto/x509/x509_txt.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -74,7 +74,7 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_PATH_LENGTH_EXCEEDED: return "path length constraint exceeded"; case X509_V_ERR_INVALID_PURPOSE: - return "unsupported certificate purpose"; + return "unsuitable certificate purpose"; case X509_V_ERR_CERT_UNTRUSTED: return "certificate not trusted"; case X509_V_ERR_CERT_REJECTED: diff --git a/deps/openssl/openssl/crypto/x509/x509_v3.c b/deps/openssl/openssl/crypto/x509/x509_v3.c index 262061a20f0dda..62ae7d6b8d6225 100644 --- a/deps/openssl/openssl/crypto/x509/x509_v3.c +++ b/deps/openssl/openssl/crypto/x509/x509_v3.c @@ -19,9 +19,12 @@ int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) { + int ret; + if (x == NULL) return 0; - return sk_X509_EXTENSION_num(x); + ret = sk_X509_EXTENSION_num(x); + return ret > 0 ? ret : 0; } int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, diff --git a/deps/openssl/openssl/crypto/x509/x509name.c b/deps/openssl/openssl/crypto/x509/x509name.c index 690e2799ffcdee..9ae0dc5de48ff5 100644 --- a/deps/openssl/openssl/crypto/x509/x509name.c +++ b/deps/openssl/openssl/crypto/x509/x509name.c @@ -49,9 +49,12 @@ int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, int X509_NAME_entry_count(const X509_NAME *name) { + int ret; + if (name == NULL) return 0; - return sk_X509_NAME_ENTRY_num(name->entries); + ret = sk_X509_NAME_ENTRY_num(name->entries); + return ret > 0 ? ret : 0; } int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos) diff --git a/deps/openssl/openssl/crypto/x509/x_pubkey.c b/deps/openssl/openssl/crypto/x509/x_pubkey.c index bc90ddd89b4952..b290075c858903 100644 
--- a/deps/openssl/openssl/crypto/x509/x_pubkey.c +++ b/deps/openssl/openssl/crypto/x509/x_pubkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) return key; } +/* Called from decoders; disallows provided DSA keys without parameters. */ +DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) +{ + DSA *key = NULL; + const unsigned char *data; + const BIGNUM *p, *q, *g; + + data = *pp; + key = d2i_DSA_PUBKEY(NULL, &data, length); + if (key == NULL) + return NULL; + DSA_get0_pqg(key, &p, &q, &g); + if (p == NULL || q == NULL || g == NULL) { + DSA_free(key); + return NULL; + } + *pp = data; + if (a != NULL) { + DSA_free(*a); + *a = key; + } + return key; +} + int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp) { EVP_PKEY *pktmp; diff --git a/deps/openssl/openssl/demos/README.txt b/deps/openssl/openssl/demos/README.txt index dae5c881d23e6b..e10239173faa5b 100644 --- a/deps/openssl/openssl/demos/README.txt +++ b/deps/openssl/openssl/demos/README.txt @@ -31,8 +31,12 @@ poly1305.c Demonstration of Poly1305-AES message authentication siphash.c Demonstration of SIPHASH message authentication pkey: -EVP_PKEY_EC_keygen.c Generate an EC key. -EVP_PKEY_RSA_keygen.c Generate an RSA key. +EVP_PKEY_EC_keygen.c Generate an EC key. +EVP_PKEY_RSA_keygen.c Generate an RSA key. +EVP_PKEY_DSA_keygen.c Generate a DSA key. +EVP_PKEY_DSA_paramgen.c Generate a DSA param key. +EVP_PKEY_DSA_paramvalidate.c Validate a DSA param key. +EVP_PKEY_DSA_paramfromdata.c Load a DSA param key using raw data. smime: 
diff --git a/deps/openssl/openssl/demos/encode/rsa_encode.c b/deps/openssl/openssl/demos/encode/rsa_encode.c new file mode 100644 index 00000000000000..2bf6d13e6ff504 --- /dev/null +++ b/deps/openssl/openssl/demos/encode/rsa_encode.c 
@@ -0,0 +1,202 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#include +#include +#include +#include + +/* + * Example showing the encoding and decoding of RSA public and private keys. A + * PEM-encoded RSA key is read in from stdin, decoded, and then re-encoded and + * output for demonstration purposes. Both public and private keys are accepted. + * + * This can be used to load RSA keys from a file or save RSA keys to a file. + */ + +/* A property query used for selecting algorithm implementations. */ +static const char *propq = NULL; + +/* + * Load a PEM-encoded RSA key from a file, optionally decrypting it with a + * supplied passphrase. + */ +static EVP_PKEY *load_key(OSSL_LIB_CTX *libctx, FILE *f, const char *passphrase) +{ + int rv = 0; + EVP_PKEY *pkey = NULL; + OSSL_DECODER_CTX *dctx = NULL; + int selection = 0; + + /* + * Create PEM decoder context expecting an RSA key. + * + * For raw (non-PEM-encoded) keys, change "PEM" to "DER". + * + * The selection argument here specifies whether we are willing to accept a + * public key, private key, or either. If it is set to zero, either will be + * accepted. If set to EVP_PKEY_KEYPAIR, a private key will be required, and + * if set to EVP_PKEY_PUBLIC_KEY, a public key will be required. + */ + dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", NULL, "RSA", + selection, + libctx, propq); + if (dctx == NULL) { + fprintf(stderr, "OSSL_DECODER_CTX_new_for_pkey() failed\n"); + goto cleanup; + } + + /* + * Set passphrase if provided; needed to decrypt encrypted PEM files. + * If the input is not encrypted, any passphrase provided is ignored. 
+ * + * Alternative methods for specifying passphrases exist, such as a callback + * (see OSSL_DECODER_CTX_set_passphrase_cb(3)), which may be more useful for + * interactive applications which do not know if a passphrase should be + * prompted for in advance, or for GUI applications. + */ + if (passphrase != NULL) { + if (OSSL_DECODER_CTX_set_passphrase(dctx, + (const unsigned char *)passphrase, + strlen(passphrase)) == 0) { + fprintf(stderr, "OSSL_DECODER_CTX_set_passphrase() failed\n"); + goto cleanup; + } + } + + /* Do the decode, reading from file. */ + if (OSSL_DECODER_from_fp(dctx, f) == 0) { + fprintf(stderr, "OSSL_DECODER_from_fp() failed\n"); + goto cleanup; + } + + rv = 1; +cleanup: + OSSL_DECODER_CTX_free(dctx); + + /* + * pkey is created by OSSL_DECODER_CTX_new_for_pkey, but we + * might fail subsequently, so ensure it's properly freed + * in this case. + */ + if (rv == 0) { + EVP_PKEY_free(pkey); + pkey = NULL; + } + + return pkey; +} + +/* + * Store an RSA public or private key to a file using PEM encoding. + * + * If a passphrase is supplied, the file is encrypted, otherwise + * it is unencrypted. + */ +static int store_key(EVP_PKEY *pkey, FILE *f, const char *passphrase) +{ + int rv = 0; + int selection; + OSSL_ENCODER_CTX *ectx = NULL; + + /* + * Create a PEM encoder context. + * + * For raw (non-PEM-encoded) output, change "PEM" to "DER". + * + * The selection argument controls whether the private key is exported + * (EVP_PKEY_KEYPAIR), or only the public key (EVP_PKEY_PUBLIC_KEY). The + * former will fail if we only have a public key. + * + * Note that unlike the decode API, you cannot specify zero here. + * + * Purely for the sake of demonstration, here we choose to export the whole + * key if a passphrase is provided and the public key otherwise. + */ + selection = (passphrase != NULL) + ? 
EVP_PKEY_KEYPAIR + : EVP_PKEY_PUBLIC_KEY; + + ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "PEM", NULL, propq); + if (ectx == NULL) { + fprintf(stderr, "OSSL_ENCODER_CTX_new_for_pkey() failed\n"); + goto cleanup; + } + + /* + * Set passphrase if provided; the encoded output will then be encrypted + * using the passphrase. + * + * Alternative methods for specifying passphrases exist, such as a callback + * (see OSSL_ENCODER_CTX_set_passphrase_cb(3), just as for OSSL_DECODER_CTX; + * however you are less likely to need them as you presumably know whether + * encryption is desired in advance. + * + * Note that specifying a passphrase alone is not enough to cause the + * key to be encrypted. You must set both a cipher and a passphrase. + */ + if (passphrase != NULL) { + /* Set cipher. AES-128-CBC is a reasonable default. */ + if (OSSL_ENCODER_CTX_set_cipher(ectx, "AES-128-CBC", propq) == 0) { + fprintf(stderr, "OSSL_ENCODER_CTX_set_cipher() failed\n"); + goto cleanup; + } + + /* Set passphrase. */ + if (OSSL_ENCODER_CTX_set_passphrase(ectx, + (const unsigned char *)passphrase, + strlen(passphrase)) == 0) { + fprintf(stderr, "OSSL_ENCODER_CTX_set_passphrase() failed\n"); + goto cleanup; + } + } + + /* Do the encode, writing to the given file. */ + if (OSSL_ENCODER_to_fp(ectx, f) == 0) { + fprintf(stderr, "OSSL_ENCODER_to_fp() failed\n"); + goto cleanup; + } + + rv = 1; +cleanup: + OSSL_ENCODER_CTX_free(ectx); + return rv; +} + +int main(int argc, char **argv) +{ + int rv = 1; + OSSL_LIB_CTX *libctx = NULL; + EVP_PKEY *pkey = NULL; + const char *passphrase_in = NULL, *passphrase_out = NULL; + + /* usage: rsa_encode */ + if (argc > 1 && argv[1][0]) + passphrase_in = argv[1]; + + if (argc > 2 && argv[2][0]) + passphrase_out = argv[2]; + + /* Decode PEM key from stdin and then PEM encode it to stdout. 
*/ + pkey = load_key(libctx, stdin, passphrase_in); + if (pkey == NULL) { + fprintf(stderr, "Failed to decode key\n"); + goto cleanup; + } + + if (store_key(pkey, stdout, passphrase_out) == 0) { + fprintf(stderr, "Failed to encode key\n"); + goto cleanup; + } + + rv = 0; +cleanup: + EVP_PKEY_free(pkey); + OSSL_LIB_CTX_free(libctx); + return rv; +} diff --git a/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_keygen.c b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_keygen.c new file mode 100644 index 00000000000000..bf74a2e6230ad7 --- /dev/null +++ b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_keygen.c 
@@ -0,0 +1,83 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Example showing how to generate an DSA key pair. + */ + +#include +#include "dsa.inc" + +/* + * Generate dsa params using default values. + * See the EVP_PKEY_DSA_param_fromdata demo if you need + * to load DSA params from raw values. + * See the EVP_PKEY_DSA_paramgen demo if you need to + * use non default parameters. + */ +EVP_PKEY *dsa_genparams(OSSL_LIB_CTX *libctx, const char *propq) +{ + EVP_PKEY *dsaparamkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + + /* Use the dsa params in a EVP_PKEY ctx */ + ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", propq); + if (ctx == NULL) { + fprintf(stderr, "EVP_PKEY_CTX_new_from_name() failed\n"); + return NULL; + } + + if (EVP_PKEY_paramgen_init(ctx) <= 0 + || EVP_PKEY_paramgen(ctx, &dsaparamkey) <= 0) { + fprintf(stderr, "DSA paramgen failed\n"); + goto cleanup; + } +cleanup: + EVP_PKEY_CTX_free(ctx); + return dsaparamkey; +} + +int main(int argc, char **argv) +{ + int rv = EXIT_FAILURE; + OSSL_LIB_CTX *libctx = NULL; + const char *propq = NULL; + EVP_PKEY *dsaparamskey = NULL; + EVP_PKEY *dsakey = NULL; + EVP_PKEY_CTX *ctx = NULL; + + /* Generate random dsa params */ + dsaparamskey = dsa_genparams(libctx, propq); + if (dsaparamskey == NULL) + goto cleanup; + + /* Use the dsa params in a EVP_PKEY ctx */ + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, dsaparamskey, propq); + if (ctx == NULL) { + fprintf(stderr, "EVP_PKEY_CTX_new_from_pkey() failed\n"); + goto cleanup; + } + + /* Generate a key using the dsa params */ + if (EVP_PKEY_keygen_init(ctx) <= 0 + || EVP_PKEY_keygen(ctx, &dsakey) <= 0) { + fprintf(stderr, "DSA keygen failed\n"); + goto cleanup; + } + + if 
(!dsa_print_key(dsakey, 1, libctx, propq)) + goto cleanup; + + rv = EXIT_SUCCESS; +cleanup: + EVP_PKEY_free(dsakey); + EVP_PKEY_free(dsaparamskey); + EVP_PKEY_CTX_free(ctx); + return rv; +} diff --git a/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramfromdata.c b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramfromdata.c new file mode 100644 index 00000000000000..4c9e55820e9430 --- /dev/null +++ b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramfromdata.c 
@@ -0,0 +1,75 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Example showing how to load DSA params from raw data + * using EVP_PKEY_fromdata() + */ + +#include +#include +#include +#include "dsa.inc" + +int main(int argc, char **argv) +{ + int rv = EXIT_FAILURE; + OSSL_LIB_CTX *libctx = NULL; + const char *propq = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *dsaparamkey = NULL; + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL; + + p = BN_bin2bn(dsa_p, sizeof(dsa_p), NULL); + q = BN_bin2bn(dsa_q, sizeof(dsa_q), NULL); + g = BN_bin2bn(dsa_g, sizeof(dsa_g), NULL); + if (p == NULL || q == NULL || g == NULL) + goto cleanup; + + /* Use OSSL_PARAM_BLD if you need to handle BIGNUM Parameters */ + bld = OSSL_PARAM_BLD_new(); + if (bld == NULL) + goto cleanup; + if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) + || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q) + || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)) + goto cleanup; + params = OSSL_PARAM_BLD_to_param(bld); + if (params == NULL) + goto cleanup; + + ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", propq); + if (ctx == NULL) { + fprintf(stderr, "EVP_PKEY_CTX_new_from_name() failed\n"); + goto cleanup; + } + + if (EVP_PKEY_fromdata_init(ctx) <= 0 + || EVP_PKEY_fromdata(ctx, &dsaparamkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) { + fprintf(stderr, "EVP_PKEY_fromdata() failed\n"); + goto cleanup; + } + + if (!dsa_print_key(dsaparamkey, 0, libctx, propq)) + goto cleanup; + + rv = EXIT_SUCCESS; +cleanup: + EVP_PKEY_free(dsaparamkey); + EVP_PKEY_CTX_free(ctx); + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(bld); + BN_free(g); + BN_free(q); + 
BN_free(p); + + return rv; +} diff --git a/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramgen.c b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramgen.c new file mode 100644 index 00000000000000..05dda29c9667aa --- /dev/null +++ b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramgen.c 
@@ -0,0 +1,66 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Example showing how to generate DSA params using + * FIPS 186-4 DSA FFC parameter generation. + */ + +#include +#include "dsa.inc" + +int main(int argc, char **argv) +{ + int rv = EXIT_FAILURE; + OSSL_LIB_CTX *libctx = NULL; + const char *propq = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *dsaparamkey = NULL; + OSSL_PARAM params[7]; + unsigned int pbits = 2048; + unsigned int qbits = 256; + int gindex = 42; + + ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", propq); + if (ctx == NULL) + goto cleanup; + + /* + * Demonstrate how to set optional DSA fields as params. + * See doc/man7/EVP_PKEY-FFC.pod and doc/man7/EVP_PKEY-DSA.pod + * for more information. 
+ */ + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, + "fips186_4", 0); + params[1] = OSSL_PARAM_construct_uint(OSSL_PKEY_PARAM_FFC_PBITS, &pbits); + params[2] = OSSL_PARAM_construct_uint(OSSL_PKEY_PARAM_FFC_QBITS, &qbits); + params[3] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FFC_GINDEX, &gindex); + params[4] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, + "SHA384", 0); + params[5] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST_PROPS, + "provider=default", 0); + params[6] = OSSL_PARAM_construct_end(); + + /* Generate a dsa param key using optional params */ + if (EVP_PKEY_paramgen_init(ctx) <= 0 + || EVP_PKEY_CTX_set_params(ctx, params) <= 0 + || EVP_PKEY_paramgen(ctx, &dsaparamkey) <= 0) { + fprintf(stderr, "DSA paramgen failed\n"); + goto cleanup; + } + + if (!dsa_print_key(dsaparamkey, 0, libctx, propq)) + goto cleanup; + + rv = EXIT_SUCCESS; +cleanup: + EVP_PKEY_free(dsaparamkey); + EVP_PKEY_CTX_free(ctx); + return rv; +} diff --git a/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramvalidate.c b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramvalidate.c new file mode 100644 index 00000000000000..f726d30fbf7f2b --- /dev/null +++ b/deps/openssl/openssl/demos/pkey/EVP_PKEY_DSA_paramvalidate.c 
@@ -0,0 +1,202 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Example showing how to validate DSA parameters. + * + * Proper FIPS 186-4 DSA (FFC) parameter validation requires that all + * the parameters used during parameter generation are supplied + * when doing the validation. Unfortunately saving DSA parameters as + * a PEM or DER file does not write out all required fields. Because + * of this the default provider normally only does a partial + * validation. The FIPS provider will however try to do a full + * validation. To force the default provider to use full + * validation the 'seed' that is output during generation must be + * added to the key. See doc/man7/EVP_PKEY-FFC for more information. 
+ */ + +#include +#include +#include +#include "dsa.inc" + +/* The following values were output from the EVP_PKEY_DSA_paramgen demo */ +static const char dsapem[] = + "-----BEGIN DSA PARAMETERS-----\n" + "MIICLAKCAQEA1pobSR1FJ3+Tvi0J6Tk1PSV2owZey1Nuo847hGw/59VCS6RPQEqr\n" + "vp5fhbvBjupBeVGA/AMH6rI4i4h6jlhurrqH1CqUHVcDhJzxV668bMLiP3mIxg5o\n" + "9Yq8x6BnSOtH5Je0tpeE0/fEvvLjCwBUbwnwWxzjANcvDUEt9XYeRrtB2v52fr56\n" + "hVYz3wMMNog4CEDOLTvx7/84eVPuUeWDRQFH1EaHMdulP34KBcatEEpEZapkepng\n" + "nohm9sFSPQhq2utpkH7pNXdG0EILBtRDCvUpF5720a48LYofdggh2VEZfgElAGFk\n" + "dW/CkvyBDmGIzil5aTz4MMsdudaVYgzt6wIhAPsSGC42Qa+X0AFGvonb5nmfUVm/\n" + "8aC+tHk7Nb2AYLHXAoIBADx5C0H1+QHsmGKvuOaY+WKUt7aWUrEivD1zBMJAQ6bL\n" + "Wv9lbCq1CFHvVzojeOVpn872NqDEpkx4HTpvqhxWL5CkbN/HaGItsQzkD59AQg3v\n" + "4YsLlkesq9Jq6x/aWetJXWO36fszFv1gpD3NY3wliBvMYHx62jfc5suh9D3ZZvu7\n" + "PLGH4X4kcfzK/R2b0oVbEBjVTe5GMRYZRqnvfSW2f2fA7BzI1OL83UxDDe58cL2M\n" + "GcAoUYXOBAfZ37qLMm2juf+o5gCrT4CXfRPu6kbapt7V/YIc1nsNgeAOKKoFBHBQ\n" + "gc5u5G6G/j79FVoSDq9DYwTJcHPsU+eHj1uWHso1AjQ=\n" + "-----END DSA PARAMETERS-----\n"; + +static const char hexseed[] = + "cba30ccd905aa7675a0b81769704bf3c" + "ccf2ca1892b2eaf6b9e2b38d9bf6affc" + "42ada55986d8a1772b442770954d0b65"; +const int gindex = 42; +const int pcounter = 363; +static const char digest[] = "SHA384"; + +/* + * Create a new dsa param key that is the combination of an existing param key + * plus extra parameters. 
+ */ +EVP_PKEY_CTX *create_merged_key(EVP_PKEY *dsaparams, const OSSL_PARAM *newparams, + OSSL_LIB_CTX *libctx, const char *propq) +{ + EVP_PKEY_CTX *out = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; + OSSL_PARAM *mergedparams = NULL; + OSSL_PARAM *loadedparams = NULL; + + /* Specify EVP_PKEY_KEY_PUBLIC here if you have a public key */ + if (EVP_PKEY_todata(dsaparams, EVP_PKEY_KEY_PARAMETERS, &loadedparams) <= 0) { + fprintf(stderr, "EVP_PKEY_todata() failed\n"); + goto cleanup; + } + mergedparams = OSSL_PARAM_merge(loadedparams, newparams); + if (mergedparams == NULL) { + fprintf(stderr, "OSSL_PARAM_merge() failed\n"); + goto cleanup; + } + + ctx = EVP_PKEY_CTX_new_from_name(libctx, "DSA", propq); + if (ctx == NULL) { + fprintf(stderr, "EVP_PKEY_CTX_new_from_name() failed\n"); + goto cleanup; + } + if (EVP_PKEY_fromdata_init(ctx) <= 0 + || EVP_PKEY_fromdata(ctx, &pkey, + EVP_PKEY_KEY_PARAMETERS, mergedparams) <= 0) { + fprintf(stderr, "EVP_PKEY_fromdata() failed\n"); + goto cleanup; + } + out = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); + if (out == NULL) { + fprintf(stderr, "EVP_PKEY_CTX_new_from_pkey() failed\n"); + goto cleanup; + } + +cleanup: + EVP_PKEY_free(pkey); + OSSL_PARAM_free(loadedparams); + OSSL_PARAM_free(mergedparams); + EVP_PKEY_CTX_free(ctx); + return out; +} + +int main(int argc, char **argv) +{ + int rv = EXIT_FAILURE; + OSSL_LIB_CTX *libctx = NULL; + const char *propq = NULL; + EVP_PKEY *dsaparamskey = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY_CTX *ctx1 = NULL; + EVP_PKEY_CTX *ctx2 = NULL; + BIO *in = NULL; + OSSL_PARAM params[6]; + unsigned char seed[64]; + size_t seedlen; + + if (!OPENSSL_hexstr2buf_ex(seed, sizeof(seed), &seedlen, hexseed, '\0')) + goto cleanup; + /* + * This example loads the PEM data from a memory buffer + * Use BIO_new_fp() to load a PEM file instead + */ + in = BIO_new_mem_buf(dsapem, strlen(dsapem)); + if (in == NULL) { + fprintf(stderr, "BIO_new_mem_buf() failed\n"); + goto cleanup; + } + + /* 
Load DSA params from pem data */ + dsaparamskey = PEM_read_bio_Parameters_ex(in, NULL, libctx, propq); + if (dsaparamskey == NULL) { + fprintf(stderr, "Failed to load dsa params\n"); + goto cleanup; + } + + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, dsaparamskey, propq); + if (ctx == NULL) { + fprintf(stderr, "EVP_PKEY_CTX_new_from_pkey() failed\n"); + goto cleanup; + } + /* + * When using the default provider this only does a partial check to + * make sure that the values of p, q and g are ok. + * This will fail however if the FIPS provider is used since it does + * a proper FIPS 186-4 key validation which requires extra parameters + */ + if (EVP_PKEY_param_check(ctx) <= 0) { + fprintf(stderr, "Simple EVP_PKEY_param_check() failed \n"); + goto cleanup; + } + + /* + * Setup parameters that we want to add. + * For illustration purposes it deliberately omits a required parameter. + */ + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, + "fips186_4", 0); + /* Force it to do a proper validation by setting the seed */ + params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_FFC_SEED, + (void *)seed, seedlen); + params[2] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FFC_GINDEX, (int *)&gindex); + params[3] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, (int *)&pcounter); + params[4] = OSSL_PARAM_construct_end(); + + /* generate a new key that is the combination of the existing key and the new params */ + ctx1 = create_merged_key(dsaparamskey, params, libctx, propq); + if (ctx1 == NULL) + goto cleanup; + /* This will fail since not all the parameters used for key generation are added */ + if (EVP_PKEY_param_check(ctx1) > 0) { + fprintf(stderr, "EVP_PKEY_param_check() should fail\n"); + goto cleanup; + } + + /* + * Add the missing parameters onto the end of the existing list of params + * If the default was used for the generation then this parameter is not + * needed + */ + params[4] = 
OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, + (char *)digest, 0); + params[5] = OSSL_PARAM_construct_end(); + ctx2 = create_merged_key(dsaparamskey, params, libctx, propq); + if (ctx2 == NULL) + goto cleanup; + if (EVP_PKEY_param_check(ctx2) <= 0) { + fprintf(stderr, "EVP_PKEY_param_check() failed\n"); + goto cleanup; + } + + if (!dsa_print_key(EVP_PKEY_CTX_get0_pkey(ctx2), 0, libctx, propq)) + goto cleanup; + + rv = EXIT_SUCCESS; +cleanup: + EVP_PKEY_free(dsaparamskey); + EVP_PKEY_CTX_free(ctx2); + EVP_PKEY_CTX_free(ctx1); + EVP_PKEY_CTX_free(ctx); + BIO_free(in); + return rv; +} diff --git a/deps/openssl/openssl/demos/pkey/Makefile b/deps/openssl/openssl/demos/pkey/Makefile index f19c0d14f4e4d9..9e7013003d6138 100644 --- a/deps/openssl/openssl/demos/pkey/Makefile +++ b/deps/openssl/openssl/demos/pkey/Makefile @@ -3,21 +3,35 @@ # # LD_LIBRARY_PATH=../.. ./EVP_PKEY_EC_keygen # LD_LIBRARY_PATH=../.. ./EVP_PKEY_RSA_keygen +# LD_LIBRARY_PATH=../.. ./EVP_PKEY_DSA_keygen +# LD_LIBRARY_PATH=../.. ./EVP_PKEY_DSA_paramgen +# LD_LIBRARY_PATH=../.. ./EVP_PKEY_DSA_paramvalidate +# LD_LIBRARY_PATH=../.. ./EVP_PKEY_DSA_paramfromdata CFLAGS = -I../../include -g -Wall LDFLAGS = -L../.. LDLIBS = -lcrypto -all: EVP_PKEY_EC_keygen EVP_PKEY_RSA_keygen +all: EVP_PKEY_EC_keygen EVP_PKEY_RSA_keygen EVP_PKEY_DSA_keygen \ + EVP_PKEY_DSA_paramgen EVP_PKEY_DSA_paramvalidate EVP_PKEY_DSA_paramfromdata \ -%.o: %.c +%.o: %.c dsa.inc $(CC) $(CFLAGS) -c $< EVP_PKEY_EC_keygen: EVP_PKEY_EC_keygen.o EVP_PKEY_RSA_keygen: EVP_PKEY_RSA_keygen.o +EVP_PKEY_DSA_keygen: EVP_PKEY_DSA_keygen.o + +EVP_PKEY_DSA_paramgen: EVP_PKEY_DSA_paramgen.o + +EVP_PKEY_DSA_paramvalidate: EVP_PKEY_DSA_paramvalidate.o + +EVP_PKEY_DSA_paramfromdata: EVP_PKEY_DSA_paramfromdata.o + test: ; clean: - $(RM) *.o EVP_PKEY_EC_keygen EVP_PKEY_RSA_keygen + $(RM) *.o EVP_PKEY_EC_keygen EVP_PKEY_RSA_keygen EVP_PKEY_DSA_keygen \ + EVP_PKEY_DSA_paramgen EVP_PKEY_DSA_paramfromdata EVP_PKEY_DSA_paramvalidate 
diff --git a/deps/openssl/openssl/demos/pkey/dsa.inc b/deps/openssl/openssl/demos/pkey/dsa.inc new file mode 100644 index 00000000000000..82c65057eb2af4 --- /dev/null +++ b/deps/openssl/openssl/demos/pkey/dsa.inc 
@@ -0,0 +1,172 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +/* Raw DSA params for P, Q and G */ +static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, + 0x03, 0xe9, 0xe6, 0xb8, 0xa2, 0x58, 0xdc, 0x16, + 0x61, 0x1b, 0xa0, 0x98, 0xab, 0x54, 0x34, 0x15, + 0xe4, 0x15, 0xf1, 0x56, 0x99, 0x7a, 0x3e, 0xe2, + 0x36, 0x65, 0x8f, 0xa0, 0x93, 0x26, 0x0d, 0xe3, + 0xad, 0x42, 0x2e, 0x05, 0xe0, 0x46, 0xf9, 0xec, + 0x29, 0x16, 0x1a, 0x37, 0x5f, 0x0e, 0xb4, 0xef, + 0xfc, 0xef, 0x58, 0x28, 0x5c, 0x5d, 0x39, 0xed, + 0x42, 0x5d, 0x7a, 0x62, 0xca, 0x12, 0x89, 0x6c, + 0x4a, 0x92, 0xcb, 0x19, 0x46, 0xf2, 0x95, 0x2a, + 0x48, 0x13, 0x3f, 0x07, 0xda, 0x36, 0x4d, 0x1b, + 0xdf, 0x6b, 0x0f, 0x71, 0x39, 0x98, 0x3e, 0x69, + 0x3c, 0x80, 0x05, 0x9b, 0x0e, 0xac, 0xd1, 0x47, + 0x9b, 0xa9, 0xf2, 0x85, 0x77, 0x54, 0xed, 0xe7, + 0x5f, 0x11, 0x2b, 0x07, 0xeb, 0xbf, 0x35, 0x34, + 0x8b, 0xbf, 0x3e, 0x01, 0xe0, 0x2f, 0x2d, 0x47, + 0x3d, 0xe3, 0x94, 0x53, 0xf9, 0x9d, 0xd2, 0x36, + 0x75, 0x41, 0xca, 0xca, 0x3b, 0xa0, 0x11, 0x66, + 0x34, 0x3d, 0x7b, 0x5b, 0x58, 0xa3, 0x7b, 0xd1, + 0xb7, 0x52, 0x1d, 0xb2, 0xf1, 0x3b, 0x86, 0x70, + 0x71, 0x32, 0xfe, 0x09, 0xf4, 0xcd, 0x09, 0xdc, + 0x16, 0x18, 0xfa, 0x34, 0x01, 0xeb, 0xf9, 0xcc, + 0x7b, 0x19, 0xfa, 0x94, 0xaa, 0x47, 0x20, 0x88, + 0x13, 0x3d, 0x6c, 0xb2, 0xd3, 0x5c, 0x11, 0x79, + 0xc8, 0xc8, 0xff, 0x36, 0x87, 0x58, 0xd5, 0x07, + 0xd9, 0xf9, 0xa1, 0x7d, 0x46, 0xc1, 0x10, 0xfe, + 0x31, 0x44, 0xce, 0x9b, 0x02, 0x2b, 0x42, 0xe4, + 0x19, 0xeb, 0x4f, 0x53, 0x88, 0x61, 0x3b, 0xfc, + 0x3e, 0x26, 0x24, 0x1a, 0x43, 0x2e, 0x87, 0x06, + 0xbc, 0x58, 0xef, 0x76, 0x11, 0x72, 
0x78, 0xde, + 0xab, 0x6c, 0xf6, 0x92, 0x61, 0x82, 0x91, 0xb7 +}; + +static const unsigned char dsa_q[] = { + 0xa3, 0xbf, 0xd9, 0xab, 0x78, 0x84, 0x79, 0x4e, + 0x38, 0x34, 0x50, 0xd5, 0x89, 0x1d, 0xc1, 0x8b, + 0x65, 0x15, 0x7b, 0xdc, 0xfc, 0xda, 0xc5, 0x15, + 0x18, 0x90, 0x28, 0x67 +}; + +static const unsigned char dsa_g[] = { + 0x68, 0x19, 0x27, 0x88, 0x69, 0xc7, 0xfd, 0x3d, + 0x2d, 0x7b, 0x77, 0xf7, 0x7e, 0x81, 0x50, 0xd9, + 0xad, 0x43, 0x3b, 0xea, 0x3b, 0xa8, 0x5e, 0xfc, + 0x80, 0x41, 0x5a, 0xa3, 0x54, 0x5f, 0x78, 0xf7, + 0x22, 0x96, 0xf0, 0x6c, 0xb1, 0x9c, 0xed, 0xa0, + 0x6c, 0x94, 0xb0, 0x55, 0x1c, 0xfe, 0x6e, 0x6f, + 0x86, 0x3e, 0x31, 0xd1, 0xde, 0x6e, 0xed, 0x7d, + 0xab, 0x8b, 0x0c, 0x9d, 0xf2, 0x31, 0xe0, 0x84, + 0x34, 0xd1, 0x18, 0x4f, 0x91, 0xd0, 0x33, 0x69, + 0x6b, 0xb3, 0x82, 0xf8, 0x45, 0x5e, 0x98, 0x88, + 0xf5, 0xd3, 0x1d, 0x47, 0x84, 0xec, 0x40, 0x12, + 0x02, 0x46, 0xf4, 0xbe, 0xa6, 0x17, 0x94, 0xbb, + 0xa5, 0x86, 0x6f, 0x09, 0x74, 0x64, 0x63, 0xbd, + 0xf8, 0xe9, 0xe1, 0x08, 0xcd, 0x95, 0x29, 0xc3, + 0xd0, 0xf6, 0xdf, 0x80, 0x31, 0x6e, 0x2e, 0x70, + 0xaa, 0xeb, 0x1b, 0x26, 0xcd, 0xb8, 0xad, 0x97, + 0xbc, 0x3d, 0x28, 0x7e, 0x0b, 0x8d, 0x61, 0x6c, + 0x42, 0xe6, 0x5b, 0x87, 0xdb, 0x20, 0xde, 0xb7, + 0x00, 0x5b, 0xc4, 0x16, 0x74, 0x7a, 0x64, 0x70, + 0x14, 0x7a, 0x68, 0xa7, 0x82, 0x03, 0x88, 0xeb, + 0xf4, 0x4d, 0x52, 0xe0, 0x62, 0x8a, 0xf9, 0xcf, + 0x1b, 0x71, 0x66, 0xd0, 0x34, 0x65, 0xf3, 0x5a, + 0xcc, 0x31, 0xb6, 0x11, 0x0c, 0x43, 0xda, 0xbc, + 0x7c, 0x5d, 0x59, 0x1e, 0x67, 0x1e, 0xaf, 0x7c, + 0x25, 0x2c, 0x1c, 0x14, 0x53, 0x36, 0xa1, 0xa4, + 0xdd, 0xf1, 0x32, 0x44, 0xd5, 0x5e, 0x83, 0x56, + 0x80, 0xca, 0xb2, 0x53, 0x3b, 0x82, 0xdf, 0x2e, + 0xfe, 0x55, 0xec, 0x18, 0xc1, 0xe6, 0xcd, 0x00, + 0x7b, 0xb0, 0x89, 0x75, 0x8b, 0xb1, 0x7c, 0x2c, + 0xbe, 0x14, 0x44, 0x1b, 0xd0, 0x93, 0xae, 0x66, + 0xe5, 0x97, 0x6d, 0x53, 0x73, 0x3f, 0x4f, 0xa3, + 0x26, 0x97, 0x01, 0xd3, 0x1d, 0x23, 0xd4, 0x67 +}; + +/* Helper function to retrieve and print a key BIGNUM field */ 
+static void print_bn(BIO *bio, const EVP_PKEY *pkey, const char *name) +{ + BIGNUM *bn = NULL; + + if (EVP_PKEY_get_bn_param(pkey, name, &bn) == 0) + return; + + BIO_printf(bio, " %s = 0x", name); + BN_print(bio, bn); + BIO_printf(bio, "\n"); + BN_clear_free(bn); +} + +/* + * Print DSA key info + * + * This method shows how to extract DSA data from an EVP_PKEY. + * There are simpler ways to print using EVP_PKEY_print_XXXX(). + */ +static int dsa_print_key(const EVP_PKEY *pkey, int keypair, + OSSL_LIB_CTX *libctx, const char *propq) +{ + + int rv = 0, gindex, counter; + BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE); + unsigned char seed[2048]; + size_t seedlen; + + if (bio == NULL) + return 0; + + /* Output hexadecimal representations of the BIGNUM objects. */ + BIO_printf(bio, "\nPublic values:\n"); + print_bn(bio, pkey, OSSL_PKEY_PARAM_FFC_P); + print_bn(bio, pkey, OSSL_PKEY_PARAM_FFC_Q); + print_bn(bio, pkey, OSSL_PKEY_PARAM_FFC_G); + + if (EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_FFC_SEED, seed, + sizeof(seed), &seedlen) > 0) { + BIO_printf(bio, " %s\n", OSSL_PKEY_PARAM_FFC_SEED); + BIO_dump(bio, seed, seedlen); + } + if (EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_FFC_GINDEX, &gindex) > 0) { + if (gindex != -1) + BIO_printf(bio, " %s = %d\n", OSSL_PKEY_PARAM_FFC_GINDEX, gindex); + } + if (EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_FFC_PCOUNTER, &counter) > 0) { + if (counter != -1) + BIO_printf(bio, " %s = %d\n", OSSL_PKEY_PARAM_FFC_PCOUNTER, counter); + } + + if (keypair) { + fprintf(stdout, "\nPrivate value:\n"); + print_bn(bio, pkey, OSSL_PKEY_PARAM_PRIV_KEY); + + /* Output a PEM encoding of the public key. */ + if (PEM_write_bio_PUBKEY_ex(bio, pkey, libctx, propq) == 0) { + fprintf(stderr, "Failed to output PEM-encoded public key\n"); + goto cleanup; + } + + /* + * Output a PEM encoding of the private key. Please note that this output is + * not encrypted. 
You may wish to use the arguments to specify encryption of + * the key if you are storing it on disk. See PEM_write_bio_PrivateKey_ex(3). + */ + if (PEM_write_bio_PrivateKey_ex(bio, pkey, NULL, NULL, 0, NULL, NULL, libctx, propq) == 0) { + fprintf(stderr, "Failed to output PEM-encoded private key\n"); + goto cleanup; + } + } else { + if (PEM_write_bio_Parameters(bio, pkey) == 0) { + fprintf(stderr, "Failed to output PEM-encoded params\n"); + goto cleanup; + } + } + rv = 1; +cleanup: + BIO_free(bio); + return rv; +} diff --git a/deps/openssl/openssl/dev/release-aux/release-version-fn.sh b/deps/openssl/openssl/dev/release-aux/release-version-fn.sh index e9e1ac3850785f..b924fad8c0cc1c 100644 --- a/deps/openssl/openssl/dev/release-aux/release-version-fn.sh +++ b/deps/openssl/openssl/dev/release-aux/release-version-fn.sh @@ -54,6 +54,9 @@ get_version () { -e 's|^dev$|0|' \ -e 's|^alpha([0-9]+)(-(dev))?$|\1|' \ -e 's|^beta([0-9]+)(-(dev))?$|\1|' ) + _BUILD_METADATA='' + if [ -n "$PRE_RELEASE_TAG" ]; then _PRE_RELEASE_TAG="-${PRE_RELEASE_TAG}"; fi + if [ -n "$BUILD_METADATA" ]; then _BUILD_METADATA="+${BUILD_METADATA}"; fi } # $1 is one of "alpha", "beta", "final", "", or "minor" @@ -102,6 +105,7 @@ set_version () { PRE_RELEASE_TAG="$PRE_LABEL$PRE_NUM" ;; esac + if [ -n "$PRE_RELEASE_TAG" ]; then _PRE_RELEASE_TAG="-${PRE_RELEASE_TAG}"; fi cat > "$SOURCEDIR/VERSION.dat" < + +Extra build metadata to be used by anyone for their own purposes. + =item B This is normally empty in the git workspace, but should always have the diff --git a/deps/openssl/openssl/doc/HOWTO/certificates.txt b/deps/openssl/openssl/doc/HOWTO/certificates.txt index cfd2bdabb130c7..78ab97b4192800 100644 --- a/deps/openssl/openssl/doc/HOWTO/certificates.txt +++ b/deps/openssl/openssl/doc/HOWTO/certificates.txt 
@@ -30,7 +30,7 @@ keys, so before you create a certificate or a certificate request, you need to create a private key. Private keys are generated with 'openssl genrsa -out privkey.pem' if -you want a RSA private key, or if you want a DSA private key: +you want an RSA private key, or if you want a DSA private key: 'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'. The private keys created by these commands are not passphrase protected; diff --git a/deps/openssl/openssl/doc/HOWTO/keys.txt b/deps/openssl/openssl/doc/HOWTO/keys.txt index 9f0967cf55778a..c4a74c54fcb8c1 100644 --- a/deps/openssl/openssl/doc/HOWTO/keys.txt +++ b/deps/openssl/openssl/doc/HOWTO/keys.txt @@ -14,9 +14,9 @@ algorithms. The most popular ones associated with certificates are RSA and DSA, and this HOWTO will show how to generate each of them. -2. To generate a RSA key +2. To generate an RSA key -A RSA key can be used both for encryption and for signing. +An RSA key can be used both for encryption and for signing. Generating a key for the RSA algorithm is quite easy, all you have to do is the following: diff --git a/deps/openssl/openssl/doc/build.info b/deps/openssl/openssl/doc/build.info index 48741c1bfd8e45..91de84cbedf72f 100644 --- a/deps/openssl/openssl/doc/build.info +++ b/deps/openssl/openssl/doc/build.info @@ -651,6 +651,10 @@ DEPEND[html/man3/BIO_s_core.html]=man3/BIO_s_core.pod GENERATE[html/man3/BIO_s_core.html]=man3/BIO_s_core.pod DEPEND[man/man3/BIO_s_core.3]=man3/BIO_s_core.pod GENERATE[man/man3/BIO_s_core.3]=man3/BIO_s_core.pod +DEPEND[html/man3/BIO_s_datagram.html]=man3/BIO_s_datagram.pod +GENERATE[html/man3/BIO_s_datagram.html]=man3/BIO_s_datagram.pod +DEPEND[man/man3/BIO_s_datagram.3]=man3/BIO_s_datagram.pod +GENERATE[man/man3/BIO_s_datagram.3]=man3/BIO_s_datagram.pod DEPEND[html/man3/BIO_s_fd.html]=man3/BIO_s_fd.pod GENERATE[html/man3/BIO_s_fd.html]=man3/BIO_s_fd.pod DEPEND[man/man3/BIO_s_fd.3]=man3/BIO_s_fd.pod 
@@ -991,6 +995,10 @@ DEPEND[html/man3/ECDSA_SIG_new.html]=man3/ECDSA_SIG_new.pod GENERATE[html/man3/ECDSA_SIG_new.html]=man3/ECDSA_SIG_new.pod DEPEND[man/man3/ECDSA_SIG_new.3]=man3/ECDSA_SIG_new.pod GENERATE[man/man3/ECDSA_SIG_new.3]=man3/ECDSA_SIG_new.pod +DEPEND[html/man3/ECDSA_sign.html]=man3/ECDSA_sign.pod +GENERATE[html/man3/ECDSA_sign.html]=man3/ECDSA_sign.pod +DEPEND[man/man3/ECDSA_sign.3]=man3/ECDSA_sign.pod +GENERATE[man/man3/ECDSA_sign.3]=man3/ECDSA_sign.pod DEPEND[html/man3/ECPKParameters_print.html]=man3/ECPKParameters_print.pod GENERATE[html/man3/ECPKParameters_print.html]=man3/ECPKParameters_print.pod DEPEND[man/man3/ECPKParameters_print.3]=man3/ECPKParameters_print.pod @@ -1159,6 +1167,10 @@ DEPEND[html/man3/EVP_PKEY_CTX_get0_libctx.html]=man3/EVP_PKEY_CTX_get0_libctx.po GENERATE[html/man3/EVP_PKEY_CTX_get0_libctx.html]=man3/EVP_PKEY_CTX_get0_libctx.pod DEPEND[man/man3/EVP_PKEY_CTX_get0_libctx.3]=man3/EVP_PKEY_CTX_get0_libctx.pod GENERATE[man/man3/EVP_PKEY_CTX_get0_libctx.3]=man3/EVP_PKEY_CTX_get0_libctx.pod +DEPEND[html/man3/EVP_PKEY_CTX_get0_pkey.html]=man3/EVP_PKEY_CTX_get0_pkey.pod +GENERATE[html/man3/EVP_PKEY_CTX_get0_pkey.html]=man3/EVP_PKEY_CTX_get0_pkey.pod +DEPEND[man/man3/EVP_PKEY_CTX_get0_pkey.3]=man3/EVP_PKEY_CTX_get0_pkey.pod +GENERATE[man/man3/EVP_PKEY_CTX_get0_pkey.3]=man3/EVP_PKEY_CTX_get0_pkey.pod DEPEND[html/man3/EVP_PKEY_CTX_new.html]=man3/EVP_PKEY_CTX_new.pod GENERATE[html/man3/EVP_PKEY_CTX_new.html]=man3/EVP_PKEY_CTX_new.pod DEPEND[man/man3/EVP_PKEY_CTX_new.3]=man3/EVP_PKEY_CTX_new.pod 
@@ -1539,6 +1551,14 @@ DEPEND[html/man3/OPENSSL_strcasecmp.html]=man3/OPENSSL_strcasecmp.pod GENERATE[html/man3/OPENSSL_strcasecmp.html]=man3/OPENSSL_strcasecmp.pod DEPEND[man/man3/OPENSSL_strcasecmp.3]=man3/OPENSSL_strcasecmp.pod GENERATE[man/man3/OPENSSL_strcasecmp.3]=man3/OPENSSL_strcasecmp.pod +DEPEND[html/man3/OSSL_ALGORITHM.html]=man3/OSSL_ALGORITHM.pod +GENERATE[html/man3/OSSL_ALGORITHM.html]=man3/OSSL_ALGORITHM.pod +DEPEND[man/man3/OSSL_ALGORITHM.3]=man3/OSSL_ALGORITHM.pod +GENERATE[man/man3/OSSL_ALGORITHM.3]=man3/OSSL_ALGORITHM.pod +DEPEND[html/man3/OSSL_CALLBACK.html]=man3/OSSL_CALLBACK.pod +GENERATE[html/man3/OSSL_CALLBACK.html]=man3/OSSL_CALLBACK.pod +DEPEND[man/man3/OSSL_CALLBACK.3]=man3/OSSL_CALLBACK.pod +GENERATE[man/man3/OSSL_CALLBACK.3]=man3/OSSL_CALLBACK.pod DEPEND[html/man3/OSSL_CMP_CTX_new.html]=man3/OSSL_CMP_CTX_new.pod GENERATE[html/man3/OSSL_CMP_CTX_new.html]=man3/OSSL_CMP_CTX_new.pod DEPEND[man/man3/OSSL_CMP_CTX_new.3]=man3/OSSL_CMP_CTX_new.pod @@ -1619,6 +1639,10 @@ DEPEND[html/man3/OSSL_DECODER_from_bio.html]=man3/OSSL_DECODER_from_bio.pod GENERATE[html/man3/OSSL_DECODER_from_bio.html]=man3/OSSL_DECODER_from_bio.pod DEPEND[man/man3/OSSL_DECODER_from_bio.3]=man3/OSSL_DECODER_from_bio.pod GENERATE[man/man3/OSSL_DECODER_from_bio.3]=man3/OSSL_DECODER_from_bio.pod +DEPEND[html/man3/OSSL_DISPATCH.html]=man3/OSSL_DISPATCH.pod +GENERATE[html/man3/OSSL_DISPATCH.html]=man3/OSSL_DISPATCH.pod +DEPEND[man/man3/OSSL_DISPATCH.3]=man3/OSSL_DISPATCH.pod +GENERATE[man/man3/OSSL_DISPATCH.3]=man3/OSSL_DISPATCH.pod DEPEND[html/man3/OSSL_ENCODER.html]=man3/OSSL_ENCODER.pod GENERATE[html/man3/OSSL_ENCODER.html]=man3/OSSL_ENCODER.pod DEPEND[man/man3/OSSL_ENCODER.3]=man3/OSSL_ENCODER.pod 
@@ -1651,6 +1675,10 @@ DEPEND[html/man3/OSSL_HTTP_transfer.html]=man3/OSSL_HTTP_transfer.pod GENERATE[html/man3/OSSL_HTTP_transfer.html]=man3/OSSL_HTTP_transfer.pod DEPEND[man/man3/OSSL_HTTP_transfer.3]=man3/OSSL_HTTP_transfer.pod GENERATE[man/man3/OSSL_HTTP_transfer.3]=man3/OSSL_HTTP_transfer.pod +DEPEND[html/man3/OSSL_ITEM.html]=man3/OSSL_ITEM.pod +GENERATE[html/man3/OSSL_ITEM.html]=man3/OSSL_ITEM.pod +DEPEND[man/man3/OSSL_ITEM.3]=man3/OSSL_ITEM.pod +GENERATE[man/man3/OSSL_ITEM.3]=man3/OSSL_ITEM.pod DEPEND[html/man3/OSSL_LIB_CTX.html]=man3/OSSL_LIB_CTX.pod GENERATE[html/man3/OSSL_LIB_CTX.html]=man3/OSSL_LIB_CTX.pod DEPEND[man/man3/OSSL_LIB_CTX.3]=man3/OSSL_LIB_CTX.pod @@ -2902,6 +2930,7 @@ html/man3/BIO_s_accept.html \ html/man3/BIO_s_bio.html \ html/man3/BIO_s_connect.html \ html/man3/BIO_s_core.html \ +html/man3/BIO_s_datagram.html \ html/man3/BIO_s_fd.html \ html/man3/BIO_s_file.html \ html/man3/BIO_s_mem.html \ @@ -2987,6 +3016,7 @@ html/man3/DTLS_get_data_mtu.html \ html/man3/DTLS_set_timer_cb.html \ html/man3/DTLSv1_listen.html \ html/man3/ECDSA_SIG_new.html \ +html/man3/ECDSA_sign.html \ html/man3/ECPKParameters_print.html \ html/man3/EC_GFp_simple_method.html \ html/man3/EC_GROUP_copy.html \ @@ -3029,6 +3059,7 @@ html/man3/EVP_PKEY2PKCS8.html \ html/man3/EVP_PKEY_ASN1_METHOD.html \ html/man3/EVP_PKEY_CTX_ctrl.html \ html/man3/EVP_PKEY_CTX_get0_libctx.html \ +html/man3/EVP_PKEY_CTX_get0_pkey.html \ html/man3/EVP_PKEY_CTX_new.html \ html/man3/EVP_PKEY_CTX_set1_pbe_pass.html \ html/man3/EVP_PKEY_CTX_set_hkdf_md.html \ @@ -3124,6 +3155,8 @@ html/man3/OPENSSL_malloc.html \ html/man3/OPENSSL_s390xcap.html \ html/man3/OPENSSL_secure_malloc.html \ html/man3/OPENSSL_strcasecmp.html \ +html/man3/OSSL_ALGORITHM.html \ +html/man3/OSSL_CALLBACK.html \ html/man3/OSSL_CMP_CTX_new.html \ html/man3/OSSL_CMP_HDR_get0_transactionID.html \ html/man3/OSSL_CMP_ITAV_set0.html \ 
@@ -3144,6 +3177,7 @@ html/man3/OSSL_DECODER.html \ html/man3/OSSL_DECODER_CTX.html \ html/man3/OSSL_DECODER_CTX_new_for_pkey.html \ html/man3/OSSL_DECODER_from_bio.html \ +html/man3/OSSL_DISPATCH.html \ html/man3/OSSL_ENCODER.html \ html/man3/OSSL_ENCODER_CTX.html \ html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \ @@ -3152,6 +3186,7 @@ html/man3/OSSL_ESS_check_signing_certs.html \ html/man3/OSSL_HTTP_REQ_CTX.html \ html/man3/OSSL_HTTP_parse_url.html \ html/man3/OSSL_HTTP_transfer.html \ +html/man3/OSSL_ITEM.html \ html/man3/OSSL_LIB_CTX.html \ html/man3/OSSL_PARAM.html \ html/man3/OSSL_PARAM_BLD.html \ @@ -3499,6 +3534,7 @@ man/man3/BIO_s_accept.3 \ man/man3/BIO_s_bio.3 \ man/man3/BIO_s_connect.3 \ man/man3/BIO_s_core.3 \ +man/man3/BIO_s_datagram.3 \ man/man3/BIO_s_fd.3 \ man/man3/BIO_s_file.3 \ man/man3/BIO_s_mem.3 \ @@ -3584,6 +3620,7 @@ man/man3/DTLS_get_data_mtu.3 \ man/man3/DTLS_set_timer_cb.3 \ man/man3/DTLSv1_listen.3 \ man/man3/ECDSA_SIG_new.3 \ +man/man3/ECDSA_sign.3 \ man/man3/ECPKParameters_print.3 \ man/man3/EC_GFp_simple_method.3 \ man/man3/EC_GROUP_copy.3 \ @@ -3626,6 +3663,7 @@ man/man3/EVP_PKEY2PKCS8.3 \ man/man3/EVP_PKEY_ASN1_METHOD.3 \ man/man3/EVP_PKEY_CTX_ctrl.3 \ man/man3/EVP_PKEY_CTX_get0_libctx.3 \ +man/man3/EVP_PKEY_CTX_get0_pkey.3 \ man/man3/EVP_PKEY_CTX_new.3 \ man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 \ man/man3/EVP_PKEY_CTX_set_hkdf_md.3 \ @@ -3721,6 +3759,8 @@ man/man3/OPENSSL_malloc.3 \ man/man3/OPENSSL_s390xcap.3 \ man/man3/OPENSSL_secure_malloc.3 \ man/man3/OPENSSL_strcasecmp.3 \ +man/man3/OSSL_ALGORITHM.3 \ +man/man3/OSSL_CALLBACK.3 \ man/man3/OSSL_CMP_CTX_new.3 \ man/man3/OSSL_CMP_HDR_get0_transactionID.3 \ man/man3/OSSL_CMP_ITAV_set0.3 \ @@ -3741,6 +3781,7 @@ man/man3/OSSL_DECODER.3 \ man/man3/OSSL_DECODER_CTX.3 \ man/man3/OSSL_DECODER_CTX_new_for_pkey.3 \ man/man3/OSSL_DECODER_from_bio.3 \ +man/man3/OSSL_DISPATCH.3 \ man/man3/OSSL_ENCODER.3 \ man/man3/OSSL_ENCODER_CTX.3 \ man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \ 
@@ -3749,6 +3790,7 @@ man/man3/OSSL_ESS_check_signing_certs.3 \ man/man3/OSSL_HTTP_REQ_CTX.3 \ man/man3/OSSL_HTTP_parse_url.3 \ man/man3/OSSL_HTTP_transfer.3 \ +man/man3/OSSL_ITEM.3 \ man/man3/OSSL_LIB_CTX.3 \ man/man3/OSSL_PARAM.3 \ man/man3/OSSL_PARAM_BLD.3 \ @@ -4069,6 +4111,10 @@ html/man5/x509v3_config.html MANDOCS[man5]=man/man5/config.5 \ man/man5/fips_config.5 \ man/man5/x509v3_config.5 +DEPEND[html/man7/EVP_ASYM_CIPHER-RSA.html]=man7/EVP_ASYM_CIPHER-RSA.pod +GENERATE[html/man7/EVP_ASYM_CIPHER-RSA.html]=man7/EVP_ASYM_CIPHER-RSA.pod +DEPEND[man/man7/EVP_ASYM_CIPHER-RSA.7]=man7/EVP_ASYM_CIPHER-RSA.pod +GENERATE[man/man7/EVP_ASYM_CIPHER-RSA.7]=man7/EVP_ASYM_CIPHER-RSA.pod DEPEND[html/man7/EVP_ASYM_CIPHER-SM2.html]=man7/EVP_ASYM_CIPHER-SM2.pod GENERATE[html/man7/EVP_ASYM_CIPHER-SM2.html]=man7/EVP_ASYM_CIPHER-SM2.pod DEPEND[man/man7/EVP_ASYM_CIPHER-SM2.7]=man7/EVP_ASYM_CIPHER-SM2.pod @@ -4569,7 +4615,8 @@ man7/img/kdf.png \ man7/img/mac.png \ man7/img/pkey.png \ man7/img/rand.png -HTMLDOCS[man7]=html/man7/EVP_ASYM_CIPHER-SM2.html \ +HTMLDOCS[man7]=html/man7/EVP_ASYM_CIPHER-RSA.html \ +html/man7/EVP_ASYM_CIPHER-SM2.html \ html/man7/EVP_CIPHER-AES.html \ html/man7/EVP_CIPHER-ARIA.html \ html/man7/EVP_CIPHER-BLOWFISH.html \ @@ -4692,7 +4739,8 @@ html/man7/provider.html \ html/man7/proxy-certificates.html \ html/man7/ssl.html \ html/man7/x509.html -MANDOCS[man7]=man/man7/EVP_ASYM_CIPHER-SM2.7 \ +MANDOCS[man7]=man/man7/EVP_ASYM_CIPHER-RSA.7 \ +man/man7/EVP_ASYM_CIPHER-SM2.7 \ man/man7/EVP_CIPHER-AES.7 \ man/man7/EVP_CIPHER-ARIA.7 \ man/man7/EVP_CIPHER-BLOWFISH.7 \ diff --git a/deps/openssl/openssl/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/deps/openssl/openssl/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod index 1fee9f6ff9729e..7099e449647312 100644 --- a/deps/openssl/openssl/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +++ b/deps/openssl/openssl/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod 
@@ -20,12 +20,14 @@ OP_CACHE_ELEM int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, OSSL_CALLBACK *export_cb, void *export_cbarg); - void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); + void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, + int selection); OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt); + EVP_KEYMGMT *keymgmt, + int selection); int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); - int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt, void *keydata); + int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, + void *keydata, int selection); void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, int selection, const OSSL_PARAM params[]); @@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a given key I via a B interface. This is used as a helper for L. +In all functions that take a I argument, the selection is used to +constraint the information requested on export. It is also used in the cache +so that key data is guaranteed to contain all the information requested in +the selection. + =head1 RETURN VALUES evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata() diff --git a/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod b/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod index 591c3451934bd2..8bd5594c484c47 100644 --- a/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod +++ b/deps/openssl/openssl/doc/internal/man3/ossl_provider_new.pod 
@@ -301,7 +301,7 @@ I<*result> to 1 or 0 accorddingly. ossl_provider_init_as_child() stores in the library context I references to the necessary upcalls for managing child providers. The I and I -parameters are the B and B pointers that were +parameters are the B and L pointers that were passed to the provider's B function. ossl_provider_deinit_child() deregisters callbacks from the parent library diff --git a/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in b/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in index 2982b2ad0bde0c..77e82091413b8e 100644 --- a/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-cmp.pod.in @@ -503,15 +503,17 @@ The default value is 1, which means preferring to keep the connection open. =item B<-msg_timeout> I -Number of seconds (or 0 for infinite) a CMP request-response message round trip +Number of seconds a CMP request-response message round trip is allowed to take before a timeout error is returned. +A value <= 0 means no limitation (waiting indefinitely). Default is to use the B<-total_timeout> setting. =item B<-total_timeout> I -Maximum number seconds an overall enrollment transaction may take, -including attempts polling for certificates on C PKIStatus. -Default is 0 (infinite). +Maximum total number of seconds a transaction may take, +including polling etc. +A value <= 0 means no limitation (waiting indefinitely). +Default is 0. =back @@ -1232,7 +1234,7 @@ The B<-engine option> was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/openssl-enc.pod.in b/deps/openssl/openssl/doc/man1/openssl-enc.pod.in index f424358ab3dcf2..fdfa7f67d3ee5e 100644 
--- a/deps/openssl/openssl/doc/man1/openssl-enc.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-enc.pod.in @@ -256,6 +256,19 @@ All RC2 ciphers have the same key and effective key length. Blowfish and RC5 algorithms use a 128 bit key. +Please note that OpenSSL 3.0 changed the effect of the B<-S> option. +Any explicit salt value specified via this option is no longer prepended to the +ciphertext when encrypting, and must again be explicitly provided when decrypting. +Conversely, when the B<-S> option is used during decryption, the ciphertext +is expected to not have a prepended salt value. + +When using OpenSSL 3.0 or later to decrypt data that was encrypted with an +explicit salt under OpenSSL 1.1.1 do not use the B<-S> option, the salt will +then be read from the ciphertext. +To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use +the B<-S> option, the salt will be then be generated randomly and prepended +to the output. + =head1 SUPPORTED CIPHERS Note that some of these ciphers can be disabled at compile time @@ -435,7 +448,7 @@ The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/openssl-gendsa.pod.in b/deps/openssl/openssl/doc/man1/openssl-gendsa.pod.in index 3dc2e3a6bde6bf..b6d37c576d3a0e 100644 --- a/deps/openssl/openssl/doc/man1/openssl-gendsa.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-gendsa.pod.in 
@@ -57,6 +57,9 @@ These options encrypt the private key with specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified no encryption is used. +Note that all options must be given before the I argument. +Otherwise they are ignored. + =item B<-verbose> Print extra details about the operations being performed. @@ -95,7 +98,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/openssl-storeutl.pod.in b/deps/openssl/openssl/doc/man1/openssl-storeutl.pod.in index 80dc7e36c8fdde..26d5ee28e647d2 100644 --- a/deps/openssl/openssl/doc/man1/openssl-storeutl.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-storeutl.pod.in @@ -28,12 +28,12 @@ B B [B<-fingerprint> I] [B<-I>] {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} -I ... +I =head1 DESCRIPTION This command can be used to display the contents (after -decryption as the case may be) fetched from the given URIs. +decryption as the case may be) fetched from the given URI. =head1 OPTIONS @@ -76,6 +76,9 @@ Only select the certificates, keys or CRLs from the given URI. However, if this URI would return a set of names (URIs), those are always returned. +Note that all options must be given before the I argument. +Otherwise they are ignored. + =item B<-subject> I Search for an object having the subject name I. 
@@ -134,7 +137,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/openssl-x509.pod.in b/deps/openssl/openssl/doc/man1/openssl-x509.pod.in index 06ed965d784e70..dd8f17154af966 100644 --- a/deps/openssl/openssl/doc/man1/openssl-x509.pod.in +++ b/deps/openssl/openssl/doc/man1/openssl-x509.pod.in @@ -411,7 +411,7 @@ or given with the B<-key> (or B<-signkey>) option. This option is useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. -It can also be used in conjunction with b<-new> and B<-subj> to directly +It can also be used in conjunction with B<-new> and B<-subj> to directly generate a certificate containing any desired public key. =item B<-clrext> diff --git a/deps/openssl/openssl/doc/man3/BIO_read.pod b/deps/openssl/openssl/doc/man3/BIO_read.pod index a2d8ab3af0e60f..f337aab353bb68 100644 --- a/deps/openssl/openssl/doc/man3/BIO_read.pod +++ b/deps/openssl/openssl/doc/man3/BIO_read.pod @@ -42,7 +42,7 @@ if present in the input data. On binary input there may be NUL characters within the string; in this case the return value (if nonnegative) may give an incorrect length. -BIO_get_line() attempts to read from BIO a line of data up to the next '\n' +BIO_get_line() attempts to read from BIO I a line of data up to the next '\n' or the maximum length I is reached and places the data in I. The returned string is always NUL-terminated and the '\n' is preserved if present in the input data. 
@@ -119,7 +119,7 @@ I parameter of the function can be NULL since OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_connect.pod b/deps/openssl/openssl/doc/man3/BIO_s_connect.pod index 88450dffce527e..ab813b32d03159 100644 --- a/deps/openssl/openssl/doc/man3/BIO_s_connect.pod +++ b/deps/openssl/openssl/doc/man3/BIO_s_connect.pod @@ -28,7 +28,7 @@ BIO_set_nbio, BIO_do_connect - connect BIO long BIO_set_nbio(BIO *b, long n); - int BIO_do_connect(BIO *b); + long BIO_do_connect(BIO *b); =head1 DESCRIPTION @@ -201,7 +201,7 @@ Use BIO_set_conn_address() and BIO_get_conn_address() instead. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_datagram.pod b/deps/openssl/openssl/doc/man3/BIO_s_datagram.pod new file mode 100644 index 00000000000000..f5bdd831cfe1d6 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/BIO_s_datagram.pod 
@@ -0,0 +1,234 @@ +=pod + +=head1 NAME + +BIO_s_datagram, BIO_new_dgram, +BIO_ctrl_dgram_connect, +BIO_ctrl_set_connected, +BIO_dgram_recv_timedout, +BIO_dgram_send_timedout, +BIO_dgram_get_peer, +BIO_dgram_set_peer, +BIO_dgram_get_mtu_overhead - Network BIO with datagram semantics + +=head1 SYNOPSIS + + #include + + BIO_METHOD *BIO_s_datagram(void); + BIO *BIO_new_dgram(int fd, int close_flag); + + int BIO_ctrl_dgram_connect(BIO *bio, const BIO_ADDR *peer); + int BIO_ctrl_set_connected(BIO *bio, const BIO_ADDR *peer); + int BIO_dgram_recv_timedout(BIO *bio); + int BIO_dgram_send_timedout(BIO *bio); + int BIO_dgram_get_peer(BIO *bio, BIO_ADDR *peer); + int BIO_dgram_set_peer(BIO *bio, const BIO_ADDR *peer); + int BIO_dgram_get_mtu_overhead(BIO *bio); + +=head1 DESCRIPTION + +BIO_s_datagram() is a BIO implementation designed for use with network sockets +which provide datagram semantics, such as UDP sockets. It is suitable for use +with DTLSv1. + +Because BIO_s_datagram() has datagram semantics, a single BIO_write() call sends +a single datagram and a single BIO_read() call receives a single datagram. If +the size of the buffer passed to BIO_read() is inadequate, the datagram is +silently truncated. + +When using BIO_s_datagram(), it is important to note that: + +=over 4 + +=item + +This BIO can be used with either a connected or unconnected network socket. A +connected socket is a network socket which has had L or a +similar OS-specific function called on it. Such a socket can only receive +datagrams from the specified peer. Any other socket is an unconnected socket and +can receive datagrams from any host. + +=item + +Despite their naming, +neither BIO_ctrl_dgram_connect() nor BIO_ctrl_set_connected() cause a socket +to become connected. These controls are provided to indicate to the BIO how +the underlying socket is configured and how it is to be used; see below. 
+ +=item + +Use of BIO_s_datagram() with an unconnected network socket is hazardous hecause +any successful call to BIO_read() results in the peer address used for any +subsequent call to BIO_write() being set to the source address of the datagram +received by that call to BIO_read(). Thus, unless the caller calls +BIO_dgram_set_peer() immediately prior to every call to BIO_write(), or never +calls BIO_read(), any host on the network may cause future datagrams written to +be redirected to that host. Therefore, it is recommended that users use +BIO_s_dgram() only with a connected socket. An exception is where +L must be used; see L for further +discussion. + +=back + +Various controls are available for configuring the BIO_s_datagram() using +L: + +=over 4 + +=item BIO_ctrl_dgram_connect (BIO_CTRL_DGRAM_CONNECT) + +This is equivalent to calling L. + +Despite its name, this function does not cause the underlying socket to become +connected. + +=item BIO_ctrl_set_connected (BIO_CTRL_SET_CONNECTED) + +This informs the BIO_s_datagram() whether the underlying socket has been +connected, and therefore how the BIO_s_datagram() should attempt to use the +socket. + +If the I argument is non-NULL, BIO_s_datagram() assumes that the +underlying socket has been connected and will attempt to use the socket using OS +APIs which do not specify peer addresses (for example, send(3) and recv(3) or +similar). The I argument should specify the peer address to which the socket +is connected. + +If the I argument is NULL, BIO_s_datagram() assumes that the underlying +socket is not connected and will attempt to use the socket using an OS APIs +which specify peer addresses (for example, sendto(3) and recvfrom(3)). 
+ +=item BIO_dgram_get_peer (BIO_CTRL_DGRAM_GET_PEER) + +This outputs a B which specifies one of the following values, +whichever happened most recently: + +=over 4 + +=item + +The peer address last passed to BIO_dgram_set_peer(), BIO_ctrl_dgram_connect() +or BIO_ctrl_set_connected(). + +=item + +The peer address of the datagram last received by a call to BIO_read(). + +=back + +=item BIO_dgram_set_peer (BIO_CTRL_DGRAM_SET_PEER) + +Sets the peer address to be used for subsequent writes to this BIO. + +Warning: When used with an unconnected network socket, the value set may be +modified by future calls to L, making use of BIO_s_datagram() +hazardous when used with unconnected network sockets; see above. + +=item BIO_dgram_recv_timeout (BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP) + +Returns 1 if the last I/O operation performed on the BIO (for example, via a +call to L) may have been caused by a receive timeout. + +=item BIO_dgram_send_timedout (BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP) + +Returns 1 if the last I/O operation performed on the BIO (for example, via a +call to L) may have been caused by a send timeout. + +=item BIO_dgram_get_mtu_overhead (BIO_CTRL_DGRAM_GET_MTU_OVERHEAD) + +Returns a quantity in bytes which is a rough estimate of the number of bytes of +overhead which should typically be added to a datagram payload size in order to +estimate the final size of the Layer 3 (e.g. IP) packet which will contain the +datagram. In most cases, the maximum datagram payload size which can be +transmitted can be determined by determining the link MTU in bytes and +subtracting the value returned by this call. + +The value returned by this call depends on the network layer protocol being +used. + +The value returned is not fully reliable because datagram overheads can be +higher in atypical network configurations, for example where IPv6 extension +headers or IPv4 options are used. 
+ +=item BIO_CTRL_DGRAM_SET_DONT_FRAG + +If I is nonzero, configures the underlying network socket to enable Don't +Fragment mode, in which datagrams will be set with the IP Don't Fragment (DF) +bit set. If I is zero, Don't Fragment mode is disabled. + +=item BIO_CTRL_DGRAM_QUERY_MTU + +Queries the OS for its assessment of the Path MTU for the destination to which +the underlying network socket, and returns that Path MTU in bytes. This control +can only be used with a connected socket. + +This is not supported on all platforms and depends on OS support being +available. Returns 0 on failure. + +=item BIO_CTRL_DGRAM_MTU_DISCOVER + +This control requests that Path MTU discovery be enabled on the underlying +network socket. + +=item BIO_CTRL_DGRAM_GET_FALLBACK_MTU + +Returns the estimated minimum size of datagram payload which should always be +supported on the BIO. This size is determined by the minimum MTU required to be +supported by the applicable underlying network layer. Use of datagrams of this +size may lead to suboptimal performance, but should be routable in all +circumstances. The value returned is the datagram payload size in bytes and does +not include the size of layer 3 or layer 4 protocol headers. + +=item BIO_CTRL_DGRAM_MTU_EXCEEDED + +Returns 1 if the last attempted write to the BIO failed due to the size of the +attempted write exceeding the applicable MTU. + +=item BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT + +Accepts a pointer to a B. If the time specified is zero, +disables receive timeouts. Otherwise, configures the specified time interval as +the receive timeout for the socket for the purposes of future L +calls. + +=item BIO_CTRL_DGRAM_SET_PEEK_MODE + +If B is nonzero, enables peek mode; otherwise, disables peek mode. Where +peek mode is enabled, calls to L read datagrams from the underlying +network socket in peek mode, meaning that a future call to L will +yield the same datagram until peek mode is disabled. 
+ +=back + +BIO_new_dgram() is a helper function which instantiates a BIO_s_datagram() and +sets the BIO to use the socket given in I by calling BIO_set_fd(). + +=head1 RETURN VALUES + +BIO_s_datagram() returns a BIO method. + +BIO_new_dgram() returns a BIO on success and NULL on failure. + +BIO_ctrl_dgram_connect(), BIO_ctrl_set_connected(), +BIO_dgram_get_peer(), BIO_dgram_set_peer() return 1 on success and 0 on failure. + +BIO_dgram_recv_timedout() and BIO_dgram_send_timedout() return 0 or 1 depending +on the circumstance; see discussion above. + +BIO_dgram_get_mtu_overhead() returns a value in bytes. + +=head1 SEE ALSO + +L, L + +=head1 COPYRIGHT + +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man3/DES_random_key.pod b/deps/openssl/openssl/doc/man3/DES_random_key.pod index 0887453f27a291..ff16961ea92adf 100644 --- a/deps/openssl/openssl/doc/man3/DES_random_key.pod +++ b/deps/openssl/openssl/doc/man3/DES_random_key.pod @@ -294,9 +294,12 @@ not suitable for most applications; see L. =head1 RETURN VALUES -DES_set_key(), DES_key_sched(), DES_set_key_checked() and DES_is_weak_key() +DES_set_key(), DES_key_sched(), and DES_set_key_checked() return 0 on success or negative values on error. +DES_is_weak_key() returns 1 if the passed key is a weak key, 0 if it +is ok. + DES_cbc_cksum() and DES_quad_cksum() return 4-byte integer representing the last 4 bytes of the checksum of the input. diff --git a/deps/openssl/openssl/doc/man3/DTLSv1_listen.pod b/deps/openssl/openssl/doc/man3/DTLSv1_listen.pod index 13f6f1ff14575f..26f34e33acf577 100644 --- a/deps/openssl/openssl/doc/man3/DTLSv1_listen.pod +++ b/deps/openssl/openssl/doc/man3/DTLSv1_listen.pod 
@@ -64,6 +64,23 @@ does not support this), then B<*peer> will be cleared and the family set to AF_UNSPEC. Typically user code is expected to "connect" the underlying socket to the peer and continue the handshake in a connected state. +Warning: It is essential that the calling code connects the underlying socket to +the peer after making use of DTLSv1_listen(). In the typical case where +L is used, the peer address is updated when receiving a +datagram on an unconnected socket. If the socket is not connected, it can +receive datagrams from any host on the network, which will cause subsequent +outgoing datagrams transmitted by DTLS to be transmitted to that host. In other +words, failing to call BIO_connect() or a similar OS-specific function on a +socket means that any host on the network can cause outgoing DTLS traffic to be +redirected to it by sending a datagram to the socket in question. This does not +break the cryptographic protections of DTLS but may facilitate a +denial-of-service attack or allow unencrypted information in the DTLS handshake +to be learned by an attacker. This is due to the historical design of +L; see L for details on this issue. + +Once a socket has been connected, L should be used to +inform the BIO that the socket is to be used in connected mode. + Prior to calling DTLSv1_listen() user code must ensure that cookie generation and verification callbacks have been set up using L and L @@ -126,7 +143,7 @@ The type of "peer" also changed in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod b/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod index 00c611251e43b4..3266c43b550c43 100644 
--- a/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod +++ b/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod @@ -2,11 +2,9 @@ =head1 NAME -ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0, -ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign, -ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex, -ECDSA_do_sign_ex - low-level elliptic curve digital signature algorithm (ECDSA) -functions +ECDSA_SIG_new, ECDSA_SIG_free, +ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0 +- Functions for creating, destroying and manipulating ECDSA_SIG objects =head1 SYNOPSIS 
@@ -19,37 +17,18 @@ functions const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -The following functions have been deprecated since OpenSSL 3.0, and can be -hidden entirely by defining B with a suitable version value, -see L: - - int ECDSA_size(const EC_KEY *eckey); - - int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, - unsigned char *sig, unsigned int *siglen, EC_KEY *eckey); - ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, - EC_KEY *eckey); - - int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen, - const unsigned char *sig, int siglen, EC_KEY *eckey); - int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, - const ECDSA_SIG *sig, EC_KEY* eckey); - - ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, - const BIGNUM *kinv, const BIGNUM *rp, - EC_KEY *eckey); - int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp); - int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen, - unsigned char *sig, unsigned int *siglen, - const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey); - =head1 DESCRIPTION B is an opaque structure consisting of two BIGNUMs for the -I and I value of an ECDSA signature (see X9.62 or FIPS186-2). +I and I value of an Elliptic Curve Digital Signature Algorithm (ECDSA) signature +(see FIPS186-4 or X9.62). +The B object was mainly used by the deprecated low level functions described in +L, it is still required in order to be able to set or get the values of +I and I into or from a signature. This is mainly used for testing purposes as shown +in the L. -ECDSA_SIG_new() allocates an empty B structure. Note: before -OpenSSL 1.1.0 the: the I and I components were initialised. +ECDSA_SIG_new() allocates an empty B structure. +Note: before OpenSSL 1.1.0, the I and I components were initialised. ECDSA_SIG_free() frees the B structure I. 
@@ -69,52 +48,6 @@ passed in should not be freed by the caller. See L and L for information about encoding and decoding ECDSA signatures to/from DER. -All of the functions described below are deprecated. Applications should -use the higher level B interface such as L -or L instead. - -ECDSA_size() returns the maximum length of a DER encoded ECDSA signature -created with the private EC key I. To obtain the actual signature -size use L with a NULL I parameter. - -ECDSA_sign() computes a digital signature of the I bytes hash value -I using the private EC key I. The DER encoded signatures is -stored in I and its length is returned in I. Note: I must -point to ECDSA_size(eckey) bytes of memory. The parameter I is currently -ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with I -and I set to NULL. - -ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned -as a newly allocated B structure (or NULL on error). ECDSA_do_sign() -is a wrapper function for ECDSA_do_sign_ex() with I and I set to -NULL. - -ECDSA_verify() verifies that the signature in I of size I is a -valid ECDSA signature of the hash value I of size I using the -public key I. The parameter I is ignored. - -ECDSA_do_verify() is similar to ECDSA_verify() except the signature is -presented in the form of a pointer to an B structure. - -The remaining functions utilise the internal I and I values used -during signature computation. Most applications will never need to call these -and some external ECDSA ENGINE implementations may not support them at all if -either I or I is not NULL. - -ECDSA_sign_setup() may be used to precompute parts of the signing operation. -I is the private EC key and I is a pointer to B structure -(or NULL). The precomputed values or returned in I and I and can be -used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex(). 
- -ECDSA_sign_ex() computes a digital signature of the I bytes hash value -I using the private EC key I and the optional pre-computed values -I and I. The DER encoded signature is stored in I and its -length is returned in I. Note: I must point to ECDSA_size(eckey) -bytes of memory. The parameter I is ignored. - -ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is -returned as a newly allocated B structure (or NULL on error). - =head1 RETURN VALUES ECDSA_SIG_new() returns NULL if the allocation fails. 
@@ -124,74 +57,71 @@ ECDSA_SIG_set0() returns 1 on success or 0 on failure. ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value, or NULL if it is unset. -ECDSA_size() returns the maximum length signature or 0 on error. - -ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful -or 0 on error. - -ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated -B structure or NULL on error. - -ECDSA_verify() and ECDSA_do_verify() return 1 for a valid -signature, 0 for an invalid signature and -1 on error. -The error codes can be obtained by L. - =head1 EXAMPLES -Creating an ECDSA signature of a given SHA-256 hash value using the -named curve prime256v1 (aka P-256). +Extract signature I and I values from a ECDSA I +of size I: -First step: create an EC_KEY object (note: this part is B ECDSA -specific) + ECDSA_SIG *obj; + const BIGNUM *r, *s; - int ret; - ECDSA_SIG *sig; - EC_KEY *eckey; - - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (eckey == NULL) - /* error */ - if (EC_KEY_generate_key(eckey) == 0) + /* Load a signature into the ECDSA_SIG object */ + obj = d2i_ECDSA_SIG(NULL, &signature, signaturelen); + if (obj == NULL) /* error */ -Second step: compute the ECDSA signature of a SHA-256 hash value -using ECDSA_do_sign(): - - sig = ECDSA_do_sign(digest, 32, eckey); - if (sig == NULL) + r = ECDSA_SIG_get0_r(obj); + s = ECDSA_SIG_get0_s(obj); + if (r == NULL || s == NULL) /* error */ -or using ECDSA_sign(): + /* Use BN_bn2binpad() here to convert to r and s into byte arrays */ - unsigned char *buffer, *pp; - int buf_len; + /* + * Do not try to access I or I after calling ECDSA_SIG_free(), + * as they are both freed by this call. 
+ */ + ECDSA_SIG_free(obj); - buf_len = ECDSA_size(eckey); - buffer = OPENSSL_malloc(buf_len); - pp = buffer; - if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) - /* error */ +Convert I and I byte arrays into an ECDSA_SIG I of +size I: -Third step: verify the created ECDSA signature using ECDSA_do_verify(): + ECDSA_SIG *obj = NULL; + unsigned char *signature = NULL; + size_t signaturelen; + BIGNUM *rbn = NULL, *sbn = NULL; - ret = ECDSA_do_verify(digest, 32, sig, eckey); + obj = ECDSA_SIG_new(); + if (obj == NULL) + /* error */ + rbn = BN_bin2bn(r, rlen, NULL); + sbn = BN_bin2bn(s, slen, NULL); + if (rbn == NULL || sbn == NULL) + /* error */ -or using ECDSA_verify(): + if (!ECDSA_SIG_set0(obj, rbn, sbn)) + /* error */ + /* Set these to NULL since they are now owned by obj */ + rbn = sbn = NULL; - ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey); + signaturelen = i2d_ECDSA_SIG(obj, &signature); + if (signaturelen <= 0) + /* error */ -and finally evaluate the return value: + /* + * This signature could now be passed to L + * or L + */ - if (ret == 1) - /* signature ok */ - else if (ret == 0) - /* incorrect signature */ - else - /* error */ + BN_free(rbn); + BN_free(sbn); + OPENSSL_free(signature); + ECDSA_SIG_free(obj); =head1 CONFORMING TO -ANSI X9.62, US Federal Information Processing Standard FIPS186-2 +ANSI X9.62, +US Federal Information Processing Standard FIPS186-4 (Digital Signature Standard, DSS) =head1 SEE ALSO @@ -201,13 +131,8 @@ L, L, L L, -L - -=head1 HISTORY - -The ECDSA_size(), ECDSA_sign(), ECDSA_do_sign(), ECDSA_verify(), -ECDSA_do_verify(), ECDSA_sign_setup(), ECDSA_sign_ex() and ECDSA_do_sign_ex() -functions were deprecated in OpenSSL 3.0. +L, +L =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man3/ECDSA_sign.pod b/deps/openssl/openssl/doc/man3/ECDSA_sign.pod new file mode 100644 index 00000000000000..7e5646665335a0 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/ECDSA_sign.pod 
@@ -0,0 +1,186 @@ +=pod + +=head1 NAME + +ECDSA_size, ECDSA_sign, ECDSA_do_sign, +ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex, +ECDSA_do_sign_ex - deprecated low-level elliptic curve digital signature algorithm +(ECDSA) functions + +=head1 SYNOPSIS + + #include + +The following functions have been deprecated since OpenSSL 3.0, and can be +hidden entirely by defining B with a suitable version value, +see L: + + int ECDSA_size(const EC_KEY *eckey); + + int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, EC_KEY *eckey); + ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, + EC_KEY *eckey); + + int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int siglen, EC_KEY *eckey); + int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY* eckey); + + ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, + const BIGNUM *kinv, const BIGNUM *rp, + EC_KEY *eckey); + int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp); + int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey); + +=head1 DESCRIPTION + +See L for a description of the B object. + +See L and L for information about encoding +and decoding ECDSA signatures to/from DER. + +All of the functions described below are deprecated. Applications should +use the higher level B interface such as L +or L instead. + +ECDSA_size() returns the maximum length of a DER encoded ECDSA signature +created with the private EC key I. To obtain the actual signature +size use L with a NULL I parameter. + +ECDSA_sign() computes a digital signature of the I bytes hash value +I using the private EC key I. The DER encoded signatures is +stored in I and its length is returned in I. 
Note: I must +point to ECDSA_size(eckey) bytes of memory. The parameter I is currently +ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with I +and I set to NULL. + +ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned +as a newly allocated B structure (or NULL on error). ECDSA_do_sign() +is a wrapper function for ECDSA_do_sign_ex() with I and I set to +NULL. + +ECDSA_verify() verifies that the signature in I of size I is a +valid ECDSA signature of the hash value I of size I using the +public key I. The parameter I is ignored. + +ECDSA_do_verify() is similar to ECDSA_verify() except the signature is +presented in the form of a pointer to an B structure. + +The remaining functions utilise the internal I and I values used +during signature computation. Most applications will never need to call these +and some external ECDSA ENGINE implementations may not support them at all if +either I or I is not NULL. + +ECDSA_sign_setup() may be used to precompute parts of the signing operation. +I is the private EC key and I is a pointer to B structure +(or NULL). The precomputed values or returned in I and I and can be +used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex(). + +ECDSA_sign_ex() computes a digital signature of the I bytes hash value +I using the private EC key I and the optional pre-computed values +I and I. The DER encoded signature is stored in I and its +length is returned in I. Note: I must point to ECDSA_size(eckey) +bytes of memory. The parameter I is ignored. + +ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is +returned as a newly allocated B structure (or NULL on error). + +=head1 RETURN VALUES + +ECDSA_size() returns the maximum length signature or 0 on error. + +ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful +or 0 on error. + +ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated +B structure or NULL on error. 
+ +ECDSA_verify() and ECDSA_do_verify() return 1 for a valid +signature, 0 for an invalid signature and -1 on error. +The error codes can be obtained by L. + +=head1 EXAMPLES + +Creating an ECDSA signature of a given SHA-256 hash value using the +named curve prime256v1 (aka P-256). +This example uses deprecated functionality. See L. + +First step: create an EC_KEY object (note: this part is B ECDSA +specific) + + int ret; + ECDSA_SIG *sig; + EC_KEY *eckey; + + eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (eckey == NULL) + /* error */ + if (EC_KEY_generate_key(eckey) == 0) + /* error */ + +Second step: compute the ECDSA signature of a SHA-256 hash value +using ECDSA_do_sign(): + + sig = ECDSA_do_sign(digest, 32, eckey); + if (sig == NULL) + /* error */ + +or using ECDSA_sign(): + + unsigned char *buffer, *pp; + int buf_len; + + buf_len = ECDSA_size(eckey); + buffer = OPENSSL_malloc(buf_len); + pp = buffer; + if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) + /* error */ + +Third step: verify the created ECDSA signature using ECDSA_do_verify(): + + ret = ECDSA_do_verify(digest, 32, sig, eckey); + +or using ECDSA_verify(): + + ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey); + +and finally evaluate the return value: + + if (ret == 1) + /* signature ok */ + else if (ret == 0) + /* incorrect signature */ + else + /* error */ + +=head1 CONFORMING TO + +ANSI X9.62, US Federal Information Processing Standard FIPS186-2 +(Digital Signature Standard, DSS) + +=head1 SEE ALSO + +L, +L, +L, +L +L, +L + +=head1 HISTORY + +All functionality described here was deprecated in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut 
diff --git a/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod b/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod index bb5e6abaf2c6fa..651f059d4fd54b 100644 --- a/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod +++ b/deps/openssl/openssl/doc/man3/EC_GROUP_copy.pod @@ -247,12 +247,12 @@ L, L =head1 HISTORY EC_GROUP_method_of() was deprecated in OpenSSL 3.0. - -EC_GROUP_check_named_curve() and EC_GROUP_get_field_type() were added in OpenSSL 3.0. +EC_GROUP_get0_field(), EC_GROUP_check_named_curve() and EC_GROUP_get_field_type() were added in OpenSSL 3.0. +EC_GROUP_get0_order(), EC_GROUP_order_bits() and EC_GROUP_get0_cofactor() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ERR_GET_LIB.pod b/deps/openssl/openssl/doc/man3/ERR_GET_LIB.pod index f0779548e6d4b9..1d7fa587f9df1a 100644 --- a/deps/openssl/openssl/doc/man3/ERR_GET_LIB.pod +++ b/deps/openssl/openssl/doc/man3/ERR_GET_LIB.pod @@ -42,6 +42,14 @@ The library number, reason code, and whether the error is fatal, respectively. Starting with OpenSSL 3.0.0, the function code is always set to zero. +=head1 NOTES + +Applications should not make control flow decisions based on specific error +codes. Error codes are subject to change at any time (even in patch releases of +OpenSSL). A particular error code can only be considered meaningful for control +flow decisions if it is explicitly documented as such. New failure codes may +still appear at any time. + =head1 SEE ALSO L 
@@ -54,7 +62,7 @@ ERR_GET_FUNC() was removed in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod b/deps/openssl/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod index 72910a55990158..c158ec1ae74a7e 100644 --- a/deps/openssl/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod +++ b/deps/openssl/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod @@ -75,7 +75,7 @@ meant for display and human consumption. The description is at the discretion of the I implementation. EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params() -return a constant B array that describes the names and types of key +return a constant L array that describes the names and types of key parameters that can be retrieved or set by a key encryption algorithm using L and L. @@ -90,7 +90,7 @@ EVP_ASYM_CIPHER_names_do_all() returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params() -return a constant B array or NULL on error. +return a constant L array or NULL on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod index 5b9d75b7040470..1953df3c5e8d45 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod 
@@ -207,27 +207,24 @@ See L below for more information. =item EVP_MD_gettable_params() -Get a constant B array that describes the retrievable parameters -that can be used with EVP_MD_get_params(). See L for the -use of B as a parameter descriptor. +Get a constant L array that describes the retrievable parameters +that can be used with EVP_MD_get_params(). =item EVP_MD_gettable_ctx_params(), EVP_MD_CTX_gettable_params() -Get a constant B array that describes the retrievable parameters +Get a constant L array that describes the retrievable parameters that can be used with EVP_MD_CTX_get_params(). EVP_MD_gettable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_MD_CTX_gettable_params() returns the parameters that can be retrieved -in the context's current state. See L for the use of -B as a parameter descriptor. +in the context's current state. =item EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() -Get a constant B array that describes the settable parameters +Get a constant L array that describes the settable parameters that can be used with EVP_MD_CTX_set_params(). EVP_MD_settable_ctx_params() returns the parameters that can be set from the algorithm, whereas EVP_MD_CTX_settable_params() returns the parameters that can be set in the -context's current state. See L for the use of B -as a parameter descriptor. +context's current state. =item EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags() @@ -569,6 +566,7 @@ Returns 1 for success or 0 for failure. EVP_Digest(), EVP_DigestInit_ex2(), EVP_DigestInit_ex(), +EVP_DigestInit(), EVP_DigestUpdate(), EVP_DigestFinal_ex(), EVP_DigestFinalXOF(), and @@ -589,7 +587,7 @@ Returns 1 if successful or 0 for failure. =item EVP_MD_CTX_settable_params(), EVP_MD_CTX_gettable_params() -Return an array of constant Bs, or NULL if there is none +Return an array of constant Ls, or NULL if there is none to get. =item EVP_MD_CTX_copy_ex() 
@@ -607,7 +605,7 @@ EVP_MD_get_block_size(), EVP_MD_CTX_get_size(), EVP_MD_CTX_get_block_size() -Returns the digest or block size in bytes. +Returns the digest or block size in bytes or -1 for failure. =item EVP_md_null() @@ -643,6 +641,13 @@ are still in common use. For most applications the I parameter to EVP_DigestInit_ex() will be set to NULL to use the default digest implementation. +Ignoring failure returns of EVP_DigestInit_ex(), EVP_DigestInit_ex2(), or +EVP_DigestInit() can lead to undefined behavior on subsequent calls +updating or finalizing the B such as the EVP_DigestUpdate() or +EVP_DigestFinal() functions. The only valid calls on the B +when initialization fails are calls that attempt another initialization of +the context or release the context. + The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are obsolete but are retained to maintain compatibility with existing code. New applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and @@ -690,10 +695,26 @@ digest name passed on the command line. } mdctx = EVP_MD_CTX_new(); - EVP_DigestInit_ex2(mdctx, md, NULL); - EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); - EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); - EVP_DigestFinal_ex(mdctx, md_value, &md_len); + if (!EVP_DigestInit_ex2(mdctx, md, NULL)) { + printf("Message digest initialization failed.\n"); + EVP_MD_CTX_free(mdctx); + exit(1); + } + if (!EVP_DigestUpdate(mdctx, mess1, strlen(mess1))) { + printf("Message digest update failed.\n"); + EVP_MD_CTX_free(mdctx); + exit(1); + } + if (!EVP_DigestUpdate(mdctx, mess2, strlen(mess2))) { + printf("Message digest update failed.\n"); + EVP_MD_CTX_free(mdctx); + exit(1); + } + if (!EVP_DigestFinal_ex(mdctx, md_value, &md_len)) { + printf("Message digest finalization failed.\n"); + EVP_MD_CTX_free(mdctx); + exit(1); + } EVP_MD_CTX_free(mdctx); printf("Digest is: "); 
@@ -763,7 +784,7 @@ in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod index f142639bfc287a..7232e9786026c5 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod @@ -172,6 +172,10 @@ multiple times on a context and the parameters set by previous calls should be preserved if the I parameter is NULL. The call then just resets the state of the I. +Ignoring failure returns of EVP_DigestSignInit() and EVP_DigestSignInit_ex() +functions can lead to subsequent undefined behavior when calling +EVP_DigestSignUpdate(), EVP_DigestSignFinal(), or EVP_DigestSign(). + The use of EVP_PKEY_get_size() with these functions is discouraged because some signature operations may have a signature length which depends on the parameters set. As a result EVP_PKEY_get_size() would have to return a value @@ -197,7 +201,7 @@ EVP_DigestSignUpdate() was converted from a macro to a function in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod index 87739a9a02b107..55826fe16bd54f 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod 
@@ -161,6 +161,10 @@ multiple times on a context and the parameters set by previous calls should be preserved if the I parameter is NULL. The call then just resets the state of the I. +Ignoring failure returns of EVP_DigestVerifyInit() and EVP_DigestVerifyInit_ex() +functions can lead to subsequent undefined behavior when calling +EVP_DigestVerifyUpdate(), EVP_DigestVerifyFinal(), or EVP_DigestVerify(). + =head1 SEE ALSO L, @@ -182,7 +186,7 @@ EVP_DigestVerifyUpdate() was converted from a macro to a function in OpenSSL =head1 COPYRIGHT -Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod b/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod index 15834349f00570..7d7db3c9f708e7 100644 --- a/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_EncryptInit.pod 
@@ -316,27 +316,24 @@ See L below for more information. =item EVP_CIPHER_gettable_params() -Get a constant B array that describes the retrievable parameters -that can be used with EVP_CIPHER_get_params(). See L for the -use of B as a parameter descriptor. +Get a constant L array that describes the retrievable parameters +that can be used with EVP_CIPHER_get_params(). =item EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params() -Get a constant B array that describes the retrievable parameters +Get a constant L array that describes the retrievable parameters that can be used with EVP_CIPHER_CTX_get_params(). EVP_CIPHER_gettable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() returns the parameters that can be retrieved in the context's current state. -See L for the use of B as a parameter descriptor. =item EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params() -Get a constant B array that describes the settable parameters +Get a constant L array that describes the settable parameters that can be used with EVP_CIPHER_CTX_set_params(). EVP_CIPHER_settable_ctx_params() returns the parameters that can be set from the algorithm, whereas EVP_CIPHER_CTX_settable_params() returns the parameters that can be set in the context's current state. -See L for the use of B as a parameter descriptor. =item EVP_EncryptInit_ex2() @@ -640,7 +637,7 @@ See L for information about passing parameters. When EVP_CIPHER_fetch() is called it internally calls EVP_CIPHER_get_params() and caches the results. -EVP_CIPHER_get_params() can be used with the following B keys: +EVP_CIPHER_get_params() can be used with the following L keys: =over 4 
@@ -711,7 +708,7 @@ all other OpenSSL ciphers return 0. =head2 Gettable and Settable EVP_CIPHER_CTX parameters -The following B keys can be used with both EVP_CIPHER_CTX_get_params() +The following L keys can be used with both EVP_CIPHER_CTX_get_params() and EVP_CIPHER_CTX_set_params(). =over 4 @@ -802,7 +799,7 @@ cipher operation (either 4 or 8 records). =head2 Gettable EVP_CIPHER_CTX parameters -The following B keys can be used with EVP_CIPHER_CTX_get_params(): +The following L keys can be used with EVP_CIPHER_CTX_get_params(): =over 4 @@ -871,7 +868,7 @@ Used to pass the TLS MAC data. =head2 Settable EVP_CIPHER_CTX parameters -The following B keys can be used with EVP_CIPHER_CTX_set_params(): +The following L keys can be used with EVP_CIPHER_CTX_set_params(): =over 4 @@ -1240,7 +1237,8 @@ EVP_CIPHER_CTX_is_encrypting() returns 1 if the I is set up for encryption EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater than zero for success and zero or a negative number on failure. -EVP_CIPHER_CTX_rand_key() returns 1 for success. +EVP_CIPHER_CTX_rand_key() returns 1 for success and zero or a negative number +for failure. EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. 
@@ -1417,11 +1415,10 @@ The following Is are supported for the ChaCha20-Poly1305 AEAD algorithm. =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) -Sets the nonce length. This call can only be made before specifying the nonce. -If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum -nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set -then the nonce is automatically padded with leading 0 bytes to make it 12 bytes -in length. +Sets the nonce length. This call is now redundant since the only valid value +is the default length of 12 (i.e. 96 bits). +Prior to OpenSSL 3.0 a nonce of less than 12 bytes could be used to automatically +pad the iv with leading 0 bytes to make it 12 bytes in length. =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) @@ -1484,6 +1481,12 @@ removed, and it is especially important for the B flag treated specially in EVP_CipherInit_ex(). +Ignoring failure returns of the B initialization functions can +lead to subsequent undefined behavior when calling the functions that update or +finalize the context. The only valid calls on the B when +initialization fails are calls that attempt another initialization of the +context or release the context. + EVP_get_cipherbynid(), and EVP_get_cipherbyobj() are implemented as macros. =head1 BUGS @@ -1516,7 +1519,11 @@ Encrypt a string using IDEA: FILE *out; ctx = EVP_CIPHER_CTX_new(); - EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL); + if (!EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL)) { + /* Error */ + EVP_CIPHER_CTX_free(ctx); + return 0; + } if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) { /* Error */ 
@@ -1574,13 +1581,21 @@ with a 128-bit key: /* Don't set key or IV right away; we want to check lengths */ ctx = EVP_CIPHER_CTX_new(); - EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL, - do_encrypt, NULL); + if (!EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL, + do_encrypt, NULL)) { + /* Error */ + EVP_CIPHER_CTX_free(ctx); + return 0; + } OPENSSL_assert(EVP_CIPHER_CTX_get_key_length(ctx) == 16); OPENSSL_assert(EVP_CIPHER_CTX_get_iv_length(ctx) == 16); /* Now we can set key and IV */ - EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL); + if (!EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL)) { + /* Error */ + EVP_CIPHER_CTX_free(ctx); + return 0; + } for (;;) { inlen = fread(inbuf, 1, 1024, in); @@ -1637,9 +1652,9 @@ Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing. goto err; /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */ - if (!EVP_CipherUpdate(ctx, encrypted, &outlen, msg, msglen)) + if (!EVP_CipherUpdate(ctx, out, &outlen, msg, msg_len)) goto err; - if (!EVP_CipherFinal_ex(ctx, encrypted + outlen, &len)) + if (!EVP_CipherFinal_ex(ctx, out + outlen, &len)) goto err; ret = 1; err: @@ -1712,7 +1727,7 @@ The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_KDF.pod b/deps/openssl/openssl/doc/man3/EVP_KDF.pod index e89e7034836d30..3b4e2b79aa1458 100644 --- a/deps/openssl/openssl/doc/man3/EVP_KDF.pod +++ b/deps/openssl/openssl/doc/man3/EVP_KDF.pod 
@@ -131,26 +131,23 @@ simply ignored. Also, what happens when a needed parameter isn't passed down is defined by the implementation. -EVP_KDF_gettable_params() returns an B array that describes +EVP_KDF_gettable_params() returns an L array that describes the retrievable and settable parameters. EVP_KDF_gettable_params() returns parameters that can be used with EVP_KDF_get_params(). -See L for the use of B as a parameter descriptor. EVP_KDF_gettable_ctx_params() and EVP_KDF_CTX_gettable_params() -return constant B arrays that describe the retrievable +return constant L arrays that describe the retrievable parameters that can be used with EVP_KDF_CTX_get_params(). EVP_KDF_gettable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_KDF_CTX_gettable_params() returns the parameters that can be retrieved in the context's current state. -See L for the use of B as a parameter descriptor. EVP_KDF_settable_ctx_params() and EVP_KDF_CTX_settable_params() return -constant B arrays that describe the settable parameters that +constant L arrays that describe the settable parameters that can be used with EVP_KDF_CTX_set_params(). EVP_KDF_settable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_KDF_CTX_settable_params() returns the parameters that can -be retrieved in the context's current state. See L -for the use of B as a parameter descriptor. +be retrieved in the context's current state. =head2 Information functions @@ -294,7 +291,7 @@ L. =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man3/EVP_KEM_free.pod b/deps/openssl/openssl/doc/man3/EVP_KEM_free.pod index e77b89d3b97fca..575abc5f5798c3 100644 --- a/deps/openssl/openssl/doc/man3/EVP_KEM_free.pod +++ b/deps/openssl/openssl/doc/man3/EVP_KEM_free.pod 
@@ -68,7 +68,7 @@ display and human consumption. The description is at the discretion of the I implementation. EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params() return -a constant B array that describes the names and types of key +a constant L array that describes the names and types of key parameters that can be retrieved or set by a key encapsulation algorithm using L and L. @@ -83,7 +83,7 @@ EVP_KEM_names_do_all() returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params() return -a constant B array or NULL on error. +a constant L array or NULL on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_KEYEXCH_free.pod b/deps/openssl/openssl/doc/man3/EVP_KEYEXCH_free.pod index 42c7e1289c00ef..272855ccb3dd81 100644 --- a/deps/openssl/openssl/doc/man3/EVP_KEYEXCH_free.pod +++ b/deps/openssl/openssl/doc/man3/EVP_KEYEXCH_free.pod @@ -71,7 +71,7 @@ of the implementations, calls I with the implementation method and I as arguments. EVP_KEYEXCH_gettable_ctx_params() and EVP_KEYEXCH_settable_ctx_params() return -a constant B array that describes the names and types of key +a constant L array that describes the names and types of key parameters that can be retrieved or set by a key exchange algorithm using L and L. @@ -89,7 +89,7 @@ EVP_KEYEXCH_is_a() returns 1 of I was identifiable, otherwise 0. EVP_KEYEXCH_gettable_ctx_params() and EVP_KEYEXCH_settable_ctx_params() return -a constant B array or NULL on error. +a constant L array or NULL on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_KEYMGMT.pod b/deps/openssl/openssl/doc/man3/EVP_KEYMGMT.pod index 6b6e1173696a71..f81fc9efb00b93 100644 --- a/deps/openssl/openssl/doc/man3/EVP_KEYMGMT.pod +++ b/deps/openssl/openssl/doc/man3/EVP_KEYMGMT.pod 
@@ -88,12 +88,11 @@ of the implementations, calls I with the implementation method and I as arguments. EVP_KEYMGMT_gettable_params() and EVP_KEYMGMT_settable_params() return a -constant B array that describes the names and types of key +constant L array that describes the names and types of key parameters that can be retrieved or set. EVP_KEYMGMT_gettable_params() is used by L. -See L for the use of B as a parameter descriptor. -EVP_KEYMGMT_gen_settable_params() returns a constant B array that +EVP_KEYMGMT_gen_settable_params() returns a constant L array that describes the names and types of key generation parameters that can be set via L. @@ -128,7 +127,7 @@ EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if there isn't one. EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and -EVP_KEYMGMT_gen_settable_params() return a constant B array or +EVP_KEYMGMT_gen_settable_params() return a constant L array or NULL on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_MAC.pod b/deps/openssl/openssl/doc/man3/EVP_MAC.pod index 289cbda7571974..13482ac5e188e7 100644 --- a/deps/openssl/openssl/doc/man3/EVP_MAC.pod +++ b/deps/openssl/openssl/doc/man3/EVP_MAC.pod 
@@ -187,26 +187,23 @@ simply ignored. Also, what happens when a needed parameter isn't passed down is defined by the implementation. -EVP_MAC_gettable_params() returns an B array that describes +EVP_MAC_gettable_params() returns an L array that describes the retrievable and settable parameters. EVP_MAC_gettable_params() returns parameters that can be used with EVP_MAC_get_params(). -See L for the use of B as a parameter descriptor. EVP_MAC_gettable_ctx_params() and EVP_MAC_CTX_gettable_params() -return constant B arrays that describe the retrievable +return constant L arrays that describe the retrievable parameters that can be used with EVP_MAC_CTX_get_params(). EVP_MAC_gettable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_MAC_CTX_gettable_params() returns the parameters that can be retrieved in the context's current state. -See L for the use of B as a parameter descriptor. EVP_MAC_settable_ctx_params() and EVP_MAC_CTX_settable_params() return -constant B arrays that describe the settable parameters that +constant L arrays that describe the settable parameters that can be used with EVP_MAC_CTX_set_params(). EVP_MAC_settable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_MAC_CTX_settable_params() returns the parameters that can -be retrieved in the context's current state. See L -for the use of B as a parameter descriptor. +be retrieved in the context's current state. =head2 Information functions diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_get0_pkey.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_get0_pkey.pod new file mode 100644 index 00000000000000..8db726127ec635 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_get0_pkey.pod 
@@ -0,0 +1,56 @@ +=pod + +=head1 NAME + +EVP_PKEY_CTX_get0_pkey, +EVP_PKEY_CTX_get0_peerkey +- functions for accessing the EVP_PKEY associated with an EVP_PKEY_CTX + +=head1 SYNOPSIS + + #include + + EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx); + EVP_PKEY *EVP_PKEY_CTX_get0_peerkey(EVP_PKEY_CTX *ctx); + +=head1 DESCRIPTION + +EVP_PKEY_CTX_get0_pkey() is used to access the B +associated with the given B I. +The B obtained is the one used for creating the B +using either L or L. + +EVP_PKEY_CTX_get0_peerkey() is used to access the peer B +associated with the given B I. +The peer B obtained is the one set using +either L or L. + +=head1 RETURN VALUES + +EVP_PKEY_CTX_get0_pkey() returns the B associated with the +EVP_PKEY_CTX or NULL if it is not set. + +EVP_PKEY_CTX_get0_peerkey() returns the peer B associated with the +EVP_PKEY_CTX or NULL if it is not set. + +The returned EVP_PKEY objects are owned by the EVP_PKEY_CTX, +and therefore should not explicitly be freed by the caller. + +These functions do not affect the EVP_PKEY reference count. +They merely act as getter functions, and should be treated as such. + +=head1 SEE ALSO + +L, L, +L, L + +=head1 COPYRIGHT + +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). +You may not use this file except in compliance with the License. +You can obtain a copy in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_params.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_params.pod index b8855c2670fbb5..c02151654c3a62 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_params.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_params.pod 
@@ -30,11 +30,10 @@ These methods replace the EVP_PKEY_CTX_ctrl() mechanism. (EVP_PKEY_CTX_ctrl now calls these methods internally to interact with providers). EVP_PKEY_CTX_gettable_params() and EVP_PKEY_CTX_settable_params() get a -constant B array that describes the gettable and +constant L array that describes the gettable and settable parameters for the current algorithm implementation, i.e. parameters that can be used with EVP_PKEY_CTX_get_params() and EVP_PKEY_CTX_set_params() respectively. -See L for the use of B as parameter descriptor. These functions must only be called after the EVP_PKEY_CTX has been initialised for use in an operation. diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod index 5c3d863201649b..b6f9bad5f18adb 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod 
@@ -18,19 +18,21 @@ EVP_PKEY_decrypt - decrypt using a public key algorithm =head1 DESCRIPTION The EVP_PKEY_decrypt_init() function initializes a public key algorithm -context using key B for a decryption operation. +context using key I for a decryption operation. The EVP_PKEY_decrypt_init_ex() function initializes a public key algorithm -context using key B for a decryption operation and sets the -algorithm specific B. +context using key I for a decryption operation and sets the +algorithm specific I. The EVP_PKEY_decrypt() function performs a public key decryption operation -using B. The data to be decrypted is specified using the B and -B parameters. If B is B then the maximum size of the output -buffer is written to the B parameter. If B is not B then -before the call the B parameter should contain the length of the -B buffer, if the call is successful the decrypted data is written to -B and the amount of data written to B. +using I. The data to be decrypted is specified using the I and +I parameters. If I is NULL then the minimum required size of +the output buffer is written to the I<*outlen> parameter. + +If I is not NULL then before the call the I<*outlen> parameter must +contain the length of the I buffer. If the call is successful the +decrypted data is written to I and the amount of the decrypted data +written to I<*outlen>, otherwise an error is returned. =head1 NOTES diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod index 096ecc601f07f5..3e9e06d1a20298 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_fromdata.pod 
@@ -48,10 +48,9 @@ and L(7)|EVP_PKEY-ED25519(7)/Common X25519, X448, ED25519 an =for comment the awful list of links above is made this way so we get nice rendering as a man-page while still getting proper links in HTML -EVP_PKEY_fromdata_settable() gets a constant B array that describes +EVP_PKEY_fromdata_settable() gets a constant L array that describes the settable parameters that can be used with EVP_PKEY_fromdata(). I is described in L. -See L for the use of B as parameter descriptor. Parameters in the I array that are not among the settable parameters for the given I are ignored. diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod index 1afda9c19b7f01..b51e4c4de1859d 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_gettable_params.pod @@ -29,15 +29,15 @@ EVP_PKEY_get_octet_string_param =head1 DESCRIPTION +See L for information about parameters. + EVP_PKEY_get_params() retrieves parameters from the key I, according to the contents of I. -See L for information about parameters. EVP_PKEY_gettable_params() returns a constant list of I indicating the names and types of key parameters that can be retrieved. -See L for information about parameters. -An B of type B or +An L of type B or B is of arbitrary length. Such a parameter can be obtained using any of the functions EVP_PKEY_get_int_param(), EVP_PKEY_get_size_t_param() or EVP_PKEY_get_bn_param(). Attempting to diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod index 87644cc5c37568..433123618606f7 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_keygen.pod 
@@ -100,7 +100,7 @@ If I is C, a B parameter must be given to specify the size of the RSA key. If I is C, a string parameter must be given to specify the name of the EC curve. -If I is C, C, C, or C +If I is C, C, C, C, or C no further parameter is needed. =head1 RETURN VALUES diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod index 20ae767dd6a17a..cf27919a2c3f65 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_set1_encoded_public_key.pod @@ -64,7 +64,7 @@ should use EVP_PKEY_get1_encoded_public_key() instead. EVP_PKEY_set1_encoded_public_key() returns 1 for success and 0 or a negative value for failure. -EVP_PKEY_get1_encoded_public_key() return 1 +EVP_PKEY_get1_encoded_public_key() returns the length of the encoded key or 0 for failure. =head1 EXAMPLES diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_todata.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_todata.pod index 98ae484755422f..dedfb1b0cf8ae8 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_todata.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_todata.pod @@ -16,7 +16,7 @@ EVP_PKEY_todata, EVP_PKEY_export =head1 DESCRIPTION The functions described here are used to extract B key values as an -array of B. +array of L. EVP_PKEY_todata() extracts values from a key I using the I. I is described in L. @@ -26,7 +26,7 @@ I<*params>. EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback I that gets passed the value of I. See L for more information about the callback. Note that the -B array that is passed to the callback is not persistent after the +L array that is passed to the callback is not persistent after the callback returns. The user must preserve the items of interest, or use EVP_PKEY_todata() if persistence is required. 
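Review bot: In the EVP_PKEY_todata.pod hunk at -26,7, the warning that the array passed to the EVP_PKEY_export() callback "is not persistent after the callback returns" tells the caller to "preserve the items of interest" without saying how. Since this change already turns the type name into a link, consider also pointing at OSSL_PARAM_dup(), which the OSSL_PARAM_dup.pod text touched later in this patch describes as doing a deep copy, so callers do not keep pointers into storage that is gone once the callback returns. The context line in the same hunk still reads "similiar"; worth fixing in the same pass.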
diff --git a/deps/openssl/openssl/doc/man3/EVP_RAND.pod b/deps/openssl/openssl/doc/man3/EVP_RAND.pod index f21b2f69d73638..a4d72b70432f72 100644 --- a/deps/openssl/openssl/doc/man3/EVP_RAND.pod +++ b/deps/openssl/openssl/doc/man3/EVP_RAND.pod @@ -186,26 +186,23 @@ simply ignored. Also, what happens when a needed parameter isn't passed down is defined by the implementation. -EVP_RAND_gettable_params() returns an B array that describes +EVP_RAND_gettable_params() returns an L array that describes the retrievable and settable parameters. EVP_RAND_gettable_params() returns -parameters that can be used with EVP_RAND_get_params(). See L -for the use of B as a parameter descriptor. +parameters that can be used with EVP_RAND_get_params(). EVP_RAND_gettable_ctx_params() and EVP_RAND_CTX_gettable_params() return -constant B arrays that describe the retrievable parameters that +constant L arrays that describe the retrievable parameters that can be used with EVP_RAND_CTX_get_params(). EVP_RAND_gettable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_RAND_CTX_gettable_params() returns the parameters that can be retrieved -in the context's current state. See L for the use of -B as a parameter descriptor. +in the context's current state. EVP_RAND_settable_ctx_params() and EVP_RAND_CTX_settable_params() return -constant B arrays that describe the settable parameters that +constant L arrays that describe the settable parameters that can be used with EVP_RAND_CTX_set_params(). EVP_RAND_settable_ctx_params() returns the parameters that can be retrieved from the algorithm, whereas EVP_RAND_CTX_settable_params() returns the parameters that can be retrieved -in the context's current state. See L for the use of -B as a parameter descriptor. +in the context's current state. =head2 Information functions 
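Review bot: In the EVP_RAND.pod hunk at -186,26, the last paragraph still says EVP_RAND_settable_ctx_params() and EVP_RAND_CTX_settable_params() return "the parameters that can be retrieved", which looks copied from the gettable paragraph above it and should read "set". The first paragraph has a related inconsistency: EVP_RAND_gettable_params() is said to describe "the retrievable and settable parameters" but is then tied only to EVP_RAND_get_params(). Both are context lines here, but the patch rewrites the sentences right next to them, so this is the natural place to correct the wording.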
diff --git a/deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod b/deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod index 9fb389e7aeb0ec..600522085398c2 100644 --- a/deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod +++ b/deps/openssl/openssl/doc/man3/EVP_SIGNATURE.pod @@ -79,7 +79,7 @@ meant for display and human consumption. The description is at the discretion of the I implementation. EVP_SIGNATURE_gettable_ctx_params() and EVP_SIGNATURE_settable_ctx_params() -return a constant B array that describes the names and types of key +return a constant L array that describes the names and types of key parameters that can be retrieved or set by a signature algorithm using L and L. @@ -94,7 +94,7 @@ EVP_SIGNATURE_names_do_all() returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. EVP_SIGNATURE_gettable_ctx_params() and EVP_SIGNATURE_settable_ctx_params() -return a constant B array or NULL on error. +return a constant L array or NULL on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_SignInit.pod b/deps/openssl/openssl/doc/man3/EVP_SignInit.pod index 64de251843ae52..11832ff7618028 100644 --- a/deps/openssl/openssl/doc/man3/EVP_SignInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_SignInit.pod 
@@ -60,10 +60,9 @@ The B interface to digital signatures should almost always be used in preference to the low-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. -When signing with DSA private keys the random number generator must be seeded. -If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to -external circumstances (see L), the operation will fail. -This requirement does not hold for RSA signatures. +When signing with some private key types the random number generator must +be seeded. If the automatic seeding or reseeding of the OpenSSL CSPRNG fails +due to external circumstances (see L), the operation will fail. The call to EVP_SignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_SignUpdate() and EVP_SignFinal() can be called @@ -85,7 +84,7 @@ data have been passed through EVP_SignUpdate(). It is not possible to change the signing parameters using these function. -The previous two bugs are fixed in the newer EVP_SignDigest*() function. +The previous two bugs are fixed in the newer EVP_DigestSign*() functions. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod b/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod index 0cb67d7dc1e039..a6d5772c3b83cf 100644 --- a/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod @@ -50,7 +50,7 @@ EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for failure. EVP_VerifyFinal_ex() and EVP_VerifyFinal() return 1 for a correct -signature, 0 for failure and -1 if some other error occurred. +signature, 0 for failure and a negative value if some other error occurred. The error codes can be obtained by L. diff --git a/deps/openssl/openssl/doc/man3/HMAC.pod b/deps/openssl/openssl/doc/man3/HMAC.pod index 43aca065f0d285..87a567242f60fa 100644 --- a/deps/openssl/openssl/doc/man3/HMAC.pod 
+++ b/deps/openssl/openssl/doc/man3/HMAC.pod @@ -71,6 +71,9 @@ I is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does not support variable output length digests such as EVP_shake128() and EVP_shake256(). +HMAC() uses the default B. +Use L instead if a library context is required. + All of the functions described below are deprecated. Applications should instead use L, L, L, L and L diff --git a/deps/openssl/openssl/doc/man3/MD5.pod b/deps/openssl/openssl/doc/man3/MD5.pod index 5d1a8eb7da92cb..2e01fe8193dd96 100644 --- a/deps/openssl/openssl/doc/man3/MD5.pod +++ b/deps/openssl/openssl/doc/man3/MD5.pod @@ -80,8 +80,8 @@ etc. instead of calling the hash functions directly. =head1 NOTE MD2, MD4, and MD5 are recommended only for compatibility with existing -applications. In new applications, SHA-1 or RIPEMD-160 should be -preferred. +applications. In new applications, hashes from the SHA-2 or SHA-3 family +should be preferred. =head1 RETURN VALUES @@ -97,7 +97,7 @@ RFC 1319, RFC 1320, RFC 1321 =head1 SEE ALSO -L +L, L, L =head1 HISTORY @@ -105,7 +105,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod b/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod index e9d260fec1d02b..e34e591fe01bec 100644 --- a/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod +++ b/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod 
@@ -62,7 +62,7 @@ OCSP_request_sign() and OCSP_request_add1_cert() return 1 for success and 0 for failure. OCSP_request_onereq_count() returns the total number of B -structures in B. +structures in B and -1 on error. OCSP_request_onereq_get0() returns a pointer to an B structure or B if the index value is out or range. diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_ia32cap.pod b/deps/openssl/openssl/doc/man3/OPENSSL_ia32cap.pod index e529c6c64f4e10..c6c1c0185ad87a 100644 --- a/deps/openssl/openssl/doc/man3/OPENSSL_ia32cap.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_ia32cap.pod @@ -97,6 +97,8 @@ and RORX; =item bit #64+16 denoting availability of AVX512F extension; +=item bit #64+17 denoting availability of AVX512DQ extension; + =item bit #64+18 denoting availability of RDSEED instruction; =item bit #64+19 denoting availability of ADCX and ADOX instructions; diff --git a/deps/openssl/openssl/doc/man3/OSSL_ALGORITHM.pod b/deps/openssl/openssl/doc/man3/OSSL_ALGORITHM.pod new file mode 100644 index 00000000000000..cc9271b9a412cb --- /dev/null +++ b/deps/openssl/openssl/doc/man3/OSSL_ALGORITHM.pod 
@@ -0,0 +1,151 @@ +=pod + +=head1 NAME + +OSSL_ALGORITHM - OpenSSL Core type to define a fetchable algorithm + +=head1 SYNOPSIS + + #include + + typedef struct ossl_algorithm_st OSSL_ALGORITHM; + struct ossl_algorithm_st { + const char *algorithm_names; /* key */ + const char *property_definition; /* key */ + const OSSL_DISPATCH *implementation; + const char *algorithm_description; + }; + +=head1 DESCRIPTION + +The B type is a I that describes an +algorithm that a L provides. Arrays of this type are returned +by providers on demand from the OpenSSL libraries to describe what +algorithms the providers provide implementations of, and with what +properties. + +Arrays of this type must be terminated with a tuple where I +is NULL. + +This type of array is typically returned by the provider's operation querying +function, further described in L. + +=head2 B fields + +=over 4 + +=item I + +This string is a colon separated set of names / identities, and is used by +the appropriate fetching functionality (such as L, +L, etc) to find the desired algorithm. + +Multiple names / identities allow a specific algorithm implementation to be +fetched multiple ways. For example, the RSA algorithm has the following +known identities: + +=over 4 + +=item * + +C + +=item * + +C + +This is the name of the algorithm's OBJECT IDENTIFIER (OID), as given by the +L + +=item * + +C<1.2.840.113549.1.1.1> + +This is the OID itself for C, in canonical decimal text form. + +=back + +The resulting I string would look like this: + + "RSA:rsaEncryption:1.2.840.113549.1.1.1" + +The OpenSSL libraries use the first of the algorithm names as the main +or canonical name, on a per algorithm implementation basis. + +See the notes L below for a more in +depth discussion on I and how that may interact with +applications and libraries, including OpenSSL's. 
+ +=item I + +This string defines a set of properties associated with a particular +algorithm implementation, and is used by the appropriate fetching +functionality (such as L, L, etc) for +a finer grained lookup of an algorithm implementation, which is useful in +case multiple implementations of the same algorithm are available. + +See L for a further description of the contents of this +string. + +=item I + +Pointer to an L array, containing pointers to the +functions of a particular algorithm implementation. + +=item I + +A string with a short human-readable description of the algorithm. + +=back + +=head1 NOTES + +=head2 On the subject of algorithm names + +Providers may find the need to register ASN.1 OIDs for algorithms using +L (via the B upcall described in +L, because some application or library -- possibly still +the OpenSSL libraries, even -- use NIDs to look up algorithms. + +In that scenario, you must make sure that the corresponding B's +I includes both the short and the long name. + +Most of the time, registering ASN.1 OIDs like this shouldn't be necessary, +and applications and libraries are encouraged to use L to +get a text representation of the OID, which may be a long or short name for +OIDs that are registered, or the OID itself in canonical decimal text form +if not (or if L is called with I = 1). + +It's recommended to make sure that the corresponding B's +I include known names as well as the OID itself in +canonical decimal text form. That should cover all scenarios. + +=begin comment RETURN VALUES doesn't make sense for a manual that only +describes a type, but document checkers still want that section, and +to have more than just the section title. + +=head1 RETURN VALUES + +txt + +=end comment + +=head1 SEE ALSO + +L, L, L, +L, L + +=head1 HISTORY + +B was added in OpenSSL 3.0 + +=head1 COPYRIGHT + +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). 
You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man3/OSSL_CALLBACK.pod b/deps/openssl/openssl/doc/man3/OSSL_CALLBACK.pod new file mode 100644 index 00000000000000..5fa8a8f089161f --- /dev/null +++ b/deps/openssl/openssl/doc/man3/OSSL_CALLBACK.pod 
@@ -0,0 +1,77 @@ +=pod + +=head1 NAME + +OSSL_CALLBACK, OSSL_PASSPHRASE_CALLBACK - OpenSSL Core type to define callbacks + +=head1 SYNOPSIS + + #include + typedef int (OSSL_CALLBACK)(const OSSL_PARAM params[], void *arg); + typedef int (OSSL_PASSPHRASE_CALLBACK)(char *pass, size_t pass_size, + size_t *pass_len, + const OSSL_PARAM params[], + void *arg); + +=head1 DESCRIPTION + +For certain events or activities, provider functionality may need help from +the application or the calling OpenSSL libraries themselves. For example, +user input or direct (possibly optional) user output could be implemented +this way. + +Callback functions themselves are always provided by or through the calling +OpenSSL libraries, along with a generic pointer to data I. As far as +the function receiving the pointer to the function pointer and I is +concerned, the data that I points at is opaque, and the pointer should +simply be passed back to the callback function when it's called. + +=over 4 + +=item B + +This is a generic callback function. When calling this callback function, +the caller is expected to build an L array of data it wants or +is expected to pass back, and pass that as I, as well as the opaque +data pointer it received, as I. + +=item B + +This is a specialised callback function, used specifically to prompt the +user for a passphrase. When calling this callback function, a buffer to +store the pass phrase needs to be given with I, and its size with +I. The length of the prompted pass phrase will be given back in +I<*pass_len>. + +Additional parameters can be passed with the L array I, + +=back + +=begin comment RETURN VALUES doesn't make sense for a manual that only +describes a type, but document checkers still want that section, and +to have more than just the section title. + +=head1 RETURN VALUES + +txt + +=end comment + +=head1 SEE ALSO + +L + +=head1 HISTORY + +The types described here were added in OpenSSL 3.0. 
+ +=head1 COPYRIGHT + +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod index 8ac5b815be74a8..3c4e2d3f7d06a2 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_CTX_new.pod @@ -35,6 +35,7 @@ OSSL_CMP_CTX_set1_referenceValue, OSSL_CMP_CTX_set1_secretValue, OSSL_CMP_CTX_set1_recipient, OSSL_CMP_CTX_push0_geninfo_ITAV, +OSSL_CMP_CTX_reset_geninfo_ITAVs, OSSL_CMP_CTX_set1_extraCertsOut, OSSL_CMP_CTX_set0_newPkey, OSSL_CMP_CTX_get0_newPkey, @@ -116,6 +117,7 @@ OSSL_CMP_CTX_set1_senderNonce /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); + int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, STACK_OF(X509) *extraCertsOut); @@ -179,6 +181,7 @@ OSSL_CMP_CTX_reinit() prepares the given I for a further transaction by clearing the internal CMP transaction (aka session) status, PKIStatusInfo, and any previous results (newCert, newChain, caPubs, and extraCertsIn) from the last executed transaction. +It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV(). All other field values (i.e., CMP options) are retained for potential re-use. OSSL_CMP_CTX_set_option() sets the given value for the given option 
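Review bot: In the OSSL_CMP_CTX_reinit() hunk at -179,6, the added sentence covers only ITAVs pushed with OSSL_CMP_CTX_push0_genm_ITAV() and is silent on those pushed with OSSL_CMP_CTX_push0_geninfo_ITAV(). The following line, "All other field values (i.e., CMP options) are retained", implies the geninfo ITAVs survive a reinit, but they are not CMP options, so a reader who reuses one context across transactions cannot tell whether stale header data will be sent again. Suggest stating explicitly that geninfo ITAVs are kept and that OSSL_CMP_CTX_reset_geninfo_ITAVs(), documented further down in this patch, is the way to clear them.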
@@ -205,14 +208,17 @@ The following options can be set: =item B - Number of seconds (or 0 for infinite) a CMP message round trip is - allowed to take before a timeout error is returned. - Default is to use the B setting. + Number of seconds a CMP request-response message round trip + is allowed to take before a timeout error is returned. + A value <= 0 means no limitation (waiting indefinitely). + Default is to use the B setting. =item B - Maximum total number of seconds an enrollment (including polling) - may take. Default is 0 (infinite). + Maximum total number of seconds a transaction may take, + including polling etc. + A value <= 0 means no limitation (waiting indefinitely). + Default is 0. =item B @@ -509,6 +515,9 @@ OSSL_CMP_CTX_push0_geninfo_ITAV() adds I to the stack in the I to be added to the GeneralInfo field of the CMP PKIMessage header of a request message sent with this context. +OSSL_CMP_CTX_reset_geninfo_ITAVs() +clears any ITAVs that were added by OSSL_CMP_CTX_push0_geninfo_ITAV(). + OSSL_CMP_CTX_set1_extraCertsOut() sets the stack of extraCerts that will be sent to remote. 
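Review bot: In the option list hunk at -205,14, both timeout entries now say "A value <= 0 means no limitation (waiting indefinitely)", where the removed text only defined 0 as infinite. Please confirm that the implementation treats negative values this way in 3.0.8 and, if the behaviour differs from earlier 3.0.x releases, record that in HISTORY. The total-time entry also keeps "Default is 0", which means an unbounded transaction by default; a sentence advising callers to set a finite value when the server is not under their control would make that consequence visible.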
@@ -612,15 +621,36 @@ OSSL_CMP_CTX_get_certConf_cb_arg() gets the argument, respectively the pointer to a structure containing arguments, previously set by OSSL_CMP_CTX_set_certConf_cb_arg(), or NULL if unset. -OSSL_CMP_CTX_get_status() returns the PKIstatus from the last received -CertRepMessage or Revocation Response or error message, or -1 if unset. -For server contexts it returns -2 if a transaction is open, else -1. +OSSL_CMP_CTX_get_status() returns for client contexts the PKIstatus from +the last received CertRepMessage or Revocation Response or error message: +=item B on sucessful receipt of a GENP message: + +=over 4 + +=item B + +if an IR/CR/KUR/RR/GENM request message could not be produced, + +=item B + +on a transmission error or transaction error for this type of request, and + +=item B + +if no such request was attempted or OSSL_CMP_CTX_reinit() has been called. + +=back + +For server contexts it returns +B if a transaction is open, +otherwise B. OSSL_CMP_CTX_get0_statusString() returns the statusString from the last received CertRepMessage or Revocation Response or error message, or NULL if unset. OSSL_CMP_CTX_get_failInfoCode() returns the error code from the failInfo field -of the last received CertRepMessage or Revocation Response or error message. +of the last received CertRepMessage or Revocation Response or error message, +or -1 if no such response was received or OSSL_CMP_CTX_reinit() has been called. This is a bit field and the flags for it are specified in the header file F<< >>. The flags start with OSSL_CMP_CTX_FAILINFO, for example: @@ -681,7 +711,9 @@ OSSL_CMP_certConf_cb() returns I if it is not equal to 0, else 0 on successful validation, or else a bit field with the B bit set. -All other functions return 1 on success, 0 on error. +All other functions, including OSSL_CMP_CTX_reinit() +and OSSL_CMP_CTX_reset_geninfo_ITAVs(), +return 1 on success, 0 on error. =head1 EXAMPLES 
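Review bot: In the OSSL_CMP_CTX_get_status() hunk at -612,15, the first added "=item" line ("on sucessful receipt of a GENP message:") comes before "=over 4", so it sits outside any list and is invalid POD; move it inside the =over/=back block and correct "sucessful" to "successful". The lead-in sentence ending in "or error message:" also reads oddly, because the GENP case and the three items after it are alternatives to a received PKIstatus rather than examples of one. In the same hunk, OSSL_CMP_CTX_get_failInfoCode() is now documented to return -1 while the next line describes the value as a bit field; say that callers must compare against -1 before testing any OSSL_CMP_CTX_FAILINFO flag, since -1 as an int has every bit set.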
@@ -737,7 +769,7 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents: OSSL_CMP_CTX_reinit(cmp_ctx); ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1); - OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL); + OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL); OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav); STACK_OF(OSSL_CMP_ITAV) *itavs; @@ -756,9 +788,11 @@ L The OpenSSL CMP support was added in OpenSSL 3.0. +OSSL_CMP_CTX_reset_geninfo_ITAVs() was added in OpenSSL 3.0.8. + =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod index 6fc620f83b3636..c3297a3577ac9d 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -118,10 +118,11 @@ d2i_OSSL_CMP_MSG_bio() returns the parsed message or NULL on error. OSSL_CMP_MSG_read() and d2i_OSSL_CMP_MSG_bio() return the parsed CMP message or NULL on error. -OSSL_CMP_MSG_write() and i2d_OSSL_CMP_MSG_bio() return -the number of bytes successfully encoded or a negative value if an error occurs. +OSSL_CMP_MSG_write() returns the number of bytes successfully encoded or a +negative value if an error occurs. -OSSL_CMP_MSG_update_transactionID() returns 1 on success, 0 on error. +i2d_OSSL_CMP_MSG_bio() and OSSL_CMP_MSG_update_transactionID() return 1 on +success, 0 on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_exec_certreq.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_exec_certreq.pod index 60e2cf0f226862..b0d81c7c41a968 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_exec_certreq.pod 
+++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_exec_certreq.pod @@ -109,8 +109,9 @@ make no sense for revocation and thus are treated as an error as well. OSSL_CMP_exec_GENM_ses() sends a general message containing the sequence of infoType and infoValue pairs (InfoTypeAndValue; short: B) -provided in the I using L. -It returns the list of Bs received in the GenRep. +optionally provided in the I using L. +On success it records in I the status B +and returns the list of Bs received in the GENP message. This can be used, for instance, to poll for CRLs or CA Key Updates. See RFC 4210 section 5.3.19 and appendix E.5 for details. @@ -139,8 +140,8 @@ assign the received value unless I is NULL. OSSL_CMP_exec_RR_ses() returns 1 on success, 0 on error. -OSSL_CMP_exec_GENM_ses() returns a -pointer to the received B sequence on success, NULL on error. +OSSL_CMP_exec_GENM_ses() returns NULL on error, +otherwise a pointer to the sequence of B received, which may be empty. This pointer must be freed by the caller. =head1 EXAMPLES diff --git a/deps/openssl/openssl/doc/man3/OSSL_CMP_validate_msg.pod b/deps/openssl/openssl/doc/man3/OSSL_CMP_validate_msg.pod index 5007e8829cbcb8..44c901210feb94 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_CMP_validate_msg.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_CMP_validate_msg.pod 
@@ -19,8 +19,11 @@ This is the API for validating the protection of CMP messages, which includes validating CMP message sender certificates and their paths while optionally checking the revocation status of the certificates(s). -OSSL_CMP_validate_msg() validates the protection of the given I -using either password-based mac (PBM) or a signature algorithm. +OSSL_CMP_validate_msg() validates the protection of the given I, +which must be signature-based or using password-based MAC (PBM). +In the former case a suitable trust anchor must be given in the CMP context +I, and in the latter case the matching secret must have been set there +using L. In case of signature algorithm, the certificate to use for the signature check is preferably the one provided by a call to L. @@ -61,7 +64,9 @@ return 1 on success, 0 on error or validation failed. =head1 SEE ALSO -L, L +L, L, +L, L, +L, L =head1 HISTORY diff --git a/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod b/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod index 5a01a19ebe2a46..213791404c778e 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod @@ -78,10 +78,10 @@ callback may be specified with the following functions. OSSL_DECODER_CTX_set_pem_password_cb(), OSSL_DECODER_CTX_set_passphrase_ui() and OSSL_DECODER_CTX_set_passphrase_cb() set up a callback method that the implementation can use to prompt for a pass phrase, giving the caller the -choice of prefered pass phrase callback form. These are called indirectly, -through an internal B function. +choice of preferred pass phrase callback form. These are called indirectly, +through an internal L function. -The internal B function caches the pass phrase, to +The internal L function caches the pass phrase, to be re-used in all decodings that are performed in the same decoding run (for example, within one L call). 
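Review bot: In the OSSL_DECODER_CTX_new_for_pkey.pod hunk at -78,10, the paragraph on the internal callback says it "caches the pass phrase, to be re-used in all decodings that are performed in the same decoding run" but does not say what happens to the cached copy when the run ends. While this text is being touched, consider adding whether the cache is cleared at that point, since applications handling key material need to know how long the pass phrase stays in memory.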
diff --git a/deps/openssl/openssl/doc/man3/OSSL_DISPATCH.pod b/deps/openssl/openssl/doc/man3/OSSL_DISPATCH.pod new file mode 100644 index 00000000000000..1aca4019dcbc18 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/OSSL_DISPATCH.pod 
@@ -0,0 +1,81 @@ +=pod + +=head1 NAME + +OSSL_DISPATCH - OpenSSL Core type to define a dispatchable function table + +=head1 SYNOPSIS + + #include + + typedef struct ossl_dispatch_st OSSL_DISPATCH; + struct ossl_dispatch_st { + int function_id; + void (*function)(void); + }; + +=head1 DESCRIPTION + +This type is a tuple of function identity and function pointer. +Arrays of this type are passed between the OpenSSL libraries and the +providers to describe what functionality one side provides to the other. + +Arrays of this type must be terminated with a tuple having function identity +zero and function pointer NULL. + +=head2 B fields + +=over 4 + +=item I + +OpenSSL defined function identity of the implemented function. + +=item I + +Pointer to the implemented function itself. Despite the generic definition +of this field, the implemented function it points to must have a function +signature that corresponds to the I + +=back + +Available function identities and corresponding function signatures are +defined in L. +Furthermore, the chosen function identities and associated function +signature must be chosen specifically for the operation that it's intended +for, as determined by the intended L array. + +Any function identity not recognised by the recipient of this type +will be ignored. +This ensures that providers built with one OpenSSL version in mind +will work together with any other OpenSSL version that supports this +mechanism. + +=begin comment RETURN VALUES doesn't make sense for a manual that only +describes a type, but document checkers still want that section, and +to have more than just the section title. + +=head1 RETURN VALUES + +txt + +=end comment + +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +B was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. 
You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod b/deps/openssl/openssl/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod index 9db6e3d2a4f2d6..8ba3bdd467183c 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod @@ -78,8 +78,8 @@ following functions. OSSL_ENCODER_CTX_set_pem_password_cb(), OSSL_ENCODER_CTX_set_passphrase_ui() and OSSL_ENCODER_CTX_set_passphrase_cb() sets up a callback method that the implementation can use to prompt for a pass phrase, giving the caller the -choice of prefered pass phrase callback form. These are called indirectly, -through an internal B function. +choice of preferred pass phrase callback form. These are called indirectly, +through an internal L function. =head2 Output types diff --git a/deps/openssl/openssl/doc/man3/OSSL_ITEM.pod b/deps/openssl/openssl/doc/man3/OSSL_ITEM.pod new file mode 100644 index 00000000000000..70d4bf361b75e9 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/OSSL_ITEM.pod 
@@ -0,0 +1,56 @@ +=pod + +=head1 NAME + +OSSL_ITEM - OpenSSL Core type for generic itemized data + +=head1 SYNOPSIS + + #include + + typedef struct ossl_item_st OSSL_ITEM; + struct ossl_item_st { + unsigned int id; + void *ptr; + }; + +=head1 DESCRIPTION + +This type is a tuple of integer and pointer. +It's a generic type used as a generic descriptor, its exact meaning +being defined by how it's used. +Arrays of this type are passed between the OpenSSL libraries and the +providers, and must be terminated with a tuple where the integer is +zero and the pointer NULL. + +This is currently mainly used for the return value of the provider's error +reason strings array, see L. + +=begin comment RETURN VALUES doesn't make sense for a manual that only +describes a type, but document checkers still want that section, and +to have more than just the section title. + +=head1 RETURN VALUES + +txt + +=end comment + +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +B was added in OpenSSL 3.0 + +=head1 COPYRIGHT + +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man3/OSSL_PARAM_allocate_from_text.pod b/deps/openssl/openssl/doc/man3/OSSL_PARAM_allocate_from_text.pod index 80ba555a8feac6..e6dc2549fdb1bb 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_PARAM_allocate_from_text.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_PARAM_allocate_from_text.pod @@ -102,7 +102,7 @@ I and there was no other failure, otherwise 0. The parameter descriptor array comes from functions dedicated to return them. -The following B attributes are used: +The following L attributes are used: =over 4 
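Review bot: In the new OSSL_ITEM.pod, the HISTORY line ends "was added in OpenSSL 3.0" without a full stop, as does the one in the new OSSL_ALGORITHM.pod, while the new OSSL_DISPATCH.pod in the same patch ends it with one. Suggest making the three new pages consistent.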
diff --git a/deps/openssl/openssl/doc/man3/OSSL_PARAM_dup.pod b/deps/openssl/openssl/doc/man3/OSSL_PARAM_dup.pod index 5130c9e1dcd9c6..4ae33faf1e4e8f 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_PARAM_dup.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_PARAM_dup.pod @@ -16,8 +16,8 @@ OSSL_PARAM_dup, OSSL_PARAM_merge, OSSL_PARAM_free =head1 DESCRIPTION Algorithm parameters can be exported/imported from/to providers using arrays of -B. The following utility functions allow the parameters to be -duplicated and merged with other B to assist in this process. +L. The following utility functions allow the parameters to be +duplicated and merged with other L to assist in this process. OSSL_PARAM_dup() duplicates the parameter array I. This function does a deep copy of the data. @@ -36,7 +36,7 @@ OSSL_PARAM_dup(), OSSL_PARAM_merge() or OSSL_PARAM_BLD_to_param(). =head1 RETURN VALUES The functions OSSL_PARAM_dup() and OSSL_PARAM_merge() return a newly allocated -B array, or NULL if there was an error. If both parameters are NULL +L array, or NULL if there was an error. If both parameters are NULL then NULL is returned. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod b/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod index 9ca725d120ec2d..8864404a7a1502 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_PARAM_int.pod @@ -110,7 +110,7 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified =head1 DESCRIPTION A collection of utility functions that simplify and add type safety to the -B arrays. The following B> names are supported: +L arrays. The following B> names are supported: =over 1 @@ -161,7 +161,7 @@ unsigned long int (ulong) =back OSSL_PARAM_TYPE() are a series of macros designed to assist initialising an -array of B structures. +array of L structures. Each of these macros defines a parameter of the specified B> with the provided I and parameter variable I
. @@ -172,46 +172,46 @@ A parameter with name I is defined. The storage for this parameter is at I
and is of I bytes. OSSL_PARAM_END provides an end of parameter list marker. -This should terminate all B arrays. +This should terminate all L arrays. The OSSL_PARAM_DEFN() macro provides the ability to construct a single -B (typically used in the construction of B arrays). The +L (typically used in the construction of B arrays). The I, I, I and I arguments correspond to the I, -I, I and I fields of the B structure as +I, I and I fields of the L structure as described on the L page. -OSSL_PARAM_construct_TYPE() are a series of functions that create B +OSSL_PARAM_construct_TYPE() are a series of functions that create L records dynamically. A parameter with name I is created. The parameter will use storage pointed to by I and return size of I. OSSL_PARAM_construct_BN() is a function that constructs a large integer -B structure. +L structure. A parameter with name I, storage I, size I and return size I is created. OSSL_PARAM_construct_utf8_string() is a function that constructs a UTF8 -string B structure. +string L structure. A parameter with name I, storage I and size I is created. If I is zero, the string length is determined using strlen(3). Generally pass zero for I instead of calling strlen(3) yourself. OSSL_PARAM_construct_octet_string() is a function that constructs an OCTET -string B structure. +string L structure. A parameter with name I, storage I and size I is created. OSSL_PARAM_construct_utf8_ptr() is a function that constructs a UTF8 string -pointer B structure. +pointer L structure. A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_octet_ptr() is a function that constructs an OCTET string -pointer B structure. +pointer L structure. A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_end() is a function that constructs the terminating -B structure. +L structure. OSSL_PARAM_locate() is a function that searches an I of parameters for the one matching the I name. 
@@ -314,10 +314,10 @@ in the array I. OSSL_PARAM_construct_TYPE(), OSSL_PARAM_construct_BN(), OSSL_PARAM_construct_utf8_string(), OSSL_PARAM_construct_octet_string(), OSSL_PARAM_construct_utf8_ptr() and OSSL_PARAM_construct_octet_ptr() -return a populated B structure. +return a populated L structure. OSSL_PARAM_locate() and OSSL_PARAM_locate_const() return a pointer to -the matching B object. They return NULL on error or when +the matching L object. They return NULL on error or when no object matching I exists in the I. OSSL_PARAM_modified() returns 1 if the parameter was set and 0 otherwise. @@ -334,11 +334,11 @@ expected type of the parameter. OSSL_PARAM_get_BN() and OSSL_PARAM_set_BN() currently only support nonnegative Bs, and by consequence, only B. OSSL_PARAM_construct_BN() currently -constructs an B structure with the data type +constructs an L structure with the data type B. For OSSL_PARAM_construct_utf8_ptr() and OSSL_PARAM_consstruct_octet_ptr(), -I is not relevant if the purpose is to send the B array +I is not relevant if the purpose is to send the L array to a I, i.e. to get parameter data back. In that case, I can safely be given zero. See L for further information on the @@ -347,7 +347,7 @@ possible purposes. =head1 EXAMPLES Reusing the examples from L to just show how -B arrays can be handled using the macros and functions +L arrays can be handled using the macros and functions defined herein. =head2 Example 1 diff --git a/deps/openssl/openssl/doc/man3/OSSL_PROVIDER.pod b/deps/openssl/openssl/doc/man3/OSSL_PROVIDER.pod index 47e296c1864689..9710469e07f2c4 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_PROVIDER.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_PROVIDER.pod 
@@ -110,11 +110,10 @@ See L for more information on this fallback behaviour. OSSL_PROVIDER_gettable_params() is used to get a provider parameter -descriptor set as a constant B array. -See L for more information. +descriptor set as a constant L array. OSSL_PROVIDER_get_params() is used to get provider parameter values. -The caller must prepare the B array before calling this +The caller must prepare the L array before calling this function, and the variables acting as buffers for this parameter array should be filled with data when it returns successfully. @@ -150,7 +149,7 @@ OSSL_PROVIDER_get0_name() returns the name of the given provider. OSSL_PROVIDER_get_capabilities() provides information about the capabilities supported by the provider specified in I with the capability name I. For each capability of that name supported by the provider it -will call the callback I and supply a set of Bs describing the +will call the callback I and supply a set of Ls describing the capability. It will also pass back the argument I. For more details about capabilities and what they can be used for please see L. @@ -173,7 +172,7 @@ OSSL_PROVIDER_available() returns 1 if the named provider is available, otherwise 0. OSSL_PROVIDER_gettable_params() returns a pointer to an array -of constant B, or NULL if none is provided. +of constant L, or NULL if none is provided. OSSL_PROVIDER_get_params() and returns 1 on success, or 0 on error. diff --git a/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_new.pod b/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_new.pod index 744c82e204fea0..5fe838351908b5 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_new.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_new.pod 
@@ -36,7 +36,7 @@ OSSL_SELF_TEST_free() frees the space allocated by OSSL_SELF_TEST_new(). OSSL_SELF_TEST_onbegin() may be inserted at the start of a block of self test code. It can be used for diagnostic purposes. If this method is called the callback I will receive the following -B object. +L object. =over 4 @@ -53,7 +53,7 @@ otherwise it leaves the array unaltered. It can be used for failure testing. The I and I can be used to identify an individual self test to target for failure testing. If this method is called the callback I will receive the following -B object. +L object. =over 4 @@ -67,7 +67,7 @@ OSSL_SELF_TEST_onend() may be inserted at the end of a block of self test code just before cleanup to indicate if the test passed or failed. It can be used for diagnostic purposes. If this method is called the callback I will receive the following -B object. +L object. =over 4 @@ -82,7 +82,7 @@ After the callback I has been called the values that were set by OSSL_SELF_TEST_onbegin() for I and I are set to the value "None". If OSSL_SELF_TEST_onbegin(), OSSL_SELF_TEST_oncorrupt_byte() or -OSSL_SELF_TEST_onend() is called the following additional B are +OSSL_SELF_TEST_onend() is called the following additional L are passed to the callback. =over 4 diff --git a/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_set_callback.pod b/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_set_callback.pod index ed4f261fdc4885..9866de01849418 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_set_callback.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_SELF_TEST_set_callback.pod 
@@ -16,7 +16,7 @@ OSSL_SELF_TEST_get_callback - specify a callback for processing self tests Set or gets the optional application callback (and the callback argument) that is called during self testing. -The application callback B is associated with a B. +The application callback L is associated with a B. The application callback function receives information about a running self test, and may return a result to the calling self test. See L for further information on the callback. diff --git a/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod b/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod index a3fe7e13eed124..fe51912e84c053 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_STORE_open.pod @@ -69,7 +69,7 @@ B with all necessary internal information. The given I and I will be reused by all functions that use B when interaction is needed, for instance to provide a password. -The auxiliary B parameters in I can be set to further +The auxiliary L parameters in I can be set to further modify the store operation. The given I and I will be reused by OSSL_STORE_load() to manipulate or drop the value to be returned. diff --git a/deps/openssl/openssl/doc/man3/OSSL_trace_set_channel.pod b/deps/openssl/openssl/doc/man3/OSSL_trace_set_channel.pod index 56b02ad34fd648..3b9c64e5412f7f 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_trace_set_channel.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_trace_set_channel.pod @@ -42,6 +42,8 @@ respectively. OSSL_trace_set_channel() is used to enable the given trace C by attaching the B I object as (simple) trace channel. +On success the ownership of the BIO is transferred to the channel, +so the caller must not free it directly. OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add an extra line for each channel, to be output before and after group of 
@@ -320,7 +322,7 @@ in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_sign.pod b/deps/openssl/openssl/doc/man3/RSA_sign.pod index 1917d977849282..e883caf7682fda 100644 --- a/deps/openssl/openssl/doc/man3/RSA_sign.pod +++ b/deps/openssl/openssl/doc/man3/RSA_sign.pod @@ -46,8 +46,8 @@ B is the signer's public key. =head1 RETURN VALUES -RSA_sign() returns 1 on success. -RSA_verify() returns 1 on successful verification. +RSA_sign() returns 1 on success and 0 for failure. +RSA_verify() returns 1 on successful verification and 0 for failure. The error codes can be obtained by L. diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod index 29e4a424f7213d..71f399400c2a12 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod @@ -80,7 +80,7 @@ additional restrictions apply. All ciphers have additional requirements. ADH ciphers don't need a certificate, but DH-parameters must have been set. All other ciphers need a corresponding certificate and key. -A RSA cipher can only be chosen, when a RSA certificate is available. +An RSA cipher can only be chosen, when an RSA certificate is available. RSA ciphers using DHE need a certificate and key and additional DH-parameters (see L). diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod index 7fb8a7662923b6..14fb12cfd0f3c9 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod 
@@ -85,10 +85,10 @@ reason and return 1 on success. =head1 RETURN VALUES SSL_CTX_set_generate_session_id() and SSL_set_generate_session_id() -always return 1. +return 1 on success and 0 for failure. SSL_has_matching_session_id() returns 1 if another session with the -same id is already in the cache. +same id is already in the cache, or 0 otherwise. =head1 EXAMPLES diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod index 1bad97454a99a9..ca1827dada8a8d 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_use_certificate.pod @@ -130,7 +130,7 @@ RSA key found to B. SSL_CTX_check_private_key() checks the consistency of a private key with the corresponding certificate loaded into B. If more than one key/certificate pair (RSA/DSA) is installed, the last item installed will -be checked. If e.g. the last item was a RSA certificate or key, the RSA +be checked. If e.g. the last item was an RSA certificate or key, the RSA key/certificate pair will be checked. SSL_check_private_key() performs the same check for B. If no key/certificate was explicitly added for this B, the last item added into B will be checked. diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_use_serverinfo.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_use_serverinfo.pod index ece8744d552e4b..ebdb5c6f7ca130 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_use_serverinfo.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_use_serverinfo.pod 
@@ -59,7 +59,7 @@ SSL_SERVERINFOV2 data or "BEGIN SERVERINFO FOR " for SSL_SERVERINFOV1 data. If more than one certificate (RSA/DSA) is installed using SSL_CTX_use_certificate(), the serverinfo extension will be loaded into the -last certificate installed. If e.g. the last item was a RSA certificate, the +last certificate installed. If e.g. the last item was an RSA certificate, the loaded serverinfo extension data will be loaded for that certificate. To use the serverinfo extension for multiple certificates, SSL_CTX_use_serverinfo() needs to be called multiple times, once B diff --git a/deps/openssl/openssl/doc/man3/X509_NAME_get_index_by_NID.pod b/deps/openssl/openssl/doc/man3/X509_NAME_get_index_by_NID.pod index 5049e50c48d16b..805c5fc519fa94 100644 --- a/deps/openssl/openssl/doc/man3/X509_NAME_get_index_by_NID.pod +++ b/deps/openssl/openssl/doc/man3/X509_NAME_get_index_by_NID.pod @@ -79,7 +79,8 @@ return the index of the next matching entry or -1 if not found. X509_NAME_get_index_by_NID() can also return -2 if the supplied NID is invalid. -X509_NAME_entry_count() returns the total number of entries. +X509_NAME_entry_count() returns the total number of entries, and 0 +for failure. X509_NAME_get_entry() returns an B pointer to the requested entry or B if the index is invalid. diff --git a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod index f103b7b50f4899..d0036b38b6a6be 100644 --- a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod +++ b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod 
@@ -49,8 +49,10 @@ X509_STORE_CTX_set_error_depth() sets the error I. This can be used in combination with X509_STORE_CTX_set_error() to set the depth at which an error condition was detected. -X509_STORE_CTX_get_current_cert() returns the certificate in I which -caused the error or NULL if no certificate is relevant. +X509_STORE_CTX_get_current_cert() returns the current certificate in +I. If an error occurred, the current certificate will be the one +that is most closely related to the error, or possibly NULL if no such +certificate is relevant. X509_STORE_CTX_set_current_cert() sets the certificate I in I which caused the error. @@ -227,7 +229,7 @@ consistent with the supplied purpose. The basicConstraints path-length parameter has been exceeded. -=item B +=item B The target certificate cannot be used for the specified purpose. @@ -471,7 +473,7 @@ L. =head1 COPYRIGHT -Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 5c0ca3075b3835..75a16770229679 100644 --- a/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -90,6 +90,7 @@ X509_VERIFY_PARAM_clear_flags() clears the flags B in B. X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B to B. This determines the acceptable purpose of the certificate chain, for example B. +The purpose requirement is cleared if B is 0. X509_VERIFY_PARAM_set_trust() sets the trust setting in B to B. 
@@ -401,7 +402,7 @@ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509v3_get_ext_by_NID.pod b/deps/openssl/openssl/doc/man3/X509v3_get_ext_by_NID.pod index 9d26bfe19a7c5e..4010a71c4371a8 100644 --- a/deps/openssl/openssl/doc/man3/X509v3_get_ext_by_NID.pod +++ b/deps/openssl/openssl/doc/man3/X509v3_get_ext_by_NID.pod @@ -121,13 +121,15 @@ using X509_EXTENSION_free(). =head1 RETURN VALUES -X509v3_get_ext_count() returns the extension count. +X509v3_get_ext_count() returns the extension count or 0 for failure. X509v3_get_ext(), X509v3_delete_ext() and X509_delete_ext() return an B structure or NULL if an error occurs. -X509v3_get_ext_by_NID(), X509v3_get_ext_by_OBJ() and -X509v3_get_ext_by_critical() return the extension index or -1 if an +X509v3_get_ext_by_OBJ() and X509v3_get_ext_by_critical() return +the extension index or -1 if an error occurs. + +X509v3_get_ext_by_NID() returns the extension index or negative values if an error occurs. X509v3_add_ext() returns a STACK of extensions or NULL on error. diff --git a/deps/openssl/openssl/doc/man3/d2i_PrivateKey.pod b/deps/openssl/openssl/doc/man3/d2i_PrivateKey.pod index aac92336c3de0d..fe78d5bc6f1316 100644 --- a/deps/openssl/openssl/doc/man3/d2i_PrivateKey.pod +++ b/deps/openssl/openssl/doc/man3/d2i_PrivateKey.pod 
@@ -103,14 +103,15 @@ EC_GROUP. The d2i_PrivateKey_ex(), d2i_PrivateKey(), d2i_AutoPrivateKey_ex(), d2i_AutoPrivateKey(), d2i_PrivateKey_ex_bio(), d2i_PrivateKey_bio(), d2i_PrivateKey_ex_fp(), d2i_PrivateKey_fp(), d2i_PublicKey(), d2i_KeyParams() -and d2i_KeyParams_bio() functions return a valid B structure or NULL -if an error occurs. The error code can be obtained by calling -L. - -i2d_PrivateKey(), i2d_PrivateKey_bio(), i2d_PrivateKey_fp(), i2d_PublicKey(), -i2d_KeyParams() i2d_KeyParams_bio() return the number of bytes successfully -encoded or a negative value if an error occurs. The error code can be obtained -by calling L. +and d2i_KeyParams_bio() functions return a valid B structure or NULL if +an error occurs. The error code can be obtained by calling L. + +i2d_PrivateKey(), i2d_PublicKey() and i2d_KeyParams() return the number of +bytes successfully encoded or a negative value if an error occurs. The error +code can be obtained by calling L. + +i2d_PrivateKey_bio(), i2d_PrivateKey_fp() and i2d_KeyParams_bio() return 1 if +successfully encoded or zero if an error occurs. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man3/d2i_X509.pod b/deps/openssl/openssl/doc/man3/d2i_X509.pod index 2bb1522f05dd4b..c79a964e6d7f98 100644 --- a/deps/openssl/openssl/doc/man3/d2i_X509.pod +++ b/deps/openssl/openssl/doc/man3/d2i_X509.pod @@ -469,7 +469,7 @@ Represents an ECDSA signature. Represents an B structure as used in IETF RFC 6960 and elsewhere. -=item B +=item B Represents a B type as used for subject and issuer names in IETF RFC 6960 and elsewhere. 
@@ -588,14 +588,14 @@ fixed in future so code should not assume that B>() will always succeed. Any function which encodes a structure (B>(), -B>() or B>()) may return a stale encoding if the +B_bio>() or B_fp>()) may return a stale encoding if the structure has been modified after deserialization or previous serialization. This is because some objects cache the encoding for efficiency reasons. =head1 COPYRIGHT -Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod b/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod index 97208a92224358..d9247794fc594f 100644 --- a/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod +++ b/deps/openssl/openssl/doc/man3/i2d_re_X509_tbs.pod @@ -55,7 +55,7 @@ d2i_X509_AUX() returns a valid B structure or NULL if an error occurred. i2d_X509_AUX() returns the length of encoded data or -1 on error. i2d_re_X509_tbs(), i2d_re_X509_CRL_tbs() and i2d_re_X509_REQ_tbs() return the -length of encoded data or 0 on error. +length of encoded data or <=0 on error. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man5/fips_config.pod b/deps/openssl/openssl/doc/man5/fips_config.pod index 50eefba6ef5291..cd0012a73a1074 100644 --- a/deps/openssl/openssl/doc/man5/fips_config.pod +++ b/deps/openssl/openssl/doc/man5/fips_config.pod @@ -107,6 +107,10 @@ See L. L L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod b/deps/openssl/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod new file mode 100644 index 00000000000000..c68cad6c42f9e0 --- /dev/null +++ b/deps/openssl/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod 
@@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +EVP_ASYM_CIPHER-RSA +- RSA Asymmetric Cipher algorithm support + +=head1 DESCRIPTION + +Asymmetric Cipher support for the B key type. + +=head2 RSA Asymmetric Cipher parameters + +=over 4 + +=item "pad-mode" (B) + +The default provider understands these RSA padding modes in string form: + +=over 4 + +=item "none" (B) + +=item "oaep" (B) + +=item "pkcs1" (B) + +=item "x931" (B) + +=back + +=item "pad-mode" (B) + +The default provider understands these RSA padding modes in integer form: + +=over 4 + +=item 1 (B) + +=item 3 (B) + +=item 4 (B) + +=item 5 (B) + +=back + +See L for further details. + +=item "digest" (B) + +=item "digest-props" (B) + +=item "mgf1-digest" (B) + +=item "mgf1-digest-props" (B) + +=item "oaep-label" (B) + +=item "tls-client-version" (B) + +See B on the page L. + +=item "tls-negotiated-version" (B) + +See B on the page L. + +See L for more information. + +=back + +=head1 SEE ALSO + +L, +L, +L, +L, +L +L + +=head1 COPYRIGHT + +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/deps/openssl/openssl/doc/man7/EVP_CIPHER-AES.pod b/deps/openssl/openssl/doc/man7/EVP_CIPHER-AES.pod index b6a970b84cc187..2c790d9cbd9e55 100644 --- a/deps/openssl/openssl/doc/man7/EVP_CIPHER-AES.pod +++ b/deps/openssl/openssl/doc/man7/EVP_CIPHER-AES.pod @@ -29,8 +29,6 @@ default provider: =item "AES-192-OFB", "AES-128-OFB" and "AES-256-OFB" -=item "AES-128-SIV", "AES-192-SIV" and "AES-256-SIV" - =item "AES-128-XTS" and "AES-256-XTS" =item "AES-128-CCM", "AES-192-CCM" and "AES-256-CCM" @@ -54,6 +52,8 @@ FIPS provider: =item "AES-128-OCB", "AES-192-OCB" and "AES-256-OCB" +=item "AES-128-SIV", "AES-192-SIV" and "AES-256-SIV" + =back =head2 Parameters 
diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-HKDF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-HKDF.pod index 5ef09aed36ffde..5fc0a73241cca4 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-HKDF.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-HKDF.pod @@ -140,6 +140,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-KB.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-KB.pod index d4fad66f765457..6e25882d674c6e 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-KB.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-KB.pod @@ -157,7 +157,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-KRB5KDF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-KRB5KDF.pod index 1d71aca17b6525..014f55e7982763 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-KRB5KDF.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-KRB5KDF.pod @@ -100,7 +100,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF1.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF1.pod index ae13765211de5d..c73ad6a9ec38a3 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF1.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF1.pod @@ -68,7 +68,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF2.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF2.pod index 1392affb3ee80a..e6cadc8b826d35 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF2.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-PBKDF2.pod 
@@ -90,7 +90,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-PKCS12KDF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-PKCS12KDF.pod index 68f987b050ba97..7edde1dc9bf7f0 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -72,7 +72,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-SCRYPT.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-SCRYPT.pod index d2a1b4503afd1c..2bda54c520777e 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-SCRYPT.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-SCRYPT.pod @@ -134,6 +134,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-SS.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-SS.pod index 1c0c9d0f817198..7f158e421698ee 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-SS.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-SS.pod @@ -43,6 +43,8 @@ The supported parameters are: =item "digest" (B) +This parameter is ignored for KMAC. + =item "mac" (B) =item "maclen" (B) @@ -133,7 +135,7 @@ fixedinfo value "label", salt of "salt" and KMAC outlen of 20: EVP_KDF *kdf; EVP_KDF_CTX *kctx; unsigned char out[10]; - OSSL_PARAM params[7], *p = params; + OSSL_PARAM params[6], *p = params; kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL); kctx = EVP_KDF_CTX_new(kdf); 
@@ -141,8 +143,6 @@ fixedinfo value "label", salt of "salt" and KMAC outlen of 20: *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, SN_kmac128, strlen(SN_kmac128)); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - SN_sha256, strlen(SN_sha256)); *p++ = OSSL_PARAM_construct_octet_string(EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, @@ -173,11 +173,11 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod index 2b3c556aab9fe5..c7a3263f455ad2 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-SSHKDF.pod @@ -144,6 +144,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod index a049a7cd7e7a25..d588b121faf5a3 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod @@ -116,6 +116,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod index 9996721d3c135d..8a60e97315549c 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod 
+++ b/deps/openssl/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod @@ -98,6 +98,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-X942-ASN1.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-X942-ASN1.pod index c4abfe198d6967..a5786ab83faa8a 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-X942-ASN1.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-X942-ASN1.pod @@ -137,7 +137,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-X942-CONCAT.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-X942-CONCAT.pod index 52e84579bf500c..6b8ebff37747f9 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-X942-CONCAT.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-X942-CONCAT.pod @@ -21,7 +21,7 @@ See L for a list of supported parameters and examples. =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KDF-X963.pod b/deps/openssl/openssl/doc/man7/EVP_KDF-X963.pod index 1efda01ee08239..3d6f4372cf3122 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KDF-X963.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KDF-X963.pod @@ -94,7 +94,7 @@ L =head1 HISTORY -This functionality was added to OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/EVP_KEM-RSA.pod b/deps/openssl/openssl/doc/man7/EVP_KEM-RSA.pod index 21dc8ad3dd1855..3a89f5db39a3d3 100644 --- a/deps/openssl/openssl/doc/man7/EVP_KEM-RSA.pod +++ b/deps/openssl/openssl/doc/man7/EVP_KEM-RSA.pod @@ -54,6 +54,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/deps/openssl/openssl/doc/man7/EVP_MAC-KMAC.pod b/deps/openssl/openssl/doc/man7/EVP_MAC-KMAC.pod index 0197a4b3c12a0e..1065c166db2c8f 100644 --- a/deps/openssl/openssl/doc/man7/EVP_MAC-KMAC.pod +++ b/deps/openssl/openssl/doc/man7/EVP_MAC-KMAC.pod @@ -41,11 +41,12 @@ EVP_MAC_CTX_get_params(), or with EVP_MAC_CTX_get_block_size(). Sets the MAC key. Setting this parameter is identical to passing a I to L. +The length of the key (in bytes) must be in the range 4...512. =item "custom" (B) Sets the custom value. -It is an optional value of at most 256 bytes, and is empty by default. +It is an optional value with a length of at most 512 bytes, and is empty by default. =item "size" (B) diff --git a/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod b/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod index d9b1666b2eb804..668a024014b4ad 100644 --- a/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod +++ b/deps/openssl/openssl/doc/man7/EVP_PKEY-EC.pod @@ -79,6 +79,10 @@ Enable Cofactor DH (ECC CDH) if this value is 1, otherwise it uses normal EC DH if the value is zero. The cofactor variant multiplies the shared secret by the EC curve's cofactor (note for some curves the cofactor is 1). +See also L for the related +B parameter that can be set on a +per-operation basis. + =item "encoding" (B) Set the format used for serializing the EC group parameters. 
@@ -104,15 +108,21 @@ but is equivalent to "named-nist" for the OpenSSL FIPS provider. Setting this value to 0 indicates that the public key should not be included when encoding the private key. The default value of 1 will include the public key. -See also L for the related -B parameter that can be set on a -per-operation basis. - =item "pub" (B) -The public key value in encoded EC point format. This parameter is used -when importing or exporting the public key value with the EVP_PKEY_fromdata() -and EVP_PKEY_todata() functions. +The public key value in encoded EC point format conforming to Sec. 2.3.3 and +2.3.4 of the SECG SEC 1 ("Elliptic Curve Cryptography") standard. +This parameter is used when importing or exporting the public key value with the +EVP_PKEY_fromdata() and EVP_PKEY_todata() functions. + +Note, in particular, that the choice of point compression format used for +encoding the exported value via EVP_PKEY_todata() depends on the underlying +provider implementation. +Before OpenSSL 3.0.8, the implementation of providers included with OpenSSL always +opted for an encoding in compressed format, unconditionally. +Since OpenSSL 3.0.8, the implementation has been changed to honor the +B parameter, if set, or to default +to uncompressed format. =item "priv" (B) diff --git a/deps/openssl/openssl/doc/man7/EVP_PKEY-RSA.pod b/deps/openssl/openssl/doc/man7/EVP_PKEY-RSA.pod index f102d8e1c0c77f..f1141a364b8616 100644 --- a/deps/openssl/openssl/doc/man7/EVP_PKEY-RSA.pod +++ b/deps/openssl/openssl/doc/man7/EVP_PKEY-RSA.pod 
@@ -23,15 +23,18 @@ supports the following. =item "n" (B) -The RSA "n" value. +The RSA modulus "n" value. =item "e" (B) -The RSA "e" value. +The RSA public exponent "e" value. +This value must always be set when creating a raw key using L. +Note that when a decryption operation is performed, that this value is used for +blinding purposes to prevent timing attacks. =item "d" (B) -The RSA "d" value. +The RSA private exponent "d" value. =item "rsa-factor1" (B) @@ -261,7 +264,7 @@ L, L, L, L =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod b/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod index a70015345b7edd..a5527cee3f872e 100644 --- a/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/deps/openssl/openssl/doc/man7/EVP_RAND-TEST-RAND.pod @@ -100,6 +100,10 @@ A context for a test generator can be obtained by calling: L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod index 75f20122ef0a7b..58008ae59f1986 100644 --- a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -88,7 +88,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: =item TLS13-KDF, see L -=item SSKDF, see L +=item SSKDF, see L =item PBKDF2, see L @@ -96,7 +96,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: =item TLS1-PRF, see L -=item KBKDF, see L +=item KBKDF, see L =item X942KDF-ASN1, see L 
@@ -124,8 +124,6 @@ The OpenSSL FIPS provider supports these operations and algorithms: =over 4 -=item DSA, see L - =item RSA, see L =item X25519, see L @@ -142,7 +140,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: =over 4 -=item RSA, see L +=item RSA, see L =back @@ -407,7 +405,7 @@ L =head1 HISTORY -The type and functions described here were added in OpenSSL 3.0. +This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-base.pod b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-base.pod index 06b608be60e621..c51adbde1e97de 100644 --- a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-base.pod +++ b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-base.pod @@ -84,6 +84,10 @@ provider. L, L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-default.pod b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-default.pod index 7bb4617c05a848..43ba0ef02d526e 100644 --- a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-default.pod +++ b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-default.pod @@ -247,6 +247,8 @@ L The RIPEMD160 digest was added to the default provider in OpenSSL 3.0.7. +All other functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-legacy.pod b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-legacy.pod index d2fdfe3676c9ee..f10827de7baa96 100644 --- a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-legacy.pod +++ b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-legacy.pod @@ -115,6 +115,10 @@ L, L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-null.pod b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-null.pod index 10ce5844f1d38f..618ca1df1892a6 100644 --- a/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-null.pod +++ b/deps/openssl/openssl/doc/man7/OSSL_PROVIDER-null.pod @@ -23,6 +23,10 @@ The OpenSSL null provider supports no operations and algorithms. L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/man7/crypto.pod b/deps/openssl/openssl/doc/man7/crypto.pod index d6c80fbf754de2..59c60e4b5f92a6 100644 --- a/deps/openssl/openssl/doc/man7/crypto.pod +++ b/deps/openssl/openssl/doc/man7/crypto.pod @@ -367,7 +367,7 @@ Most of these follow a common pattern. A "context" object is first created. For example for a digest operation you would use an B, and for an encryption/decryption operation you would use an B. The operation is then initialised ready for use via an "init" function - optionally -passing in a set of parameters (using the B type) to configure how +passing in a set of parameters (using the L type) to configure how the operation should behave. Next data is fed into the operation in a series of "update" calls. The operation is finalised using a "final" call which will typically provide some kind of output. Finally the context is cleaned up and diff --git a/deps/openssl/openssl/doc/man7/fips_module.pod b/deps/openssl/openssl/doc/man7/fips_module.pod index 3736aa1daedaf8..b1d67ca61b43d9 100644 --- a/deps/openssl/openssl/doc/man7/fips_module.pod +++ b/deps/openssl/openssl/doc/man7/fips_module.pod @@ -460,6 +460,11 @@ L. L, L, L +=head1 HISTORY + +The FIPS module guide was created for use with the new FIPS provider +in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/deps/openssl/openssl/doc/man7/migration_guide.pod b/deps/openssl/openssl/doc/man7/migration_guide.pod index c2d885d49253b0..a234147f46a0c2 100644 --- a/deps/openssl/openssl/doc/man7/migration_guide.pod +++ b/deps/openssl/openssl/doc/man7/migration_guide.pod @@ -472,6 +472,14 @@ The function code part of the error code is now always set to 0. For that reason the ERR_GET_FUNC() macro was removed. Applications must resolve the error codes only using the library number and the reason code. +=head4 ChaCha20-Poly1305 cipher does not allow a truncated IV length to be used + +In OpenSSL 3.0 setting the IV length to any value other than 12 will result in an +error. +Prior to OpenSSL 3.0 the ivlen could be smaller that the required 12 byte length, +using EVP_CIPHER_CTX_ctrl(ctx, EVP_CRTL_AEAD_SET_IVLEN, ivlen, NULL). This resulted +in an IV that had leading zero padding. + =head2 Installation and Compilation Please refer to the INSTALL.md file in the top of the distribution for @@ -957,7 +965,7 @@ See also L. Implicit and Explicit Fetching is described in detail here L. -=head3 Mapping EVP controls and flags to provider B parameters +=head3 Mapping EVP controls and flags to provider L parameters The existing functions for controls (such as L) and manipulating flags (such as L)internally use @@ -1074,7 +1082,8 @@ See L, L, L, L, L, L, L and L for additional information. -Note that the one-shot method HMAC() is still available for compatability purposes. +Note that the one-shot method HMAC() is still available for compatibility purposes, +but this can also be replaced by using EVP_Q_MAC if a library context is required. =head4 Deprecated low-level validation functions @@ -1459,7 +1468,7 @@ See L. ECDH_KDF_X9_62() Applications may either set this using the helper function -L or by setting an B using the +L or by setting an L using the "kdf-type" as shown in L =item * 
@@ -2407,9 +2416,13 @@ options of the commands. L +=head1 HISTORY + +The migration guide was created for OpenSSL 3.0. + =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/openssl-core.h.pod b/deps/openssl/openssl/doc/man7/openssl-core.h.pod index 3d1eca3e649ab9..568bf397b4a7b2 100644 --- a/deps/openssl/openssl/doc/man7/openssl-core.h.pod +++ b/deps/openssl/openssl/doc/man7/openssl-core.h.pod 
@@ -20,95 +20,17 @@ The types are: =over 4 -=item B +=item L -This type is a tuple of function identity and function pointer. -Arrays of this type are passed between the OpenSSL libraries and the -providers to describe what functionality one side provides to the -other. -Arrays of this type must be terminated with a tuple having function -identity zero and function pointer NULL. +=item L -The available function identities and corresponding function -signatures are defined in L. +=item L -Any function identity not recognised by the recipient of this type -will be ignored. -This ensures that providers built with one OpenSSL version in mind -will work together with any other OpenSSL version that supports this -mechanism. +=item L -=item B +=item L -This type is a tuple of integer and pointer. -It's a generic type used as a generic descriptor, its exact meaning -being defined by how it's used. -Arrays of this type are passed between the OpenSSL libraries and the -providers, and must be terminated with a tuple where the integer is -zero and the pointer NULL. - -=item B - -This type is a tuple of an algorithm name (string), a property -definition (string) and a dispatch table (array of B). -Arrays of this type are passed on demand from the providers to the -OpenSSL libraries to describe what algorithms the providers provide -implementations of, and with what properties. -Arrays of this type must be terminated with a tuple having function -identity zero and function pointer NULL. - -The algorithm names and property definitions are defined by the -providers. - -The OpenSSL libraries use the first of the algorithm names as the main -or canonical name, on a per algorithm implementation basis. - -=item B - -This type is a structure that allows passing arbitrary object data -between two parties that have no or very little shared knowledge about -their respective internal structures for that object. 
-It's normally passed in arrays, where the array is terminated with an -element where all fields are zero (for non-pointers) or NULL (for -pointers). - -These arrays can be used to set parameters for some object, to request -parameters, and to describe parameters. - -B is further described in L - -=item B - -This is a function type for a generic feedback callback function: - - typedef int (OSSL_CALLBACK)(const OSSL_PARAM params[], void *arg); - -A function that takes a pointer of this type should also take a -pointer to caller data. When calling this callback, the function is -expected to build an B array of data it wants or is -expected to pass back, and pass that as I, as well as -the caller data pointer it received, as I. - -=item B - -This is a function type for a generic pass phrase callback function: - - typedef int (OSSL_PASSPHRASE_CALLBACK)(char *pass, size_t pass_size, - size_t *pass_len, - const OSSL_PARAM params[], - void *arg); - -This callback can be used to prompt the user for a passphrase. When -calling it, a buffer to store the pass phrase needs to be given with -I, and its size with I. The length of the prompted -pass phrase will be given back in I<*pass_len>. - -Additional parameters can be passed with the B array -I. - -A function that takes a pointer of this type should also take a -pointer to caller data, which should be passed as I to this -callback. +=item L =back diff --git a/deps/openssl/openssl/doc/man7/property.pod b/deps/openssl/openssl/doc/man7/property.pod index 7b89d1823b0382..eb0f6b176ccb9a 100644 --- a/deps/openssl/openssl/doc/man7/property.pod +++ b/deps/openssl/openssl/doc/man7/property.pod 
@@ -154,9 +154,12 @@ The lexical syntax in EBNF is given by: Value ::= NumberLiteral | StringLiteral StringLiteral ::= QuotedString | UnquotedString QuotedString ::= '"' [^"]* '"' | "'" [^']* "'" - UnquotedString ::= [^{space},]+ + UnquotedString ::= [A-Za-z] [^{space},]+ NumberLiteral ::= '0' ( [0-7]* | 'x' [0-9A-Fa-f]+ ) | '-'? [1-9] [0-9]+ - PropertyName ::= [A-Z] [A-Z0-9_]* ( '.' [A-Z] [A-Z0-9_]* )* + PropertyName ::= [A-Za-z] [A-Za-z0-9_]* ( '.' [A-Za-z] [A-Za-z0-9_]* )* + +The flavour of EBNF being used is defined by: +L. =head1 HISTORY @@ -164,7 +167,7 @@ Properties were added in OpenSSL 3.0 =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/provider-asym_cipher.pod b/deps/openssl/openssl/doc/man7/provider-asym_cipher.pod index 99207b4e652b61..ac3f6271969dee 100644 --- a/deps/openssl/openssl/doc/man7/provider-asym_cipher.pod +++ b/deps/openssl/openssl/doc/man7/provider-asym_cipher.pod @@ -54,14 +54,14 @@ L and other related functions). All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_asym_cipher_newctx() has these: 
@@ -69,7 +69,7 @@ For example, the "function" OSSL_FUNC_asym_cipher_newctx() has these: static ossl_inline OSSL_FUNC_asym_cipher_newctx_fn OSSL_FUNC_asym_cipher_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_asym_cipher_newctx OSSL_FUNC_ASYM_CIPHER_NEWCTX @@ -187,14 +187,10 @@ algorithms: =over 4 -=item "pad-mode" (B) +=item "pad-mode" (B) OR The type of padding to be used. The interpretation of this value will depend -on the algorithm in use. The default provider understands these RSA padding -modes: 1 (RSA_PKCS1_PADDING), 3 (RSA_NO_PADDING), -4 (RSA_PKCS1_OAEP_PADDING), 5 (RSA_X931_PADDING), 6 (RSA_PKCS1_PSS_PADDING) and -7 (RSA_PKCS1_WITH_TLS_PADDING). See L for -further details. +on the algorithm in use. =item "digest" (B) @@ -223,27 +219,28 @@ is in use. Gets or sets the properties to use when fetching the MGF1 digest algorithm. +=item "oaep-label" (B) + +Gets the OAEP label used when OAEP padding is in use. + =item "oaep-label" (B) -Gets or sets the OAEP label used when OAEP padding is in use. +Sets the OAEP label used when OAEP padding is in use. =item "tls-client-version" (B) -The TLS protocol version first requested by the client. See -B on the page L. +The TLS protocol version first requested by the client. =item "tls-negotiated-version" (B) -The negotiated TLS protocol version. See -B on the page L. +The negotiated TLS protocol version. =back OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() -get a constant B array that describes the gettable and settable +get a constant L array that describes the gettable and settable parameters, i.e. parameters that can be used with OSSL_FUNC_asym_cipherget_ctx_params() and OSSL_FUNC_asym_cipher_set_ctx_params() respectively. -See L for the use of B as parameter descriptor. =head1 RETURN VALUES 
diff --git a/deps/openssl/openssl/doc/man7/provider-base.pod b/deps/openssl/openssl/doc/man7/provider-base.pod index 977f8566feb0dd..c587e0e529b63e 100644 --- a/deps/openssl/openssl/doc/man7/provider-base.pod +++ b/deps/openssl/openssl/doc/man7/provider-base.pod @@ -116,13 +116,13 @@ provider-base =head1 DESCRIPTION All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays, in the call +F and the provider in L arrays, in the call of the provider initialization function. See L for a description of the initialization function. They are known as "upcalls". All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from a B element named +function pointer from a L element named B. For example, the "function" core_gettable_params() has these: @@ -131,10 +131,10 @@ For example, the "function" core_gettable_params() has these: static ossl_inline OSSL_NAME_core_gettable_params_fn OSSL_FUNC_core_gettable_params(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: -For I (the B array passed from F to the +For I (the L array passed from F to the provider): core_gettable_params OSSL_FUNC_CORE_GETTABLE_PARAMS @@ -182,7 +182,7 @@ provider): provider_up_ref OSSL_FUNC_PROVIDER_UP_REF provider_free OSSL_FUNC_PROVIDER_FREE -For I<*out> (the B array passed from the provider to +For I<*out> (the L array passed from the provider to F): provider_teardown OSSL_FUNC_PROVIDER_TEARDOWN @@ -197,7 +197,7 @@ F): =head2 Core functions core_gettable_params() returns a constant array of descriptor -B, for parameters that core_get_params() can handle. +L, for parameters that core_get_params() can handle. core_get_params() retrieves parameters from the core for the given I. See L below for a description of currently known 
@@ -290,7 +290,7 @@ BIO_new_file(), BIO_new_mem_buf(), BIO_read_ex(), BIO_write_ex(), BIO_up_ref(), BIO_free(), BIO_vprintf(), BIO_vsnprintf(), BIO_gets(), BIO_puts(), BIO_ctrl(), OPENSSL_cleanse() and OPENSSL_hexstr2buf() correspond exactly to the public functions with -the same name. As a matter of fact, the pointers in the B +the same name. As a matter of fact, the pointers in the L array are typically direct pointers to those public functions. Note that the BIO functions take an B type rather than the standard B type. This is to ensure that a provider does not mix BIOs from the core @@ -372,13 +372,13 @@ from the core's provider store. It must free the passed I. provider_gettable_params() should return a constant array of -descriptor B, for parameters that provider_get_params() +descriptor L, for parameters that provider_get_params() can handle. -provider_get_params() should process the B array +provider_get_params() should process the L array I, setting the values of the parameters it understands. -provider_query_operation() should return a constant B +provider_query_operation() should return a constant L that corresponds to the given I. It should indicate if the core may store a reference to this array by setting I<*no_store> to 0 (core may store a reference) or 1 (core may 
@@ -389,13 +389,13 @@ provider_query_operation() is no longer directly required and that the function pointers have been copied. The I should match that passed to provider_query_operation() and I should be its return value. -provider_get_reason_strings() should return a constant B +provider_get_reason_strings() should return a constant L array that provides reason strings for reason codes the provider may use when reporting errors using core_put_error(). The provider_get_capabilities() function should call the callback I passing -it a set of Bs and the caller supplied argument I. The -Bs should provide details about the capability with the name given +it a set of Ls and the caller supplied argument I. The +Ls should provide details about the capability with the name given in the I argument relevant for the provider context I. If a provider supports multiple capabilities with the given name then it may call the callback multiple times (one for each capability). Capabilities can be useful for diff --git a/deps/openssl/openssl/doc/man7/provider-cipher.pod b/deps/openssl/openssl/doc/man7/provider-cipher.pod index 712c30511cd76e..1faf698107befa 100644 --- a/deps/openssl/openssl/doc/man7/provider-cipher.pod +++ b/deps/openssl/openssl/doc/man7/provider-cipher.pod @@ -63,14 +63,14 @@ L and L (as well as the decrypt equivalents and other related functions). All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_cipher_newctx() has these: 
@@ -78,7 +78,7 @@ For example, the "function" OSSL_FUNC_cipher_newctx() has these: static ossl_inline OSSL_FUNC_cipher_newctx_fn OSSL_FUNC_cipher_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_cipher_newctx OSSL_FUNC_CIPHER_NEWCTX @@ -193,7 +193,7 @@ the given provider side cipher context I and stores them in I. Passing NULL for I should return true. OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params(), -and OSSL_FUNC_cipher_settable_ctx_params() all return constant B +and OSSL_FUNC_cipher_settable_ctx_params() all return constant L arrays as descriptors of the parameters that OSSL_FUNC_cipher_get_params(), OSSL_FUNC_cipher_get_ctx_params(), and OSSL_FUNC_cipher_set_ctx_params() can handle, respectively. OSSL_FUNC_cipher_gettable_ctx_params() and @@ -217,7 +217,7 @@ OSSL_FUNC_cipher_get_ctx_params() and OSSL_FUNC_cipher_set_ctx_params() should r success or 0 on error. OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params() and -OSSL_FUNC_cipher_settable_ctx_params() should return a constant B +OSSL_FUNC_cipher_settable_ctx_params() should return a constant L array, or NULL if none is offered. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man7/provider-decoder.pod b/deps/openssl/openssl/doc/man7/provider-decoder.pod index 2ac56cf1d125c0..f279955a6088cc 100644 --- a/deps/openssl/openssl/doc/man7/provider-decoder.pod +++ b/deps/openssl/openssl/doc/man7/provider-decoder.pod 
@@ -50,7 +50,7 @@ object reference or intermediate decoded data from an encoded form read from the given B. If the caller wants to decode data from memory, it should provide a L B. The decoded data or object reference is passed along with eventual metadata -to the I as B parameters. +to the I as L parameters. The decoder doesn't need to know more about the B pointer than being able to pass it to the appropriate BIO upcalls (see @@ -67,14 +67,14 @@ that object into a different provider the OSSL_FUNC_decoder_export_object() can be called as the final step of the decoding process. All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_decoder_decode() has these: @@ -86,7 +86,7 @@ For example, the "function" OSSL_FUNC_decoder_decode() has these: static ossl_inline OSSL_FUNC_decoder_decode_fn OSSL_FUNC_decoder_decode(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_decoder_get_params OSSL_FUNC_DECODER_GET_PARAMS @@ -202,7 +202,7 @@ from I that it recognises. Unrecognised parameters should be ignored. Passing NULL for I should return true. -OSSL_FUNC_decoder_settable_ctx_params() returns a constant B +OSSL_FUNC_decoder_settable_ctx_params() returns a constant L array describing the parameters that OSSL_FUNC_decoder_set_ctx_params() can handle. 
@@ -217,18 +217,18 @@ exporting the object into that foreign provider if the foreign provider supports the type of the object and provides an import function. OSSL_FUNC_decoder_export_object() should export the object of size I -referenced by I as an B array and pass that into the +referenced by I as an L array and pass that into the I as well as the given I. =head2 Decoding functions OSSL_FUNC_decoder_decode() should decode the data as read from the B I to produce decoded data or an object to be -passed as reference in an B array along with possible other -metadata that was decoded from the input. This B array is +passed as reference in an L array along with possible other +metadata that was decoded from the input. This L array is then passed to the I callback. The I bits, if relevant, should determine what the input data should contain. -The decoding functions also take an B function +The decoding functions also take an L function pointer along with a pointer to application data I, which should be used when a pass phrase prompt is needed. @@ -284,7 +284,7 @@ OSSL_FUNC_decoder_set_ctx_params() returns 1, unless a recognised parameter was invalid or caused an error, for which 0 is returned. OSSL_FUNC_decoder_settable_ctx_params() returns a pointer to an array of -constant B elements. +constant L elements. OSSL_FUNC_decoder_does_selection() returns 1 if the decoder implementation supports any of the I bits, otherwise 0. diff --git a/deps/openssl/openssl/doc/man7/provider-digest.pod b/deps/openssl/openssl/doc/man7/provider-digest.pod index 41caf0a1b19d1e..c96dfe396676c6 100644 --- a/deps/openssl/openssl/doc/man7/provider-digest.pod +++ b/deps/openssl/openssl/doc/man7/provider-digest.pod 
@@ -55,14 +55,14 @@ them available to applications via the API functions L, L and L (and other related functions). All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_digest_newctx() has these: @@ -70,7 +70,7 @@ For example, the "function" OSSL_FUNC_digest_newctx() has these: static ossl_inline OSSL_FUNC_digest_newctx_fn OSSL_FUNC_digest_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_digest_newctx OSSL_FUNC_DIGEST_NEWCTX @@ -158,13 +158,13 @@ OSSL_FUNC_digest_get_ctx_params() gets digest operation details details from the given provider side digest context I and stores them in I. Passing NULL for I should return true. -OSSL_FUNC_digest_gettable_params() returns a constant B array +OSSL_FUNC_digest_gettable_params() returns a constant L array containing descriptors of the parameters that OSSL_FUNC_digest_get_params() can handle. OSSL_FUNC_digest_gettable_ctx_params() and OSSL_FUNC_digest_settable_ctx_params() both return constant -B arrays as descriptors of the parameters that +L arrays as descriptors of the parameters that OSSL_FUNC_digest_get_ctx_params() and OSSL_FUNC_digest_set_ctx_params() can handle, respectively. The array is based on the current state of the provider side context if I is not NULL and on the provider 
diff --git a/deps/openssl/openssl/doc/man7/provider-encoder.pod b/deps/openssl/openssl/doc/man7/provider-encoder.pod index 274f1456ec9e28..f3e9ce5b163276 100644 --- a/deps/openssl/openssl/doc/man7/provider-encoder.pod +++ b/deps/openssl/openssl/doc/man7/provider-encoder.pod @@ -83,14 +83,14 @@ with provider data coming from the same provider, for example keys with the L provider. All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_encoder_encode() has these: @@ -103,7 +103,7 @@ For example, the "function" OSSL_FUNC_encoder_encode() has these: static ossl_inline OSSL_FUNC_encoder_encode_fn OSSL_FUNC_encoder_encode(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_encoder_get_params OSSL_FUNC_ENCODER_GET_PARAMS @@ -213,7 +213,7 @@ from I that it recognises. Unrecognised parameters should be ignored. Passing NULL for I should return true. -OSSL_FUNC_encoder_settable_ctx_params() returns a constant B +OSSL_FUNC_encoder_settable_ctx_params() returns a constant L array describing the parameters that OSSL_FUNC_encoder_set_ctx_params() can handle. 
@@ -242,7 +242,7 @@ OSSL_FUNC_encoder_encode() should take a provider-native object (in I) or an object abstraction (in I), and should output the object in encoded form to the B. The I bits, if relevant, should determine in greater detail what will be output. -The encoding functions also take an B function +The encoding functions also take an L function pointer along with a pointer to application data I, which should be used when a pass phrase prompt is needed. @@ -304,7 +304,7 @@ OSSL_FUNC_encoder_set_ctx_params() returns 1, unless a recognised parameter was invalid or caused an error, for which 0 is returned. OSSL_FUNC_encoder_settable_ctx_params() returns a pointer to an array of -constant B elements. +constant L elements. OSSL_FUNC_encoder_does_selection() returns 1 if the encoder implementation supports any of the I bits, otherwise 0. diff --git a/deps/openssl/openssl/doc/man7/provider-kdf.pod b/deps/openssl/openssl/doc/man7/provider-kdf.pod index 6cd76d889ea85b..ad80869ebea7c3 100644 --- a/deps/openssl/openssl/doc/man7/provider-kdf.pod +++ b/deps/openssl/openssl/doc/man7/provider-kdf.pod @@ -47,14 +47,14 @@ them available to applications via the API functions L, and L. All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_kdf_newctx() has these: 
@@ -62,7 +62,7 @@ For example, the "function" OSSL_FUNC_kdf_newctx() has these: static ossl_inline OSSL_FUNC_kdf_newctx_fn OSSL_FUNC_kdf_newctx(const OSSL_DISPATCH *opf); -B array entries are identified by numbers that are provided as +L array entries are identified by numbers that are provided as macros in L, as follows: OSSL_FUNC_kdf_newctx OSSL_FUNC_KDF_NEWCTX @@ -134,7 +134,7 @@ with the given provider side KDF context I and stores them in I. Passing NULL for I should return true. OSSL_FUNC_kdf_gettable_params(), OSSL_FUNC_kdf_gettable_ctx_params(), -and OSSL_FUNC_kdf_settable_ctx_params() all return constant B +and OSSL_FUNC_kdf_settable_ctx_params() all return constant L arrays as descriptors of the parameters that OSSL_FUNC_kdf_get_params(), OSSL_FUNC_kdf_get_ctx_params(), and OSSL_FUNC_kdf_set_ctx_params() can handle, respectively. OSSL_FUNC_kdf_gettable_ctx_params() and @@ -330,7 +330,7 @@ OSSL_FUNC_kdf_get_ctx_params() and OSSL_FUNC_kdf_set_ctx_params() should return success or 0 on error. OSSL_FUNC_kdf_gettable_params(), OSSL_FUNC_kdf_gettable_ctx_params() and -OSSL_FUNC_kdf_settable_ctx_params() should return a constant B +OSSL_FUNC_kdf_settable_ctx_params() should return a constant L array, or NULL if none is offered. =head1 NOTES diff --git a/deps/openssl/openssl/doc/man7/provider-kem.pod b/deps/openssl/openssl/doc/man7/provider-kem.pod index f7476e5e9d6159..8436a7f25e3f08 100644 --- a/deps/openssl/openssl/doc/man7/provider-kem.pod +++ b/deps/openssl/openssl/doc/man7/provider-kem.pod 
@@ -50,14 +50,14 @@ via the API functions L, L and other related functions. All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_kem_newctx() has these: @@ -65,7 +65,7 @@ For example, the "function" OSSL_FUNC_kem_newctx() has these: static ossl_inline OSSL_FUNC_kem_newctx_fn OSSL_FUNC_kem_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_kem_newctx OSSL_FUNC_KEM_NEWCTX @@ -181,10 +181,9 @@ Passing NULL for I should return true. No parameters are currently recognised by built-in asymmetric kem algorithms. OSSL_FUNC_kem_gettable_ctx_params() and OSSL_FUNC_kem_settable_ctx_params() -get a constant B array that describes the gettable and settable +get a constant L array that describes the gettable and settable parameters, i.e. parameters that can be used with OSSL_FUNC_kem_get_ctx_params() and OSSL_FUNC_kem_set_ctx_params() respectively. -See L for the use of B as parameter descriptor. =head1 RETURN VALUES diff --git a/deps/openssl/openssl/doc/man7/provider-keyexch.pod b/deps/openssl/openssl/doc/man7/provider-keyexch.pod index 48d27988f5394a..9e146d31c719bf 100644 --- a/deps/openssl/openssl/doc/man7/provider-keyexch.pod +++ b/deps/openssl/openssl/doc/man7/provider-keyexch.pod 
@@ -48,14 +48,14 @@ L and other related functions). All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_keyexch_newctx() has these: @@ -63,7 +63,7 @@ For example, the "function" OSSL_FUNC_keyexch_newctx() has these: static ossl_inline OSSL_FUNC_keyexch_newctx_fn OSSL_FUNC_keyexch_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_keyexch_newctx OSSL_FUNC_KEYEXCH_NEWCTX @@ -146,17 +146,16 @@ given provider side key exchange context I into I, see L. Passing NULL for I should return true. -OSSL_FUNC_keyexch_settable_ctx_params() yields a constant B array that +OSSL_FUNC_keyexch_settable_ctx_params() yields a constant L array that describes the settable parameters, i.e. parameters that can be used with OP_signature_set_ctx_params(). If OSSL_FUNC_keyexch_settable_ctx_params() is present, OSSL_FUNC_keyexch_set_ctx_params() must also be present, and vice versa. -Similarly, OSSL_FUNC_keyexch_gettable_ctx_params() yields a constant B +Similarly, OSSL_FUNC_keyexch_gettable_ctx_params() yields a constant L array that describes the gettable parameters, i.e. parameters that can be handled by OP_signature_get_ctx_params(). If OSSL_FUNC_keyexch_gettable_ctx_params() is present, OSSL_FUNC_keyexch_get_ctx_params() must also be present, and vice versa. -See L for the use of B as parameter descriptor. Notice that not all settable parameters are also gettable, and vice versa. 
@@ -217,7 +216,7 @@ OSSL_FUNC_keyexch_set_params(), and OSSL_FUNC_keyexch_get_params() should return or 0 on error. OSSL_FUNC_keyexch_settable_ctx_params() and OSSL_FUNC_keyexch_gettable_ctx_params() should -always return a constant B array. +always return a constant L array. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man7/provider-keymgmt.pod b/deps/openssl/openssl/doc/man7/provider-keymgmt.pod index 0c38f336c0b2c4..be3a65e3197828 100644 --- a/deps/openssl/openssl/doc/man7/provider-keymgmt.pod +++ b/deps/openssl/openssl/doc/man7/provider-keymgmt.pod @@ -72,14 +72,14 @@ The primary responsibility of the KEYMGMT operation is to hold the provider side key data for the OpenSSL library EVP_PKEY structure. All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from a B element named +function pointer from a L element named B. For example, the "function" OSSL_FUNC_keymgmt_new() has these: @@ -87,7 +87,7 @@ For example, the "function" OSSL_FUNC_keymgmt_new() has these: static ossl_inline OSSL_FUNC_keymgmt_new_fn OSSL_FUNC_keymgmt_new(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_keymgmt_new OSSL_FUNC_KEYMGMT_NEW 
@@ -236,7 +236,7 @@ OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters from I in the key object generation context I. OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() +descriptor L, for parameters that OSSL_FUNC_keymgmt_gen_set_params() can handle. OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and @@ -264,7 +264,7 @@ OSSL_FUNC_keymgmt_get_params() should extract information data associated with the given I, see L. OSSL_FUNC_keymgmt_gettable_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_keymgmt_get_params() +descriptor L, for parameters that OSSL_FUNC_keymgmt_get_params() can handle. If OSSL_FUNC_keymgmt_gettable_params() is present, OSSL_FUNC_keymgmt_get_params() @@ -274,7 +274,7 @@ OSSL_FUNC_keymgmt_set_params() should update information data associated with the given I, see L. OSSL_FUNC_keymgmt_settable_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_keymgmt_set_params() +descriptor L, for parameters that OSSL_FUNC_keymgmt_set_params() can handle. If OSSL_FUNC_keymgmt_settable_params() is present, OSSL_FUNC_keymgmt_set_params() 
@@ -323,18 +323,18 @@ by the implementation of this function. =head2 Key Object Import, Export and Duplication Functions OSSL_FUNC_keymgmt_import() should import data indicated by I into -I with values taken from the B array I. +I with values taken from the L array I. OSSL_FUNC_keymgmt_export() should extract values indicated by I -from I, create an B array with them and call +from I, create an L array with them and call I with that array as well as the given I. OSSL_FUNC_keymgmt_import_types() should return a constant array of descriptor -B for data indicated by I, for parameters that +L for data indicated by I, for parameters that OSSL_FUNC_keymgmt_import() can handle. OSSL_FUNC_keymgmt_export_types() should return a constant array of descriptor -B for data indicated by I, that the +L for data indicated by I, that the OSSL_FUNC_keymgmt_export() callback can expect to receive. OSSL_FUNC_keymgmt_dup() should duplicate data subsets indicated by @@ -397,7 +397,7 @@ applies. OSSL_FUNC_keymgmt_gettable_params() and OSSL_FUNC_keymgmt_settable_params() OSSL_FUNC_keymgmt_import_types(), OSSL_FUNC_keymgmt_export_types() should -always return a constant B array. +always return a constant L array. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man7/provider-mac.pod b/deps/openssl/openssl/doc/man7/provider-mac.pod index bb6b3d5b68e73e..a90bf15948b494 100644 --- a/deps/openssl/openssl/doc/man7/provider-mac.pod +++ b/deps/openssl/openssl/doc/man7/provider-mac.pod 
@@ -48,14 +48,14 @@ them available to applications via the API functions L, L and L. All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_mac_newctx() has these: @@ -63,7 +63,7 @@ For example, the "function" OSSL_FUNC_mac_newctx() has these: static ossl_inline OSSL_FUNC_mac_newctx_fn OSSL_FUNC_mac_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_mac_newctx OSSL_FUNC_MAC_NEWCTX @@ -145,7 +145,7 @@ in I. Passing NULL for I should return true. OSSL_FUNC_mac_gettable_params(), OSSL_FUNC_mac_gettable_ctx_params(), -and OSSL_FUNC_mac_settable_ctx_params() all return constant B +and OSSL_FUNC_mac_settable_ctx_params() all return constant L arrays as descriptors of the parameters that OSSL_FUNC_mac_get_params(), OSSL_FUNC_mac_get_ctx_params(), and OSSL_FUNC_mac_set_ctx_params() can handle, respectively. OSSL_FUNC_mac_gettable_ctx_params() and @@ -209,7 +209,7 @@ OSSL_FUNC_mac_get_ctx_params() and OSSL_FUNC_mac_set_ctx_params() should return success or 0 on error. OSSL_FUNC_mac_gettable_params(), OSSL_FUNC_mac_gettable_ctx_params() and -OSSL_FUNC_mac_settable_ctx_params() should return a constant B +OSSL_FUNC_mac_settable_ctx_params() should return a constant L array, or NULL if none is offered. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/man7/provider-rand.pod b/deps/openssl/openssl/doc/man7/provider-rand.pod index 951f483b60ab01..e115d845dcd908 100644 
--- a/deps/openssl/openssl/doc/man7/provider-rand.pod +++ b/deps/openssl/openssl/doc/man7/provider-rand.pod @@ -168,7 +168,7 @@ in I. Passing NULL for I should return true. OSSL_FUNC_rand_gettable_params(), OSSL_FUNC_rand_gettable_ctx_params(), -and OSSL_FUNC_rand_settable_ctx_params() all return constant B +and OSSL_FUNC_rand_settable_ctx_params() all return constant L arrays as descriptors of the parameters that OSSL_FUNC_rand_get_params(), OSSL_FUNC_rand_get_ctx_params(), and OSSL_FUNC_rand_set_ctx_params() can handle, respectively. OSSL_FUNC_rand_gettable_ctx_params() @@ -262,7 +262,7 @@ OSSL_FUNC_rand_newctx() should return the newly created provider side rand context, or NULL on failure. OSSL_FUNC_rand_gettable_params(), OSSL_FUNC_rand_gettable_ctx_params() and -OSSL_FUNC_rand_settable_ctx_params() should return a constant B +OSSL_FUNC_rand_settable_ctx_params() should return a constant L array, or NULL if none is offered. OSSL_FUNC_rand_nonce() returns the size of the generated nonce, or 0 on error. diff --git a/deps/openssl/openssl/doc/man7/provider-signature.pod b/deps/openssl/openssl/doc/man7/provider-signature.pod index 30de3d865529e1..fa38be1b16da64 100644 --- a/deps/openssl/openssl/doc/man7/provider-signature.pod +++ b/deps/openssl/openssl/doc/man7/provider-signature.pod @@ -93,14 +93,14 @@ and L (as well as other related functions). All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the -function pointer from an B element named +function pointer from an L element named B. For example, the "function" OSSL_FUNC_signature_newctx() has these: 
@@ -108,7 +108,7 @@ For example, the "function" OSSL_FUNC_signature_newctx() has these: static ossl_inline OSSL_FUNC_signature_newctx_fn OSSL_FUNC_signature_newctx(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_signature_newctx OSSL_FUNC_SIGNATURE_NEWCTX @@ -379,10 +379,9 @@ supply known values that either pass or fail. =back OSSL_FUNC_signature_gettable_ctx_params() and OSSL_FUNC_signature_settable_ctx_params() get a -constant B array that describes the gettable and settable parameters, +constant L array that describes the gettable and settable parameters, i.e. parameters that can be used with OSSL_FUNC_signature_get_ctx_params() and OSSL_FUNC_signature_set_ctx_params() respectively. -See L for the use of B as parameter descriptor. =head2 MD parameters @@ -404,11 +403,10 @@ as those for built-in digest algorithms. See L for further information. OSSL_FUNC_signature_gettable_md_ctx_params() and OSSL_FUNC_signature_settable_md_ctx_params() -get a constant B array that describes the gettable and settable +get a constant L array that describes the gettable and settable digest parameters, i.e. parameters that can be used with OSSL_FUNC_signature_get_md_ctx_params() and OSSL_FUNC_signature_set_md_ctx_params() -respectively. See L for the use of B as parameter -descriptor. +respectively. =head1 RETURN VALUES @@ -417,7 +415,7 @@ provider side signature, or NULL on failure. OSSL_FUNC_signature_gettable_ctx_params(), OSSL_FUNC_signature_settable_ctx_params(), OSSL_FUNC_signature_gettable_md_ctx_params() and OSSL_FUNC_signature_settable_md_ctx_params(), -return the gettable or settable parameters in a constant B array. +return the gettable or settable parameters in a constant L array. All other functions should return 1 for success or 0 on error. 
diff --git a/deps/openssl/openssl/doc/man7/provider-storemgmt.pod b/deps/openssl/openssl/doc/man7/provider-storemgmt.pod index 3d3dcf61bcc2d6..cde95f66e1eee1 100644 --- a/deps/openssl/openssl/doc/man7/provider-storemgmt.pod +++ b/deps/openssl/openssl/doc/man7/provider-storemgmt.pod @@ -44,14 +44,14 @@ OSSL_FUNC_store_export_object() (which exports the object in parameterized form). All "functions" mentioned here are passed as function pointers between -F and the provider in B arrays via -B arrays that are returned by the provider's +F and the provider in L arrays via +L arrays that are returned by the provider's provider_query_operation() function (see L). All these "functions" have a corresponding function type definition named B, and a helper function to retrieve the function pointer -from a B element named B. +from a L element named B. For example, the "function" OSSL_FUNC_store_attach() has these: typedef void *(OSSL_FUNC_store_attach_fn)(void *provctx, @@ -59,7 +59,7 @@ For example, the "function" OSSL_FUNC_store_attach() has these: static ossl_inline OSSL_FUNC_store_attach_fn OSSL_FUNC_store_attach(const OSSL_DISPATCH *opf); -B arrays are indexed by numbers that are provided as macros +L arrays are indexed by numbers that are provided as macros in L, as follows: OSSL_FUNC_store_open OSSL_FUNC_STORE_OPEN @@ -82,7 +82,7 @@ B I attached. This is an alternative to using a URI to find storage, supporting L. OSSL_FUNC_store_settable_ctx_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_store_set_ctx_params() +descriptor L, for parameters that OSSL_FUNC_store_set_ctx_params() can handle. OSSL_FUNC_store_set_ctx_params() should set additional parameters, such as what 
@@ -111,7 +111,7 @@ exporting the object to that foreign provider if the foreign provider supports the type of the object and provides an import function. OSSL_FUNC_store_export_object() should export the object of size I -referenced by I as an B array and pass that to the +referenced by I as an L array and pass that to the I as well as the given I. =head2 Load Parameters diff --git a/deps/openssl/openssl/doc/man7/provider.pod b/deps/openssl/openssl/doc/man7/provider.pod index fb092931c92db4..a061fc4709d0bb 100644 --- a/deps/openssl/openssl/doc/man7/provider.pod +++ b/deps/openssl/openssl/doc/man7/provider.pod @@ -34,8 +34,8 @@ See L for further details. =head2 Provider A I offers an initialization function, as a set of base -functions in the form of an B array, and by extension, -a set of Bs (see L). +functions in the form of an L array, and by extension, +a set of Ls (see L). It may be a dynamically loadable module, or may be built-in, in OpenSSL libraries or in the application. If it's a dynamically loadable module, the initialization function @@ -92,7 +92,7 @@ nonzero, signifies that the OpenSSL libraries will not store a reference to the returned data in their internal store of implementations. -The returned B is the foundation of any OpenSSL +The returned L is the foundation of any OpenSSL library API that uses providers for their implementation, most commonly in the I type of functions (see L). diff --git a/deps/openssl/openssl/engines/asm/e_padlock-x86.pl b/deps/openssl/openssl/engines/asm/e_padlock-x86.pl index f579a4d933f8e3..3e9a22fca4bf09 100644 --- a/deps/openssl/openssl/engines/asm/e_padlock-x86.pl +++ b/deps/openssl/openssl/engines/asm/e_padlock-x86.pl 
@@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -115,6 +115,8 @@ &function_begin_B("padlock_key_bswap"); &mov ("edx",&wparam(0)); &mov ("ecx",&DWP(240,"edx")); + &inc ("ecx"); + &shl ("ecx",2); &set_label("bswap_loop"); &mov ("eax",&DWP(0,"edx")); &bswap ("eax"); diff --git a/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl b/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl index 7982f199327201..b147868851d52c 100644 --- a/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl +++ b/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -94,6 +94,8 @@ .align 16 padlock_key_bswap: mov 240($arg1),%edx + inc %edx + shl \$2,%edx .Lbswap_loop: mov ($arg1),%eax bswap %eax diff --git a/deps/openssl/openssl/engines/e_dasync.c b/deps/openssl/openssl/engines/e_dasync.c index 5a303a9f852820..7974106ae2197f 100644 --- a/deps/openssl/openssl/engines/e_dasync.c +++ b/deps/openssl/openssl/engines/e_dasync.c 
@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl); static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); +static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + void *ptr); +static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); +static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl); +static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx); + static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, @@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void) return _hidden_aes_128_cbc; } +static EVP_CIPHER *_hidden_aes_256_ctr = NULL; +static const EVP_CIPHER *dasync_aes_256_ctr(void) +{ + return _hidden_aes_256_ctr; +} + /* * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up * once only during engine bind and can then be reused many times. @@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) static void destroy_ciphers(void) { EVP_CIPHER_meth_free(_hidden_aes_128_cbc); + EVP_CIPHER_meth_free(_hidden_aes_256_ctr); EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); _hidden_aes_128_cbc = NULL; + _hidden_aes_256_ctr = NULL; _hidden_aes_128_cbc_hmac_sha1 = NULL; } @@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, static int dasync_cipher_nids[] = { NID_aes_128_cbc, + NID_aes_256_ctr, NID_aes_128_cbc_hmac_sha1, 0 }; 
@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e) _hidden_aes_128_cbc = NULL; } + _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr, + 1 /* block size */, + 32 /* key len */); + if (_hidden_aes_256_ctr == NULL + || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16) + || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr, + EVP_CIPH_FLAG_DEFAULT_ASN1 + | EVP_CIPH_CTR_MODE + | EVP_CIPH_FLAG_PIPELINE + | EVP_CIPH_CUSTOM_COPY) + || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr, + dasync_aes256_init_key) + || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr, + dasync_aes256_ctr_cipher) + || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr, + dasync_aes256_ctr_cleanup) + || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr, + dasync_aes256_ctr_ctrl) + || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr, + sizeof(struct dasync_pipeline_ctx))) { + EVP_CIPHER_meth_free(_hidden_aes_256_ctr); + _hidden_aes_256_ctr = NULL; + } + _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( NID_aes_128_cbc_hmac_sha1, 16 /* block size */, @@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, case NID_aes_128_cbc: *cipher = dasync_aes_128_cbc(); break; + case NID_aes_256_ctr: + *cipher = dasync_aes_256_ctr(); + break; case NID_aes_128_cbc_hmac_sha1: *cipher = dasync_aes_128_cbc_hmac_sha1(); break; 
@@ -779,6 +823,29 @@ static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); } +static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + void *ptr) +{ + return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr()); +} + +static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr()); +} + +static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr()); +} + +static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx) +{ + return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr()); +} + /* * AES128 CBC HMAC SHA1 Implementation diff --git a/deps/openssl/openssl/include/crypto/bn.h b/deps/openssl/openssl/include/crypto/bn.h index cf69bea848f1c7..390e5ac07c2b10 100644 --- a/deps/openssl/openssl/include/crypto/bn.h +++ b/deps/openssl/openssl/include/crypto/bn.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); extern const BIGNUM ossl_bn_inv_sqrt_2; +int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, + const BN_BLINDING *blinding, + const BIGNUM *possible_arg2, + const BIGNUM *to_mod, BN_CTX *ctx, + unsigned char *buf, int num); + #endif diff --git a/deps/openssl/openssl/include/crypto/bn_conf.h b/deps/openssl/openssl/include/crypto/bn_conf.h deleted file mode 100644 index 79400c6472a49c..00000000000000 --- a/deps/openssl/openssl/include/crypto/bn_conf.h +++ /dev/null 
@@ -1 +0,0 @@ -#include "../../../config/bn_conf.h" diff --git a/deps/openssl/openssl/include/crypto/dso_conf.h b/deps/openssl/openssl/include/crypto/dso_conf.h deleted file mode 100644 index e7f2afa9872320..00000000000000 --- a/deps/openssl/openssl/include/crypto/dso_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/dso_conf.h" diff --git a/deps/openssl/openssl/include/crypto/evp.h b/deps/openssl/openssl/include/crypto/evp.h index e571c546c68332..e70d8e9e8459ae 100644 --- a/deps/openssl/openssl/include/crypto/evp.h +++ b/deps/openssl/openssl/include/crypto/evp.h @@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, typedef struct { EVP_KEYMGMT *keymgmt; void *keydata; + int selection; } OP_CACHE_ELEM; DEFINE_STACK_OF(OP_CACHE_ELEM) @@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata); int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, OSSL_CALLBACK *export_cb, void *export_cbarg); -void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); +void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, + int selection); OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt); + EVP_KEYMGMT *keymgmt, + int selection); int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, - EVP_KEYMGMT *keymgmt, void *keydata); +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, + void *keydata, int selection); void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, int selection, const OSSL_PARAM params[]); diff --git a/deps/openssl/openssl/include/crypto/rand.h b/deps/openssl/openssl/include/crypto/rand.h index 6a71a339c81228..165deaf95c5ec2 100644 --- a/deps/openssl/openssl/include/crypto/rand.h +++ b/deps/openssl/openssl/include/crypto/rand.h 
@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, size_t ossl_pool_acquire_entropy(RAND_POOL *pool); int ossl_pool_add_nonce_data(RAND_POOL *pool); +void ossl_rand_ctx_free(void *vdgbl); #endif diff --git a/deps/openssl/openssl/include/crypto/types.h b/deps/openssl/openssl/include/crypto/types.h index 0d8140409123cf..ad17f052e45f50 100644 --- a/deps/openssl/openssl/include/crypto/types.h +++ b/deps/openssl/openssl/include/crypto/types.h @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD; typedef struct ec_key_st EC_KEY; typedef struct ec_key_method_st EC_KEY_METHOD; # endif +# ifndef OPENSSL_NO_DSA +typedef struct dsa_st DSA; +# endif # endif # ifndef OPENSSL_NO_EC diff --git a/deps/openssl/openssl/include/crypto/x509.h b/deps/openssl/openssl/include/crypto/x509.h index 1f00178e897b90..631150b76969b1 100644 --- a/deps/openssl/openssl/include/crypto/x509.h +++ b/deps/openssl/openssl/include/crypto/x509.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub); RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length); int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp); +# ifndef OPENSSL_NO_DSA +DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length); +# endif /* OPENSSL_NO_DSA */ # ifndef OPENSSL_NO_DH DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length); int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp); diff --git a/deps/openssl/openssl/include/internal/cryptlib.h b/deps/openssl/openssl/include/internal/cryptlib.h index 1291299b6e50ea..934d4b089c209a 100644 --- a/deps/openssl/openssl/include/internal/cryptlib.h +++ b/deps/openssl/openssl/include/internal/cryptlib.h @@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); +void ossl_release_default_drbg_ctx(void); + OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, CRYPTO_EX_DATA *ad); diff --git a/deps/openssl/openssl/include/internal/ffc.h b/deps/openssl/openssl/include/internal/ffc.h index 732514a6c254c8..c4f090875f33c6 100644 --- a/deps/openssl/openssl/include/internal/ffc.h +++ b/deps/openssl/openssl/include/internal/ffc.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -76,6 +76,7 @@ # define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08 # define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10 # define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20 +# define FFC_ERROR_PASSED_NULL_PARAM 0x40 /* * Finite field cryptography (FFC) domain parameters are used by DH and DSA. diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h deleted file mode 100644 index cd9fc7cc706c37..00000000000000 --- a/deps/openssl/openssl/include/openssl/asn1.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1.h" diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h deleted file mode 100644 index 6ff4f574949bbd..00000000000000 --- a/deps/openssl/openssl/include/openssl/asn1t.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1t.h" diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h deleted file mode 100644 index dcece3cb4d6ebf..00000000000000 --- a/deps/openssl/openssl/include/openssl/bio.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bio.h" diff --git a/deps/openssl/openssl/include/openssl/cmp.h b/deps/openssl/openssl/include/openssl/cmp.h deleted file mode 100644 index 7c8a6dc96fc360..00000000000000 --- a/deps/openssl/openssl/include/openssl/cmp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cmp.h" diff --git a/deps/openssl/openssl/include/openssl/cmp.h.in b/deps/openssl/openssl/include/openssl/cmp.h.in index b47344215b251b..f05cb3e548515a 100644 --- a/deps/openssl/openssl/include/openssl/cmp.h.in +++ b/deps/openssl/openssl/include/openssl/cmp.h.in 
@@ -194,13 +194,16 @@ typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO; * -- CertReqMsg * } */ -# define OSSL_CMP_PKISTATUS_accepted 0 -# define OSSL_CMP_PKISTATUS_grantedWithMods 1 -# define OSSL_CMP_PKISTATUS_rejection 2 -# define OSSL_CMP_PKISTATUS_waiting 3 -# define OSSL_CMP_PKISTATUS_revocationWarning 4 +# define OSSL_CMP_PKISTATUS_request -3 +# define OSSL_CMP_PKISTATUS_trans -2 +# define OSSL_CMP_PKISTATUS_unspecified -1 +# define OSSL_CMP_PKISTATUS_accepted 0 +# define OSSL_CMP_PKISTATUS_grantedWithMods 1 +# define OSSL_CMP_PKISTATUS_rejection 2 +# define OSSL_CMP_PKISTATUS_waiting 3 +# define OSSL_CMP_PKISTATUS_revocationWarning 4 # define OSSL_CMP_PKISTATUS_revocationNotification 5 -# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6 +# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6 typedef ASN1_INTEGER OSSL_CMP_PKISTATUS; DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS) @@ -325,6 +328,7 @@ int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); +int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, STACK_OF(X509) *extraCertsOut); /* certificate template: */ diff --git a/deps/openssl/openssl/include/openssl/cmperr.h b/deps/openssl/openssl/include/openssl/cmperr.h index 3a26fd0bda3bf8..06e9dbff363d6c 100644 --- a/deps/openssl/openssl/include/openssl/cmperr.h +++ b/deps/openssl/openssl/include/openssl/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -69,7 +69,9 @@ # define CMP_R_MISSING_PRIVATE_KEY 131 # define CMP_R_MISSING_PROTECTION 143 # define CMP_R_MISSING_REFERENCE_CERT 168 +# define CMP_R_MISSING_SECRET 178 # define CMP_R_MISSING_SENDER_IDENTIFICATION 111 +# define CMP_R_MISSING_TRUST_ANCHOR 179 # define CMP_R_MISSING_TRUST_STORE 144 # define CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED 161 # define CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED 170 diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h deleted file mode 100644 index 33a00775c9fa76..00000000000000 --- a/deps/openssl/openssl/include/openssl/cms.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cms.h" diff --git a/deps/openssl/openssl/include/openssl/cmserr.h b/deps/openssl/openssl/include/openssl/cmserr.h index 1c4f4c799dc3d5..d48c2a4ab89f03 100644 --- a/deps/openssl/openssl/include/openssl/cmserr.h +++ b/deps/openssl/openssl/include/openssl/cmserr.h @@ -105,6 +105,7 @@ # define CMS_R_UNKNOWN_DIGEST_ALGORITHM 149 # define CMS_R_UNKNOWN_ID 150 # define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151 +# define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM 194 # define CMS_R_UNSUPPORTED_CONTENT_TYPE 152 # define CMS_R_UNSUPPORTED_ENCRYPTION_TYPE 192 # define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153 diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h deleted file mode 100644 index 2712886cafcd78..00000000000000 --- a/deps/openssl/openssl/include/openssl/conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/conf.h" diff --git a/deps/openssl/openssl/include/openssl/configuration.h b/deps/openssl/openssl/include/openssl/configuration.h deleted file mode 100644 index 8ffad996047c5e..00000000000000 --- a/deps/openssl/openssl/include/openssl/configuration.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/configuration.h" 
diff --git a/deps/openssl/openssl/include/openssl/crmf.h b/deps/openssl/openssl/include/openssl/crmf.h deleted file mode 100644 index 4103852ecb21c2..00000000000000 --- a/deps/openssl/openssl/include/openssl/crmf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crmf.h" diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h deleted file mode 100644 index 6d0e701ebd3c19..00000000000000 --- a/deps/openssl/openssl/include/openssl/crypto.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crypto.h" diff --git a/deps/openssl/openssl/include/openssl/ct.h b/deps/openssl/openssl/include/openssl/ct.h deleted file mode 100644 index 7ebb84387135be..00000000000000 --- a/deps/openssl/openssl/include/openssl/ct.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ct.h" diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h deleted file mode 100644 index bf482070474781..00000000000000 --- a/deps/openssl/openssl/include/openssl/err.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/err.h" diff --git a/deps/openssl/openssl/include/openssl/ess.h b/deps/openssl/openssl/include/openssl/ess.h deleted file mode 100644 index 64cc016225119f..00000000000000 --- a/deps/openssl/openssl/include/openssl/ess.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ess.h" diff --git a/deps/openssl/openssl/include/openssl/fipskey.h b/deps/openssl/openssl/include/openssl/fipskey.h deleted file mode 100644 index c012013d98d4e8..00000000000000 --- a/deps/openssl/openssl/include/openssl/fipskey.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/fipskey.h" diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h deleted file mode 100644 index 8d824f5cfe6274..00000000000000 --- a/deps/openssl/openssl/include/openssl/lhash.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/lhash.h" 
diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h deleted file mode 100644 index 5b13afedf36bb6..00000000000000 --- a/deps/openssl/openssl/include/openssl/ocsp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ocsp.h" diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h deleted file mode 100644 index 078cfba40fbe73..00000000000000 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/opensslv.h" diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h deleted file mode 100644 index 2d7e2c08e99175..00000000000000 --- a/deps/openssl/openssl/include/openssl/pkcs12.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/pkcs12.h" diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h deleted file mode 100644 index b553f9d0f053b0..00000000000000 --- a/deps/openssl/openssl/include/openssl/pkcs7.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/pkcs7.h" diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h deleted file mode 100644 index 989eafb33023b9..00000000000000 --- a/deps/openssl/openssl/include/openssl/safestack.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/safestack.h" diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h deleted file mode 100644 index 9df42dad4c3127..00000000000000 --- a/deps/openssl/openssl/include/openssl/srp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/srp.h" diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h deleted file mode 100644 index eb74ca98a9759a..00000000000000 --- a/deps/openssl/openssl/include/openssl/ssl.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ssl.h" 
diff --git a/deps/openssl/openssl/include/openssl/sslerr.h b/deps/openssl/openssl/include/openssl/sslerr.h index 91befc0a704366..3d07ecc8135439 100644 --- a/deps/openssl/openssl/include/openssl/sslerr.h +++ b/deps/openssl/openssl/include/openssl/sslerr.h @@ -150,6 +150,7 @@ # define SSL_R_INVALID_SRP_USERNAME 357 # define SSL_R_INVALID_STATUS_RESPONSE 328 # define SSL_R_INVALID_TICKET_KEYS_LENGTH 325 +# define SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED 333 # define SSL_R_LENGTH_MISMATCH 159 # define SSL_R_LENGTH_TOO_LONG 404 # define SSL_R_LENGTH_TOO_SHORT 160 diff --git a/deps/openssl/openssl/include/openssl/trace.h b/deps/openssl/openssl/include/openssl/trace.h index 282001336732e3..ae14f6d9b91124 100644 --- a/deps/openssl/openssl/include/openssl/trace.h +++ b/deps/openssl/openssl/include/openssl/trace.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -43,10 +43,8 @@ extern "C" { # define OSSL_TRACE_CATEGORY_TLS 3 # define OSSL_TRACE_CATEGORY_TLS_CIPHER 4 # define OSSL_TRACE_CATEGORY_CONF 5 -# ifndef OPENSSL_NO_ENGINE -# define OSSL_TRACE_CATEGORY_ENGINE_TABLE 6 -# define OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT 7 -# endif +# define OSSL_TRACE_CATEGORY_ENGINE_TABLE 6 +# define OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT 7 # define OSSL_TRACE_CATEGORY_PKCS5V2 8 # define OSSL_TRACE_CATEGORY_PKCS12_KEYGEN 9 # define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT 10 diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h deleted file mode 100644 index f5edb766b4fc6c..00000000000000 --- a/deps/openssl/openssl/include/openssl/ui.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ui.h" 
diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h deleted file mode 100644 index ed28bd68cb2474..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509.h" diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h deleted file mode 100644 index 9270a3ee09750a..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509_vfy.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509_vfy.h" diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h deleted file mode 100644 index 5629ae9a3a90af..00000000000000 --- a/deps/openssl/openssl/include/openssl/x509v3.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509v3.h" diff --git a/deps/openssl/openssl/include/openssl/x509v3.h.in b/deps/openssl/openssl/include/openssl/x509v3.h.in index d00a66a343010a..fe7756df9a1ac2 100644 --- a/deps/openssl/openssl/include/openssl/x509v3.h.in +++ b/deps/openssl/openssl/include/openssl/x509v3.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st { OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; diff --git a/deps/openssl/openssl/providers/common/der/oids_to_c.pm b/deps/openssl/openssl/providers/common/der/oids_to_c.pm index aa5b80cc1288c0..6f57df09b93afc 100644 
--- a/deps/openssl/openssl/providers/common/der/oids_to_c.pm +++ b/deps/openssl/openssl/providers/common/der/oids_to_c.pm @@ -23,8 +23,6 @@ my $OID_def_re = qr/ \s* ${OID_value_re} /x; -use Data::Dumper; - sub filter_to_H { my ($name, $comment) = @{ shift() }; my @oid_nums = @_; diff --git a/deps/openssl/openssl/providers/fips-sources.checksums b/deps/openssl/openssl/providers/fips-sources.checksums index ba596f5fae97ce..10076d9d2e052a 100644 --- a/deps/openssl/openssl/providers/fips-sources.checksums +++ b/deps/openssl/openssl/providers/fips-sources.checksums 
@@ -67,41 +67,42 @@ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/ 259fb8d7f40c0dba46920b1f169d5b37de03b0fda645463d19e3ae2b56de851d crypto/bn/asm/x86_64-mont5.pl 0ea8185a037a2951bb3d1e590bbbdeac305176d5e618f3e43a04c09733a9de34 crypto/bn/bn_add.c 3962dfaa0142e67115ab84f7809d46d59bd122758be09a081b08b2e0d4743b2e crypto/bn/bn_asm.c -3e86e6e5777499703420afade11dd23a7c6912f8eccd08da47308c7aadd7459d crypto/bn/bn_blind.c +01a35f971062b97b4953604151d3b6a411be439743b5540aa25b638d2186db6f crypto/bn/bn_blind.c 7b761d541e3b7f6a3f2b14a09b2b3836a079a845cf67a54db4853e3fd38277c6 crypto/bn/bn_const.c 58b587e20404efa408b31a88ba9c357059ced709bea78c07deb91df7b687db81 crypto/bn/bn_conv.c 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c 74b63a4515894592b7241fb30b91b21510beaa3d397809e3d74bc9a73e879d18 crypto/bn/bn_div.c -73cd9bd700b652a83280aa1a7a970351aed71111c9a1b0ddd81a1157cc6f3fb6 crypto/bn/bn_exp.c +a29b8b7fa8460f11e50f880e3c3c9e0755b93889bcbb5476206c4d938a9c5735 crypto/bn/bn_exp.c ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_exp2.c 1abab2cc5466b005b939d156e7d8664a4d42a191c9040dbb83941269d6844f0c crypto/bn/bn_gcd.c 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c b33295765dc6d3843e3571007e2d6dbe75564645ebf181191a91464706d9fadb crypto/bn/bn_lib.c -64bce599181c45d999f0c5bda9ce36b2820f0e91ec6590cc8cba77e2760f8287 crypto/bn/bn_local.h +0567e3881c4577f25eb7b93070ac1914251d5ef98e3ac4ebacec09a65a12868c crypto/bn/bn_local.h 07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d crypto/bn/bn_mod.c -4f8763847752d570ef95dc0d06e51240829ab55c3529301214d3c2b613c6a18b crypto/bn/bn_mont.c 
+f60f3d49b183b04bcdf9b82f7c961b8c1bcb00e68a2c1166fe9edd95a783356e crypto/bn/bn_mont.c 2da73a76b746a47d8cf8ec8b3e0708c2a34e810abde4b4f1241a49e7f5bb2b60 crypto/bn/bn_mpi.c 76982b18b0803d59b33168b260677e7412970757d3b9513de5c80025290f211d crypto/bn/bn_mul.c 4e3bf49a788ec36cd1d919475bc410a743931aa144e7c60d603e9c0b448faab4 crypto/bn/bn_nist.c c6760a724d696b7209f0a71f8483fabcf4f081f7e93e2628284c32ef78f69365 crypto/bn/bn_prime.c c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h -eeeb2f85b60ae10e00907335032724f6ce198eb319e7a81f8eddaef0f67db6e3 crypto/bn/bn_rand.c +628419eabdb88b265823e43a7a1c88fdfecef79771180836f6089050dc9eadb1 crypto/bn/bn_rand.c 1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b crypto/bn/bn_recp.c 626226d4dae8e19530a60d8a94b270b262740550787fc46f686b301a043c705b crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c 42c8ce944c889abcfcf089d0ad2744b7587696d8d7785efa91b3f7ec53dc062a crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c +2e69544977adab07422acab5cbb32f4efb7ab68bc160dde711e3f7a8e755b43d crypto/bn/rsa_sup_mul.c be27115efd36f0077a3ec26b1ff1f586b0b8969ba05d8ffa34b2ff4badf227bf crypto/bn/rsaz_exp.c c4d64da1cdc732ea918fccd6a7bb2746b03365dd26f7ba1e74e08c307ca4c58e crypto/bn/rsaz_exp.h -d231fa689f53994616b9ef1f661e4f90333184deae324d5d4a218aad891c500d crypto/bn/rsaz_exp_x2.c +5b82cb8dbf3087c2e671871cb0a92e4039223a51af533a2ee996f3bfd47453a7 crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c 0e1a41a2d81b5765bca3df448f60bf1fad91e485fe89dd65a7300ffc419e316d crypto/cmac/cmac.c -58068d6533fed9359b164ddc9711b2dd7b2a76f32ad94103d91dbe3462ac95d8 crypto/context.c 
+ff9be205d6d7ff00b0e64508f0eb8d9ec0415fbabc0948d26e308212b3f7b2d8 crypto/context.c c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c 02670d631bf0f34cca1e3477079d7fe5de4e03c391cf3992986f44f55319597c crypto/core_namemap.c @@ -190,7 +191,7 @@ b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_ 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c 1c3d1b1f800b1f1f5adb1fdbdd67cdf37ca7ea93b264d1468c72a63c140873ce crypto/evp/evp_enc.c 7f10367f9b6191c4a8c01784130d26b2d778485a41cdac5fa17c9a1c4096f132 crypto/evp/evp_fetch.c -d2b6c0e2736f20e4db4b7b8dd2b372de861624f3fed1290ee4c6dde383842071 crypto/evp/evp_lib.c +ebe32b2895f7f9767710674352c8949efe93b4bbb5e7b71c27bb5d1822339b46 crypto/evp/evp_lib.c 78f07bf50b6999611a4e9414ab3a20b219b0ab29ca2bd05002d6919a3f67b8eb crypto/evp/evp_local.h 117e679d49d2ae87e49d3c942ff0ce768959e8b9713f84a99025cabba462ccd5 crypto/evp/evp_rand.c 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c 
@@ -198,12 +199,12 @@ ca8c6cfd30efd53f2e5d1f19bcf09a3a3d0dff6d8947c3943d07a3f4b354aa86 crypto/evp/exc 9e25042581b73e295c059c6217f3ecf809134d518eb79b1b67f34e3ca9145677 crypto/evp/kdf_lib.c 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c 5179624b8e03615dc9caedc9ec16d094fa081495613dd552d71c2c39475bcd83 crypto/evp/kem.c -724d2ac784d6f22cb0a382abc23ac0f2d76f2f6831fcd09e101f6f27d0c3e4ed crypto/evp/keymgmt_lib.c +5016dd7ef8b4cf7e9ea8465c18d1daa4c8808cb589261cf236058ee75bc868d7 crypto/evp/keymgmt_lib.c a976cf4e7bfb61e06a147360b748238010d23efb069d191fd023abc38d9a2af9 crypto/evp/keymgmt_meth.c e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c 4290c95f63b43688a8da57690d122add5161a6811f9753da1444d28f46739961 crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c -9c5ef2f0b513ad1b8458146efbff80c2b6185626d0571e5aa6a31e471d37d615 crypto/evp/p_lib.c +b3eebfe75d050bef62a2ce6c13399a2b72bdf60bb540666d01a47691f68931b3 crypto/evp/p_lib.c 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c 1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf crypto/evp/pmeth_gn.c 76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c 
@@ -212,9 +213,9 @@ b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data 709d40d5096497349b8b9e2917e949a0a75e6065df62798d1816866ca7e7b4ca crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c -084ae8e68a9df5785376bb961a998036336ed13092ffd1c4258b56e6a7e0478b crypto/ffc/ffc_key_validate.c +2695c9c8ad9193a8c1ab53d5d09712d50d12c91eb8d62e8a15cbc78f327afe84 crypto/ffc/ffc_key_validate.c b18d5d7cfc95163defea41f5a081e90f6a7163a6b81c6cfadb8b470ef2e83fc5 crypto/ffc/ffc_params.c -5174e008f44909724e0ee7109095ee353e67e9ba77e1ab3bedfcf6eaecab7b6c crypto/ffc/ffc_params_generate.c +1a1d227f9a0f427d2ec93bc646c726c9cd49a84a343b4aff0c9c744fa6df05a9 crypto/ffc/ffc_params_generate.c 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h 
@@ -245,21 +246,21 @@ e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/w 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c 8aa2504f84a0637b5122f0c963c9d82773ba248bad972ab92be7169995d162b5 crypto/o_str.c 8ddbbdf43131c10dcd4428aef0eff2b1e98b0410accada0fad41a4925868beef crypto/packet.c -cc4483ec9ba7a30908e3a433a6817e2f211d4c1f69c206e6bae24bbd39a68281 crypto/param_build.c +a20bfd927d69737c86ca95d3cf636afa8cefd8fe23412d1a3897644a0da21211 crypto/param_build.c c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_build_set.c -02dfeb286c85567bb1b6323a53c089ba66447db97695cc78eceb6677fbc76bf9 crypto/params.c +06e67fdd2a308bf355c8dae2e0acd9af94f6e53d428a7d31966311eb5c0aebc1 crypto/params.c 4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c -48c20b804e18ede5e45697a766e7dbe6ef6b3da9f58c7b37bd8f293df2ac7d34 crypto/property/defn_cache.c -32539c14a8e4a0992b001e99a79f112746fd518d51edab57ccdec3516715ed4b crypto/property/property.c -a2c69527b60692a8b07cfdfe7e75f654daa092411d5de5e02b446a4ef3752855 crypto/property/property_local.h +b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c +7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c +66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c 9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 
5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c -4e6b7d1d8278067c18bcb5e3ac9b7fe7e9b1d0d03bc5a276275483f541d1a12c crypto/rand/rand_lib.c +a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c 9e7dd6fc91d3266d4aa4f0f41b7986381122b7d98114e63ebf04c5ee298b5fda crypto/rsa/rsa_backend.c @@ -271,7 +272,7 @@ a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c 33de2accc3af530fd0a4758eb83d5e1d994bf49bac4512b01387dbae656e1a7d crypto/rsa/rsa_oaep.c -1b58825809bb9c5fc9e876d71e5b787b08f034eaee3c30eb20d30a1d889bdbd5 crypto/rsa/rsa_ossl.c +178c98421b54ec50ee55470a7b1acb771ed22efef2c2c0e059544baa7e6d387e crypto/rsa/rsa_ossl.c be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c 174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c 
@@ -314,7 +315,7 @@ dd82e1311703abb019975fc7b61fb87d67e1ed916dddd065aced051e851114b9 crypto/sha/asm 8d84164f3cfd53290c0c14bb5655510b7a9238857866328c0604d64b4e76fe21 crypto/sha/asm/sha512-armv4.pl dadacb6d66b160913bffb4e1a6c3e5f7be6509b26e2c099701d8d3fdb92c1be0 crypto/sha/asm/sha512-armv8.pl 6f548a088feae3b6faa179653ba449df9d3f5cda1e0561e5b5f120b32274d1eb crypto/sha/asm/sha512-c64xplus.pl -f999dbef1f95004b7dd926208dd942dc4106750de7a7ccfb70c6487e9916feac crypto/sha/asm/sha512-ia64.pl +9fa54fbc34fd881f4b344374b9b4f8fb15b641424be7af9a31c71af89ae5d577 crypto/sha/asm/sha512-ia64.pl fb06844e7c3b014a58dccc8ec6020c71843cfdc5be08288bc7d204f0a840c474 crypto/sha/asm/sha512-mips.pl 11548f06d213947104a80898e000218ec0d6ff3f6913f6582de498476482ce9f crypto/sha/asm/sha512-parisc.pl 7c0c490ce6bb11a228853aecad5e164ce84e5bdabb8a6658ae7184782076c7d3 crypto/sha/asm/sha512-ppc.pl @@ -338,7 +339,7 @@ fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64c 0a9c484f640d96e918921f57f592e82e99ccdbe35d3138d64b10c7af839e9a07 e_os.h 6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005 include/crypto/aes_platform.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h -8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d include/crypto/bn.h +f49a26fc4348f3b79507dc4a04fade82cf870f7c22e6c977f402c859fdd1b98b include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 
@@ -348,27 +349,27 @@ daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto 20d99c9a740e4d7d67e23fa4ae4c6a39d114e486c66ad41b65d91a8244cd1dea include/crypto/dsa.h 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574 include/crypto/ec.h edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858 include/crypto/ecx.h -41974ef3d365c608cf35310f99f7006f7995f8cc380f316ab4a280772cd092ae include/crypto/evp.h +9dab9af8b0a657fe5de46375b71aefcad7e98af272b69ed69c7c104e9e057414 include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6 include/crypto/md32_common.h f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31 include/crypto/modes.h -8aa4f71ebd9753baceed428e323d5f550d74aff43ab9a55eda7c096d838b8f49 include/crypto/rand.h +f326212c978576c5346c89ae0336c2428594494b54054f6045b1f1038bfbc004 include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h 306abf9d327a9e63fff2cdef730275abc4d2781254a032b1f370f3428eb5a2ef include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 0f743762f646656b5480648c05632575fe8acc7506460c63e0fcdf42cf20c08a include/crypto/sha.h 7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h -5bfeea62d21b7cb43d9a819c5cd2800f02ea019687a8331abf313d615889ad37 include/crypto/types.h +7ad02c7de77304c3b298deeb038ab2550cf8b2bce03021994477c6c43dbcf86e include/crypto/types.h 782a83d4e489fd865e2768a20bfa31e78c2071fd0ceeb9eb077276ae2bcc6590 include/internal/bio.h 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131 include/internal/constant_time.h c5bb97f654984130c8b44c09a52395bce0b22985d5dbc9c4d9377d86283f11f8 include/internal/core.h -d7ddeab97434a21cb2cad1935a3cb130f6cd0b3c75322463d431c5eab3ab1ae1 include/internal/cryptlib.h 
+0b572801dfb8a41cc239e3439f8097a0ad11bbdf5d54811d10ceba3175cf2f17 include/internal/cryptlib.h 9571cfd3d5666749084b354a6d65adee443deeb5713a58c098c7b03bc69dbc63 include/internal/deprecated.h 3325b895d15c0a6341f456a8d866a0f83e80fc8a31a01c34fcfd717715b33075 include/internal/der.h fd1722d6b79520ee4ac477280d5131eb1b744c3b422fd15f5e737ef966a97c3b include/internal/dso.h f144daebef828a5bd4416466257a50f06b894e0ce0adf1601aa381f34f25a9e7 include/internal/dsoerr.h 70d3e0d5a1bd8db58dcc57bea4d1c3ed816c735fe0e6b2f4b07073712d2dc5ef include/internal/endian.h -557aa7985c8cde8fd9fa59a49f47fa955ec36b36f6fe9edd4bfd3872e3b13a9a include/internal/ffc.h +094b69aeb8f349cafa8865b577e253132088c25eabb61b910fab141e6f7d2929 include/internal/ffc.h 100053a1bad1a85a98c5b919cf81ace0ee147b2164732963e40474d7b5fbbb99 include/internal/namemap.h b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d include/internal/nelem.h ae41a2fb41bf592bbb47e4855cf4efd9ef85fc11f910a7e195ceef78fb4321dc include/internal/numbers.h @@ -445,7 +446,7 @@ af5cc56fb31161ccd87cf925f3d3f22119dfbca78bc39a2e2d65d78bfcf0f0c6 include/openss 2964274ab32b1ba8578a06b06663db2eda4317ae806369271d889176bb5a7d04 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h -410c6eb3ffadcbee13d511d6b8ee576db75b35b324cb394b5e05dbd4a17fb92e include/openssl/trace.h +5e452bf61d802fdf7b6a65d1c8a1e3f72a7885e4bf2f521eca6443cea69f4ce5 include/openssl/trace.h 873d2ec2054ec24c52df4abe830cb2b9666fe4e75cc62b4de0f50ef9d20c5812 include/openssl/types.h c0a9551efccf43f3dd748d4fd8ec897ddaabbc629c00ec1ad76ce983e1195a13 providers/common/bio_prov.c 4546387d6642603c81ec4cd8d5fc4af8ba60ac7359eb6f31e7d24827031e68ad providers/common/capabilities.c 
@@ -544,19 +545,19 @@ b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/impl c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h 29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h -86026710ea733f0dd44e400c43e7dab745526f2255816f48a6b00dd8b8009879 providers/implementations/kdfs/hkdf.c +04f22d6afbad5a6e806cf3af9a25843ccfefb748e24d97a09830a1677706acd5 providers/implementations/kdfs/hkdf.c a62e3af09f5af84dcf36f951ba4ac90ca1694adaf3747126186020b155f94186 providers/implementations/kdfs/kbkdf.c e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/implementations/kdfs/pbkdf2_fips.c 9cc42a4b0a8089e6d1be64637dbb9e41bd21ae5e3386022a27a8f29308ad25c9 providers/implementations/kdfs/sshkdf.c -7c692170729ab1d648564abdbf9bcbba5071f9a81a25fab9eae66899316bcd4a providers/implementations/kdfs/sskdf.c +8571556d77d10e8edc98212473a38f09632e3f19e9995dde89ee6c95f2e84ccf providers/implementations/kdfs/sskdf.c 589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c 4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c -6ac9f9b04d195bd545d2357fad1769c098b84896c188d19de0b7f747b2db0ff6 providers/implementations/keymgmt/dh_kmgmt.c -5db963d0b3d86912b8234d90f2d8d15438c3e9710572b9d6a8d911a5bcd29836 providers/implementations/keymgmt/dsa_kmgmt.c 
-c7ff403834b8ead9c4b0f3fdbaae72500c350a51529af4205a61cef92612dd19 providers/implementations/keymgmt/ec_kmgmt.c +37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c +2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c +ed6825fb92d0ab30f9f858ee29dfa403caa22430cccf493f850f993fd03a975e providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c @@ -565,7 +566,7 @@ e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/impl aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c 895c8dc7235b9ad5ff893be0293cbc245a5455e8850195ac7d446646e4ea71d0 providers/implementations/macs/hmac_prov.c -aa7ba1d39ea4e3347294eb50b4dfcb895ef1a22bd6117d3b076a74e9ff11c242 providers/implementations/macs/kmac_prov.c +f75fbfe5348f93ad610da7d310f4e8fecf18c0549f27605da25d393c33e0edc2 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c c7236e6e2e8adce14f8206da0ceef63c7974d4ba1a7dd71b94fa100cac6b46ba providers/implementations/rands/drbg.c bb5f8161a80d0d1a7ee919af2b167972b00afd62e326252ca6aa93101f315f19 providers/implementations/rands/drbg_ctr.c 
@@ -575,7 +576,7 @@ fc43558964bdf12442d3f6ab6cc3e6849f7adb42f4d0123a1279819befcf71cb providers/impl 04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed providers/implementations/rands/test_rng.c cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/implementations/signature/dsa_sig.c a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c -effdaa4a7b8f6c2326994ba1578a77af5e60a9ed89a5b8fab876950657366da0 providers/implementations/signature/eddsa_sig.c +02e833a767afbe98247d6f09dfb1eb5a5cf7304a93f2c5427a9f6af9c8a3b549 providers/implementations/signature/eddsa_sig.c 3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c 2334c8bba705032b8c1db5dd28e024a45a73b72cae82a2d815fe855445a49d10 providers/implementations/signature/rsa_sig.c a14e901b02fe095713624db4080b3aa3ca685d43f9ebec03041f992240973346 ssl/record/tls_pad.c diff --git a/deps/openssl/openssl/providers/fips.checksum b/deps/openssl/openssl/providers/fips.checksum index 4ed6a8c4c8eec2..7f7abb3eaa22e9 100644 --- a/deps/openssl/openssl/providers/fips.checksum +++ b/deps/openssl/openssl/providers/fips.checksum @@ -1 +1 @@ -674597de1e7bfa5782d42c044d5475e6fd473c737008a297e8e90746eafb97d9 providers/fips-sources.checksums +fd6bce79efec94a99e40c919e0a5ee392514b81cac01d4d46b5c76f27fb1b839 providers/fips-sources.checksums diff --git a/deps/openssl/openssl/providers/fips.module.sources b/deps/openssl/openssl/providers/fips.module.sources index 66ffd513da28b9..8861ceaca3112c 100644 --- a/deps/openssl/openssl/providers/fips.module.sources +++ b/deps/openssl/openssl/providers/fips.module.sources @@ -95,6 +95,7 @@ crypto/bn/bn_shift.c crypto/bn/bn_sqr.c crypto/bn/bn_sqrt.c crypto/bn/bn_word.c +crypto/bn/rsa_sup_mul.c crypto/bn/rsaz_exp.c crypto/bn/rsaz_exp.h crypto/bn/rsaz_exp_x2.c 
diff --git a/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 0ba7483780f471..abe670add7a82f 100644 --- a/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,6 @@ #include "prov/implementations.h" #include "prov/providercommon.h" - #define CHACHA20_POLY1305_KEYLEN CHACHA_KEY_SIZE #define CHACHA20_POLY1305_BLKLEN 1 #define CHACHA20_POLY1305_MAX_IVLEN 12 @@ -53,7 +52,6 @@ static void *chacha20_poly1305_newctx(void *provctx) ossl_prov_cipher_hw_chacha20_poly1305( CHACHA20_POLY1305_KEYLEN * 8), NULL); - ctx->nonce_len = CHACHA20_POLY1305_IVLEN; ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH; ossl_chacha20_initctx(&ctx->chacha); } @@ -85,7 +83,7 @@ static int chacha20_poly1305_get_ctx_params(void *vctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); if (p != NULL) { - if (!OSSL_PARAM_set_size_t(p, ctx->nonce_len)) { + if (!OSSL_PARAM_set_size_t(p, CHACHA20_POLY1305_IVLEN)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } @@ -169,11 +167,10 @@ static int chacha20_poly1305_set_ctx_params(void *vctx, ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return 0; } - if (len == 0 || len > CHACHA20_POLY1305_MAX_IVLEN) { + if (len != CHACHA20_POLY1305_MAX_IVLEN) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } - ctx->nonce_len = len; } p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG); 
diff --git a/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.h b/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.h index 1f6f0066dc758d..f2ea26a77f3a42 100644 --- a/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.h +++ b/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,7 +25,7 @@ typedef struct { struct { uint64_t aad, text; } len; unsigned int aad : 1; unsigned int mac_inited : 1; - size_t tag_len, nonce_len; + size_t tag_len; size_t tls_payload_length; size_t tls_aad_pad_sz; } PROV_CHACHA20_POLY1305_CTX; diff --git a/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c b/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c index 1533a3869b8937..8173663e5e7eec 100644 --- a/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c +++ b/deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -55,7 +55,6 @@ static int chacha_poly1305_tls_iv_set_fixed(PROV_CIPHER_CTX *bctx, return 1; } - static int chacha20_poly1305_initkey(PROV_CIPHER_CTX *bctx, const unsigned char *key, size_t keylen) { 
@@ -78,6 +77,7 @@ static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx) PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx; unsigned char tempiv[CHACHA_CTR_SIZE] = { 0 }; int ret = 1; + size_t noncelen = CHACHA20_POLY1305_IVLEN; ctx->len.aad = 0; ctx->len.text = 0; @@ -85,22 +85,20 @@ static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx) ctx->mac_inited = 0; ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH; - /* pad on the left */ - if (ctx->nonce_len <= CHACHA_CTR_SIZE) { - memcpy(tempiv + CHACHA_CTR_SIZE - ctx->nonce_len, bctx->oiv, - ctx->nonce_len); - - if (bctx->enc) - ret = ossl_chacha20_einit(&ctx->chacha, NULL, 0, - tempiv, sizeof(tempiv), NULL); - else - ret = ossl_chacha20_dinit(&ctx->chacha, NULL, 0, - tempiv, sizeof(tempiv), NULL); - ctx->nonce[0] = ctx->chacha.counter[1]; - ctx->nonce[1] = ctx->chacha.counter[2]; - ctx->nonce[2] = ctx->chacha.counter[3]; - bctx->iv_set = 1; - } + /* pad on the left */ + memcpy(tempiv + CHACHA_CTR_SIZE - noncelen, bctx->oiv, + noncelen); + + if (bctx->enc) + ret = ossl_chacha20_einit(&ctx->chacha, NULL, 0, + tempiv, sizeof(tempiv), NULL); + else + ret = ossl_chacha20_dinit(&ctx->chacha, NULL, 0, + tempiv, sizeof(tempiv), NULL); + ctx->nonce[0] = ctx->chacha.counter[1]; + ctx->nonce[1] = ctx->chacha.counter[2]; + ctx->nonce[2] = ctx->chacha.counter[3]; + bctx->iv_set = 1; return ret; } diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c index ebc2d24833397f..b9cee2571bf392 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_der2key.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len, (key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8); } -# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY +# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY # define dsa_free (free_key_fn *)DSA_free # define dsa_check NULL diff --git a/deps/openssl/openssl/providers/implementations/kdfs/hkdf.c b/deps/openssl/openssl/providers/implementations/kdfs/hkdf.c index afdb7138e13267..dfa7786bde0cf5 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/hkdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/hkdf.c @@ -32,6 +32,7 @@ #include "e_os.h" #define HKDF_MAXBUF 2048 +#define HKDF_MAXINFO (32*1024) static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new; static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free; @@ -82,7 +83,7 @@ typedef struct { size_t label_len; unsigned char *data; size_t data_len; - unsigned char info[HKDF_MAXBUF]; + unsigned char *info; size_t info_len; } KDF_HKDF; @@ -121,7 +122,7 @@ static void kdf_hkdf_reset(void *vctx) OPENSSL_free(ctx->label); OPENSSL_clear_free(ctx->data, ctx->data_len); OPENSSL_clear_free(ctx->key, ctx->key_len); - OPENSSL_cleanse(ctx->info, ctx->info_len); + OPENSSL_clear_free(ctx->info, ctx->info_len); memset(ctx, 0, sizeof(*ctx)); ctx->provctx = provctx; } 
@@ -244,6 +245,41 @@ static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[]) return 1; } +/* + * Use WPACKET to concat one or more OSSL_KDF_PARAM_INFO fields into a fixed + * out buffer of size *outlen. + * If out is NULL then outlen is used to return the required buffer size. + */ +static int setinfo_fromparams(const OSSL_PARAM *p, unsigned char *out, size_t *outlen) +{ + int ret = 0; + WPACKET pkt; + + if (out == NULL) { + if (!WPACKET_init_null(&pkt, 0)) + return 0; + } else { + if (!WPACKET_init_static_len(&pkt, out, *outlen, 0)) + return 0; + } + + for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, OSSL_KDF_PARAM_INFO)) { + if (p->data_type != OSSL_PARAM_OCTET_STRING) + goto err; + if (p->data != NULL + && p->data_size != 0 + && !WPACKET_memcpy(&pkt, p->data, p->data_size)) + goto err; + } + if (!WPACKET_get_total_written(&pkt, outlen) + || !WPACKET_finish(&pkt)) + goto err; + ret = 1; +err: + WPACKET_cleanup(&pkt); + return ret; +} + static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { const OSSL_PARAM *p; 
@@ -257,20 +293,26 @@ static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) /* The info fields concatenate, so process them all */ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) { - ctx->info_len = 0; - for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, - OSSL_KDF_PARAM_INFO)) { - const void *q = ctx->info + ctx->info_len; - size_t sz = 0; - - if (p->data_size != 0 - && p->data != NULL - && !OSSL_PARAM_get_octet_string(p, (void **)&q, - HKDF_MAXBUF - ctx->info_len, - &sz)) - return 0; - ctx->info_len += sz; - } + size_t sz = 0; + + /* calculate the total size */ + if (!setinfo_fromparams(p, NULL, &sz)) + return 0; + if (sz > HKDF_MAXINFO) + return 0; + + OPENSSL_clear_free(ctx->info, ctx->info_len); + ctx->info = NULL; + if (sz == 0) + return 1; + /* Alloc the buffer */ + ctx->info = OPENSSL_malloc(sz); + if (ctx->info == NULL) + return 0; + ctx->info_len = sz; + /* Concat one or more OSSL_KDF_PARAM_INFO fields */ + if (!setinfo_fromparams(p, ctx->info, &sz)) + return 0; } return 1; } diff --git a/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c b/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c index 297ddcdc2de1cd..eb54972e1c44f2 100644 --- a/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c +++ b/deps/openssl/openssl/providers/implementations/kdfs/sskdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -62,6 +62,7 @@ typedef struct { unsigned char *salt; size_t salt_len; size_t out_len; /* optional KMAC parameter */ + int is_kmac; } KDF_SSKDF; #define SSKDF_MAX_INLEN (1<<30) 
@@ -332,8 +333,12 @@ static int sskdf_set_buffer(unsigned char **out, size_t *out_len, static size_t sskdf_size(KDF_SSKDF *ctx) { int len; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md = NULL; + if (ctx->is_kmac) + return SIZE_MAX; + + md = ossl_prov_digest_md(&ctx->digest); if (md == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return 0; @@ -373,8 +378,7 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, default_salt_len = EVP_MD_get_size(md); if (default_salt_len <= 0) return 0; - } else if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128) - || EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC256)) { + } else if (ctx->is_kmac) { /* H(x) = KMACzzz(x, salt, custom) */ custom = kmac_custom_str; custom_len = sizeof(kmac_custom_str); @@ -452,12 +456,20 @@ static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (params == NULL) return 1; - if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) - return 0; - if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params, NULL, NULL, NULL, libctx)) return 0; + if (ctx->macctx != NULL) { + if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), + OSSL_MAC_NAME_KMAC128) + || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), + OSSL_MAC_NAME_KMAC256)) { + ctx->is_kmac = 1; + } + } + + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) + return 0; if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c index 58a5fd009f097e..9a7dde7c66273b 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) if ((selection & DH_POSSIBLE_SELECTIONS) == 0) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && ossl_dh_params_fromdata(dh, params); + /* a key without parameters is meaningless */ + ok = ok && ossl_dh_params_fromdata(dh, params); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { int include_private = diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c index 100e9171679501..cd8b4410b0db63 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dsa_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[]) if ((selection & DSA_POSSIBLE_SELECTIONS) == 0) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); + /* a key without parameters is meaningless */ + ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { int include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; 
diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c index 3938e5c1c06240..3f1dc9e191bef6 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -147,8 +147,10 @@ int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, if (p != NULL || tmpl != NULL) { /* convert pub_point to a octet string according to the SECG standard */ + point_conversion_form_t format = EC_KEY_get_conv_form(eckey); + if ((pub_key_len = EC_POINT_point2buf(ecg, pub_point, - POINT_CONVERSION_COMPRESSED, + format, pub_key, bnctx)) == 0 || !ossl_param_build_set_octet_string(tmpl, p, OSSL_PKEY_PARAM_PUB_KEY, @@ -156,10 +158,16 @@ int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, goto err; } if (px != NULL || py != NULL) { - if (px != NULL) + if (px != NULL) { x = BN_CTX_get(bnctx); - if (py != NULL) + if (x == NULL) + goto err; + } + if (py != NULL) { y = BN_CTX_get(bnctx); + if (y == NULL) + goto err; + } if (!EC_POINT_get_affine_coordinates(ecg, pub_point, x, y, bnctx)) goto err; @@ -946,7 +954,7 @@ int ec_validate(const void *keydata, int selection, int checktype) if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0) ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck), - (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx); + (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx) > 0; else ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); } 
@@ -996,10 +1004,10 @@ static void *ec_gen_init(void *provctx, int selection, gctx->libctx = libctx; gctx->selection = selection; gctx->ecdh_mode = 0; - } - if (!ec_gen_set_params(gctx, params)) { - OPENSSL_free(gctx); - gctx = NULL; + if (!ec_gen_set_params(gctx, params)) { + OPENSSL_free(gctx); + gctx = NULL; + } } return gctx; } diff --git a/deps/openssl/openssl/providers/implementations/macs/kmac_prov.c b/deps/openssl/openssl/providers/implementations/macs/kmac_prov.c index 123c40f54f8748..b2f85398b4e284 100644 --- a/deps/openssl/openssl/providers/implementations/macs/kmac_prov.c +++ b/deps/openssl/openssl/providers/implementations/macs/kmac_prov.c @@ -91,21 +91,21 @@ static OSSL_FUNC_mac_final_fn kmac_final; * Restrict the maximum length of the customisation string. This must not * exceed 64 bits = 8k bytes. */ -#define KMAC_MAX_CUSTOM 256 +#define KMAC_MAX_CUSTOM 512 /* Maximum size of encoded custom string */ #define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN) -/* Maximum key size in bytes = 256 (2048 bits) */ -#define KMAC_MAX_KEY 256 +/* Maximum key size in bytes = 512 (4096 bits) */ +#define KMAC_MAX_KEY 512 #define KMAC_MIN_KEY 4 /* * Maximum Encoded Key size will be padded to a multiple of the blocksize - * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 256 + 4 + * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 512 + 4 * Padded to a multiple of KMAC_MAX_BLOCKSIZE */ -#define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 2) +#define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 4) /* Fixed value of encode_string("KMAC") */ static const unsigned char kmac_string[] = { diff --git a/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c b/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c index ebb7fc7e1b00f7..c78f1fbb5fa6bf 100644 --- a/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c +++ b/deps/openssl/openssl/providers/implementations/signature/eddsa_sig.c 
@@ -164,6 +164,10 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); return 0; } + if (edkey->privkey == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY); + return 0; + } #ifdef S390X_EC_ASM if (S390X_CAN_SIGN(ED25519)) { if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) { @@ -201,6 +205,10 @@ int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); return 0; } + if (edkey->privkey == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY); + return 0; + } #ifdef S390X_EC_ASM if (S390X_CAN_SIGN(ED448)) { if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) { diff --git a/deps/openssl/openssl/ssl/record/rec_layer_s3.c b/deps/openssl/openssl/ssl/record/rec_layer_s3.c index a267889a5172a0..4121f3b2ae1c9e 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_s3.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_s3.c @@ -16,6 +16,7 @@ #include #include "record_local.h" #include "internal/packet.h" +#include "internal/cryptlib.h" #if defined(OPENSSL_SMALL_FOOTPRINT) || \ !( defined(AES_ASM) && ( \ @@ -1015,14 +1016,15 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, } /* - * Reserve some bytes for any growth that may occur during encryption. - * This will be at most one cipher block or the tag length if using - * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. - */ + * Reserve some bytes for any growth that may occur during encryption. If + * we are adding the MAC independently of the cipher algorithm, then the + * max encrypted overhead does not need to include an allocation for that + * MAC + */ if (!BIO_get_ktls_send(s->wbio)) { if (!WPACKET_reserve_bytes(thispkt, - SSL_RT_MAX_CIPHER_BLOCK_SIZE, - NULL) + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + - mac_size, NULL) /* * We also need next the amount of bytes written to this * sub-packet 
@@ -1074,6 +1076,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* Allocate bytes for the encryption overhead */ if (!WPACKET_get_length(thispkt, &origlen) + /* Check we allowed enough room for the encryption growth */ + || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + - mac_size >= thiswr->length) /* Encryption should never shrink the data! */ || origlen > thiswr->length || (thiswr->length > origlen diff --git a/deps/openssl/openssl/ssl/record/ssl3_buffer.c b/deps/openssl/openssl/ssl/record/ssl3_buffer.c index 01c553ebff5918..f631829ef64686 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_buffer.c +++ b/deps/openssl/openssl/ssl/record/ssl3_buffer.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -96,11 +96,16 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) #endif len = ssl_get_max_send_fragment(s) - + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; + + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align + + SSL_RT_MAX_CIPHER_BLOCK_SIZE /* Explicit IV allowance */; #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif + /* + * We don't need to add an allowance for eivlen here since empty + * fragments only occur when we don't have an explicit IV + */ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; } diff --git a/deps/openssl/openssl/ssl/record/ssl3_record.c b/deps/openssl/openssl/ssl/record/ssl3_record.c index dcaaeef951aa91..1867f001179f71 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_record.c +++ b/deps/openssl/openssl/ssl/record/ssl3_record.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1314,7 +1314,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) } t = EVP_MD_CTX_get_size(hash); - if (t < 0) + if (t <= 0) return 0; md_size = t; npad = (48 / md_size) * md_size; diff --git a/deps/openssl/openssl/ssl/ssl_err.c b/deps/openssl/openssl/ssl/ssl_err.c index 97d29ea3ddc698..79c2ed95c1859f 100644 --- a/deps/openssl/openssl/ssl/ssl_err.c +++ b/deps/openssl/openssl/ssl/ssl_err.c @@ -225,6 +225,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "invalid status response"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH), "invalid ticket keys length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED), + "legacy sigalg disallowed or unsupported"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "length mismatch"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_LONG), "length too long"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "length too short"}, diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index 99efb33de2581b..a00e1fe3621c9c 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -4348,7 +4348,7 @@ int ssl_init_wbio_buffer(SSL *s) } bbio = BIO_new(BIO_f_buffer()); - if (bbio == NULL || !BIO_set_read_buffer_size(bbio, 1)) { + if (bbio == NULL || BIO_set_read_buffer_size(bbio, 1) <= 0) { BIO_free(bbio); ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB); return 0; diff --git a/deps/openssl/openssl/ssl/statem/statem_clnt.c b/deps/openssl/openssl/ssl/statem/statem_clnt.c index 5c65d8263bbbc2..9d925091b6c618 100644 --- a/deps/openssl/openssl/ssl/statem/statem_clnt.c 
+++ b/deps/openssl/openssl/ssl/statem/statem_clnt.c @@ -2259,7 +2259,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto err; } } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); goto err; } diff --git a/deps/openssl/openssl/ssl/statem/statem_lib.c b/deps/openssl/openssl/ssl/statem/statem_lib.c index e995f281180ec6..8053bbc86b69fb 100644 --- a/deps/openssl/openssl/ssl/statem/statem_lib.c +++ b/deps/openssl/openssl/ssl/statem/statem_lib.c @@ -462,7 +462,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) goto err; } } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); goto err; } diff --git a/deps/openssl/openssl/test/bio_memleak_test.c b/deps/openssl/openssl/test/bio_memleak_test.c index e95c21768cc97d..d9c744ff49cc55 100644 --- a/deps/openssl/openssl/test/bio_memleak_test.c +++ b/deps/openssl/openssl/test/bio_memleak_test.c @@ -261,13 +261,9 @@ static int test_bio_i2d_ASN1_mime(void) error_callback_fired = 0; - /* - * The call succeeds even if the input stream ends unexpectedly as - * there is no handling for this case in SMIME_crlf_copy(). - */ - if (!TEST_true(i2d_ASN1_bio_stream(out, (ASN1_VALUE*) p7, bio, - SMIME_STREAM | SMIME_BINARY, - ASN1_ITEM_rptr(PKCS7)))) + if (!TEST_false(i2d_ASN1_bio_stream(out, (ASN1_VALUE*) p7, bio, + SMIME_STREAM | SMIME_BINARY, + ASN1_ITEM_rptr(PKCS7)))) goto finish; if (!TEST_int_eq(error_callback_fired, 1)) diff --git a/deps/openssl/openssl/test/build.info b/deps/openssl/openssl/test/build.info index 638f215da6459d..4e385770e8c8e2 100644 --- a/deps/openssl/openssl/test/build.info +++ b/deps/openssl/openssl/test/build.info 
@@ -877,6 +877,11 @@ IF[{- !$disabled{tests} -}] INCLUDE[hexstr_test]=.. ../include ../apps/include DEPEND[hexstr_test]=../libcrypto.a libtestutil.a + PROGRAMS{noinst}=trace_api_test + SOURCE[trace_api_test]=trace_api_test.c + INCLUDE[trace_api_test]=.. ../include ../apps/include + DEPEND[trace_api_test]=../libcrypto.a libtestutil.a + PROGRAMS{noinst}=endecode_test SOURCE[endecode_test]=endecode_test.c helpers/predefined_dhparams.c INCLUDE[endecode_test]=.. ../include ../apps/include diff --git a/deps/openssl/openssl/test/certs/bad-othername-cert.pem b/deps/openssl/openssl/test/certs/bad-othername-cert.pem new file mode 100644 index 00000000000000..cf279de5ea748f --- /dev/null +++ b/deps/openssl/openssl/test/certs/bad-othername-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0 +IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx +NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm +aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt +JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2 +kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5 +Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S +Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b +75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7 +6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf +BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud +EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB +CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru +t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr +NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq +enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O +vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka +1AR5KN8h5SYKltSXknjs0pp1w4k49aHl +-----END CERTIFICATE----- 
diff --git a/deps/openssl/openssl/test/certs/ee-ed25519.pem b/deps/openssl/openssl/test/certs/ee-ed25519.pem index 3f4b5b2ac79d96..559179d018f709 100644 --- a/deps/openssl/openssl/test/certs/ee-ed25519.pem +++ b/deps/openssl/openssl/test/certs/ee-ed25519.pem 
@@ -1,9 +1,38 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6197312946105598768 (0x5601474a2a8dc330) + Signature Algorithm: ED25519 + Issuer: CN = IETF Test Demo + Validity + Not Before: Aug 1 12:19:24 2016 GMT + Not After : Nov 11 16:34:03 2121 GMT + Subject: CN = IETF Test Demo + Subject Public Key Info: + Public Key Algorithm: X25519 + X25519 Public-Key: + pub: + 85:20:f0:09:89:30:a7:54:74:8b:7d:dc:b4:3e:f7: + 5a:0d:bf:3a:0d:26:38:1a:f4:eb:a4:a9:8e:aa:9b: + 4e:6a + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Key Agreement + X509v3 Subject Key Identifier: + 9B:1F:5E:ED:ED:04:33:85:E4:F7:BC:62:3C:59:75:B9:0B:C8:BB:3B + Signature Algorithm: ED25519 + 72:b4:22:9c:d5:7b:85:10:ff:7c:28:59:e5:bb:1e:e8:b6:5f: + 74:39:94:dd:2f:8a:3d:6c:f3:23:28:d1:5e:3c:d1:56:e7:0a: + ea:99:ff:62:5c:48:0f:1c:24:24:35:98:1a:bb:ae:96:b9:93: + b3:cb:8e:45:e3:c0:ef:2e:5c:07 -----BEGIN CERTIFICATE----- -MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX -N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD -DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj -ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg -BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v -/BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg -w1AH9efZBw== +MIIBLjCB4aADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBU +ZXN0IERlbW8wIBcNMTYwODAxMTIxOTI0WhgPMjEyMTExMTExNjM0MDNaMBkxFzAV +BgNVBAMMDklFVEYgVGVzdCBEZW1vMCowBQYDK2VuAyEAhSDwCYkwp1R0i33ctD73 +Wg2/Og0mOBr066SpjqqbTmqjRTBDMA8GA1UdEwEB/wQFMAMBAQAwDgYDVR0PAQEA +BAQDAgMIMCAGA1UdDgEBAAQWBBSbH17t7QQzheT3vGI8WXW5C8i7OzAFBgMrZXAD +QQBytCKc1XuFEP98KFnlux7otl90OZTdL4o9bPMjKNFePNFW5wrqmf9iXEgPHCQk +NZgau66WuZOzy45F48DvLlwH -----END CERTIFICATE----- 
diff --git a/deps/openssl/openssl/test/certs/nccaothername-cert.pem b/deps/openssl/openssl/test/certs/nccaothername-cert.pem new file mode 100644 index 00000000000000..f9b9b07b8042a7 --- /dev/null +++ b/deps/openssl/openssl/test/certs/nccaothername-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD +DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN +vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H +d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh +IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA +mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB +gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD +AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw +HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g +HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB +AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4 +hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu +dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR +2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y +OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx +LKQu2Aw2+bOEZ2vUtz0dBhX8 +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/nccaothername-key.pem b/deps/openssl/openssl/test/certs/nccaothername-key.pem new file mode 100644 index 00000000000000..d3e300ac2f4e51 --- /dev/null +++ b/deps/openssl/openssl/test/certs/nccaothername-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp +w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV +3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo +bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls +k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p +2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF// +RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR +B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF +dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy +2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw +gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq +uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV +zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7 +eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+ +JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP +3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX +8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t +62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2 +EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo +1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc +RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi +ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf ++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2 +ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J +QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW +5FtOCFEmwQHTR8lu4c63qfxkEQ== +-----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/pkitsta.pem b/deps/openssl/openssl/test/certs/pkitsta.pem new file mode 100644 index 00000000000000..4cb5ec5b957d19 --- /dev/null +++ b/deps/openssl/openssl/test/certs/pkitsta.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRzCCAi+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf +MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg +QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowRTELMAkGA1UE +BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExFTATBgNVBAMT +DFRydXN0IEFuY2hvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmZ +UYkRR+DNRbmEJ4ITAhbNRDmqrNsJw97iLE7bpFeflDUoNcJrZPZbC208bG+g5M0A +TzV0vOqg88Ds1/FjFDK1oPItqsiDImJIq0xb/et5w72WNPxHVrcsr7Ap6DHfdwLp +NMncqtzX92hU/iGVHLE/w/OCWwAIIbTHaxdrGMUG7DkJJ6iI7mzqpcyPvyAAo9O3 +SHjJr+uw5vSrHRretnV2un0bohvGslN64MY/UIiRnPFwd2gD76byDzoM1ioyLRCl +lfBJ5sRDz9xrUHNigTAUdlblb6yrnNtNJmkrROYvkh6sLETUh9EYh0Ar+94fZVXf +GVi57Sw7x1jyANTlA40CAwEAAaNCMEAwHQYDVR0OBBYEFOR9X9FclYYILAWuvnW2 +ZafZXahmMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQCYoa9uR55KJTkpwyPihIgXHq7/Z8dx3qZlCJQwE5qQBZXIsf5e +C8Va/QjnTHOC4Gt4MwpnqqmoDqyqSW8pBVQgAUFAXqO91nLCQb4+/yfjiiNjzprp +xQlcqIZYjJSVtckH1IDWFLFeuGW+OgPPEFgN4hjU5YFIsE2r1i4+ixkeuorxxsK1 +D/jYbVwQMXLqn1pjJttOPJwuA8+ho1f2c8FrKlqjHgOwxuHhsiGN6MKgs1baalpR +/lnNFCIpq+/+3cnhufDjvxMy5lg+cwgMCiGzCxn4n4dBMw41C+4KhNF7ZtKuKSZ1 +eczztXD9NUkGUGw3LzpLDJazz3JhlZ/9pXzF +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/root-ed25519.pem b/deps/openssl/openssl/test/certs/root-ed25519.pem index e509d540110f72..44077801ed3d6b 100644 --- a/deps/openssl/openssl/test/certs/root-ed25519.pem +++ b/deps/openssl/openssl/test/certs/root-ed25519.pem 
@@ -1,9 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 84:f1:08:3d:1c:e3:2d:95 + Signature Algorithm: ED25519 + Issuer: CN = IETF Test Demo + Validity + Not Before: Apr 19 21:36:39 2017 GMT + Not After : Nov 11 15:37:05 2122 GMT + Subject: CN = IETF Test Demo + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + 19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b: + 96:c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31: + 66:e1 + X509v3 extensions: + X509v3 Subject Key Identifier: + A2:8C:C1:F8:6E:59:60:D3:E0:3A:E7:5C:96:2C:97:A8:D4:48:29:3C + X509v3 Authority Key Identifier: + keyid:A2:8C:C1:F8:6E:59:60:D3:E0:3A:E7:5C:96:2C:97:A8:D4:48:29:3C + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: ED25519 + 08:f9:fc:49:37:0c:03:64:ed:90:70:89:eb:f1:69:ca:75:3b: + 71:15:8f:eb:80:45:00:db:88:9b:66:46:9c:a4:e1:50:c5:59: + 43:98:66:37:6d:b7:59:51:5d:b4:9d:1d:89:25:b4:f6:87:43: + b7:d3:3b:85:b9:8e:e1:a8:46:04 -----BEGIN CERTIFICATE----- -MIIBODCB66ADAgECAgkAhPEIPRzjLZUwBQYDK2VwMBkxFzAVBgNVBAMMDklFVEYg -VGVzdCBEZW1vMB4XDTE3MDQxOTIxMzYzOVoXDTQxMDIxMjIxMzYzOVowGTEXMBUG -A1UEAwwOSUVURiBUZXN0IERlbW8wKjAFBgMrZXADIQAZv0QJaYTN/oVBusFn3DuW -yFCGqjC2tssMXDitcDFm4aNQME4wHQYDVR0OBBYEFKKMwfhuWWDT4DrnXJYsl6jU -SCk8MB8GA1UdIwQYMBaAFKKMwfhuWWDT4DrnXJYsl6jUSCk8MAwGA1UdEwQFMAMB -Af8wBQYDK2VwA0EAa6iEoQZBWB1MhCzASv5HuFM7fR5Nz2/KM7GxYjQWsfvK2Ds1 -jaPSG7Lx4uywIndMafp5CoPoFr6yLBkt+NZLAg== +MIIBOjCB7aADAgECAgkAhPEIPRzjLZUwBQYDK2VwMBkxFzAVBgNVBAMMDklFVEYg +VGVzdCBEZW1vMCAXDTE3MDQxOTIxMzYzOVoYDzIxMjIxMTExMTUzNzA1WjAZMRcw +FQYDVQQDDA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlcAMhABm/RAlphM3+hUG6wWfc +O5bIUIaqMLa2ywxcOK1wMWbho1AwTjAdBgNVHQ4EFgQUoozB+G5ZYNPgOudcliyX +qNRIKTwwHwYDVR0jBBgwFoAUoozB+G5ZYNPgOudcliyXqNRIKTwwDAYDVR0TBAUw +AwEB/zAFBgMrZXADQQAI+fxJNwwDZO2QcInr8WnKdTtxFY/rgEUA24ibZkacpOFQ +xVlDmGY3bbdZUV20nR2JJbT2h0O30zuFuY7hqEYE -----END CERTIFICATE----- 
diff --git a/deps/openssl/openssl/test/certs/rootCA.pem b/deps/openssl/openssl/test/certs/rootCA.pem index ef73d001b67758..c2abbf8a58a521 100644 --- a/deps/openssl/openssl/test/certs/rootCA.pem +++ b/deps/openssl/openssl/test/certs/rootCA.pem 
@@ -1,21 +1,79 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 88:43:29:cb:c2:eb:15:9a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA + Validity + Not Before: Jul 2 13:15:11 2015 GMT + Not After : Jul 2 17:50:05 2122 GMT + Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c0:f1:6b:77:88:ac:35:df:fb:73:53:2f:92:80: + 2f:74:16:32:4d:f5:10:20:6f:6c:3a:8e:d1:dc:6b: + e1:2e:3e:c3:04:0f:bf:9b:c4:c9:12:d1:e4:0b:45: + 97:e5:06:cd:66:3a:e1:e0:e2:2b:df:a2:c4:ec:7b: + d3:3d:3c:8a:ff:5e:74:a0:ab:a7:03:6a:16:5b:5e: + 92:c4:7e:5b:79:8a:69:d4:bc:83:5e:ae:42:92:74: + a5:2b:e7:00:c1:a9:dc:d5:b1:53:07:0f:73:f7:8e: + ad:14:3e:25:9e:e5:1e:e6:cc:91:cd:95:0c:80:44: + 20:c3:fd:17:cf:91:3d:63:10:1c:14:5b:fb:c3:a8: + c1:88:b2:77:ff:9c:db:fc:6a:44:44:44:f7:85:ec: + 08:2c:d4:df:81:a3:79:c9:fe:1e:9b:93:16:53:b7: + 97:ab:be:4f:1a:a5:e2:fa:46:05:e4:0d:9c:2a:a4: + cc:b9:1e:21:a0:6c:c4:ab:59:b0:40:39:bb:f9:88: + ad:fd:df:8d:b4:0b:af:7e:41:e0:21:3c:c8:33:45: + 49:84:2f:93:06:ee:fd:4f:ed:4f:f3:bc:9b:de:fc: + 25:5e:55:d5:75:d4:c5:7b:3a:40:35:06:9f:c4:84: + b4:6c:93:0c:af:37:5a:af:b6:41:4d:26:23:1c:b8: + 02:b3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 85:56:89:35:E2:9F:00:1A:E1:86:03:0B:4B:AF:76:12:6B:33:6D:FD + X509v3 Authority Key Identifier: + keyid:85:56:89:35:E2:9F:00:1A:E1:86:03:0B:4B:AF:76:12:6B:33:6D:FD + + Signature Algorithm: sha256WithRSAEncryption + b9:5c:c3:39:31:e9:c1:63:f9:f1:29:2c:c6:84:80:ed:33:e5: + 72:3c:2c:e8:93:1f:07:03:65:cd:bb:04:ed:10:29:00:5f:ea: + 91:08:19:df:10:88:e9:00:5c:2e:eb:b5:af:98:70:c8:c4:8b: + 53:c4:26:c5:a1:d8:46:b9:9f:7d:48:e0:26:74:2c:61:b8:c1: + 89:06:b6:e5:b5:ba:6b:75:2b:16:ad:ca:88:26:25:73:9b:15: + 22:59:6a:94:dc:61:34:88:28:58:9f:de:fd:71:1e:37:af:90: + 
74:7b:cf:bb:93:1c:73:24:15:26:7a:33:8c:5d:5b:81:97:14: + 62:01:7e:17:76:fb:aa:7a:4d:ed:81:2b:bd:d9:f3:12:69:86: + 01:b3:91:0a:8d:6b:bd:71:41:a9:93:63:c2:a1:ab:0d:48:05: + 99:7d:9e:a2:a4:ac:9f:73:0d:5b:5c:05:3a:52:64:fe:17:79: + 2a:27:51:d7:5b:af:dc:10:d5:23:6b:2c:62:51:00:c9:67:17: + 2d:29:a3:21:88:fd:14:48:0d:99:8c:d8:f8:c8:c7:ec:d2:83: + 3d:ba:d4:94:7b:df:39:61:4b:e3:7c:b9:ea:77:09:01:bc:ec: + db:1c:fa:42:1b:6d:1d:b1:51:5f:e4:87:dd:41:24:00:a2:52: + e0:1a:c0:1c -----BEGIN CERTIFICATE----- -MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +MIIDgTCCAmmgAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa -Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 -YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM -BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf -+3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i -xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO -rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU -34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL -r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 -QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf -ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w -DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 -mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ -WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI -qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 -GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT -JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAgFw0xNTA3MDIxMzE1MTFa +GA8yMTIyMDcwMjE3NTAwNVowVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt +U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UE 
+AwwGcm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPFrd4is +Nd/7c1MvkoAvdBYyTfUQIG9sOo7R3GvhLj7DBA+/m8TJEtHkC0WX5QbNZjrh4OIr +36LE7HvTPTyK/150oKunA2oWW16SxH5beYpp1LyDXq5CknSlK+cAwanc1bFTBw9z +946tFD4lnuUe5syRzZUMgEQgw/0Xz5E9YxAcFFv7w6jBiLJ3/5zb/GpERET3hewI +LNTfgaN5yf4em5MWU7eXq75PGqXi+kYF5A2cKqTMuR4hoGzEq1mwQDm7+Yit/d+N +tAuvfkHgITzIM0VJhC+TBu79T+1P87yb3vwlXlXVddTFezpANQafxIS0bJMMrzda +r7ZBTSYjHLgCswIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBSFVok1 +4p8AGuGGAwtLr3YSazNt/TAfBgNVHSMEGDAWgBSFVok14p8AGuGGAwtLr3YSazNt +/TANBgkqhkiG9w0BAQsFAAOCAQEAuVzDOTHpwWP58SksxoSA7TPlcjws6JMfBwNl +zbsE7RApAF/qkQgZ3xCI6QBcLuu1r5hwyMSLU8QmxaHYRrmffUjgJnQsYbjBiQa2 +5bW6a3UrFq3KiCYlc5sVIllqlNxhNIgoWJ/e/XEeN6+QdHvPu5MccyQVJnozjF1b +gZcUYgF+F3b7qnpN7YErvdnzEmmGAbORCo1rvXFBqZNjwqGrDUgFmX2eoqSsn3MN +W1wFOlJk/hd5KidR11uv3BDVI2ssYlEAyWcXLSmjIYj9FEgNmYzY+MjH7NKDPbrU +lHvfOWFL43y56ncJAbzs2xz6QhttHbFRX+SH3UEkAKJS4BrAHA== -----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/setup.sh b/deps/openssl/openssl/test/certs/setup.sh index b9766aab20fe16..2240cd9df0fd8c 100755 --- a/deps/openssl/openssl/test/certs/setup.sh +++ b/deps/openssl/openssl/test/certs/setup.sh @@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" +# Certs for CVE-2022-4203 testcase + +NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \ + "Test NC CA othername" nccaothername-key nccaothername-cert \ + root-key root-cert + +./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \ + ./mkcert.sh geneealt bad-othername-key bad-othername-cert \ + nccaothername-key nccaothername-cert \ + "otherName.1 = SRVName;UTF8STRING:foo@example.org" + # RSA-PSS signatures # SHA1 ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \ 
diff --git a/deps/openssl/openssl/test/cmp_asn_test.c b/deps/openssl/openssl/test/cmp_asn_test.c index 36ae8a60087be7..1e65b383753eab 100644 --- a/deps/openssl/openssl/test/cmp_asn_test.c +++ b/deps/openssl/openssl/test/cmp_asn_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -47,7 +47,10 @@ static int execute_cmp_asn1_get_int_test(CMP_ASN_TEST_FIXTURE *fixture) if (!TEST_ptr(asn1integer)) return 0; - ASN1_INTEGER_set(asn1integer, 77); + if (!TEST_true(ASN1_INTEGER_set(asn1integer, 77))) { + ASN1_INTEGER_free(asn1integer); + return 0; + } res = TEST_int_eq(77, ossl_cmp_asn1_get_int(asn1integer)); ASN1_INTEGER_free(asn1integer); return res; diff --git a/deps/openssl/openssl/test/cmp_client_test.c b/deps/openssl/openssl/test/cmp_client_test.c index f470f5e4456501..dc326250af20e6 100644 --- a/deps/openssl/openssl/test/cmp_client_test.c +++ b/deps/openssl/openssl/test/cmp_client_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * 
@@ -89,27 +89,49 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name) return NULL; } -static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture) +static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixt) { - return TEST_int_eq(fixture->expected, - OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1); + return TEST_int_eq(OSSL_CMP_CTX_get_status(fixt->cmp_ctx), + OSSL_CMP_PKISTATUS_unspecified) + && TEST_int_eq(OSSL_CMP_exec_RR_ses(fixt->cmp_ctx), + fixt->expected == OSSL_CMP_PKISTATUS_accepted) + && TEST_int_eq(OSSL_CMP_CTX_get_status(fixt->cmp_ctx), fixt->expected); } -static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture) +static int execute_exec_GENM_ses_test_single(CMP_SES_TEST_FIXTURE *fixture) { - STACK_OF(OSSL_CMP_ITAV) *itavs = NULL; - if (!TEST_ptr(itavs = OSSL_CMP_exec_GENM_ses(fixture->cmp_ctx))) - return 0; + OSSL_CMP_CTX *ctx = fixture->cmp_ctx; + ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1); + OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL); + STACK_OF(OSSL_CMP_ITAV) *itavs; + + OSSL_CMP_CTX_push0_genm_ITAV(ctx, itav); + itavs = OSSL_CMP_exec_GENM_ses(ctx); + sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); - return 1; + return TEST_int_eq(OSSL_CMP_CTX_get_status(ctx), fixture->expected) + && fixture->expected == OSSL_CMP_PKISTATUS_accepted ? 
+ TEST_ptr(itavs) : TEST_ptr_null(itavs); +} + +static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture) +{ + return execute_exec_GENM_ses_test_single(fixture) + && OSSL_CMP_CTX_reinit(fixture->cmp_ctx) + && execute_exec_GENM_ses_test_single(fixture); } static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture) { - X509 *res = OSSL_CMP_exec_certreq(fixture->cmp_ctx, - fixture->req_type, NULL); + OSSL_CMP_CTX *ctx = fixture->cmp_ctx; + X509 *res = OSSL_CMP_exec_certreq(ctx, fixture->req_type, NULL); + int status = OSSL_CMP_CTX_get_status(ctx); - if (fixture->expected == 0) + if (!TEST_int_eq(status, fixture->expected) + && !(fixture->expected == OSSL_CMP_PKISTATUS_waiting + && TEST_int_eq(status, OSSL_CMP_PKISTATUS_trans))) + return 0; + if (fixture->expected != OSSL_CMP_PKISTATUS_accepted) return TEST_ptr_null(res); if (!TEST_ptr(res) || !TEST_int_eq(X509_cmp(res, client_cert), 0)) @@ -124,14 +146,27 @@ static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture) return 1; } -static int test_exec_RR_ses(void) +static int test_exec_RR_ses(int request_error) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); - fixture->expected = 1; + if (request_error) + OSSL_CMP_CTX_set1_oldCert(fixture->cmp_ctx, NULL); + fixture->expected = request_error ? OSSL_CMP_PKISTATUS_request + : OSSL_CMP_PKISTATUS_accepted; EXECUTE_TEST(execute_exec_RR_ses_test, tear_down); return result; } +static int test_exec_RR_ses_ok(void) +{ + return test_exec_RR_ses(0); +} + +static int test_exec_RR_ses_request_error(void) +{ + return test_exec_RR_ses(1); +} + static int test_exec_RR_ses_receive_error(void) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); 
@@ -140,7 +175,7 @@ static int test_exec_RR_ses_receive_error(void) OSSL_CMP_CTX_FAILINFO_signerNotTrusted, "test string"); ossl_cmp_mock_srv_set_send_error(fixture->srv_ctx, 1); - fixture->expected = 0; + fixture->expected = OSSL_CMP_PKISTATUS_rejection; EXECUTE_TEST(execute_exec_RR_ses_test, tear_down); return result; } @@ -149,7 +184,7 @@ static int test_exec_IR_ses(void) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_IR; - fixture->expected = 1; + fixture->expected = OSSL_CMP_PKISTATUS_accepted; fixture->caPubs = sk_X509_new_null(); sk_X509_push(fixture->caPubs, server_cert); sk_X509_push(fixture->caPubs, server_cert); 
@@ -158,71 +193,90 @@ static int test_exec_IR_ses(void) return result; } -static const int checkAfter = 1; -static int test_exec_IR_ses_poll(void) +static int test_exec_IR_ses_poll(int check_after, int poll_count, + int total_timeout, int expect) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_IR; - fixture->expected = 1; - ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 2); - ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter); + fixture->expected = expect; + ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, check_after); + ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, poll_count); + OSSL_CMP_CTX_set_option(fixture->cmp_ctx, + OSSL_CMP_OPT_TOTAL_TIMEOUT, total_timeout); EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); return result; } -static int test_exec_IR_ses_poll_timeout(void) +static int checkAfter = 1; +static int test_exec_IR_ses_poll_ok(void) { - const int pollCount = 3; - const int tout = pollCount * checkAfter; + return test_exec_IR_ses_poll(checkAfter, 2, 0, OSSL_CMP_PKISTATUS_accepted); +} - SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); - fixture->req_type = OSSL_CMP_IR; - fixture->expected = 0; - ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, pollCount + 1); - ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter); - OSSL_CMP_CTX_set_option(fixture->cmp_ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT, tout); - EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); - return result; +static int test_exec_IR_ses_poll_no_timeout(void) +{ + return test_exec_IR_ses_poll(checkAfter, 1 /* pollCount */, checkAfter + 1, + OSSL_CMP_PKISTATUS_accepted); } +static int test_exec_IR_ses_poll_total_timeout(void) +{ + return test_exec_IR_ses_poll(checkAfter + 1, 2 /* pollCount */, checkAfter, + OSSL_CMP_PKISTATUS_waiting); +} -static int test_exec_CR_ses(void) +static int test_exec_CR_ses(int implicit_confirm, int granted) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); 
fixture->req_type = OSSL_CMP_CR; - fixture->expected = 1; + fixture->expected = OSSL_CMP_PKISTATUS_accepted; + OSSL_CMP_CTX_set_option(fixture->cmp_ctx, + OSSL_CMP_OPT_IMPLICIT_CONFIRM, implicit_confirm); + OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(fixture->srv_ctx, granted); EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); return result; } +static int test_exec_CR_ses_explicit_confirm(void) +{ + return test_exec_CR_ses(0, 0); +} + static int test_exec_CR_ses_implicit_confirm(void) { - SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); - fixture->req_type = OSSL_CMP_CR; - fixture->expected = 1; - OSSL_CMP_CTX_set_option(fixture->cmp_ctx, - OSSL_CMP_OPT_IMPLICIT_CONFIRM, 1); - OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(fixture->srv_ctx, 1); - EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); - return result; + return test_exec_CR_ses(1, 0) + && test_exec_CR_ses(1, 1); } -static int test_exec_KUR_ses(void) +static int test_exec_KUR_ses(int transfer_error) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_KUR; - fixture->expected = 1; + if (transfer_error) + OSSL_CMP_CTX_set_transfer_cb_arg(fixture->cmp_ctx, NULL); + fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans + : OSSL_CMP_PKISTATUS_accepted; EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); return result; } +static int test_exec_KUR_ses_ok(void) +{ + return test_exec_KUR_ses(0); +} + +static int test_exec_KUR_ses_transfer_error(void) +{ + return test_exec_KUR_ses(1); +} + static int test_exec_P10CR_ses(void) { X509_REQ *req = NULL; SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_P10CR; - fixture->expected = 1; + fixture->expected = OSSL_CMP_PKISTATUS_accepted; if (!TEST_ptr(req = load_csr_der(pkcs10_f, libctx)) || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) { tear_down(fixture); 
@@ -287,13 +341,36 @@ static int test_try_certreq_poll_abort(void) return result; } -static int test_exec_GENM_ses(void) +static int test_exec_GENM_ses(int transfer_error, int total_timeout, int expect) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); + if (transfer_error) + OSSL_CMP_CTX_set_transfer_cb_arg(fixture->cmp_ctx, NULL); + /* + * cannot use OSSL_CMP_CTX_set_option(... OSSL_CMP_OPT_TOTAL_TIMEOUT) + * here because this will correct total_timeout to be >= 0 + */ + fixture->cmp_ctx->total_timeout = total_timeout; + fixture->expected = expect; EXECUTE_TEST(execute_exec_GENM_ses_test, tear_down); return result; } +static int test_exec_GENM_ses_ok(void) +{ + return test_exec_GENM_ses(0, 0, OSSL_CMP_PKISTATUS_accepted); +} + +static int test_exec_GENM_ses_transfer_error(void) +{ + return test_exec_GENM_ses(1, 0, OSSL_CMP_PKISTATUS_trans); +} + +static int test_exec_GENM_ses_total_timeout(void) +{ + return test_exec_GENM_ses(0, -1, OSSL_CMP_PKISTATUS_trans); +} + static int execute_exchange_certConf_test(CMP_SES_TEST_FIXTURE *fixture) { int res = 
@@ -375,18 +452,23 @@ int setup_tests(void) return 0; } - ADD_TEST(test_exec_RR_ses); + ADD_TEST(test_exec_RR_ses_ok); + ADD_TEST(test_exec_RR_ses_request_error); ADD_TEST(test_exec_RR_ses_receive_error); - ADD_TEST(test_exec_CR_ses); + ADD_TEST(test_exec_CR_ses_explicit_confirm); ADD_TEST(test_exec_CR_ses_implicit_confirm); ADD_TEST(test_exec_IR_ses); - ADD_TEST(test_exec_IR_ses_poll); - ADD_TEST(test_exec_IR_ses_poll_timeout); - ADD_TEST(test_exec_KUR_ses); + ADD_TEST(test_exec_IR_ses_poll_ok); + ADD_TEST(test_exec_IR_ses_poll_no_timeout); + ADD_TEST(test_exec_IR_ses_poll_total_timeout); + ADD_TEST(test_exec_KUR_ses_ok); + ADD_TEST(test_exec_KUR_ses_transfer_error); ADD_TEST(test_exec_P10CR_ses); ADD_TEST(test_try_certreq_poll); ADD_TEST(test_try_certreq_poll_abort); - ADD_TEST(test_exec_GENM_ses); + ADD_TEST(test_exec_GENM_ses_ok); + ADD_TEST(test_exec_GENM_ses_transfer_error); + ADD_TEST(test_exec_GENM_ses_total_timeout); ADD_TEST(test_exchange_certConf); ADD_TEST(test_exchange_error); return 1; diff --git a/deps/openssl/openssl/test/cmp_hdr_test.c b/deps/openssl/openssl/test/cmp_hdr_test.c index 5a49299b42b113..ed49a0bb619901 100644 --- a/deps/openssl/openssl/test/cmp_hdr_test.c +++ b/deps/openssl/openssl/test/cmp_hdr_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -333,12 +333,12 @@ execute_HDR_generalInfo_push1_items_test(CMP_HDR_TEST_FIXTURE *fixture) if (!TEST_ptr(asn1int)) return 0; - if (!TEST_ptr(val)) { + if (!TEST_ptr(val) + || !TEST_true(ASN1_INTEGER_set(asn1int, 88))) { ASN1_INTEGER_free(asn1int); return 0; } - ASN1_INTEGER_set(asn1int, 88); ASN1_TYPE_set(val, V_ASN1_INTEGER, asn1int); if (!TEST_ptr(itav = OSSL_CMP_ITAV_create(OBJ_txt2obj(oid, 1), val))) { ASN1_TYPE_free(val); 
diff --git a/deps/openssl/openssl/test/cmp_vfy_test.c b/deps/openssl/openssl/test/cmp_vfy_test.c index 5aa6a008ccbb0f..ed8e1b31437242 100644 --- a/deps/openssl/openssl/test/cmp_vfy_test.c +++ b/deps/openssl/openssl/test/cmp_vfy_test.c @@ -83,6 +83,12 @@ static X509 *insta_cert = NULL, *instaca_cert = NULL; static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; static OSSL_CMP_MSG *ir_unprotected, *ir_rmprotection; +/* secret value used for IP_waitingStatus_PBM.der */ +static const unsigned char sec_1[] = { + '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', + 'Q', '-', 'u', 'd', 'N', 'R' +}; + static int flip_bit(ASN1_BIT_STRING *bitstr) { int bit_num = 7; @@ -142,19 +148,14 @@ static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) return res; } -static int test_validate_msg_mac_alg_protection(void) +static int test_validate_msg_mac_alg_protection(int miss, int wrong) { - /* secret value belonging to cmp-test/CMP_IP_waitingStatus_PBM.der */ - const unsigned char sec_1[] = { - '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', - 'Q', '-', 'u', 'd', 'N', 'R' - }; - SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - fixture->expected = 1; - if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, - sizeof(sec_1))) + fixture->expected = !miss && !wrong; + if (!TEST_true(miss ? OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, NULL) + : OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, + wrong ? 4 : sizeof(sec_1))) || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f, libctx))) { tear_down(fixture); fixture = NULL; 
@@ -163,6 +164,21 @@ static int test_validate_msg_mac_alg_protection(void) return result; } +static int test_validate_msg_mac_alg_protection_ok(void) +{ + return test_validate_msg_mac_alg_protection(0, 0); +} + +static int test_validate_msg_mac_alg_protection_missing(void) +{ + return test_validate_msg_mac_alg_protection(1, 0); +} + +static int test_validate_msg_mac_alg_protection_wrong(void) +{ + return test_validate_msg_mac_alg_protection(0, 1); +} + #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_mac_alg_protection_bad(void) { @@ -231,12 +247,17 @@ static int test_validate_msg_signature_trusted_expired(void) } #endif -static int test_validate_msg_signature_srvcert_wrong(void) +static int test_validate_msg_signature_srvcert(int bad_sig, int miss, int wrong) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - fixture->expected = 0; + fixture->cert = srvcert; + fixture->expected = !bad_sig && !wrong && !miss; if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) - || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, clcert))) { + || !TEST_true(miss ? OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, + sec_1, sizeof(sec_1)) + : OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, + wrong? clcert : srvcert)) + || (bad_sig && !flip_bit(fixture->msg->protection))) { tear_down(fixture); fixture = NULL; } 
@@ -244,30 +265,26 @@ static int test_validate_msg_signature_srvcert_wrong(void) return result; } -static int test_validate_msg_signature_srvcert(int bad_sig) +static int test_validate_msg_signature_srvcert_missing(void) { - SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - fixture->expected = !bad_sig; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) - || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert)) - || (bad_sig && !flip_bit(fixture->msg->protection))) { - tear_down(fixture); - fixture = NULL; - } - EXECUTE_TEST(execute_validate_msg_test, tear_down); - return result; + return test_validate_msg_signature_srvcert(0, 1, 0); +} + +static int test_validate_msg_signature_srvcert_wrong(void) +{ + return test_validate_msg_signature_srvcert(0, 0, 1); } #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_signature_bad(void) { - return test_validate_msg_signature_srvcert(1); + return test_validate_msg_signature_srvcert(1, 0, 0); } #endif static int test_validate_msg_signature_sender_cert_srvcert(void) { - return test_validate_msg_signature_srvcert(0); + return test_validate_msg_signature_srvcert(0, 0, 0); } static int test_validate_msg_signature_sender_cert_untrusted(void) @@ -634,6 +651,7 @@ int setup_tests(void) ADD_TEST(test_validate_msg_signature_trusted_ok); #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_validate_msg_signature_trusted_expired); + ADD_TEST(test_validate_msg_signature_srvcert_missing); #endif ADD_TEST(test_validate_msg_signature_srvcert_wrong); #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 
@@ -651,8 +669,10 @@ int setup_tests(void) #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_validate_msg_unprotected_request); #endif - ADD_TEST(test_validate_msg_mac_alg_protection); + ADD_TEST(test_validate_msg_mac_alg_protection_ok); #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + ADD_TEST(test_validate_msg_mac_alg_protection_missing); + ADD_TEST(test_validate_msg_mac_alg_protection_wrong); ADD_TEST(test_validate_msg_mac_alg_protection_bad); #endif diff --git a/deps/openssl/openssl/test/ectest.c b/deps/openssl/openssl/test/ectest.c index 38772ba16f4b83..946973c2f4d9fd 100644 --- a/deps/openssl/openssl/test/ectest.c +++ b/deps/openssl/openssl/test/ectest.c @@ -2724,6 +2724,13 @@ static int custom_params_test(int id) if (!TEST_ptr(ctx = BN_CTX_new())) return 0; + BN_CTX_start(ctx); + if (!TEST_ptr(p = BN_CTX_get(ctx)) + || !TEST_ptr(a = BN_CTX_get(ctx)) + || !TEST_ptr(b = BN_CTX_get(ctx)) + || !TEST_ptr(k = BN_CTX_get(ctx))) + goto err; + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) goto err; @@ -2735,13 +2742,6 @@ static int custom_params_test(int id) } #endif - BN_CTX_start(ctx); - if (!TEST_ptr(p = BN_CTX_get(ctx)) - || !TEST_ptr(a = BN_CTX_get(ctx)) - || !TEST_ptr(b = BN_CTX_get(ctx)) - || !TEST_ptr(k = BN_CTX_get(ctx))) - goto err; - /* expected byte length of encoded points */ bsize = (EC_GROUP_get_degree(group) + 7) / 8; bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ diff --git a/deps/openssl/openssl/test/evp_extra_test.c b/deps/openssl/openssl/test/evp_extra_test.c index ae41c462c53012..3747532ff0b3c6 100644 --- a/deps/openssl/openssl/test/evp_extra_test.c +++ b/deps/openssl/openssl/test/evp_extra_test.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "testutil.h" #include "internal/nelem.h" #include "internal/sizes.h" 
@@ -2039,7 +2040,7 @@ static int test_EVP_SM2(void) sizeof(kMsg)))) goto done; - if (!TEST_true(EVP_PKEY_decrypt_init(cctx))) + if (!TEST_int_gt(EVP_PKEY_decrypt_init(cctx), 0)) goto done; if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams))) @@ -4622,11 +4623,13 @@ static int test_ecx_short_keys(int tst) EVP_PKEY *pkey; - pkey = EVP_PKEY_new_raw_private_key(ecxnids[tst], NULL, &ecxkeydata, 1); + pkey = EVP_PKEY_new_raw_private_key_ex(testctx, OBJ_nid2sn(ecxnids[tst]), + NULL, &ecxkeydata, 1); if (!TEST_ptr_null(pkey)) { EVP_PKEY_free(pkey); return 0; } + return 1; } 
@@ -4647,6 +4650,73 @@ const OPTIONS *test_get_options(void) return options; } +#ifndef OPENSSL_NO_EC +/* Test that trying to sign with a public key errors out gracefully */ +static int test_ecx_not_private_key(int tst) +{ + EVP_PKEY *pkey = NULL; + + const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 }; + int testresult = 0; + EVP_MD_CTX *ctx = NULL; + unsigned char *mac = NULL; + size_t maclen = 0; + unsigned char *pubkey; + size_t pubkeylen; + + switch (keys[tst].type) { + case NID_X25519: + case NID_X448: + return TEST_skip("signing not supported for X25519/X448"); + } + + /* Check if this algorithm supports public keys */ + if (keys[tst].pub == NULL) + return TEST_skip("no public key present"); + + pubkey = (unsigned char *)keys[tst].pub; + pubkeylen = strlen(keys[tst].pub); + + pkey = EVP_PKEY_new_raw_public_key_ex(testctx, OBJ_nid2sn(keys[tst].type), + NULL, pubkey, pubkeylen); + if (!TEST_ptr(pkey)) + goto err; + + if (!TEST_ptr(ctx = EVP_MD_CTX_new())) + goto err; + + if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) != 1) + goto check_err; + + if (EVP_DigestSign(ctx, NULL, &maclen, msg, sizeof(msg)) != 1) + goto check_err; + + if (!TEST_ptr(mac = OPENSSL_malloc(maclen))) + goto err; + + if (!TEST_int_eq(EVP_DigestSign(ctx, mac, &maclen, msg, sizeof(msg)), 0)) + goto err; + + check_err: + /* + * Currently only EVP_DigestSign will throw PROV_R_NOT_A_PRIVATE_KEY, + * but we relax the check to allow error also thrown by + * EVP_DigestSignInit and EVP_DigestSign. + */ + if (ERR_GET_REASON(ERR_peek_error()) == PROV_R_NOT_A_PRIVATE_KEY) { + testresult = 1; + ERR_clear_error(); + } + + err: + EVP_MD_CTX_free(ctx); + OPENSSL_free(mac); + EVP_PKEY_free(pkey); + + return testresult; +} +#endif /* OPENSSL_NO_EC */ + int setup_tests(void) { OPTION_CHOICE o; @@ -4782,6 +4852,10 @@ int setup_tests(void) ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); +#ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(test_ecx_not_private_key, OSSL_NELEM(keys)); +#endif + return 1; } 
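Review bot: In test_ecx_not_private_key, the check_err block reads the queue with ERR_peek_error(), which returns the oldest entry, and compares only ERR_GET_REASON(). An error left behind by an earlier test would make this fail, and a matching reason number from a different library would make it pass. Suggest calling ERR_clear_error() at the top of the function and using ERR_peek_last_error() together with an ERR_GET_LIB() check.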
diff --git a/deps/openssl/openssl/test/evp_extra_test2.c b/deps/openssl/openssl/test/evp_extra_test2.c index cacd04ce3cb1ca..5430ec462b2c89 100644 --- a/deps/openssl/openssl/test/evp_extra_test2.c +++ b/deps/openssl/openssl/test/evp_extra_test2.c @@ -356,6 +356,37 @@ static int test_dh_tofrom_data_select(void) EVP_PKEY_CTX_free(gctx); return ret; } + +static int test_dh_paramgen(void) +{ + int ret; + OSSL_PARAM params[3]; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *gctx = NULL; + unsigned int pbits = 512; /* minimum allowed for speed */ + + params[0] = OSSL_PARAM_construct_uint(OSSL_PKEY_PARAM_FFC_PBITS, &pbits); + params[1] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, + "generator", 0); + params[2] = OSSL_PARAM_construct_end(); + + ret = TEST_ptr(gctx = EVP_PKEY_CTX_new_from_name(mainctx, "DH", NULL)) + && TEST_int_gt(EVP_PKEY_paramgen_init(gctx), 0) + && TEST_true(EVP_PKEY_CTX_set_params(gctx, params)) + && TEST_true(EVP_PKEY_paramgen(gctx, &pkey)) + && TEST_ptr(pkey); + + EVP_PKEY_CTX_free(gctx); + gctx = NULL; + + ret = ret && TEST_ptr(gctx = EVP_PKEY_CTX_new_from_pkey(mainctx, pkey, NULL)) + && TEST_int_eq(EVP_PKEY_param_check(gctx), 1) + && TEST_int_eq(EVP_PKEY_param_check_quick(gctx), 1); + + EVP_PKEY_CTX_free(gctx); + EVP_PKEY_free(pkey); + return ret; +} #endif #ifndef OPENSSL_NO_EC @@ -382,6 +413,19 @@ static int test_ecx_tofrom_data_select(void) } #endif +#ifndef OPENSSL_NO_SM2 +static int test_sm2_tofrom_data_select(void) +{ + int ret; + EVP_PKEY *key = NULL; + + ret = TEST_ptr(key = EVP_PKEY_Q_keygen(mainctx, NULL, "SM2")) + && TEST_true(do_pkey_tofrom_data_select(key, "SM2")); + EVP_PKEY_free(key); + return ret; +} +#endif + static int test_rsa_tofrom_data_select(void) { int ret; 
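Review bot: In test_dh_paramgen, EVP_PKEY_CTX_set_params() and EVP_PKEY_paramgen() are wrapped in TEST_true(), which accepts any non-zero value, while these calls report failure with 0 or a negative value. The line above them already uses TEST_int_gt(EVP_PKEY_paramgen_init(gctx), 0), and this patch makes the same correction for EVP_PKEY_decrypt_init() in test_EVP_SM2; using TEST_int_gt(..., 0) for the other two calls keeps a negative return from counting as a pass.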
@@ -1105,12 +1149,16 @@ int setup_tests(void) #else ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 1); #endif +#ifndef OPENSSL_NO_SM2 + ADD_TEST(test_sm2_tofrom_data_select); +#endif #ifndef OPENSSL_NO_DSA ADD_TEST(test_dsa_todata); ADD_TEST(test_dsa_tofrom_data_select); #endif #ifndef OPENSSL_NO_DH ADD_TEST(test_dh_tofrom_data_select); + ADD_TEST(test_dh_paramgen); #endif ADD_TEST(test_rsa_tofrom_data_select); diff --git a/deps/openssl/openssl/test/evp_kdf_test.c b/deps/openssl/openssl/test/evp_kdf_test.c index 145e64fbdb4f29..bab8da1cb8dfe7 100644 --- a/deps/openssl/openssl/test/evp_kdf_test.c +++ b/deps/openssl/openssl/test/evp_kdf_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1399,7 +1399,7 @@ static int test_kdf_ss_kmac(void) { int ret; EVP_KDF_CTX *kctx; - OSSL_PARAM params[6], *p = params; + OSSL_PARAM params[7], *p = params; unsigned char out[64]; size_t mac_size = 20; static unsigned char z[] = { @@ -1422,6 +1422,9 @@ static int test_kdf_ss_kmac(void) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, (char *)OSSL_MAC_NAME_KMAC128, 0); + /* The digest parameter is not needed here and should be ignored */ + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + (char *)"SHA256", 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, z, sizeof(z)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, other, sizeof(other)); 
@@ -1432,7 +1435,12 @@ static int test_kdf_ss_kmac(void) ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SSKDF)) - && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), params), 0) + && TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), 0) + && TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 1) + /* The bug fix for KMAC returning SIZE_MAX was added in 3.0.8 */ + && (fips_provider_version_lt(NULL, 3, 0, 8) + || TEST_size_t_eq(EVP_KDF_CTX_get_kdf_size(kctx), SIZE_MAX)) + && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); EVP_KDF_CTX_free(kctx); diff --git a/deps/openssl/openssl/test/evp_pkey_provided_test.c b/deps/openssl/openssl/test/evp_pkey_provided_test.c index 8faf0838d03fe2..1aabfef893b085 100644 --- a/deps/openssl/openssl/test/evp_pkey_provided_test.c +++ b/deps/openssl/openssl/test/evp_pkey_provided_test.c @@ -188,7 +188,12 @@ static int test_print_key_using_pem(const char *alg, const EVP_PKEY *pk) /* Unencrypted private key in PEM form */ || !TEST_true(PEM_write_bio_PrivateKey(membio, pk, NULL, NULL, 0, NULL, NULL)) - || !TEST_true(compare_with_file(alg, PRIV_PEM, membio))) + || !TEST_true(compare_with_file(alg, PRIV_PEM, membio)) + /* NULL key */ + || !TEST_false(PEM_write_bio_PrivateKey(membio, NULL, + NULL, NULL, 0, NULL, NULL)) + || !TEST_false(PEM_write_bio_PrivateKey_traditional(membio, NULL, + NULL, NULL, 0, NULL, NULL))) goto err; ret = 1; 
@@ -1180,13 +1185,20 @@ static int test_fromdata_ec(void) 0x7f, 0x59, 0x5f, 0x8c, 0xd1, 0x96, 0x0b, 0xdf, 0x29, 0x3e, 0x49, 0x07, 0x88, 0x3f, 0x9a, 0x29 }; + /* SAME BUT COMPRESSED FORMAT */ + static const unsigned char ec_pub_keydata_compressed[] = { + POINT_CONVERSION_COMPRESSED+1, + 0x1b, 0x93, 0x67, 0x55, 0x1c, 0x55, 0x9f, 0x63, + 0xd1, 0x22, 0xa4, 0xd8, 0xd1, 0x0a, 0x60, 0x6d, + 0x02, 0xa5, 0x77, 0x57, 0xc8, 0xa3, 0x47, 0x73, + 0x3a, 0x6a, 0x08, 0x28, 0x39, 0xbd, 0xc9, 0xd2 + }; static const unsigned char ec_priv_keydata[] = { 0x33, 0xd0, 0x43, 0x83, 0xa9, 0x89, 0x56, 0x03, 0xd2, 0xd7, 0xfe, 0x6b, 0x01, 0x6f, 0xe4, 0x59, 0xcc, 0x0d, 0x9a, 0x24, 0x6c, 0x86, 0x1b, 0x2e, 0xdc, 0x4b, 0x4d, 0x35, 0x43, 0xe1, 0x1b, 0xad }; - const int compressed_sz = 1 + (sizeof(ec_pub_keydata) - 1) / 2; unsigned char out_pub[sizeof(ec_pub_keydata)]; char out_curve_name[80]; const OSSL_PARAM *gettable = NULL; @@ -1209,9 +1221,17 @@ static int test_fromdata_ec(void) if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, curve, 0) <= 0) goto err; + /* + * We intentionally provide the input point in compressed format, + * and avoid setting `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT`. + * + * Later on we check what format is used when exporting the + * `OSSL_PKEY_PARAM_PUB_KEY` and expect to default to uncompressed + * format. + */ if (OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, - ec_pub_keydata, - sizeof(ec_pub_keydata)) <= 0) + ec_pub_keydata_compressed, + sizeof(ec_pub_keydata_compressed)) <= 0) goto err; if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, ec_priv_bn) <= 0) goto err; 
@@ -1282,9 +1302,17 @@ static int test_fromdata_ec(void) || !TEST_str_eq(out_curve_name, curve) || !EVP_PKEY_get_octet_string_param(pk, OSSL_PKEY_PARAM_PUB_KEY, out_pub, sizeof(out_pub), &len) - || !TEST_true(out_pub[0] == (POINT_CONVERSION_COMPRESSED + 1)) + + /* + * Our providers use uncompressed format by default if + * `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` was not + * explicitly set, irrespective of the format used for the + * input point given as a param to create this key. + */ + || !TEST_true(out_pub[0] == POINT_CONVERSION_UNCOMPRESSED) || !TEST_mem_eq(out_pub + 1, len - 1, - ec_pub_keydata + 1, compressed_sz - 1) + ec_pub_keydata + 1, sizeof(ec_pub_keydata) - 1) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_PRIV_KEY, &bn_priv)) || !TEST_BN_eq(ec_priv_bn, bn_priv)) diff --git a/deps/openssl/openssl/test/exptest.c b/deps/openssl/openssl/test/exptest.c index 71ee031a439610..59285b17a39290 100644 --- a/deps/openssl/openssl/test/exptest.c +++ b/deps/openssl/openssl/test/exptest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,7 +49,8 @@ static int test_mod_exp_zero(void) BIGNUM *r = NULL; BN_ULONG one_word = 1; BN_CTX *ctx = BN_CTX_new(); - int ret = 1, failed = 0; + int ret = 0, failed = 0; + BN_MONT_CTX *mont = NULL; if (!TEST_ptr(m = BN_new()) || !TEST_ptr(a = BN_new()) 
@@ -94,6 +95,33 @@ static int test_mod_exp_zero(void) if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) failed = 1; + if (!TEST_ptr(mont = BN_MONT_CTX_new())) + goto err; + + ERR_set_mark(); + /* mont is not set but passed in */ + if (!TEST_false(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) + goto err; + if (!TEST_false(BN_mod_exp_mont(r, p, a, m, ctx, mont))) + goto err; + ERR_pop_to_mark(); + + if (!TEST_true(BN_MONT_CTX_set(mont, m, ctx))) + goto err; + + /* we compute 0 ** a mod 1 here, to execute code that uses mont */ + if (!TEST_true(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) + goto err; + + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) + failed = 1; + + if (!TEST_true(BN_mod_exp_mont(r, p, a, m, ctx, mont))) + goto err; + + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont", r, a))) + failed = 1; + /* * A different codepath exists for single word multiplication * in non-constant-time only. @@ -114,6 +142,7 @@ static int test_mod_exp_zero(void) BN_free(a); BN_free(p); BN_free(m); + BN_MONT_CTX_free(mont); BN_CTX_free(ctx); return ret; diff --git a/deps/openssl/openssl/test/fake_rsaprov.c b/deps/openssl/openssl/test/fake_rsaprov.c index 6d8c8c68ca0492..be08bfd399814c 100644 --- a/deps/openssl/openssl/test/fake_rsaprov.c +++ b/deps/openssl/openssl/test/fake_rsaprov.c 
@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has; static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query; static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import; static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes; +static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export; +static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes; static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load; static int has_selection; static int imptypes_selection; +static int exptypes_selection; static int query_id; +struct fake_rsa_keydata { + int selection; + int status; +}; + static void *fake_rsa_keymgmt_new(void *provctx) { - unsigned char *keydata = OPENSSL_zalloc(1); + struct fake_rsa_keydata *key; - TEST_ptr(keydata); + if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata)))) + return NULL; /* clear test globals */ has_selection = 0; imptypes_selection = 0; + exptypes_selection = 0; query_id = 0; - return keydata; + return key; } static void fake_rsa_keymgmt_free(void *keydata) 
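Review bot: struct fake_rsa_keydata gains a selection member, but none of the hunks in this file assign or read it; import, gen, load and sign_init only touch status. Either record the selection argument in fake_rsa_keymgmt_import (it is already passed in) or drop the field.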
@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id) static int fake_rsa_keymgmt_import(void *keydata, int selection, const OSSL_PARAM *p) { - unsigned char *fake_rsa_key = keydata; + struct fake_rsa_keydata *fake_rsa_key = keydata; /* key was imported */ - *fake_rsa_key = 1; + fake_rsa_key->status = 1; return 1; } +static unsigned char fake_rsa_n[] = + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" + "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" + "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" + "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" + "\xF5"; + +static unsigned char fake_rsa_e[] = "\x11"; + +static unsigned char fake_rsa_d[] = + "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" + "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" + "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" + "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; + +static unsigned char fake_rsa_p[] = + "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" + "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" + "\x0D"; + +static unsigned char fake_rsa_q[] = + "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" + "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" + "\x89"; + +static unsigned char fake_rsa_dmp1[] = + "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" + "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; + +static unsigned char fake_rsa_dmq1[] = + "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" + "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" + "\x51"; + +static unsigned char fake_rsa_iqmp[] = + "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" + "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; + +OSSL_PARAM *fake_rsa_key_params(int priv) +{ + if 
(priv) { + OSSL_PARAM params[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, + sizeof(fake_rsa_n) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, + sizeof(fake_rsa_e) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d, + sizeof(fake_rsa_d) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p, + sizeof(fake_rsa_p) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q, + sizeof(fake_rsa_q) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1, + sizeof(fake_rsa_dmp1) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1, + sizeof(fake_rsa_dmq1) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp, + sizeof(fake_rsa_iqmp) -1), + OSSL_PARAM_END + }; + return OSSL_PARAM_dup(params); + } else { + OSSL_PARAM params[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, + sizeof(fake_rsa_n) -1), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, + sizeof(fake_rsa_e) -1), + OSSL_PARAM_END + }; + return OSSL_PARAM_dup(params); + } +} + +static int fake_rsa_keymgmt_export(void *keydata, int selection, + OSSL_CALLBACK *param_callback, void *cbarg) +{ + OSSL_PARAM *params = NULL; + int ret; + + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) + return 0; + + if (!TEST_ptr(params = fake_rsa_key_params(0))) + return 0; + + ret = param_callback(params, cbarg); + OSSL_PARAM_free(params); + return ret; +} + static const OSSL_PARAM fake_rsa_import_key_types[] = { OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), 
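Review bot: fake_rsa_keymgmt_export never looks at keydata: it returns the fixed fake_rsa_n and fake_rsa_e parameters for any key, including one that came from fake_rsa_keymgmt_new but was never imported or generated (status == 0). The other callbacks gate on status, so returning 0 here when keydata is NULL or status is 0 would keep the export path consistent and stop an uninitialized key from comparing equal to a real one. The selection test also rejects a combined public and private request outright; a short comment saying that is intended would help.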
@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection) return fake_rsa_import_key_types; } +static const OSSL_PARAM fake_rsa_export_key_types[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection) +{ + /* record global for checking */ + exptypes_selection = selection; + + return fake_rsa_export_key_types; +} + static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz) { - unsigned char *key = NULL; + struct fake_rsa_keydata *key = NULL; - if (reference_sz != sizeof(key)) + if (reference_sz != sizeof(*key)) return NULL; - key = *(unsigned char **)reference; - if (*key != 1) + key = *(struct fake_rsa_keydata **)reference; + if (key->status != 1) return NULL; /* detach the reference */ - *(unsigned char **)reference = NULL; + *(struct fake_rsa_keydata **)reference = NULL; return key; } @@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) { unsigned char *gctx = genctx; static const unsigned char inited[] = { 1 }; - unsigned char *keydata; + struct fake_rsa_keydata *keydata; if (!TEST_ptr(gctx) || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited))) @@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL))) return NULL; - *keydata = 2; + keydata->status = 2; return keydata; } 
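Review bot: In fake_rsa_keymgmt_load, the length check became reference_sz != sizeof(*key), but the reference holds a pointer (the next statement reads it as *(struct fake_rsa_keydata **)reference), so the expected length is sizeof(key). The two values coincide where a pointer is 8 bytes and the struct is two 4-byte ints, which hides the mismatch; on a 32-bit build the check would compare a 4-byte reference against 8. The same applies to fake_rsa_st_load, which now passes &key with sizeof(*key) and so describes more bytes than the pointer variable occupies there. Suggest keeping sizeof(key) in both places.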
@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = { { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import }, { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))fake_rsa_keymgmt_imptypes }, + { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export }, + { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, + (void (*)(void))fake_rsa_keymgmt_exptypes }, { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load }, { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init }, { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen }, @@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey, const OSSL_PARAM params[]) { unsigned char *sigctx = ctx; - unsigned char *keydata = provkey; + struct fake_rsa_keydata *keydata = provkey; /* we must have a ctx */ if (!TEST_ptr(sigctx)) return 0; /* we must have some initialized key */ - if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0)) + if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0)) return 0; /* record that sign init was called */ @@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx, unsigned char *storectx = loaderctx; OSSL_PARAM params[4]; int object_type = OSSL_OBJECT_PKEY; - void *key = NULL; + struct fake_rsa_keydata *key = NULL; int rv = 0; switch (*storectx) { @@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx, /* The address of the key becomes the octet string */ params[2] = OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, - &key, sizeof(key)); + &key, sizeof(*key)); params[3] = OSSL_PARAM_construct_end(); rv = object_cb(params, object_cbarg); *storectx = 1; diff --git a/deps/openssl/openssl/test/fake_rsaprov.h b/deps/openssl/openssl/test/fake_rsaprov.h index 57de1ecf8dea53..190c46a285c0ae 100644 --- a/deps/openssl/openssl/test/fake_rsaprov.h +++ b/deps/openssl/openssl/test/fake_rsaprov.h 
@@ -12,3 +12,4 @@ /* Fake RSA provider implementation */ OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); void fake_rsa_finish(OSSL_PROVIDER *p); +OSSL_PARAM *fake_rsa_key_params(int priv); diff --git a/deps/openssl/openssl/test/ffc_internal_test.c b/deps/openssl/openssl/test/ffc_internal_test.c index 2c9729357398b1..7f8f44c8a9fdc7 100644 --- a/deps/openssl/openssl/test/ffc_internal_test.c +++ b/deps/openssl/openssl/test/ffc_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019-2020, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -510,6 +510,27 @@ static int ffc_public_validate_test(void) if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) goto err; + /* Fail if params is NULL */ + if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res))) + goto err; + if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) + goto err; + res = -1; + /* Fail if pubkey is NULL */ + if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res))) + goto err; + if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) + goto err; + res = -1; + + BN_free(params->p); + params->p = NULL; + /* Fail if params->p is NULL */ + if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) + goto err; + if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) + goto err; + ret = 1; err: DH_free(dh); 
@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void) if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res))) goto err; + if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res))) + goto err; + if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) + goto err; + res = -1; + if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res))) + goto err; + if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) + goto err; + ret = 1; err: DH_free(dh); diff --git a/deps/openssl/openssl/test/keymgmt_internal_test.c b/deps/openssl/openssl/test/keymgmt_internal_test.c index bd95d4c984c9d4..ce2e458f8c311d 100644 --- a/deps/openssl/openssl/test/keymgmt_internal_test.c +++ b/deps/openssl/openssl/test/keymgmt_internal_test.c @@ -227,7 +227,7 @@ static int test_pass_rsa(FIXTURE *fixture) while (dup_pk == NULL) { ret = 0; km = km3; - /* Check that we can't export an RSA key into a RSA-PSS keymanager */ + /* Check that we can't export an RSA key into an RSA-PSS keymanager */ if (!TEST_ptr_null(provkey2 = evp_pkey_export_to_provider(pk, NULL, &km, NULL))) diff --git a/deps/openssl/openssl/test/packettest.c b/deps/openssl/openssl/test/packettest.c index b82b9fb5022532..17831d940bffb6 100644 --- a/deps/openssl/openssl/test/packettest.c +++ b/deps/openssl/openssl/test/packettest.c @@ -12,13 +12,13 @@ #define BUF_LEN 255 -static unsigned char smbuf[BUF_LEN]; +static unsigned char smbuf[BUF_LEN + 1]; static int test_PACKET_remaining(void) { PACKET pkt; - if (!TEST_true(PACKET_buf_init(&pkt, smbuf, sizeof(smbuf))) + if (!TEST_true(PACKET_buf_init(&pkt, smbuf, BUF_LEN)) || !TEST_size_t_eq(PACKET_remaining(&pkt), BUF_LEN) || !TEST_true(PACKET_forward(&pkt, BUF_LEN - 1)) || !TEST_size_t_eq(PACKET_remaining(&pkt), 1) 
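Review bot: The first packettest.c hunk grows smbuf to BUF_LEN + 1 and switches PACKET_buf_init() from sizeof(smbuf) to BUF_LEN, but nothing explains why the spare byte is needed. Add a one-line comment at the declaration stating the reason, otherwise a later cleanup is likely to go back to sizeof(smbuf) and silently change the packet length under test.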
@@ -33,7 +33,7 @@ static int test_PACKET_end(void) { PACKET pkt; - if (!TEST_true(PACKET_buf_init(&pkt, smbuf, sizeof(smbuf))) + if (!TEST_true(PACKET_buf_init(&pkt, smbuf, BUF_LEN)) || !TEST_size_t_eq(PACKET_remaining(&pkt), BUF_LEN) || !TEST_ptr_eq(PACKET_end(&pkt), smbuf + BUF_LEN) || !TEST_true(PACKET_forward(&pkt, BUF_LEN - 1)) diff --git a/deps/openssl/openssl/test/param_build_test.c b/deps/openssl/openssl/test/param_build_test.c index bfa463acc5351d..8257c6fba9f3c2 100644 --- a/deps/openssl/openssl/test/param_build_test.c +++ b/deps/openssl/openssl/test/param_build_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -16,11 +16,78 @@ static const OSSL_PARAM params_empty[] = { OSSL_PARAM_END }; +static int template_public_single_zero_test(void) +{ + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL, *params_blt = NULL, *p; + BIGNUM *zbn = NULL, *zbn_res = NULL; + int res = 0; + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_ptr(zbn = BN_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "zeronumber", zbn)) + || !TEST_ptr(params_blt = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + params = params_blt; + /* Check BN (zero BN becomes unsigned integer) */ + if (!TEST_ptr(p = OSSL_PARAM_locate(params, "zeronumber")) + || !TEST_str_eq(p->key, "zeronumber") + || !TEST_uint_eq(p->data_type, OSSL_PARAM_UNSIGNED_INTEGER) + || !TEST_true(OSSL_PARAM_get_BN(p, &zbn_res)) + || !TEST_BN_eq(zbn_res, zbn)) + goto err; + res = 1; +err: + if (params != params_blt) + OPENSSL_free(params); + OSSL_PARAM_free(params_blt); + OSSL_PARAM_BLD_free(bld); + BN_free(zbn); + BN_free(zbn_res); + return res; +} + +static int template_private_single_zero_test(void) +{ + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL, *params_blt = NULL, *p; + BIGNUM *zbn = NULL, *zbn_res = NULL; + int res = 0; + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_ptr(zbn = BN_secure_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "zeronumber", zbn)) + || !TEST_ptr(params_blt = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + params = params_blt; + /* Check BN (zero BN becomes unsigned integer) */ + if (!TEST_ptr(p = OSSL_PARAM_locate(params, "zeronumber")) + || !TEST_true(CRYPTO_secure_allocated(p->data)) + || !TEST_str_eq(p->key, "zeronumber") + || !TEST_uint_eq(p->data_type, OSSL_PARAM_UNSIGNED_INTEGER) + || !TEST_true(OSSL_PARAM_get_BN(p, &zbn_res)) + || !TEST_int_eq(BN_get_flags(zbn, BN_FLG_SECURE), BN_FLG_SECURE) + || !TEST_BN_eq(zbn_res, zbn)) + goto err; + res = 1; +err: + if (params != params_blt) + OPENSSL_free(params); + OSSL_PARAM_free(params_blt); + OSSL_PARAM_BLD_free(bld); + 
BN_free(zbn); + BN_free(zbn_res); + return res; +} + static int template_public_test(int tstid) { OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); OSSL_PARAM *params = NULL, *params_blt = NULL, *p1 = NULL, *p; BIGNUM *bn = NULL, *bn_res = NULL; + BIGNUM *zbn = NULL, *zbn_res = NULL; int i; long int l; int32_t i32; @@ -37,6 +104,8 @@ static int template_public_test(int tstid) || !TEST_true(OSSL_PARAM_BLD_push_int64(bld, "i64", -9999999)) || !TEST_true(OSSL_PARAM_BLD_push_time_t(bld, "t", 11224)) || !TEST_true(OSSL_PARAM_BLD_push_double(bld, "d", 1.61803398875)) + || !TEST_ptr(zbn = BN_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "zeronumber", zbn)) || !TEST_ptr(bn = BN_new()) || !TEST_true(BN_set_word(bn, 1729)) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "bignumber", bn)) @@ -118,6 +187,12 @@ static int template_public_test(int tstid) || !TEST_ptr(p = OSSL_PARAM_locate(params, "utf8_p")) || !TEST_true(OSSL_PARAM_get_utf8_ptr(p, &cutf)) || !TEST_str_eq(cutf, "bar-boom") + /* Check BN (zero BN becomes unsigned integer) */ + || !TEST_ptr(p = OSSL_PARAM_locate(params, "zeronumber")) + || !TEST_str_eq(p->key, "zeronumber") + || !TEST_uint_eq(p->data_type, OSSL_PARAM_UNSIGNED_INTEGER) + || !TEST_true(OSSL_PARAM_get_BN(p, &zbn_res)) + || !TEST_BN_eq(zbn_res, zbn) /* Check BN */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "bignumber")) || !TEST_str_eq(p->key, "bignumber") @@ -133,6 +208,8 @@ static int template_public_test(int tstid) OSSL_PARAM_free(params_blt); OSSL_PARAM_BLD_free(bld); OPENSSL_free(utf); + BN_free(zbn); + BN_free(zbn_res); BN_free(bn); BN_free(bn_res); return res; @@ -152,6 +229,7 @@ static int template_private_test(int tstid) uint32_t i32; uint64_t i64; size_t st; + BIGNUM *zbn = NULL, *zbn_res = NULL; BIGNUM *bn = NULL, *bn_res = NULL; int res = 0; 
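Review bot: In both new single-zero tests, params is only ever assigned params_blt, so the cleanup branch "if (params != params_blt) OPENSSL_free(params);" can never free anything (on the early error path params is still NULL). It looks carried over from template_public_test; dropping the params variable and using params_blt directly would be clearer. The two functions also differ only in BN_new() versus BN_secure_new() and the secure-memory checks, so a shared helper taking a flag would avoid the duplication.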
@@ -170,6 +248,8 @@ static int template_private_test(int tstid) || !TEST_true(OSSL_PARAM_BLD_push_uint32(bld, "i32", 1532)) || !TEST_true(OSSL_PARAM_BLD_push_uint64(bld, "i64", 9999999)) || !TEST_true(OSSL_PARAM_BLD_push_size_t(bld, "st", 65537)) + || !TEST_ptr(zbn = BN_secure_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "zeronumber", zbn)) || !TEST_ptr(bn = BN_secure_new()) || !TEST_true(BN_set_word(bn, 1729)) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "bignumber", bn)) @@ -251,6 +331,14 @@ static int template_private_test(int tstid) || !TEST_str_eq(p->key, "oct_p") || !TEST_uint_eq(p->data_type, OSSL_PARAM_OCTET_PTR) || !TEST_mem_eq(*(void **)p->data, p->data_size, data2, data2_size) + /* Check BN (zero BN becomes unsigned integer) */ + || !TEST_ptr(p = OSSL_PARAM_locate(params, "zeronumber")) + || !TEST_true(CRYPTO_secure_allocated(p->data)) + || !TEST_str_eq(p->key, "zeronumber") + || !TEST_uint_eq(p->data_type, OSSL_PARAM_UNSIGNED_INTEGER) + || !TEST_true(OSSL_PARAM_get_BN(p, &zbn_res)) + || !TEST_int_eq(BN_get_flags(zbn, BN_FLG_SECURE), BN_FLG_SECURE) + || !TEST_BN_eq(zbn_res, zbn) /* Check BN */ || !TEST_ptr(p = OSSL_PARAM_locate(params, "bignumber")) || !TEST_true(CRYPTO_secure_allocated(p->data)) @@ -269,6 +357,8 @@ static int template_private_test(int tstid) OSSL_PARAM_BLD_free(bld); OPENSSL_secure_free(data1); OPENSSL_secure_free(data2); + BN_free(zbn); + BN_free(zbn_res); BN_free(bn); BN_free(bn_res); return res; @@ -432,10 +522,13 @@ static int builder_merge_test(void) int setup_tests(void) { + ADD_TEST(template_public_single_zero_test); ADD_ALL_TESTS(template_public_test, 5); /* Only run the secure memory testing if we have secure memory available */ - if (CRYPTO_secure_malloc_init(1<<16, 16)) + if (CRYPTO_secure_malloc_init(1<<16, 16)) { + ADD_TEST(template_private_single_zero_test); ADD_ALL_TESTS(template_private_test, 5); + } ADD_TEST(builder_limit_test); ADD_TEST(builder_merge_test); return 1; 
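Review bot: In template_private_test, the added check TEST_int_eq(BN_get_flags(zbn, BN_FLG_SECURE), BN_FLG_SECURE) inspects zbn, the input created with BN_secure_new() earlier in the function, so it holds regardless of what OSSL_PARAM_get_BN() produced. If the intent is to confirm that the round-tripped zero value stays in secure memory, test zbn_res instead; if checking the input is deliberate, a comment would help. The same line appears in template_private_single_zero_test.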
diff --git a/deps/openssl/openssl/test/pemtest.c b/deps/openssl/openssl/test/pemtest.c index a8d2d49bb52c13..c8c88bf1f1656f 100644 --- a/deps/openssl/openssl/test/pemtest.c +++ b/deps/openssl/openssl/test/pemtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -96,6 +96,35 @@ static int test_cert_key_cert(void) return 1; } +static int test_empty_payload(void) +{ + BIO *b; + static char *emptypay = + "-----BEGIN CERTIFICATE-----\n" + "-\n" /* Base64 EOF character */ + "-----END CERTIFICATE-----"; + char *name = NULL, *header = NULL; + unsigned char *data = NULL; + long len; + int ret = 0; + + b = BIO_new_mem_buf(emptypay, strlen(emptypay)); + if (!TEST_ptr(b)) + return 0; + + /* Expected to fail because the payload is empty */ + if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) + goto err; + + ret = 1; + err: + OPENSSL_free(name); + OPENSSL_free(header); + OPENSSL_free(data); + BIO_free(b); + return ret; +} + int setup_tests(void) { if (!TEST_ptr(pemfile = test_get_argument(0))) @@ -103,5 +132,6 @@ int setup_tests(void) ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); ADD_TEST(test_invalid); ADD_TEST(test_cert_key_cert); + ADD_TEST(test_empty_payload); return 1; } diff --git a/deps/openssl/openssl/test/property_test.c b/deps/openssl/openssl/test/property_test.c index 844315c2261dfe..6a405e364baf10 100644 --- a/deps/openssl/openssl/test/property_test.c +++ b/deps/openssl/openssl/test/property_test.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -165,6 +165,7 @@ static const struct { { 0, "a=abc,#@!, n=1" }, /* non-ASCII character located */ { 1, "a='Hello" }, /* Unterminated string */ { 0, "a=\"World" }, /* Unterminated string */ + { 0, "a=_abd_" }, /* Unquoted string not starting with alphabetic */ { 1, "a=2, n=012345678" }, /* Bad octal digit */ { 0, "n=0x28FG, a=3" }, /* Bad hex digit */ { 0, "n=145d, a=2" }, /* Bad decimal digit */ 
@@ -255,19 +256,42 @@ static int test_property_merge(int n) static int test_property_defn_cache(void) { OSSL_METHOD_STORE *store; - OSSL_PROPERTY_LIST *red, *blue; - int r = 0; + OSSL_PROPERTY_LIST *red = NULL, *blue = NULL, *blue2 = NULL; + int r; - if (TEST_ptr(store = ossl_method_store_new(NULL)) + r = TEST_ptr(store = ossl_method_store_new(NULL)) && add_property_names("red", "blue", NULL) && TEST_ptr(red = ossl_parse_property(NULL, "red")) && TEST_ptr(blue = ossl_parse_property(NULL, "blue")) && TEST_ptr_ne(red, blue) - && TEST_true(ossl_prop_defn_set(NULL, "red", red)) - && TEST_true(ossl_prop_defn_set(NULL, "blue", blue)) - && TEST_ptr_eq(ossl_prop_defn_get(NULL, "red"), red) - && TEST_ptr_eq(ossl_prop_defn_get(NULL, "blue"), blue)) - r = 1; + && TEST_true(ossl_prop_defn_set(NULL, "red", &red)); + + if (!r) { + ossl_property_free(red); + red = NULL; + ossl_property_free(blue); + blue = NULL; + } + + r = r && TEST_true(ossl_prop_defn_set(NULL, "blue", &blue)); + if (!r) { + ossl_property_free(blue); + blue = NULL; + } + + r = r && TEST_ptr_eq(ossl_prop_defn_get(NULL, "red"), red) + && TEST_ptr_eq(ossl_prop_defn_get(NULL, "blue"), blue) + && TEST_ptr(blue2 = ossl_parse_property(NULL, "blue")) + && TEST_ptr_ne(blue2, blue) + && TEST_true(ossl_prop_defn_set(NULL, "blue", &blue2)); + if (!r) { + ossl_property_free(blue2); + blue2 = NULL; + } + + r = r && TEST_ptr_eq(blue2, blue) + && TEST_ptr_eq(ossl_prop_defn_get(NULL, "blue"), blue); + ossl_method_store_free(store); return r; } diff --git a/deps/openssl/openssl/test/provider_pkey_test.c b/deps/openssl/openssl/test/provider_pkey_test.c index 457c648bc4e59e..249e9babcfa85b 100644 --- a/deps/openssl/openssl/test/provider_pkey_test.c +++ b/deps/openssl/openssl/test/provider_pkey_test.c 
@@ -176,6 +176,67 @@ static int test_alternative_keygen_init(void) return ret; } +static int test_pkey_eq(void) +{ + OSSL_PROVIDER *deflt = NULL; + OSSL_PROVIDER *fake_rsa = NULL; + EVP_PKEY *pkey_fake = NULL; + EVP_PKEY *pkey_dflt = NULL; + EVP_PKEY_CTX *ctx = NULL; + OSSL_PARAM *params = NULL; + int ret = 0; + + if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) + return 0; + + if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default"))) + goto end; + + /* Construct a public key for fake-rsa */ + if (!TEST_ptr(params = fake_rsa_key_params(0)) + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", + "provider=fake-rsa")) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY, + params)) + || !TEST_ptr(pkey_fake)) + goto end; + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + OSSL_PARAM_free(params); + params = NULL; + + /* Construct a public key for default */ + if (!TEST_ptr(params = fake_rsa_key_params(0)) + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", + "provider=default")) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY, + params)) + || !TEST_ptr(pkey_dflt)) + goto end; + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + OSSL_PARAM_free(params); + params = NULL; + + /* now test for equality */ + if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1)) + goto end; + + ret = 1; +end: + fake_rsa_finish(fake_rsa); + OSSL_PROVIDER_unload(deflt); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey_fake); + EVP_PKEY_free(pkey_dflt); + OSSL_PARAM_free(params); + return ret; +} + static int test_pkey_store(int idx) { OSSL_PROVIDER *deflt = NULL; @@ -235,6 +296,7 @@ int setup_tests(void) ADD_TEST(test_pkey_sig); ADD_TEST(test_alternative_keygen_init); + ADD_TEST(test_pkey_eq); ADD_ALL_TESTS(test_pkey_store, 2); return 1; 
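Review bot: in test_pkey_eq() (provider_pkey_test.c) the fake-rsa and default key construction blocks are identical apart from the property query string, so a small helper that takes the property query and returns the EVP_PKEY would halve the function and keep the two paths from drifting apart. A short comment above the function saying that it checks EVP_PKEY_eq() across two providers built from the same fake_rsa_key_params(0) data would also help; the only hint in the hunk is `/* now test for equality */`.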
diff --git a/deps/openssl/openssl/test/punycode_test.c b/deps/openssl/openssl/test/punycode_test.c index 113d04b7a98901..9d8171346caa82 100644 --- a/deps/openssl/openssl/test/punycode_test.c +++ b/deps/openssl/openssl/test/punycode_test.c @@ -154,7 +154,7 @@ static int test_punycode(int n) if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded), buffer, &bsize))) return 0; - for (i = 0; i < sizeof(tc->raw); i++) + for (i = 0; i < OSSL_NELEM(tc->raw); i++) if (tc->raw[i] == 0) break; if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer), diff --git a/deps/openssl/openssl/test/recipes/03-test_fipsinstall.t b/deps/openssl/openssl/test/recipes/03-test_fipsinstall.t index 007e1be821b053..c39b2cee09ecc7 100644 --- a/deps/openssl/openssl/test/recipes/03-test_fipsinstall.t +++ b/deps/openssl/openssl/test/recipes/03-test_fipsinstall.t @@ -28,6 +28,7 @@ plan tests => 29; my $infile = bldtop_file('providers', platform->dso('fips')); my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00'; +my $provconf = srctop_file("test", "fips-and-base.cnf"); # Read in a text $infile and replace the regular expression in $srch with the # value in $repl and output to a new file $outfile. @@ -230,6 +231,12 @@ SKIP: { SKIP: { skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 if disabled("dsa"); + + run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version is too new for PCT DSA signature test", 1 + if !$exit; + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", diff --git a/deps/openssl/openssl/test/recipes/05-test_rand.t b/deps/openssl/openssl/test/recipes/05-test_rand.t index 4da1e64cb6da0f..3f352db9df3a6d 100644 --- a/deps/openssl/openssl/test/recipes/05-test_rand.t +++ b/deps/openssl/openssl/test/recipes/05-test_rand.t 
@@ -11,9 +11,30 @@ use warnings; use OpenSSL::Test; use OpenSSL::Test::Utils; -plan tests => 3; +plan tests => 5; setup("test_rand"); ok(run(test(["rand_test"]))); ok(run(test(["drbgtest"]))); ok(run(test(["rand_status_test"]))); + +SKIP: { + skip "engine is not supported by this OpenSSL build", 2 + if disabled("engine") || disabled("dynamic-engine"); + + my $success; + my @randdata; + my $expected = '0102030405060708090a0b0c0d0e0f10'; + + @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), + capture => 1, statusvar => \$success); + chomp(@randdata); + ok($success and $randdata[0] eq $expected, + "rand with ossltest: Check rand output is as expected"); + + @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), + capture => 1, statusvar => \$success); + chomp(@randdata); + ok($success and length($randdata[0]) == 32, + "rand with dasync: Check rand output is of expected length"); +} diff --git a/deps/openssl/openssl/test/recipes/15-test_rsapss.t b/deps/openssl/openssl/test/recipes/15-test_rsapss.t index aba7e16b8f4bd8..c566ade933e9d6 100644 --- a/deps/openssl/openssl/test/recipes/15-test_rsapss.t +++ b/deps/openssl/openssl/test/recipes/15-test_rsapss.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_rsapss"); -plan tests => 10; +plan tests => 11; #using test/testrsa.pem which happens to be a 512 bit RSA ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', 
@@ -58,6 +58,15 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), srctop_file('test', 'testrsa.pem')])), "openssl dgst -prverify [plain RSA key, PSS padding mode, PSS restrictions]"); +ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), + '-sha1', + '-sigopt', 'rsa_padding_mode:pss', + '-sigopt', 'rsa_pss_saltlen:42', + '-sigopt', 'rsa_mgf1_md:sha512', + '-signature', 'testrsapss-restricted.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -sign rsa512bit.pem -sha1 -sigopt rsa_pss_saltlen:max produces 42 bits of PSS salt"); + ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha1', '-sigopt', 'rsa_padding_mode:pss', diff --git a/deps/openssl/openssl/test/recipes/20-test_dgst.t b/deps/openssl/openssl/test/recipes/20-test_dgst.t index f5895747caf6cc..96744b3741fad0 100644 --- a/deps/openssl/openssl/test/recipes/20-test_dgst.t +++ b/deps/openssl/openssl/test/recipes/20-test_dgst.t @@ -17,7 +17,7 @@ use OpenSSL::Test::Utils; setup("test_dgst"); -plan tests => 12; +plan tests => 13; sub tsignverify { my $testtext = shift; 
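Review bot: the test added to 15-test_rsapss.t (hunk @@ -58,6 +58,15 @@) carries a description that does not match the command it runs. The command is `openssl dgst -prverify` against testrsapss-restricted.sig with `rsa_pss_saltlen:42` and `rsa_mgf1_md:sha512`, while the description reads "openssl dgst -sign rsa512bit.pem -sha1 -sigopt rsa_pss_saltlen:max produces 42 bits of PSS salt". Either reword the description to say that verification with an explicit salt length of 42 succeeds on the signature produced earlier, or add a comment tying this verify step to the signing step it depends on, so a failure report points at the right command.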
@@ -51,6 +51,43 @@ sub tsignverify { $testtext.": Expect failure verifying mismatching data"); } +sub tsignverify_sha512 { + my $testtext = shift; + my $privkey = shift; + my $pubkey = shift; + + my $data_to_sign = srctop_file('test', 'data.bin'); + my $other_data = srctop_file('test', 'data2.bin'); + + my $sigfile = basename($privkey, '.pem') . '.sig'; + plan tests => 5; + + ok(run(app(['openssl', 'sha512', '-sign', $privkey, + '-out', $sigfile, + $data_to_sign])), + $testtext.": Generating signature using sha512 command"); + + ok(run(app(['openssl', 'sha512', '-verify', $pubkey, + '-signature', $sigfile, + $data_to_sign])), + $testtext.": Verify signature with public key using sha512 command"); + + ok(run(app(['openssl', 'dgst', '-sha512', '-prverify', $privkey, + '-signature', $sigfile, + $data_to_sign])), + $testtext.": Verify signature with private key"); + + ok(run(app(['openssl', 'dgst', '-sha512', '-verify', $pubkey, + '-signature', $sigfile, + $data_to_sign])), + $testtext.": Verify signature with public key"); + + ok(!run(app(['openssl', 'dgst', '-sha512', '-verify', $pubkey, + '-signature', $sigfile, + $other_data])), + $testtext.": Expect failure verifying mismatching data"); +} + SKIP: { skip "RSA is not supported by this OpenSSL build", 1 if disabled("rsa"); @@ -60,6 +97,12 @@ SKIP: { srctop_file("test","testrsa.pem"), srctop_file("test","testrsapub.pem")); }; + + subtest "RSA signature generation and verification with `sha512` CLI" => sub { + tsignverify_sha512("RSA", + srctop_file("test","testrsa2048.pem"), + srctop_file("test","testrsa2048pub.pem")); + }; } SKIP: { diff --git a/deps/openssl/openssl/test/recipes/20-test_legacy_okay.t b/deps/openssl/openssl/test/recipes/20-test_legacy_okay.t new file mode 100755 index 00000000000000..183499f3fd93f9 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/20-test_legacy_okay.t 
@@ -0,0 +1,23 @@ +#! /usr/bin/env perl +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use OpenSSL::Test; + +setup("test_legacy"); + +plan tests => 3; + +ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file"); + +ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest"); + +ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1', + 'rand.txt'])), "Fail to generate a digest"); diff --git a/deps/openssl/openssl/test/recipes/25-test_pkcs7.t b/deps/openssl/openssl/test/recipes/25-test_pkcs7.t index 37cd43dc6bf8cd..cbb9902bdddd9a 100644 --- a/deps/openssl/openssl/test/recipes/25-test_pkcs7.t +++ b/deps/openssl/openssl/test/recipes/25-test_pkcs7.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -11,11 +11,11 @@ use strict; use warnings; use File::Spec; -use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_file data_file/; setup("test_pkcs7"); -plan tests => 3; +plan tests => 4; require_ok(srctop_file('test','recipes','tconversion.pl')); @@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub { tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"), -args => ["pkcs7"] ); }; + +my $malformed = data_file('malformed.pkcs7'); +ok(run(app(["openssl", "pkcs7", "-in", $malformed]))); 
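Review bot: the `ok(run(app(["openssl", "pkcs7", "-in", $malformed])));` line added at the end of 25-test_pkcs7.t has no test name and no comment explaining why a file called malformed.pkcs7 is expected to make the command succeed. Give the test a description string and a one-line comment stating what is being asserted (for example, that the input is handled without crashing), otherwise a failure shows up as an unnamed test and the intent has to be recovered from the commit history.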
diff --git a/deps/openssl/openssl/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/deps/openssl/openssl/test/recipes/25-test_pkcs7_data/malformed.pkcs7 new file mode 100644 index 00000000000000..e30d1b582c9f46 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/25-test_pkcs7_data/malformed.pkcs7 @@ -0,0 +1,3 @@ +-----BEGIN PKCS7----- +MAsGCSqGSIb3DQEHAg== +-----END PKCS7----- diff --git a/deps/openssl/openssl/test/recipes/25-test_verify.t b/deps/openssl/openssl/test/recipes/25-test_verify.t index 4613489f5764e5..2a4c36e86daff0 100644 --- a/deps/openssl/openssl/test/recipes/25-test_verify.t +++ b/deps/openssl/openssl/test/recipes/25-test_verify.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 163; +plan tests => 164; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), "Name constraints nested DNS name excluded"); +ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ), + "CVE-2022-4203 type confusion test"); + #Check that we get the expected failure return code with({ exit_checker => sub { return shift == 2; } }, sub { diff --git a/deps/openssl/openssl/test/recipes/30-test_evp.t b/deps/openssl/openssl/test/recipes/30-test_evp.t index 54c386295907e3..0a036b7da01826 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp.t +++ b/deps/openssl/openssl/test/recipes/30-test_evp.t 
@@ -26,7 +26,6 @@ my $no_des = disabled("des"); my $no_dh = disabled("dh"); my $no_dsa = disabled("dsa"); my $no_ec = disabled("ec"); -my $no_gost = disabled("gost"); my $no_sm2 = disabled("sm2"); # Default config depends on if the legacy module is built or not @@ -76,7 +75,7 @@ push @files, qw( evppkey_ecdsa.txt evppkey_kas.txt evppkey_mismatch.txt - ) unless $no_ec || $no_gost; + ) unless $no_ec; # A list of tests that only run with the default provider # (i.e. The algorithms are not present in the fips provider) diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_chacha.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_chacha.txt index 3315a66f33757d..52a39c03f8f2ff 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_chacha.txt +++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph_chacha.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -153,6 +153,16 @@ Tag = eead9d67890cbb22392336fea1851f38 Plaintext = 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 Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b +# Test that a truncated IV is no longer allowed (since 3.0) +# This is the same test as above with the leading zeros stripped from the IV +Cipher = chacha20-poly1305 +Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 +IV = 0102030405060708 +AAD = f33388860000000000004e91 +Tag = eead9d67890cbb22392336fea1851f38 +Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d +Result = INVALID_IV_LENGTH + Cipher = chacha20-poly1305 Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 IV = 000000000102030405060708 diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpkdf_hkdf.txt index d8adb7f732579f..60f92c4db4fba4 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpkdf_hkdf.txt 
+++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpkdf_hkdf.txt @@ -202,3 +202,14 @@ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b Ctrl.salt = salt: Output = da8c8a73 Result = KDF_DERIVE_ERROR + +# Test concat of multiple info (Uses existing test data, and just splits the info into separate fields) +KDF = HKDF +Ctrl.mode = mode:EXPAND_ONLY +Ctrl.digest = digest:SHA1 +Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6 +Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0 +Ctrl.info = hexinfo:c1c2c3 +Ctrl.info = hexinfo:c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9 +Ctrl.info = hexinfo:dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpmac_common.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpmac_common.txt index 9a0f9cc29cefd1..a7300fd01767b7 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evpmac_common.txt +++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evpmac_common.txt 
@@ -486,7 +486,7 @@ Title = KMAC long customisation string negative test MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -Custom = ":abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::" +Custom = ":abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789::" Result = MAC_INIT_ERROR Title = KMAC output is too large diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_rsa_common.txt index b8d8bb2993eb5c..24ec6a4f770521 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 
@@ -254,6 +254,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70 Output = "Hello World" # Corrupted ciphertext +FIPSversion = <3.2.0 Decrypt = RSA-2048 Input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utput = "Hello World" diff --git a/deps/openssl/openssl/test/recipes/80-test_cms.t b/deps/openssl/openssl/test/recipes/80-test_cms.t index 48a92f735d5013..abe299b6a2ec1e 100644 --- a/deps/openssl/openssl/test/recipes/80-test_cms.t +++ b/deps/openssl/openssl/test/recipes/80-test_cms.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ use warnings; use POSIX; use File::Spec::Functions qw/catfile/; use File::Compare qw/compare_text compare/; -use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/; use OpenSSL::Test::Utils; @@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 12; +plan tests => 16; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -64,6 +64,7 @@ my @prov = ("-provider-path", $provpath, @config, "-provider", $provname); +my $smrsa1024 = catfile($smdir, "smrsa1024.pem"); my $smrsa1 = catfile($smdir, "smrsa1.pem"); my $smroot = catfile($smdir, "smroot.pem"); @@ -498,6 +499,7 @@ my @smime_cms_param_tests = ( "-signer", $smrsa1, "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max", "-out", "{output}.cms" ], + sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; }, [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", "-CAfile", $smroot, "-out", "{output}.txt" ], \&final_compare 
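Review bot: the check `rsapssSaltlen("$opts{output}.cms") == 222` added to the `rsa_pss_saltlen:max` case in 80-test_cms.t (hunk @@ -498,6 +499,7 @@) uses an unexplained constant. A later hunk in the same file comments the saltlen=digest case ("digest is SHA-256, which produces 32 bytes of output"); this case deserves the same treatment, with a comment showing how 222 follows from the signer key size and digest, so the expectation can be re-derived if $smrsa1 or the default digest ever changes.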
@@ -523,6 +525,29 @@ my @smime_cms_param_tests = ( \&final_compare ], + [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, "-md", "sha256", + "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16", + "-out", "{output}.cms" ], + sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; }, + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], + + [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, "-md", "sha256", + "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest", + "-out", "{output}.cms" ], + # digest is SHA-256, which produces 32 bytes of output + sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; }, + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], + [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters", [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, "-stream", "-out", "{output}.cms", 
@@ -738,6 +763,57 @@ sub contentType_matches { return scalar(@c); } +sub rsapssSaltlen { + my ($in) = @_; + my $exit = 0; + + my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]), + capture => 1, + statusvar => $exit); + return -1 if $exit != 0; + + my $pssparam_offset = -1; + while ($_ = shift @asn1parse) { + chomp; + next unless /:rsassaPss/; + # This line contains :rsassaPss, the next line contains a raw dump of the + # RSA_PSS_PARAMS sequence; obtain its offset + $_ = shift @asn1parse; + if (/^\s*(\d+):/) { + $pssparam_offset = int($1); + } + } + + if ($pssparam_offset == -1) { + note "Failed to determine RSA_PSS_PARAM offset in CMS. " + + "Was the file correctly signed with RSASSA-PSS?"; + return -1; + } + + my @pssparam = run(app(["openssl", "asn1parse", "-in", $in, + "-strparse", $pssparam_offset]), + capture => 1, + statusvar => $exit); + return -1 if $exit != 0; + + my $saltlen = -1; + # Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated. + # This assumes the salt length is the last field, which may possibly be + # incorrect if there is a non-standard trailer field, but there almost never + # is in PSS. + if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) { + $saltlen = hex($1); + } + + if ($saltlen == -1) { + note "Failed to determine salt length from RSA_PSS_PARAM struct. " + + "Was the file correctly signed with RSASSA-PSS?"; + return -1; + } + + return $saltlen; +} + subtest "CMS Check the content type attribute is added for additional signers\n" => sub { plan tests => (scalar @contenttype_cms_test); 
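Review bot: the error handling in rsapssSaltlen() does not work as written, in two places. Both run() calls pass `statusvar => $exit`, the value 0 rather than a reference, whereas the other hunks in this patch pass `\$success` or `\my $exit`; `$exit` therefore stays 0 and `return -1 if $exit != 0;` can never fire. Those other hunks also treat the status as true on success (`ok($success and ...)`, `skip ... if !$exit`), so after switching to `\$exit` the test needs inverting as well. Separately, both `note` calls join their two string literals with `+`, which is numeric addition in Perl, so the diagnostic will not contain the intended text; use `.` for concatenation.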
@@ -760,6 +836,24 @@ subtest "CMS Check that bad attributes fail when verifying signers\n" => sub { } }; +subtest "CMS Check that bad encryption algorithm fails\n" => sub { + plan tests => 1; + + SKIP: { + skip "DES or Legacy isn't supported in this build", 1 + if disabled("des") || disabled("legacy"); + + my $out = "smtst.txt"; + + ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt", + "-in", $smcont, + "-stream", "-recip", $smrsa1, + "-des-ede3", + "-out", $out ])), + "Decrypt message from OpenSSL 1.1.1"); + } +}; + subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub { plan tests => 1; @@ -847,6 +941,17 @@ subtest "CMS binary input tests\n" => sub { "verify binary input with -binary missing -crlfeol"); }; +# Test case for missing MD algorithm (must not segfault) + +with({ exit_checker => sub { return shift == 4; } }, + sub { + ok(run(app(['openssl', 'smime', '-verify', '-noverify', + '-inform', 'PEM', + '-in', data_file("pkcs7-md4.pem"), + ])), + "Check failure of EVP_DigestInit is handled correctly"); + }); + sub check_availability { my $tnam = shift; @@ -867,3 +972,25 @@ sub check_availability { return ""; } + +# Test case for the locking problem reported in #19643. +# This will fail if the fix is in and deadlock on Windows (and possibly +# other platforms) if not. +ok(!run(app(['openssl', 'cms', '-verify', + '-CAfile', srctop_file("test/certs", "pkitsta.pem"), + '-policy', 'anyPolicy', + '-in', srctop_file("test/smime-eml", + "SignedInvalidMappingFromanyPolicyTest7.eml") + ])), + "issue#19643"); + +# Check that we get the expected failure return code +with({ exit_checker => sub { return shift == 6; } }, + sub { + ok(run(app(['openssl', 'cms', '-encrypt', + '-in', srctop_file("test", "smcont.txt"), + '-stream', '-recip', + srctop_file("test/smime-certs", "badrsa.pem"), + ])), + "Check failure during BIO setup with -stream is handled correctly"); + }); 
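Review bot: in the new subtest "CMS Check that bad encryption algorithm fails" (80-test_cms.t, hunk @@ -760,6 +836,24 @@) the test description is "Decrypt message from OpenSSL 1.1.1", which appears to be copied from the subtest that follows. The command is `openssl cms ... -encrypt ... -des-ede3` and the assertion is `ok(!run(...))`, so the description should say that encryption with this algorithm is expected to fail. In the same file, the `exit_checker` values 4 and 6 in the later hunks would benefit from a brief comment naming what each exit code means.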
diff --git a/deps/openssl/openssl/test/recipes/80-test_cms_data/pkcs7-md4.pem b/deps/openssl/openssl/test/recipes/80-test_cms_data/pkcs7-md4.pem new file mode 100644 index 00000000000000..ecff611deb0bb8 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/80-test_cms_data/pkcs7-md4.pem 
@@ -0,0 +1,32 @@ +-----BEGIN PKCS7----- +MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG +SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G +CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx +MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU +fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC +76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz +BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl +V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv +0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9 +MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR +M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH +AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB +AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS +EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3 +IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2 ++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU +TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC +e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC +MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq +hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp +RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB +ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN +BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B +AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7 +kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c +lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp +0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk +Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a +ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6 +-----END 
PKCS7----- diff --git a/deps/openssl/openssl/test/recipes/90-test_traceapi.t b/deps/openssl/openssl/test/recipes/90-test_traceapi.t new file mode 100644 index 00000000000000..a63bcf9984b423 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/90-test_traceapi.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Simple; + +simple_test("test_traceapi", "trace_api_test"); diff --git a/deps/openssl/openssl/test/recipes/91-test_pkey_check.t b/deps/openssl/openssl/test/recipes/91-test_pkey_check.t index 612a3e3d6cbfff..dc7cc64533af26 100644 --- a/deps/openssl/openssl/test/recipes/91-test_pkey_check.t +++ b/deps/openssl/openssl/test/recipes/91-test_pkey_check.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -11,19 +11,24 @@ use strict; use warnings; use File::Spec; -use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test qw/:DEFAULT data_file with/; use OpenSSL::Test::Utils; sub pkey_check { my $f = shift; + my $pubcheck = shift; + my @checkopt = ('-check'); - return run(app(['openssl', 'pkey', '-check', '-text', + @checkopt = ('-pubcheck', '-pubin') if $pubcheck; + + return run(app(['openssl', 'pkey', @checkopt, '-text', '-in', $f])); } sub check_key { my $f = shift; my $should_fail = shift; + my $pubcheck = shift; my $str; 
@@ -33,11 +38,10 @@ sub check_key { $f = data_file($f); if ( -s $f ) { - if ($should_fail) { - ok(!pkey_check($f), $str); - } else { - ok(pkey_check($f), $str); - } + with({ exit_checker => sub { return shift == $should_fail; } }, + sub { + ok(pkey_check($f, $pubcheck), $str); + }); } else { fail("Missing file $f"); } @@ -66,15 +70,37 @@ push(@positive_tests, ( "dhpkey.pem" )) unless disabled("dh"); +my @negative_pubtests = (); + +push(@negative_pubtests, ( + "dsapub_noparam.der" + )) unless disabled("dsa"); + +my @positive_pubtests = (); + +push(@positive_pubtests, ( + "dsapub.pem" + )) unless disabled("dsa"); + plan skip_all => "No tests within the current enabled feature set" - unless @negative_tests && @positive_tests; + unless @negative_tests && @positive_tests + && @negative_pubtests && @positive_pubtests; -plan tests => scalar(@negative_tests) + scalar(@positive_tests); +plan tests => scalar(@negative_tests) + scalar(@positive_tests) + + scalar(@negative_pubtests) + scalar(@positive_pubtests); foreach my $t (@negative_tests) { - check_key($t, 1); + check_key($t, 1, 0); } foreach my $t (@positive_tests) { - check_key($t, 0); + check_key($t, 0, 0); +} + +foreach my $t (@negative_pubtests) { + check_key($t, 1, 1); +} + +foreach my $t (@positive_pubtests) { + check_key($t, 0, 1); } diff --git a/deps/openssl/openssl/test/recipes/91-test_pkey_check_data/dsapub.pem b/deps/openssl/openssl/test/recipes/91-test_pkey_check_data/dsapub.pem new file mode 100644 index 00000000000000..0ff4bd83ed3bcf --- /dev/null +++ b/deps/openssl/openssl/test/recipes/91-test_pkey_check_data/dsapub.pem 
@@ -0,0 +1,12 @@ +-----BEGIN PUBLIC KEY----- +MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4 +4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD +9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD +CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV +lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+ +4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq +bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr +YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER +kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys +DRjhKHBjdo0rZeSM8DAk3ctrXA== +-----END PUBLIC KEY----- diff --git a/deps/openssl/openssl/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/deps/openssl/openssl/test/recipes/91-test_pkey_check_data/dsapub_noparam.der new file mode 100644 index 00000000000000..b8135f1ca94da9 Binary files /dev/null and b/deps/openssl/openssl/test/recipes/91-test_pkey_check_data/dsapub_noparam.der differ diff --git a/deps/openssl/openssl/test/smime-certs/badrsa.pem b/deps/openssl/openssl/test/smime-certs/badrsa.pem new file mode 100644 index 00000000000000..f824fc22673254 --- /dev/null +++ b/deps/openssl/openssl/test/smime-certs/badrsa.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD +VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY +DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw +I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A +/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s +yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 +zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB +lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww +CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm +ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW +eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt +5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d +rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv +yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ +j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/smime-eml/SignedInvalidMappingFromanyPolicyTest7.eml b/deps/openssl/openssl/test/smime-eml/SignedInvalidMappingFromanyPolicyTest7.eml new file mode 100644 index 00000000000000..5d6b49d2c1ece2 --- /dev/null +++ b/deps/openssl/openssl/test/smime-eml/SignedInvalidMappingFromanyPolicyTest7.eml 
@@ -0,0 +1,93 @@ +To: recipient@testcertificates.gov +From: sender@testcertificates.gov +Subject: Invalid Mapping From anyPolicy Test7 +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----C124D5D1A319E09E6A4BB51A44961168" + +This is an S/MIME signed message + +------C124D5D1A319E09E6A4BB51A44961168 +Content-Type: text/plain + +This is a sample signed message. + +------C124D5D1A319E09E6A4BB51A44961168 +Content-Type: application/pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIINTQYJKoZIhvcNAQcCoIINPjCCDToCAQExDzANBglghkgBZQMEAgEFADALBgkq +hkiG9w0BBwGgggdpMIIDvTCCAqWgAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQsw +CQYDVQQGEwJVUzEfMB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMG +A1UEAxMMVHJ1c3QgQW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAw +MFowUjELMAkGA1UEBhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIw +MTExIjAgBgNVBAMTGU1hcHBpbmcgRnJvbSBhbnlQb2xpY3kgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrp6IDBPUKqlzfwBrwMM0/8mXKVyogMBl5 +xjRYIAzPCs0Mwv7RkEQbM1BIsYtbSJgsFJtldgS1u2yhYklqgcTsHZK7NrBL/Qle +ugZcze2gunSlvAYW2qO6t9japmswZ5/8l2hTia0T7P7Nk9lcBbDi+HjNDRqZglal +b/gXvfWnsWxOxAiSQY35dAnqxXl5KlkscU7uvsQubTBmNaQHsDrxoqSAXnMZG8dy +s1G3ET5Emp6FvYBZLSYQqK2nWkL8xFIbbdureHpD1Af+HWFDTntlZzw1Vb2MXvmz +0pYFdRGA75KD7SSpLEl5BiXwPLMF/UHmMZWhqVug0MlJ7mWl1UkzAgMBAAGjgaow +gacwHwYDVR0jBBgwFoAU5H1f0VyVhggsBa6+dbZlp9ldqGYwHQYDVR0OBBYEFGhz +FOALNM9yQNqUltYVq3qkby6MMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD +AQH/MBEGA1UdIAQKMAgwBgYEVR0gADAgBgNVHSEBAf8EFjAUMBIGBFUdIAAGCmCG +SAFlAwIBMAEwDwYDVR0kAQH/BAUwA4ABADANBgkqhkiG9w0BAQsFAAOCAQEACkuU +lU5OLnBP9XTQLJdC4cZ2L1LbaCvAnUSD5ZU1UyDAPHcs+YsbjerZT1Alt/KqnVyD +9pvkUuScevjjvLCyfSGq4slrV8mHUVBbMuumv5q+0Z4J2PFgNXIvdxHiIRFUq9A1 +89ZiQkfUxSeRPUK4M3YmPO0iaeuS0SlAKIQ8a1dxNgm9ax8GOj+SQsx84FxED2wC +R024sOajIHIPVvyhbWPQMQbdJVSuVULjsfuGDyMZyN6a0gR5uBQ1MXmsIVrnwAia 
+0LTH7kjudgabGYa9MJkUVscZiu01jZBYfDqpaCN4MWkXCNvf9gksys7HoBvFlGyH +m32/XiFrVKYufBkfiDCCA6QwggKMoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwUjEL +MAkGA1UEBhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExIjAg +BgNVBAMTGU1hcHBpbmcgRnJvbSBhbnlQb2xpY3kgQ0EwHhcNMTAwMTAxMDgzMDAw +WhcNMzAxMjMxMDgzMDAwWjBsMQswCQYDVQQGEwJVUzEfMB0GA1UEChMWVGVzdCBD +ZXJ0aWZpY2F0ZXMgMjAxMTE8MDoGA1UEAxMzSW52YWxpZCBNYXBwaW5nIEZyb20g +YW55UG9saWN5IEVFIENlcnRpZmljYXRlIFRlc3Q3MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAxfXuaqNaFrVVSPjnxUFtGQ+B4oSrl3Dmch6wknP1ECbn +OIpxuf4PAiwpc11/YMUpznskRKJuZNQGNDflv8p8h99ZWyj1WbwZk/5zDIYMyFau +vdXdzt8EiImBB+ODosDMoZGPpgkR3q4dC5LaSF+X55ktBb09cGAFRYhAqxTwjkdn +DbLyi/CmTrraCWLSBpzNkLSnFGH3WIcKSqvt39WnvJ5RK5YVkvBiJ9AuxPMdRz3q +AjwKDwbjPQQ7GuKu0bUPL5Aoi/u5jDH9Npgb2OqnXTyvi6Qr2hWUkxRhWcF+0/k0 +FF52bWERYyNGjFmo5l+zRkGI8A66I59L9O1DJoy5pQIDAQABo2swaTAfBgNVHSME +GDAWgBRocxTgCzTPckDalJbWFat6pG8ujDAdBgNVHQ4EFgQUMYuIk253zuy75Ecs +q5WlLPrSs3UwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw +ATANBgkqhkiG9w0BAQsFAAOCAQEAO99EfWAFfz2p7FCmZMuITeZtkUImyyI7tTDR ++sakA9E+wZKuGj9ZkE6s2W5O5+79YXC6S8Q2Q0J2WdQEAB0JeSTYyzMCoKJy/IF9 +GCyMqV1xXmbcVO6CUc3ZlTT8U5nJz4C3DJurj1URke+qldg4YYElmFeAuHsCLhBt +WZeseGsyeXjpC+cadcjPWq2v9E/pRssIDq9Ok9Pu+vypsK6/pBfnx15G+a/Lp1N9 +pb0qSLiisZMoxHDegNbPYOgcRZH6TVc2VLl6YWKAMtKJZDAL1FpqwHjM/4z/WauA +ZqvFByxphRYOMufn4ejld0RUQ5Nwc1/FrhuNK5cxNSGIAw5lf6GCA7cwggHMMIG1 +AgEBMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAlVTMR8wHQYDVQQKExZUZXN0 +IENlcnRpZmljYXRlcyAyMDExMSIwIAYDVQQDExlNYXBwaW5nIEZyb20gYW55UG9s +aWN5IENBFw0xMDAxMDEwODMwMDBaFw0zMDEyMzEwODMwMDBaoC8wLTAfBgNVHSME +GDAWgBRocxTgCzTPckDalJbWFat6pG8ujDAKBgNVHRQEAwIBATANBgkqhkiG9w0B +AQsFAAOCAQEApnKINszWHTlYmTKNj9GLq8l9TJd4c92R4ubYr4O7FWxU6t4xx29s +oIOb5WMC53Xb36i70JQVlSfa8/CFnn5bpnuiHNSijxB5YahaS+Vj/JT8d/ipHpA7 +FQBMav9/27em2xtWMEoSEPrpD869eCIEU3M51k6oq64j/H+udfI5Kjilgn9F5xRv +Wb1ZpWM7V4pAIYiYxusdOcg7OICDjv8h0LO25vG1bC1XyOZ3/OLkT7QU7+UGcXLK +CGo2M+cwvQsdBQzwuvUScVT0uDab9AWDataCGtZp1gqhrqWug8qF0yeFMv4GdNmS 
+vCUns60IjXBAPU0cgmaIvqUMEVPpMwfU/TCCAeMwgcwCAQEwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIw +MTExFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMTAwMTAxMDgzMDAwWhcNMzAxMjMx +MDgzMDAwWjAiMCACAWgXDTEwMDEwMTA4MzAwMFowDDAKBgNVHRUEAwoBAaAvMC0w +HwYDVR0jBBgwFoAU5H1f0VyVhggsBa6+dbZlp9ldqGYwCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggEBAKsZHbW7IWu24UzN8Lc3npU40dSBkICuEfD7HNn8NjTs +nZavD3knN6orR1epuHah83IUJcrWKaziuHUYrRIfkWGOFClDbvjkEOVRS0r7gtFr +98Z9sNvVaqULWrwRXyfC7LfedtKXnHusfOnwfS+lT+GDRiKy3Pu4RIxAwCybPrbT +6MTTVxjAKUEIuccmRJLF0AKOtGXR/6/eZXVQmu1NjlVztTArmZVkEZapdAYtwsxN +unFtY3HBHVOskNDjSjbkTkfujbF2dkJtgpRxBlhSQGfwlgezY0PZmjZKIqGW+CAd +gCjygXG9Jk902LKYE/M3GUj+QywvIlTq3Mdki0r3d+YxggHtMIIB6QIBATBXMFIx +CzAJBgNVBAYTAlVTMR8wHQYDVQQKExZUZXN0IENlcnRpZmljYXRlcyAyMDExMSIw +IAYDVQQDExlNYXBwaW5nIEZyb20gYW55UG9saWN5IENBAgEBMA0GCWCGSAFlAwQC +AQUAoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN +MTEwNDE0MTMwMjIwWjAvBgkqhkiG9w0BCQQxIgQgwrMnqwOj7H0umdTqIoQwrAZp +r3vR7I+xbnE9vb7qK4cwDQYJKoZIhvcNAQEBBQAEggEAHe7vG964RqLsMJhpYO1C ++wB6qmYM4JGbNLkx3XveYcpY18CVDyWuOOdO7UF0ynUv1K6zx/pffuWmtfRkuhXA +mwMxTXrZThsS+1xoGX1mvmX1LZdok2kYeqbyzv87mPogqATLb11ihjcfB98j4wVJ +wKxl2/DYbW2DCHUy+lwwHWExwHqAt2jOSQDtOfyfFz+nT52k60ZA4tkW6GnqguFx +R4lE9Ovg/7wfxSUE1w3HFrPuzzN3ZsOLGQiUXG55KTFgI4YXr7PXHkR+eJsvC9nP +JSF6GxiEeZcwmciv5FQxc6QWyOrWPtHimROS2RbDzv/aP7mwFu7HTU47hu2AW9/X +yg== + +------C124D5D1A319E09E6A4BB51A44961168-- + diff --git a/deps/openssl/openssl/test/sslapitest.c b/deps/openssl/openssl/test/sslapitest.c index 5359944cefe7bd..615ec4e0775c16 100644 --- a/deps/openssl/openssl/test/sslapitest.c +++ b/deps/openssl/openssl/test/sslapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -399,7 +399,7 @@ static int test_keylog(void) * Now we want to test that our output data was vaguely sensible. We * do that by using strtok and confirming that we have more or less the * data we expect. For both client and server, we expect to see one master - * secret. The client should also see a RSA key exchange. + * secret. The client should also see an RSA key exchange. */ expected.rsa_key_exchange_count = 1; expected.master_secret_count = 1; @@ -1427,7 +1427,9 @@ static struct ktls_test_cipher { { TLS1_2_VERSION, "AES256-GCM-SHA384"}, # endif # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 +# ifndef OPENSSL_NO_EC { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"}, +# endif # endif # endif # if !defined(OSSL_NO_USABLE_TLS1_3) 
@@ -1505,6 +1507,167 @@ static int test_large_message_dtls(void) } #endif +/* + * Test we can successfully send the maximum amount of application data. We + * test each protocol version individually, each with and without EtM enabled. + * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is + * simpler this way. We also test all combinations with and without the + * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the + * underlying buffer. + */ +static int test_large_app_data(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0, prot; + unsigned char *msg, *buf = NULL; + size_t written, readbytes; + const SSL_METHOD *smeth = TLS_server_method(); + const SSL_METHOD *cmeth = TLS_client_method(); + + switch (tst >> 2) { + case 0: +#ifndef OSSL_NO_USABLE_TLS1_3 + prot = TLS1_3_VERSION; + break; +#else + return 1; +#endif + + case 1: +#ifndef OPENSSL_NO_TLS1_2 + prot = TLS1_2_VERSION; + break; +#else + return 1; +#endif + + case 2: +#ifndef OPENSSL_NO_TLS1_1 + prot = TLS1_1_VERSION; + break; +#else + return 1; +#endif + + case 3: +#ifndef OPENSSL_NO_TLS1 + prot = TLS1_VERSION; + break; +#else + return 1; +#endif + + case 4: +#ifndef OPENSSL_NO_SSL3 + prot = SSL3_VERSION; + break; +#else + return 1; +#endif + + case 5: +#ifndef OPENSSL_NO_DTLS1_2 + prot = DTLS1_2_VERSION; + smeth = DTLS_server_method(); + cmeth = DTLS_client_method(); + break; +#else + return 1; +#endif + + case 6: +#ifndef OPENSSL_NO_DTLS1 + prot = DTLS1_VERSION; + smeth = DTLS_server_method(); + cmeth = DTLS_client_method(); + break; +#else + return 1; +#endif + + default: + /* Shouldn't happen */ + return 0; + } + + if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips) + return 1; + + /* Maximal sized message of zeros */ + msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH); + if (!TEST_ptr(msg)) + goto end; + + buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1); + if (!TEST_ptr(buf)) + 
goto end; + /* Set whole buffer to all bits set */ + memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1); + + if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot, + &sctx, &cctx, cert, privkey))) + goto end; + + if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) { + /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */ + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")) + || !TEST_true(SSL_CTX_set_cipher_list(sctx, + "DEFAULT:@SECLEVEL=0"))) + goto end; + } + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + if ((tst & 1) != 0) { + /* Setting this option gives us a minimally sized underlying buffer */ + if (!TEST_true(SSL_set_options(serverssl, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + || !TEST_true(SSL_set_options(clientssl, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))) + goto end; + } + + if ((tst & 2) != 0) { + /* + * Setting this option means the MAC is added before encryption + * giving us a larger record for the encryption process + */ + if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC)) + || !TEST_true(SSL_set_options(clientssl, + SSL_OP_NO_ENCRYPT_THEN_MAC))) + goto end; + } + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH, + &written)) + || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH)) + goto end; + + /* We provide a buffer slightly larger than what we are actually expecting */ + if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1, + &readbytes))) + goto end; + + if (!TEST_mem_eq(msg, written, buf, readbytes)) + goto end; + + testresult = 1; +end: + OPENSSL_free(msg); + OPENSSL_free(buf); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} + static int execute_cleanse_plaintext(const SSL_METHOD *smeth, const SSL_METHOD *cmeth, int min_version, int 
max_version) @@ -10373,6 +10536,7 @@ int setup_tests(void) #ifndef OPENSSL_NO_DTLS ADD_TEST(test_large_message_dtls); #endif + ADD_ALL_TESTS(test_large_app_data, 28); ADD_TEST(test_cleanse_plaintext); #ifndef OPENSSL_NO_OCSP ADD_TEST(test_tlsext_status_type); diff --git a/deps/openssl/openssl/test/testrsa2048pub.pem b/deps/openssl/openssl/test/testrsa2048pub.pem new file mode 100644 index 00000000000000..64406a88cad43b --- /dev/null +++ b/deps/openssl/openssl/test/testrsa2048pub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQCB6nsq4eoG1Z98c9n/ +uUoJYVwuS6fGNs7wjdNTPsMYVSWwFcdpuZp31nJb+cNTKptuX2Yn1fuFFgdo092p +y9NZdFEXF9w9MJ0vxH7kH5fjKtt/ndhkocR2emZuzXG8Gqz151F/SzhZT+qbBeQt +WtqZEgCAE+RTFqTZu47QhriNKHWLrK+SLUaoaLSF0jnJuusOK2RZJxD0Ky0eoKS0 +gCwL7Ksyj4posAc721Rv7qmAnShJkSs5DBUyvH4px2WPgXX65G80My/4e8qz5AZJ +uYV3hp2g6nGDU/ByJ1SIaRNkh2DRIr5nbg/Eg90g/8Mb2pajGWbJqi51rQPeR+HE +TwIDAQAB +-----END PUBLIC KEY----- diff --git a/deps/openssl/openssl/test/testutil.h b/deps/openssl/openssl/test/testutil.h index d9c98269827a28..443d01d7fb2ab7 100644 --- a/deps/openssl/openssl/test/testutil.h +++ b/deps/openssl/openssl/test/testutil.h @@ -256,7 +256,9 @@ void cleanup_tests(void); int fips_provider_version_eq(OSSL_LIB_CTX *libctx, int major, int minor, int patch); int fips_provider_version_ne(OSSL_LIB_CTX *libctx, int major, int minor, int patch); int fips_provider_version_le(OSSL_LIB_CTX *libctx, int major, int minor, int patch); +int fips_provider_version_lt(OSSL_LIB_CTX *libctx, int major, int minor, int patch); int fips_provider_version_gt(OSSL_LIB_CTX *libctx, int major, int minor, int patch); +int fips_provider_version_ge(OSSL_LIB_CTX *libctx, int major, int minor, int patch); /* * This function matches fips provider version with (potentially multiple) diff --git a/deps/openssl/openssl/test/testutil/provider.c b/deps/openssl/openssl/test/testutil/provider.c index 69b81363b6d914..0f46077a32f97d 100644 
--- a/deps/openssl/openssl/test/testutil/provider.c +++ b/deps/openssl/openssl/test/testutil/provider.c @@ -129,6 +129,19 @@ int fips_provider_version_le(OSSL_LIB_CTX *libctx, int major, int minor, int pat || (prov.minor == minor && prov.patch <= patch))); } +int fips_provider_version_lt(OSSL_LIB_CTX *libctx, int major, int minor, int patch) +{ + FIPS_VERSION prov; + int res; + + if ((res = fips_provider_version(libctx, &prov)) <= 0) + return res == 0; + return prov.major < major + || (prov.major == major + && (prov.minor < minor + || (prov.minor == minor && prov.patch < patch))); +} + int fips_provider_version_gt(OSSL_LIB_CTX *libctx, int major, int minor, int patch) { FIPS_VERSION prov; @@ -142,12 +155,25 @@ int fips_provider_version_gt(OSSL_LIB_CTX *libctx, int major, int minor, int pat || (prov.minor == minor && prov.patch > patch))); } +int fips_provider_version_ge(OSSL_LIB_CTX *libctx, int major, int minor, int patch) +{ + FIPS_VERSION prov; + int res; + + if ((res = fips_provider_version(libctx, &prov)) <= 0) + return res == 0; + return prov.major > major + || (prov.major == major + && (prov.minor > minor + || (prov.minor == minor && prov.patch >= patch))); +} + int fips_provider_version_match(OSSL_LIB_CTX *libctx, const char *versions) { const char *p; int major, minor, patch, r; enum { - MODE_EQ, MODE_NE, MODE_LE, MODE_GT + MODE_EQ, MODE_NE, MODE_LE, MODE_LT, MODE_GT, MODE_GE } mode; while (*versions != '\0') { @@ -166,6 +192,12 @@ int fips_provider_version_match(OSSL_LIB_CTX *libctx, const char *versions) } else if (*p == '<' && p[1] == '=') { mode = MODE_LE; p += 2; + } else if (*p == '>' && p[1] == '=') { + mode = MODE_GE; + p += 2; + } else if (*p == '<') { + mode = MODE_LT; + p++; } else if (*p == '>') { mode = MODE_GT; p++; 
@@ -189,9 +221,15 @@ int fips_provider_version_match(OSSL_LIB_CTX *libctx, const char *versions) case MODE_LE: r = fips_provider_version_le(libctx, major, minor, patch); break; + case MODE_LT: + r = fips_provider_version_lt(libctx, major, minor, patch); + break; case MODE_GT: r = fips_provider_version_gt(libctx, major, minor, patch); break; + case MODE_GE: + r = fips_provider_version_ge(libctx, major, minor, patch); + break; } if (r < 0) { TEST_info("Error matching FIPS version: internal error\n"); diff --git a/deps/openssl/openssl/test/trace_api_test.c b/deps/openssl/openssl/test/trace_api_test.c new file mode 100644 index 00000000000000..e6c4fdc28c71a7 --- /dev/null +++ b/deps/openssl/openssl/test/trace_api_test.c 
@@ -0,0 +1,163 @@ +/* + * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#include "testutil.h" + +static int test_trace_categories(void) +{ + int cat_num; + + for (cat_num = -1; cat_num <= OSSL_TRACE_CATEGORY_NUM + 1; ++cat_num) { + const char *cat_name = OSSL_trace_get_category_name(cat_num); + int is_cat_name_eq = 0; + int ret_cat_num; + int expected_ret; + + switch (cat_num) { +#define CASE(name) \ + case OSSL_TRACE_CATEGORY_##name: \ + is_cat_name_eq = TEST_str_eq(cat_name, #name); \ + break + + CASE(ALL); + CASE(TRACE); + CASE(INIT); + CASE(TLS); + CASE(TLS_CIPHER); + CASE(CONF); + CASE(ENGINE_TABLE); + CASE(ENGINE_REF_COUNT); + CASE(PKCS5V2); + CASE(PKCS12_KEYGEN); + CASE(PKCS12_DECRYPT); + CASE(X509V3_POLICY); + CASE(BN_CTX); + CASE(CMP); + CASE(STORE); + CASE(DECODER); + CASE(ENCODER); + CASE(REF_COUNT); +#undef CASE + default: + is_cat_name_eq = TEST_ptr_null(cat_name); + break; + } + + if (!TEST_true(is_cat_name_eq)) + return 0; + ret_cat_num = + OSSL_trace_get_category_num(cat_name); + expected_ret = cat_name != NULL ? 
cat_num : -1; + if (!TEST_int_eq(expected_ret, ret_cat_num)) + return 0; + } + + return 1; +} + +#ifndef OPENSSL_NO_TRACE +static void put_trace_output(void) +{ + OSSL_TRACE_BEGIN(REF_COUNT) { + BIO_printf(trc_out, "Hello World\n"); + BIO_printf(trc_out, "Good Bye Universe\n"); + } OSSL_TRACE_END(REF_COUNT); +} + +static int test_trace_channel(void) +{ + static const char expected[] = "xyz-\nHello World\nGood Bye Universe\n-abc\n"; + static const char expected_len = sizeof(expected) - 1; + BIO *bio = NULL; + char *p_buf = NULL; + long len = 0; + int ret = 0; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto end; + + if (!TEST_int_eq(OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_REF_COUNT, bio), 1)) + goto end; + + if (!TEST_true(OSSL_trace_enabled(OSSL_TRACE_CATEGORY_REF_COUNT))) + goto end; + + if (!TEST_int_eq(OSSL_trace_set_prefix(OSSL_TRACE_CATEGORY_REF_COUNT, "xyz-"), 1)) + goto end; + if (!TEST_int_eq(OSSL_trace_set_suffix(OSSL_TRACE_CATEGORY_REF_COUNT, "-abc"), 1)) + goto end; + + put_trace_output(); + len = BIO_get_mem_data(bio, &p_buf); + if (!TEST_strn2_eq(p_buf, len, expected, expected_len)) + goto end; + if (!TEST_int_eq(OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_REF_COUNT, NULL), 1)) + goto end; + bio = NULL; + + ret = 1; + end: + BIO_free(bio); + return ret; +} + +static int trace_cb_failure; +static int trace_cb_called; + +static size_t trace_cb(const char *buffer, size_t count, + int category, int cmd, void *data) +{ + trace_cb_called = 1; + if (!TEST_true(category == OSSL_TRACE_CATEGORY_TRACE)) + trace_cb_failure = 1; + return count; +} + +static int test_trace_callback(void) +{ + int ret = 0; + + if (!TEST_true(OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_TRACE, trace_cb, + NULL))) + goto end; + + put_trace_output(); + + if (!TEST_false(trace_cb_failure) || !TEST_true(trace_cb_called)) + goto end; + + ret = 1; + end: + return ret; +} +#endif + +OPT_TEST_DECLARE_USAGE("\n") + +int setup_tests(void) +{ + if (!test_skip_common_options()) { + 
TEST_error("Error parsing test options\n"); + return 0; + } + + ADD_TEST(test_trace_categories); +#ifndef OPENSSL_NO_TRACE + ADD_TEST(test_trace_channel); + ADD_TEST(test_trace_callback); +#endif + return 1; +} + +void cleanup_tests(void) +{ +} diff --git a/deps/openssl/openssl/test/v3ext.c b/deps/openssl/openssl/test/v3ext.c index 0f4979a89ab96f..88034db271559d 100644 --- a/deps/openssl/openssl/test/v3ext.c +++ b/deps/openssl/openssl/test/v3ext.c 
@@ -226,6 +226,92 @@ static int test_addr_ranges(void) return testresult; } +static int test_addr_fam_len(void) +{ + int testresult = 0; + IPAddrBlocks *addr = NULL; + IPAddressFamily *f1 = NULL; + ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL; + unsigned char key[6]; + unsigned int keylen; + unsigned afi = IANA_AFI_IPV4; + + /* Create the IPAddrBlocks with a good IPAddressFamily */ + addr = sk_IPAddressFamily_new_null(); + if (!TEST_ptr(addr)) + goto end; + ip1 = a2i_IPADDRESS(ranges[0].ip1); + if (!TEST_ptr(ip1)) + goto end; + ip2 = a2i_IPADDRESS(ranges[0].ip2); + if (!TEST_ptr(ip2)) + goto end; + if (!TEST_true(X509v3_addr_add_range(addr, ranges[0].afi, NULL, ip1->data, ip2->data))) + goto end; + if (!TEST_true(X509v3_addr_is_canonical(addr))) + goto end; + + /* Create our malformed IPAddressFamily */ + key[0] = (afi >> 8) & 0xFF; + key[1] = afi & 0xFF; + key[2] = 0xD; + key[3] = 0xE; + key[4] = 0xA; + key[5] = 0xD; + keylen = 6; + if ((f1 = IPAddressFamily_new()) == NULL) + goto end; + if (f1->ipAddressChoice == NULL && + (f1->ipAddressChoice = IPAddressChoice_new()) == NULL) + goto end; + if (f1->addressFamily == NULL && + (f1->addressFamily = ASN1_OCTET_STRING_new()) == NULL) + goto end; + if (!ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)) + goto end; + if (!sk_IPAddressFamily_push(addr, f1)) + goto end; + + /* Shouldn't be able to canonize this as the len is > 3*/ + if (!TEST_false(X509v3_addr_canonize(addr))) + goto end; + + /* Create a well formed IPAddressFamily */ + f1 = sk_IPAddressFamily_pop(addr); + IPAddressFamily_free(f1); + + key[0] = (afi >> 8) & 0xFF; + key[1] = afi & 0xFF; + key[2] = 0x1; + keylen = 3; + if ((f1 = IPAddressFamily_new()) == NULL) + goto end; + if (f1->ipAddressChoice == NULL && + (f1->ipAddressChoice = IPAddressChoice_new()) == NULL) + goto end; + if (f1->addressFamily == NULL && + (f1->addressFamily = ASN1_OCTET_STRING_new()) == NULL) + goto end; + if (!ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)) + goto end; + + 
/* Mark this as inheritance so we skip some of the is_canonize checks */ + f1->ipAddressChoice->type = IPAddressChoice_inherit; + if (!sk_IPAddressFamily_push(addr, f1)) + goto end; + + /* Should be able to canonize now */ + if (!TEST_true(X509v3_addr_canonize(addr))) + goto end; + + testresult = 1; + end: + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + ASN1_OCTET_STRING_free(ip1); + ASN1_OCTET_STRING_free(ip2); + return testresult; +} + static struct extvalues_st { const char *value; int pass; 
@@ -323,6 +409,49 @@ static int test_ext_syntax(void) return testresult; } + +static int test_addr_subset(void) +{ + int i; + int ret = 0; + IPAddrBlocks *addrEmpty = NULL; + IPAddrBlocks *addr[3] = { NULL, NULL }; + ASN1_OCTET_STRING *ip1[3] = { NULL, NULL }; + ASN1_OCTET_STRING *ip2[3] = { NULL, NULL }; + int sz = OSSL_NELEM(addr); + + for (i = 0; i < sz; ++i) { + /* Create the IPAddrBlocks with a good IPAddressFamily */ + if (!TEST_ptr(addr[i] = sk_IPAddressFamily_new_null()) + || !TEST_ptr(ip1[i] = a2i_IPADDRESS(ranges[i].ip1)) + || !TEST_ptr(ip2[i] = a2i_IPADDRESS(ranges[i].ip2)) + || !TEST_true(X509v3_addr_add_range(addr[i], ranges[i].afi, NULL, + ip1[i]->data, ip2[i]->data))) + goto end; + } + + ret = TEST_ptr(addrEmpty = sk_IPAddressFamily_new_null()) + && TEST_true(X509v3_addr_subset(NULL, NULL)) + && TEST_true(X509v3_addr_subset(NULL, addr[0])) + && TEST_true(X509v3_addr_subset(addrEmpty, addr[0])) + && TEST_true(X509v3_addr_subset(addr[0], addr[0])) + && TEST_true(X509v3_addr_subset(addr[0], addr[1])) + && TEST_true(X509v3_addr_subset(addr[0], addr[2])) + && TEST_true(X509v3_addr_subset(addr[1], addr[2])) + && TEST_false(X509v3_addr_subset(addr[0], NULL)) + && TEST_false(X509v3_addr_subset(addr[1], addr[0])) + && TEST_false(X509v3_addr_subset(addr[2], addr[1])) + && TEST_false(X509v3_addr_subset(addr[0], addrEmpty)); +end: + sk_IPAddressFamily_pop_free(addrEmpty, IPAddressFamily_free); + for (i = 0; i < sz; ++i) { + sk_IPAddressFamily_pop_free(addr[i], IPAddressFamily_free); + ASN1_OCTET_STRING_free(ip1[i]); + ASN1_OCTET_STRING_free(ip2[i]); + } + return ret; +} + #endif /* OPENSSL_NO_RFC3779 */ OPT_TEST_DECLARE_USAGE("cert.pem\n") @@ -342,6 +471,8 @@ int setup_tests(void) ADD_TEST(test_asid); ADD_TEST(test_addr_ranges); ADD_TEST(test_ext_syntax); + ADD_TEST(test_addr_fam_len); + ADD_TEST(test_addr_subset); #endif /* OPENSSL_NO_RFC3779 */ return 1; } 
diff --git a/deps/openssl/openssl/test/v3nametest.c b/deps/openssl/openssl/test/v3nametest.c index 6d2e2f8e270a0a..3609eba04552ae 100644 --- a/deps/openssl/openssl/test/v3nametest.c +++ b/deps/openssl/openssl/test/v3nametest.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -644,6 +644,14 @@ static struct gennamedata { 0xb7, 0x09, 0x02, 0x02 }, 15 + }, { + /* + * Regression test for CVE-2023-0286. + */ + { + 0xa3, 0x00 + }, + 2 } }; diff --git a/deps/openssl/openssl/util/libcrypto.num b/deps/openssl/openssl/util/libcrypto.num index d9c040fb470ce7..716aa0cb13f7d0 100644 --- a/deps/openssl/openssl/util/libcrypto.num +++ b/deps/openssl/openssl/util/libcrypto.num @@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP diff --git a/deps/openssl/openssl/util/missingcrypto.txt b/deps/openssl/openssl/util/missingcrypto.txt index 990e2e97464c39..27c8018c24db93 100644 --- a/deps/openssl/openssl/util/missingcrypto.txt +++ b/deps/openssl/openssl/util/missingcrypto.txt @@ -202,7 +202,6 @@ BIO_indent(3) BIO_method_name(3) BIO_new_NDEF(3) BIO_new_PKCS7(3) -BIO_new_dgram(3) BIO_new_dgram_sctp(3) BIO_nread(3) BIO_nread0(3) @@ -210,7 +209,6 @@ BIO_number_read(3) BIO_number_written(3) BIO_nwrite(3) BIO_nwrite0(3) -BIO_s_datagram(3) BIO_s_datagram_sctp(3) BIO_s_log(3) BIO_set_flags(3) 
@@ -553,42 +551,6 @@ ENGINE_setup_bsd_cryptodev(3) ENGINE_unregister_EC(3) ENGINE_unregister_pkey_asn1_meths(3) ENGINE_unregister_pkey_meths(3) -EVP_ASYM_CIPHER-RSA(7) -EVP_CIPHER-AES(7) -EVP_CIPHER-ARIA(7) -EVP_CIPHER-BF(7) -EVP_CIPHER-DES(7) -EVP_CIPHER-CAMELLIA(7) -EVP_CIPHER-CAST5(7) -EVP_CIPHER-ChaCha20(7) -EVP_CIPHER-ChaCha20-Poly1305(7) -EVP_CIPHER-DES(7) -EVP_CIPHER-IDEA(7) -EVP_CIPHER-RC2(7) -EVP_CIPHER-RC4(7) -EVP_CIPHER-RC5(7) -EVP_CIPHER-SEED(7) -EVP_CIPHER-SM4(7) -EVP_KDF-KBKDF(7) -EVP_KDF-SSKDF(7) -EVP_KDF-TLS1-PRF(7) -EVP_KEYEXCH-DH(7) -EVP_KEYEXCH-ECDH(7) -EVP_KEYEXCH-DSA(7) -EVP_KEYEXCH-RSA(7) -EVP_KEYEXCH-X25519(7) -EVP_KEYEXCH-X448(7) -EVP_KEYMGMT-DH(7) -EVP_KEYMGMT-EC(7) -EVP_KEYMGMT-DSA(7) -EVP_KEYMGMT-RSA(7) -EVP_KEYMGMT-X25519(7) -EVP_KEYMGMT-X448(7) -EVP_SIGNATURE-DSA(7) -EVP_SIGNATURE-ECDSA(7) -EVP_SIGNATURE-ED25519(7) -EVP_SIGNATURE-ED448(7) -EVP_SIGNATURE-RSA(7) ERR_get_state(3) ERR_load_ASN1_strings(3) ERR_load_ASYNC_strings(3) @@ -637,8 +599,6 @@ EVP_MD_do_all(3) EVP_MD_do_all_sorted(3) EVP_PBE_cleanup(3) EVP_PBE_get(3) -EVP_PKEY_CTX_get0_peerkey(3) -EVP_PKEY_CTX_get0_pkey(3) EVP_PKEY_CTX_get_data(3) EVP_PKEY_CTX_get_operation(3) EVP_PKEY_CTX_hex2ctrl(3) @@ -1412,7 +1372,6 @@ i2v_ASN1_BIT_STRING(3) i2v_GENERAL_NAME(3) i2v_GENERAL_NAMES(3) o2i_ECPublicKey(3) -provider-kdf(7) v2i_ASN1_BIT_STRING(3) v2i_GENERAL_NAME(3) v2i_GENERAL_NAMES(3) diff --git a/deps/openssl/openssl/util/missingmacro.txt b/deps/openssl/openssl/util/missingmacro.txt index 97d22205afc543..bc16c026dd30ee 100644 --- a/deps/openssl/openssl/util/missingmacro.txt +++ b/deps/openssl/openssl/util/missingmacro.txt @@ -13,13 +13,6 @@ BIO_set_conn_mode(3) BIO_dup_state(3) BIO_buffer_get_num_lines(3) BIO_buffer_peek(3) -BIO_ctrl_dgram_connect(3) -BIO_ctrl_set_connected(3) -BIO_dgram_recv_timedout(3) -BIO_dgram_send_timedout(3) -BIO_dgram_get_peer(3) -BIO_dgram_set_peer(3) -BIO_dgram_get_mtu_overhead(3) BIO_sock_cleanup(3) ossl_bio__attr__(3) BN_prime_checks_for_size(3) 
diff --git a/deps/openssl/openssl/util/mktar.sh b/deps/openssl/openssl/util/mktar.sh index 06a1f92150a563..353ff716d307ae 100755 --- a/deps/openssl/openssl/util/mktar.sh +++ b/deps/openssl/openssl/util/mktar.sh @@ -12,6 +12,7 @@ HERE=`dirname $0` . $HERE/../VERSION.dat if [ -n "$PRE_RELEASE_TAG" ]; then PRE_RELEASE_TAG=-$PRE_RELEASE_TAG; fi +if [ -n "$BUILD_METADATA" ]; then BUILD_METADATA=+$BUILD_METADATA; fi version=$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA basename=openssl diff --git a/deps/openssl/openssl/util/other.syms b/deps/openssl/openssl/util/other.syms index e5bce5a4e786b6..baba363337e30d 100644 --- a/deps/openssl/openssl/util/other.syms +++ b/deps/openssl/openssl/util/other.syms @@ -53,23 +53,28 @@ EVP_RAND datatype EVP_RAND_CTX datatype EVP_SIGNATURE datatype GEN_SESSION_CB datatype -OPENSSL_Applink external -OSSL_LIB_CTX datatype NAMING_AUTHORITY datatype +OPENSSL_Applink external +OSSL_ALGORITHM datatype +OSSL_CALLBACK datatype OSSL_DECODER datatype OSSL_DECODER_CTX datatype OSSL_DECODER_CONSTRUCT datatype OSSL_DECODER_CLEANUP datatype OSSL_DECODER_INSTANCE datatype -OSSL_HTTP_bio_cb_t datatype -OSSL_PARAM datatype -OSSL_PROVIDER datatype +OSSL_DISPATCH datatype OSSL_ENCODER datatype OSSL_ENCODER_CTX datatype OSSL_ENCODER_CONSTRUCT datatype OSSL_ENCODER_CLEANUP datatype OSSL_ENCODER_INSTANCE datatype +OSSL_HTTP_bio_cb_t datatype OSSL_HTTP_REQ_CTX datatype +OSSL_ITEM datatype +OSSL_LIB_CTX datatype +OSSL_PARAM datatype +OSSL_PASSPHRASE_CALLBACK datatype +OSSL_PROVIDER datatype OSSL_STORE_CTX datatype OSSL_STORE_INFO datatype OSSL_STORE_LOADER datatype 
@@ -143,6 +148,13 @@ SSL_QUIC_METHOD datatype ASN1_BIT_STRING_digest define BIO_append_filename define BIO_destroy_bio_pair define +BIO_ctrl_dgram_connect define +BIO_ctrl_set_connected define +BIO_dgram_get_mtu_overhead define +BIO_dgram_get_peer define +BIO_dgram_set_peer define +BIO_dgram_recv_timedout define +BIO_dgram_send_timedout define BIO_do_accept define BIO_do_connect define BIO_do_handshake define diff --git a/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm b/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm index e3cfe078276318..f98dd0e25e3b8b 100644 --- a/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm +++ b/deps/openssl/openssl/util/perl/OpenSSL/ParseC.pm @@ -822,7 +822,7 @@ sub parse { # We use ¦undef¦ as a marker for a new line from the file. # Since we convert one line to several and unshift that into @lines, # that's the only safe way we have to track the original lines - my @lines = map { ( undef, $_ ) } split $/, $line; + my @lines = map { ( undef, $_ ) } split m|\R|, $line; # Remember that extra # we added above? Now we remove it pop @lines;
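Review bot: in the pkey_check recipe (hunk `@@ -66,15 +70,37 @@`), the widened `plan skip_all` condition now skips the whole file whenever either public-key list is empty, and both `@negative_pubtests` and `@positive_pubtests` are filled only `unless disabled("dsa")`. A build without DSA therefore also drops the existing `@negative_tests` and `@positive_tests` checks, such as `dhpkey.pem`. Skip only when all four lists are empty; the `plan tests` sum and the four `foreach` loops already handle an empty list.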
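Review bot: in test/sslapitest.c, `test_large_app_data` fills `buf` with 0xff and makes it one byte longer than the message, but after `SSL_read_ex` nothing asserts that `buf[SSL3_RT_MAX_PLAIN_LENGTH]` is still 0xff; `TEST_mem_eq(msg, written, buf, readbytes)` only covers the bytes reported as read. Add an explicit check on that last byte so a write past the reported length fails the test. Separately, `msg` is declared without an initialiser while `end:` frees it unconditionally; this is safe today only because every exit before the allocation uses `return`, so `*msg = NULL` would make it robust against later edits.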
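Review bot: in test/testutil/provider.c, `fips_provider_version_lt` and `fips_provider_version_ge` both finish the lookup-failure branch with `return res == 0;`, so a negative result from `fips_provider_version()` is returned as 0 and the `if (r < 0)` internal-error branch in `fips_provider_version_match` cannot be reached through the new `MODE_LT` and `MODE_GE` cases. If a lookup error should be reported rather than read as a non-match, return `res` when it is negative. The same branch answers 1 for both `<` and `>=` when `res == 0`; a comment stating what that state means would explain why two opposite comparisons both succeed.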
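Review bot: in test/trace_api_test.c, `test_trace_channel` declares `static const char expected_len = sizeof(expected) - 1;`, which stores a length in a `char`. It fits the current 40-byte string, but a longer expected string would be truncated silently; declare it `size_t`. In the same function, every `goto end` taken after `OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_REF_COUNT, bio)` succeeds reaches `BIO_free(bio)` while the channel is still attached, whereas the success path clears `bio` only after resetting the channel to NULL. Reset the channel under `end:` as well, or clear `bio` once it has been handed over.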
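Review bot: in test/v3ext.c, `test_addr_fam_len` leaks `f1` on every `goto end` taken between `IPAddressFamily_new()` and a successful `sk_IPAddressFamily_push(addr, f1)`, because `end:` frees only `addr`, `ip1` and `ip2`. Set `f1 = NULL` after each successful push and after the explicit `IPAddressFamily_free(f1)`, then free `f1` under `end:`. The allocation, `ASN1_OCTET_STRING_set` and push checks also bypass `TEST_ptr` and `TEST_true`, so a failure there ends the test without any diagnostic.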
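Review bot: in test/v3ext.c, `test_addr_subset` initialises its three-element arrays with two-element lists, for example `IPAddrBlocks *addr[3] = { NULL, NULL };`. The third slot is still zeroed by C initialisation rules, but `{ NULL }` or three entries would match the declared size. The assertions also depend on `ranges[0]`, `ranges[1]` and `ranges[2]` being nested in that order, which is stated nowhere in the test; add a comment here or at the `ranges` table so a reordering of that table does not break the test for no obvious reason.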
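Review bot: the new `gennamedata` entry in test/v3nametest.c is documented only as `Regression test for CVE-2023-0286.`, which does not say what the two bytes `0xa3, 0x00` encode or which comparison path they are meant to exercise. Extend the comment with the GeneralName choice the bytes decode to and the expected outcome, so the case remains understandable without looking up the CVE.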