packages/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssl upgrade from 1.1.1 to 3.0

Browse Source
This commit is contained in:
hzero1996 2023-01-28 15:43:27 +08:00
parent 8d3df73d7e
commit 0ad7278f0b
94 changed files with 92 additions and 32360 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
Backport-Add-documents-for-SM2-cert-verification.patch
View File

@ -1,108 +0,0 @@
From 400e9ffc906d66318e4f9364494809d5a519c718 Mon Sep 17 00:00:00 2001
From: Paul Yang <yang.yang@baishancloud.com>
Date: Wed, 13 Mar 2019 17:22:31 +0800
Subject: [PATCH 06/15] Add documents for SM2 cert verification
This follows #8321 which added the SM2 certificate verification feature.
This commit adds the related docs - the newly added 2 APIs and options
in apps/verify.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
---
doc/man1/verify.pod | 14 ++++++++++++
doc/man3/X509_get0_sm2_id.pod | 43 +++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 doc/man3/X509_get0_sm2_id.pod
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index da2b702..a6b6b2b 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -50,6 +50,8 @@ B<openssl> B<verify>
[B<-verify_name name>]
[B<-x509_strict>]
[B<-show_chain>]
+[B<-sm2-id string>]
+[B<-sm2-hex-id hex-string>]
[B<->]
[certificates]
@@ -319,6 +321,16 @@ Display information about the certificate chain that has been built (if
successful). Certificates in the chain that came from the untrusted list will be
flagged as "untrusted".
+=item B<-sm2-id>
+
+Specify the ID string to use when verifying an SM2 certificate. The ID string is
+required by the SM2 signature algorithm for signing and verification.
+
+=item B<-sm2-hex-id>
+
+Specify a binary ID string to use when signing or verifying using an SM2
+certificate. The argument for this option is string of hexadecimal digits.
+
=item B<->
Indicates the last option. All arguments following this are assumed to be
@@ -774,6 +786,8 @@ The B<-show_chain> option was added in OpenSSL 1.1.0.
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
+The B<-sm2-id> and B<-sm2-hex-id> options were added in OpenSSL 3.0.0.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/X509_get0_sm2_id.pod b/doc/man3/X509_get0_sm2_id.pod
new file mode 100644
index 0000000..84da71e
--- /dev/null
+++ b/doc/man3/X509_get0_sm2_id.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+X509_get0_sm2_id, X509_set_sm2_id - get or set SM2 ID for certificate operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
+ void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
+
+=head1 DESCRIPTION
+
+X509_get0_sm2_id() gets the ID value of an SM2 certificate B<x> by returning an
+B<ASN1_OCTET_STRING> object which should not be freed by the caller.
+X509_set_sm2_id() sets the B<sm2_id> value to an SM2 certificate B<x>.
+
+=head1 NOTES
+
+SM2 signature algorithm requires an ID value when generating and verifying a
+signature. The functions described in this manual provide the user with the
+ability to set and retrieve the SM2 ID value.
+
+=head1 RETURN VALUES
+
+X509_set_sm2_id() does not return a value.
+
+=head1 SEE ALSO
+
+L<X509_verify(3)>, L<SM2(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
--
2.20.1 (Apple Git-117)

127
Backport-Add-test-cases-for-SM2-cert-verification.patch
View File

@ -1,127 +0,0 @@
From c08251384c0405c151a90b315b8f333c38c74eb2 Mon Sep 17 00:00:00 2001
From: Paul Yang <yang.yang@baishancloud.com>
Date: Wed, 13 Mar 2019 16:54:11 +0800
Subject: [PATCH 05/15] Add test cases for SM2 cert verification
This follows #8321 which added the SM2 certificate verification feature.
This commit adds some test cases for #8321.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
---
test/certs/sm2-ca-cert.pem | 14 +++++++++++++
test/certs/{sm2.crt => sm2.pem} | 0
test/recipes/20-test_pkeyutl.t | 37 +++++++++++++--------------------
test/recipes/25-test_verify.t | 14 ++++++++++++-
4 files changed, 42 insertions(+), 23 deletions(-)
create mode 100644 test/certs/sm2-ca-cert.pem
rename test/certs/{sm2.crt => sm2.pem} (100%)
diff --git a/test/certs/sm2-ca-cert.pem b/test/certs/sm2-ca-cert.pem
new file mode 100644
index 0000000..5677ac6
--- /dev/null
+++ b/test/certs/sm2-ca-cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
+AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
+Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw
+CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
+MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG
+SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU
+5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW
+BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU
+5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI
+ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X
+YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3
+-----END CERTIFICATE-----
diff --git a/test/certs/sm2.crt b/test/certs/sm2.pem
similarity index 100%
rename from test/certs/sm2.crt
rename to test/certs/sm2.pem
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 1457530..a36d41e 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -17,32 +17,25 @@ setup("test_pkeyutl");
plan tests => 2;
-sub sign
-{
- # Utilize the sm2.crt as the TBS file
- return run(app(([ 'openssl', 'pkeyutl', '-sign',
- '-in', srctop_file('test', 'certs', 'sm2.crt'),
- '-inkey', srctop_file('test', 'certs', 'sm2.key'),
- '-out', 'signature.sm2', '-rawin',
- '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid'])));
-}
-
-sub verify
-{
- # Utilize the sm2.crt as the TBS file
- return run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
- '-in', srctop_file('test', 'certs', 'sm2.crt'),
- '-inkey', srctop_file('test', 'certs', 'sm2.crt'),
- '-sigfile', 'signature.sm2', '-rawin',
- '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid'])));
-}
+# For the tests below we use the cert itself as the TBS file
SKIP: {
skip "Skipping tests that require EC, SM2 or SM3", 2
if disabled("ec") || disabled("sm2") || disabled("sm3");
- ok(sign, "Sign a piece of data using SM2");
- ok(verify, "Verify an SM2 signature against a piece of data");
+ # SM2
+ ok(run(app(([ 'openssl', 'pkeyutl', '-sign',
+ '-in', srctop_file('test', 'certs', 'sm2.pem'),
+ '-inkey', srctop_file('test', 'certs', 'sm2.key'),
+ '-out', 'signature.dat', '-rawin',
+ '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),
+ "Sign a piece of data using SM2");
+ ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
+ '-in', srctop_file('test', 'certs', 'sm2.pem'),
+ '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
+ '-sigfile', 'signature.dat', '-rawin',
+ '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),
+ "Verify an SM2 signature against a piece of data");
}
-unlink 'signature.sm2';
+unlink 'signature.dat';
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index ffa48ed..b340833 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 146;
+plan tests => 148;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -409,3 +409,15 @@ SKIP: {
"ED25519 signature");
}
+
+SKIP: {
+ skip "SM2 is not supported by this OpenSSL build", 1
+ if disabled("sm2");
+
+ # Test '-sm2-id' and '-sm2-hex-id' option
+ ok(verify("sm2", "any", ["sm2-ca-cert"], [], "-sm2-id", "1234567812345678"),
+ "SM2 ID test");
+ ok(verify("sm2", "any", ["sm2-ca-cert"], [], "-sm2-hex-id",
+ "31323334353637383132333435363738"),
+ "SM2 hex ID test");
+}
--
2.20.1 (Apple Git-117)

29
Backport-Fix-a-document-description-in-apps-req.patch
View File

@ -1,29 +0,0 @@
From 7e64be50900c4aa8cd040c4e3999540883bdeeb6 Mon Sep 17 00:00:00 2001
From: Paul Yang <kaishen.yy@antfin.com>
Date: Thu, 26 Sep 2019 10:57:23 +0800
Subject: [PATCH 13/15] Fix a document description in apps/req
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9958)
---
doc/man1/req.pod | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 7b00bad..e117ec6 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -348,8 +348,8 @@ string is required by the SM2 signature algorithm for signing and verification.
=item B<-sm2-hex-id>
-Specify a binary ID string to use when signing or verifying using an SM2
-certificate. The argument for this option is string of hexadecimal digits.
+Specify a binary ID string to use when verifying an SM2 certificate request. The
+argument for this option is string of hexadecimal digits.
=back
--
2.20.1 (Apple Git-117)

121
Backport-Fix-a-double-free-issue-when-signing-SM2-cert.patch
View File

@ -1,121 +0,0 @@
From a63238684c1d2e15f417f766f44418a8b52ef383 Mon Sep 17 00:00:00 2001
From: Paul Yang <kaishen.yy@antfin.com>
Date: Sat, 21 Sep 2019 00:32:57 +0800
Subject: [PATCH 12/15] Fix a double free issue when signing SM2 cert
If the SM2 ID value has not been passed correctly when signing an SM2
certificate/certificate request, a double free occurs. For instance:
openssl req -x509 ... -sm2-id 1234567812345678
The '-sm2-id' should not be used in this scenario, while the '-sigopt' is
the correct one to use. Documentation has also been updated to make the
options more clear.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9958)
---
apps/req.c | 48 ++++++++++++++++++++++++++++++------------------
doc/man1/req.pod | 4 ++--
2 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/apps/req.c b/apps/req.c
index 96f1edd..95dd0e4 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1756,15 +1756,19 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
- if (rv > 0)
+ if (rv > 0) {
rv = X509_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, pctx is already freed in it
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
#endif
+ }
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
@@ -1779,15 +1783,19 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
- if (rv > 0)
+ if (rv > 0) {
rv = X509_REQ_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, pctx is already freed in it
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
#endif
+ }
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
@@ -1802,15 +1810,19 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
#endif
rv = do_sign_init(mctx, pkey, md, sigopts);
- if (rv > 0)
+ if (rv > 0) {
rv = X509_CRL_sign_ctx(x, mctx);
#ifndef OPENSSL_NO_SM2
- /* only in SM2 case we need to free the pctx explicitly */
- if (ec_pkey_is_sm2(pkey)) {
- pctx = EVP_MD_CTX_pkey_ctx(mctx);
- EVP_PKEY_CTX_free(pctx);
- }
+ /*
+ * only in SM2 case we need to free the pctx explicitly
+ * if do_sign_init() fails, no need to double free pctx
+ */
+ if (ec_pkey_is_sm2(pkey)) {
+ pctx = EVP_MD_CTX_pkey_ctx(mctx);
+ EVP_PKEY_CTX_free(pctx);
+ }
#endif
+ }
EVP_MD_CTX_free(mctx);
return rv > 0 ? 1 : 0;
}
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 3b9fcc3..7b00bad 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -343,8 +343,8 @@ for key generation operations.
=item B<-sm2-id>
-Specify the ID string to use when verifying an SM2 certificate. The ID string is
-required by the SM2 signature algorithm for signing and verification.
+Specify the ID string to use when verifying an SM2 certificate request. The ID
+string is required by the SM2 signature algorithm for signing and verification.
=item B<-sm2-hex-id>
--
2.20.1 (Apple Git-117)

43
Backport-Fix-a-memleak-in-apps-verify.patch
View File

@ -1,43 +0,0 @@
From 1c243548ef736329b08344ad9191803e5a93ec17 Mon Sep 17 00:00:00 2001
From: Paul Yang <yang.yang@baishancloud.com>
Date: Wed, 13 Mar 2019 18:04:05 +0800
Subject: [PATCH 07/15] Fix a memleak in apps/verify
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
---
apps/verify.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/verify.c b/apps/verify.c
index 09b31cf..5052d80 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -80,6 +80,7 @@ int verify_main(int argc, char **argv)
OPTION_CHOICE o;
unsigned char *sm2_id = NULL;
size_t sm2_idlen = 0;
+ int sm2_free = 0;
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
goto end;
@@ -174,6 +175,7 @@ int verify_main(int argc, char **argv)
break;
case OPT_SM2HEXID:
/* try to parse the input as hex string first */
+ sm2_free = 1;
sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)&sm2_idlen);
if (sm2_id == NULL) {
BIO_printf(bio_err, "Invalid hex string input\n");
@@ -216,6 +218,8 @@ int verify_main(int argc, char **argv)
}
end:
+ if (sm2_free)
+ OPENSSL_free(sm2_id);
X509_VERIFY_PARAM_free(vpm);
X509_STORE_free(store);
sk_X509_pop_free(untrusted, X509_free);
--
2.20.1 (Apple Git-117)

67
Backport-Fix-no-ec-no-sm2-and-no-sm3.patch
View File

@ -1,67 +0,0 @@
From 380cf570be1ded495141e16ceab7afb7f7c57ab7 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 28 Feb 2019 13:47:26 +0000
Subject: [PATCH 02/15] Fix no-ec, no-sm2 and no-sm3
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8372)
---
apps/pkeyutl.c | 11 +++++++----
test/recipes/20-test_pkeyutl.t | 9 +++++++--
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index bca0464..1d3d57b 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -473,14 +473,16 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
}
ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
} else {
- EC_KEY *eckey = NULL;
- const EC_GROUP *group = NULL;
- int nid;
-
if (pkey == NULL)
goto end;
+
+#ifndef OPENSSL_NO_EC
/* SM2 needs a special treatment */
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ EC_KEY *eckey = NULL;
+ const EC_GROUP *group = NULL;
+ int nid;
+
if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL
|| (group = EC_KEY_get0_group(eckey)) == NULL
|| (nid = EC_GROUP_get_curve_name(group)) == 0)
@@ -488,6 +490,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
if (nid == NID_sm2)
EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
}
+#endif
*pkeysize = EVP_PKEY_size(pkey);
ctx = EVP_PKEY_CTX_new(pkey, impl);
if (ppkey != NULL)
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index a051138..1457530 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -37,7 +37,12 @@ sub verify
'-digest', 'sm3', '-pkeyopt', 'sm2_id:someid'])));
}
-ok(sign, "Sign a piece of data using SM2");
-ok(verify, "Verify an SM2 signature against a piece of data");
+SKIP: {
+ skip "Skipping tests that require EC, SM2 or SM3", 2
+ if disabled("ec") || disabled("sm2") || disabled("sm3");
+
+ ok(sign, "Sign a piece of data using SM2");
+ ok(verify, "Verify an SM2 signature against a piece of data");
+}
unlink 'signature.sm2';
--
2.20.1 (Apple Git-117)

44
Backport-Guard-some-SM2-functions-with-OPENSSL_NO_SM2.patch
View File

@ -1,44 +0,0 @@
From 908570d02b683195ddfdc8e8c324638bfaa0d2c2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 14 Mar 2019 11:14:38 +0000
Subject: [PATCH 04/15] Guard some SM2 functions with OPENSSL_NO_SM2
Fixes the no-ec build
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8481)
---
include/openssl/x509.h | 2 ++
util/libcrypto.num | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 5f17057..5c88251 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -573,8 +573,10 @@ void X509_get0_signature(const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg, const X509 *x);
int X509_get_signature_nid(const X509 *x);
+# ifndef OPENSSL_NO_SM2
void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
+# endif
int X509_trusted(const X509 *x);
int X509_alias_set1(X509 *x, const unsigned char *name, int len);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8635ac4..233d1c7 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4626,5 +4626,5 @@ FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION:
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
-X509_set_sm2_id 6383 1_1_1m EXIST::FUNCTION:
-X509_get0_sm2_id 6384 1_1_1m EXIST::FUNCTION:
+X509_set_sm2_id 6383 1_1_1m EXIST::FUNCTION:SM2
+X509_get0_sm2_id 6384 1_1_1m EXIST::FUNCTION:SM2
--
2.20.1 (Apple Git-117)

320
Backport-Make-X509_set_sm2_id-consistent-with-other-setters.patch
View File

@ -1,320 +0,0 @@
From 0717cc33d72b011cce4f53661c58d628b684275c Mon Sep 17 00:00:00 2001
From: Paul Yang <yang.yang@baishancloud.com>
Date: Mon, 1 Apr 2019 10:21:53 +0900
Subject: [PATCH 09/15] Make X509_set_sm2_id consistent with other setters
This commit makes the X509_set_sm2_id to 'set0' behaviour, which means
the memory management is passed to X509 and user doesn't need to free
the sm2_id parameter later. API name also changes to X509_set0_sm2_id.
Document and test case are also updated.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8626)
---
apps/verify.c | 40 +++++++++++++++++++-----------
crypto/x509/x_all.c | 5 +++-
crypto/x509/x_x509.c | 13 +++++++---
doc/man3/X509_get0_sm2_id.pod | 12 ++++++---
include/crypto/x509.h | 2 +-
include/openssl/x509.h | 2 +-
test/verify_extra_test.c | 46 +++++++++++++++++++++++++++++++++++
util/libcrypto.num | 2 +-
8 files changed, 97 insertions(+), 25 deletions(-)
diff --git a/apps/verify.c b/apps/verify.c
index 5052d80..9000567 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -246,27 +246,37 @@ static int check(X509_STORE *ctx, const char *file,
if (sm2id != NULL) {
#ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING v;
+ ASN1_OCTET_STRING *v;
- v.data = sm2id;
- v.length = sm2idlen;
+ v = ASN1_OCTET_STRING_new();
+ if (v == NULL) {
+ BIO_printf(bio_err, "error: SM2 ID allocation failed\n");
+ goto end;
+ }
- X509_set_sm2_id(x, &v);
+ if (!ASN1_OCTET_STRING_set(v, sm2id, sm2idlen)) {
+ BIO_printf(bio_err, "error: setting SM2 ID failed\n");
+ ASN1_OCTET_STRING_free(v);
+ goto end;
+ }
+
+ X509_set0_sm2_id(x, v);
#endif
}
csc = X509_STORE_CTX_new();
if (csc == NULL) {
- printf("error %s: X.509 store context allocation failed\n",
- (file == NULL) ? "stdin" : file);
+ BIO_printf(bio_err, "error %s: X.509 store context allocation failed\n",
+ (file == NULL) ? "stdin" : file);
goto end;
}
X509_STORE_set_flags(ctx, vflags);
if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
X509_STORE_CTX_free(csc);
- printf("error %s: X.509 store context initialization failed\n",
- (file == NULL) ? "stdin" : file);
+ BIO_printf(bio_err,
+ "error %s: X.509 store context initialization failed\n",
+ (file == NULL) ? "stdin" : file);
goto end;
}
if (tchain != NULL)
@@ -275,28 +285,30 @@ static int check(X509_STORE *ctx, const char *file,
X509_STORE_CTX_set0_crls(csc, crls);
i = X509_verify_cert(csc);
if (i > 0 && X509_STORE_CTX_get_error(csc) == X509_V_OK) {
- printf("%s: OK\n", (file == NULL) ? "stdin" : file);
+ BIO_printf(bio_out, "%s: OK\n", (file == NULL) ? "stdin" : file);
ret = 1;
if (show_chain) {
int j;
chain = X509_STORE_CTX_get1_chain(csc);
num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
- printf("Chain:\n");
+ BIO_printf(bio_out, "Chain:\n");
for (j = 0; j < sk_X509_num(chain); j++) {
X509 *cert = sk_X509_value(chain, j);
- printf("depth=%d: ", j);
+ BIO_printf(bio_out, "depth=%d: ", j);
X509_NAME_print_ex_fp(stdout,
X509_get_subject_name(cert),
0, get_nameopt());
if (j < num_untrusted)
- printf(" (untrusted)");
- printf("\n");
+ BIO_printf(bio_out, " (untrusted)");
+ BIO_printf(bio_out, "\n");
}
sk_X509_pop_free(chain, X509_free);
}
} else {
- printf("error %s: verification failed\n", (file == NULL) ? "stdin" : file);
+ BIO_printf(bio_err,
+ "error %s: verification failed\n",
+ (file == NULL) ? "stdin" : file);
}
X509_STORE_CTX_free(csc);
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 60a2892..9c8aea5 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -72,7 +72,10 @@ static int x509_verify_sm2(X509 *x, EVP_PKEY *pkey, int mdnid, int pknid)
ret = 0;
goto err;
}
- if (EVP_PKEY_CTX_set1_id(pctx, x->sm2_id.data, x->sm2_id.length) != 1) {
+ /* NOTE: we tolerate no actual ID, to provide maximum flexibility */
+ if (x->sm2_id != NULL
+ && EVP_PKEY_CTX_set1_id(pctx, x->sm2_id->data,
+ x->sm2_id->length) != 1) {
X509err(X509_F_X509_VERIFY_SM2, ERR_R_EVP_LIB);
ret = 0;
goto err;
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 1beab78..fb03bb2 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -72,6 +72,9 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
#ifndef OPENSSL_NO_RFC3779
ret->rfc3779_addr = NULL;
ret->rfc3779_asid = NULL;
+#endif
+#ifndef OPENSSL_NO_SM2
+ ret->sm2_id = NULL;
#endif
ret->aux = NULL;
ret->crldp = NULL;
@@ -91,6 +94,9 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
#ifndef OPENSSL_NO_RFC3779
sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
ASIdentifiers_free(ret->rfc3779_asid);
+#endif
+#ifndef OPENSSL_NO_SM2
+ ASN1_OCTET_STRING_free(ret->sm2_id);
#endif
break;
@@ -247,13 +253,14 @@ int X509_get_signature_nid(const X509 *x)
}
#ifndef OPENSSL_NO_SM2
-void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id)
+void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id)
{
- x->sm2_id = *sm2_id;
+ ASN1_OCTET_STRING_free(x->sm2_id);
+ x->sm2_id = sm2_id;
}
ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x)
{
- return &x->sm2_id;
+ return x->sm2_id;
}
#endif
diff --git a/doc/man3/X509_get0_sm2_id.pod b/doc/man3/X509_get0_sm2_id.pod
index 84da71e..9698c86 100644
--- a/doc/man3/X509_get0_sm2_id.pod
+++ b/doc/man3/X509_get0_sm2_id.pod
@@ -2,20 +2,24 @@
=head1 NAME
-X509_get0_sm2_id, X509_set_sm2_id - get or set SM2 ID for certificate operations
+X509_get0_sm2_id, X509_set0_sm2_id - get or set SM2 ID for certificate operations
=head1 SYNOPSIS
#include <openssl/x509.h>
ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
- void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
+ void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
=head1 DESCRIPTION
X509_get0_sm2_id() gets the ID value of an SM2 certificate B<x> by returning an
B<ASN1_OCTET_STRING> object which should not be freed by the caller.
-X509_set_sm2_id() sets the B<sm2_id> value to an SM2 certificate B<x>.
+
+X509_set0_sm2_id() sets the B<sm2_id> value to an SM2 certificate B<x>. Calling
+this function transfers the memory management of the value to the X509 object,
+and therefore the value that has been passed in should not be freed by the
+caller after this function has been called.
=head1 NOTES
@@ -25,7 +29,7 @@ ability to set and retrieve the SM2 ID value.
=head1 RETURN VALUES
-X509_set_sm2_id() does not return a value.
+X509_set0_sm2_id() does not return a value.
=head1 SEE ALSO
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 418c427..5c314a8 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -186,7 +186,7 @@ struct x509_st {
CRYPTO_RWLOCK *lock;
volatile int ex_cached;
# ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING sm2_id;
+ ASN1_OCTET_STRING *sm2_id;
# endif
} /* X509 */ ;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 5c88251..a02cf50 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -574,7 +574,7 @@ void X509_get0_signature(const ASN1_BIT_STRING **psig,
int X509_get_signature_nid(const X509 *x);
# ifndef OPENSSL_NO_SM2
-void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
+void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
# endif
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c
index b9959e0..763ea4f 100644
--- a/test/verify_extra_test.c
+++ b/test/verify_extra_test.c
@@ -8,6 +8,7 @@
*/
#include <stdio.h>
+#include <string.h>
#include <openssl/crypto.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
@@ -231,6 +232,48 @@ static int test_self_signed_bad(void)
return test_self_signed(bad_f, 0);
}
+#ifndef OPENSSL_NO_SM2
+static int test_sm2_id(void)
+{
+ /* we only need an X509 structure, no matter if it's a real SM2 cert */
+ X509 *x = NULL;
+ BIO *bio = NULL;
+ int ret = 0;
+ ASN1_OCTET_STRING *v = NULL, *v2 = NULL;
+ char *sm2id = "this is an ID";
+
+ bio = BIO_new_file(bad_f, "r");
+ if (bio == NULL)
+ goto err;
+
+ x = PEM_read_bio_X509(bio, NULL, 0, NULL);
+ if (x == NULL)
+ goto err;
+
+ v = ASN1_OCTET_STRING_new();
+ if (v == NULL)
+ goto err;
+
+ if (!ASN1_OCTET_STRING_set(v, (unsigned char *)sm2id, (int)strlen(sm2id))) {
+ ASN1_OCTET_STRING_free(v);
+ goto err;
+ }
+
+ X509_set0_sm2_id(x, v);
+
+ v2 = X509_get0_sm2_id(x);
+ if (!TEST_ptr(v2)
+ || !TEST_int_eq(ASN1_OCTET_STRING_cmp(v, v2), 0))
+ goto err;
+
+ ret = 1;
+ err:
+ X509_free(x);
+ BIO_free(bio);
+ return ret;
+}
+#endif
+
int setup_tests(void)
{
if (!TEST_ptr(roots_f = test_get_argument(0))
@@ -245,5 +288,8 @@ int setup_tests(void)
ADD_TEST(test_store_ctx);
ADD_TEST(test_self_signed_good);
ADD_TEST(test_self_signed_bad);
+#ifndef OPENSSL_NO_SM2
+ ADD_TEST(test_sm2_id);
+#endif
return 1;
}
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 233d1c7..d7abe91 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4626,5 +4626,5 @@ FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION:
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
-X509_set_sm2_id 6383 1_1_1m EXIST::FUNCTION:SM2
+X509_set0_sm2_id 6383 1_1_1m EXIST::FUNCTION:SM2
X509_get0_sm2_id 6384 1_1_1m EXIST::FUNCTION:SM2
--
2.20.1 (Apple Git-117)

492
Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch
View File

@ -1,492 +0,0 @@
From 4d2e328357ac4b468d4762a5a5f615d7e7bf46a6 Mon Sep 17 00:00:00 2001
From: Xu Yizhou <xuyizhou1@huawei.com>
Date: Thu, 27 Oct 2022 20:49:34 +0800
Subject: [PATCH 1/3] SM3 acceleration with SM3 hardware instruction on aarch64
This patch contains the following two PRs,
1. SM3 acceleration with SM3 hardware instruction on aarch64
SM3 hardware instruction is optional feature of crypto extension for
aarch64. This implementation accelerates SM3 via SM3 instructions. For
the platform not supporting SM3 instruction, the original C
implementation still works. Thanks to AliBaba for testing and reporting
the following perf numbers for Yitian710:
Benchmark on T-Head Yitian-710 2.75GHz:
Before:
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
sm3 49297.82k 121062.63k 223106.05k 283371.52k 307574.10k 309400.92k
After (33% - 74% faster):
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
sm3 65640.01k 179121.79k 359854.59k 481448.96k 534055.59k 538274.47k
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17454)
2. Fix sm3ss1 translation issue in sm3-armv8.pl
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17542)
Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com>
---
Configurations/00-base-templates.conf | 1 +
Configure | 4 +
crypto/arm64cpuid.pl | 7 +
crypto/arm_arch.h | 1 +
crypto/armcap.c | 10 +
crypto/sm3/asm/sm3-armv8.pl | 280 ++++++++++++++++++++++++++
crypto/sm3/build.info | 15 +-
crypto/sm3/sm3_local.h | 16 +-
8 files changed, 332 insertions(+), 2 deletions(-)
create mode 100644 crypto/sm3/asm/sm3-armv8.pl
diff --git a/Configurations/00-base-templates.conf b/Configurations/00-base-templates.conf
index 1d35012..a67ae65 100644
--- a/Configurations/00-base-templates.conf
+++ b/Configurations/00-base-templates.conf
@@ -322,6 +322,7 @@ my %targets=(
poly1305_asm_src=> "poly1305-armv8.S",
keccak1600_asm_src => "keccak1600-armv8.S",
sm4_asm_src => "vpsm4_ex-armv8.S",
+ sm3_asm_src => "sm3-armv8.S",
},
parisc11_asm => {
template => 1,
diff --git a/Configure b/Configure
index 3bfe360..fce460d 100755
--- a/Configure
+++ b/Configure
@@ -1423,6 +1423,9 @@ unless ($disabled{asm}) {
if ($target{sm4_asm_src} ne "") {
push @{$config{lib_defines}}, "VPSM4_EX_ASM";
}
+ if ($target{sm3_asm_src} ne "") {
+ push @{$config{lib_defines}}, "SM3_ASM";
+ }
}
my %predefined_C = compiler_predefined($config{CROSS_COMPILE}.$config{CC});
@@ -3379,6 +3382,7 @@ sub print_table_entry
"multilib",
"build_scheme",
"sm4_asm_src",
+ "sm3_asm_src",
);
if ($type eq "TABLE") {
diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl
index 319927e..1e9b167 100755
--- a/crypto/arm64cpuid.pl
+++ b/crypto/arm64cpuid.pl
@@ -78,6 +78,13 @@ _armv8_sha512_probe:
ret
.size _armv8_sha512_probe,.-_armv8_sha512_probe
+.globl _armv8_sm3_probe
+.type _armv8_sm3_probe,%function
+_armv8_sm3_probe:
+ .long 0xce63c004 // sm3partw1 v4.4s, v0.4s, v3.4s
+ ret
+.size _armv8_sm3_probe,.-_armv8_sm3_probe
+
.globl OPENSSL_cleanse
.type OPENSSL_cleanse,%function
.align 5
diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h
index 8b71055..8839b21 100644
--- a/crypto/arm_arch.h
+++ b/crypto/arm_arch.h
@@ -80,5 +80,6 @@ extern unsigned int OPENSSL_armcap_P;
# define ARMV8_SHA256 (1<<4)
# define ARMV8_PMULL (1<<5)
# define ARMV8_SHA512 (1<<6)
+# define ARMV8_SM3 (1<<9)
#endif
diff --git a/crypto/armcap.c b/crypto/armcap.c
index 48c5d4d..8b2f4a5 100644
--- a/crypto/armcap.c
+++ b/crypto/armcap.c
@@ -47,6 +47,7 @@ void _armv8_sha1_probe(void);
void _armv8_sha256_probe(void);
void _armv8_pmull_probe(void);
# ifdef __aarch64__
+void _armv8_sm3_probe(void);
void _armv8_sha512_probe(void);
# endif
uint32_t _armv7_tick(void);
@@ -130,6 +131,7 @@ static unsigned long getauxval(unsigned long key)
# define HWCAP_CE_PMULL (1 << 4)
# define HWCAP_CE_SHA1 (1 << 5)
# define HWCAP_CE_SHA256 (1 << 6)
+# define HWCAP_CE_SM3 (1 << 18)
# define HWCAP_CE_SHA512 (1 << 21)
# endif
@@ -190,6 +192,9 @@ void OPENSSL_cpuid_setup(void)
# ifdef __aarch64__
if (hwcap & HWCAP_CE_SHA512)
OPENSSL_armcap_P |= ARMV8_SHA512;
+
+ if (hwcap & HWCAP_CE_SM3)
+ OPENSSL_armcap_P |= ARMV8_SM3;
# endif
}
# endif
@@ -233,6 +238,11 @@ void OPENSSL_cpuid_setup(void)
_armv8_sha512_probe();
OPENSSL_armcap_P |= ARMV8_SHA512;
}
+
+ if (sigsetjmp(ill_jmp, 1) == 0) {
+ _armv8_sm3_probe();
+ OPENSSL_armcap_P |= ARMV8_SM3;
+ }
# endif
}
# endif
diff --git a/crypto/sm3/asm/sm3-armv8.pl b/crypto/sm3/asm/sm3-armv8.pl
new file mode 100644
index 0000000..677ca52
--- /dev/null
+++ b/crypto/sm3/asm/sm3-armv8.pl
@@ -0,0 +1,280 @@
+#! /usr/bin/env perl
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# This module implements support for Armv8 SM3 instructions
+
+# $output is the last argument if it looks like a file (it has an extension)
+# $flavour is the first argument if it doesn't look like a file
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour \"$output\""
+ or die "can't call $xlate: $!";
+*STDOUT=*OUT;
+
+# Message expanding:
+# Wj <- P1(W[j-16]^W[j-9]^(W[j-3]<<<15))^(W[j-13]<<<7)^W[j-6]
+# Input: s0, s1, s2, s3
+# s0 = w0 | w1 | w2 | w3
+# s1 = w4 | w5 | w6 | w7
+# s2 = w8 | w9 | w10 | w11
+# s3 = w12 | w13 | w14 | w15
+# Output: s4
+sub msg_exp () {
+my $s0 = shift;
+my $s1 = shift;
+my $s2 = shift;
+my $s3 = shift;
+my $s4 = shift;
+my $vtmp1 = shift;
+my $vtmp2 = shift;
+$code.=<<___;
+ // s4 = w7 | w8 | w9 | w10
+ ext $s4.16b, $s1.16b, $s2.16b, #12
+ // vtmp1 = w3 | w4 | w5 | w6
+ ext $vtmp1.16b, $s0.16b, $s1.16b, #12
+ // vtmp2 = w10 | w11 | w12 | w13
+ ext $vtmp2.16b, $s2.16b, $s3.16b, #8
+ sm3partw1 $s4.4s, $s0.4s, $s3.4s
+ sm3partw2 $s4.4s, $vtmp2.4s, $vtmp1.4s
+___
+}
+
+# A round of compresson function
+# Input:
+# ab - choose instruction among sm3tt1a, sm3tt1b, sm3tt2a, sm3tt2b
+# vstate0 - vstate1, store digest status(A - H)
+# vconst0 - vconst1, interleaved used to store Tj <<< j
+# vtmp - temporary register
+# vw - for sm3tt1ab, vw = s0 eor s1
+# s0 - for sm3tt2ab, just be s0
+# i, choose wj' or wj from vw
+sub round () {
+my $ab = shift;
+my $vstate0 = shift;
+my $vstate1 = shift;
+my $vconst0 = shift;
+my $vconst1 = shift;
+my $vtmp = shift;
+my $vw = shift;
+my $s0 = shift;
+my $i = shift;
+$code.=<<___;
+ sm3ss1 $vtmp.4s, $vstate0.4s, $vconst0.4s, $vstate1.4s
+ shl $vconst1.4s, $vconst0.4s, #1
+ sri $vconst1.4s, $vconst0.4s, #31
+ sm3tt1$ab $vstate0.4s, $vtmp.4s, $vw.4s[$i]
+ sm3tt2$ab $vstate1.4s, $vtmp.4s, $s0.4s[$i]
+___
+}
+
+sub qround () {
+my $ab = shift;
+my $vstate0 = shift;
+my $vstate1 = shift;
+my $vconst0 = shift;
+my $vconst1 = shift;
+my $vtmp1 = shift;
+my $vtmp2 = shift;
+my $s0 = shift;
+my $s1 = shift;
+my $s2 = shift;
+my $s3 = shift;
+my $s4 = shift;
+ if($s4) {
+ &msg_exp($s0, $s1, $s2, $s3, $s4, $vtmp1, $vtmp2);
+ }
+$code.=<<___;
+ eor $vtmp1.16b, $s0.16b, $s1.16b
+___
+ &round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2,
+ $vtmp1, $s0, 0);
+ &round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2,
+ $vtmp1, $s0, 1);
+ &round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2,
+ $vtmp1, $s0, 2);
+ &round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2,
+ $vtmp1, $s0, 3);
+}
+
+$code=<<___;
+#include "arm_arch.h"
+.arch armv8.2-a
+.text
+___
+
+{{{
+my ($pstate,$pdata,$num)=("x0","x1","w2");
+my ($state1,$state2)=("v5","v6");
+my ($sconst1, $sconst2)=("s16","s17");
+my ($vconst1, $vconst2)=("v16","v17");
+my ($s0,$s1,$s2,$s3,$s4)=map("v$_",(0..4));
+my ($bkstate1,$bkstate2)=("v18","v19");
+my ($vconst_tmp1,$vconst_tmp2)=("v20","v21");
+my ($vtmp1,$vtmp2)=("v22","v23");
+my $constaddr="x8";
+# void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num)
+$code.=<<___;
+.globl ossl_hwsm3_block_data_order
+.type ossl_hwsm3_block_data_order,%function
+.align 5
+ossl_hwsm3_block_data_order:
+ // load state
+ ld1 {$state1.4s-$state2.4s}, [$pstate]
+ rev64 $state1.4s, $state1.4s
+ rev64 $state2.4s, $state2.4s
+ ext $state1.16b, $state1.16b, $state1.16b, #8
+ ext $state2.16b, $state2.16b, $state2.16b, #8
+
+ adr $constaddr, .Tj
+ ldp $sconst1, $sconst2, [$constaddr]
+
+.Loop:
+ // load input
+ ld1 {$s0.16b-$s3.16b}, [$pdata], #64
+ sub $num, $num, #1
+
+ mov $bkstate1.16b, $state1.16b
+ mov $bkstate2.16b, $state2.16b
+
+#ifndef __ARMEB__
+ rev32 $s0.16b, $s0.16b
+ rev32 $s1.16b, $s1.16b
+ rev32 $s2.16b, $s2.16b
+ rev32 $s3.16b, $s3.16b
+#endif
+
+ ext $vconst_tmp1.16b, $vconst1.16b, $vconst1.16b, #4
+___
+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s0,$s1,$s2,$s3,$s4);
+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s1,$s2,$s3,$s4,$s0);
+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s2,$s3,$s4,$s0,$s1);
+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s3,$s4,$s0,$s1,$s2);
+
+$code.=<<___;
+ ext $vconst_tmp1.16b, $vconst2.16b, $vconst2.16b, #4
+___
+
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s4,$s0,$s1,$s2,$s3);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s0,$s1,$s2,$s3,$s4);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s1,$s2,$s3,$s4,$s0);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s2,$s3,$s4,$s0,$s1);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s3,$s4,$s0,$s1,$s2);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s4,$s0,$s1,$s2,$s3);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s0,$s1,$s2,$s3,$s4);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s1,$s2,$s3,$s4,$s0);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s2,$s3,$s4,$s0,$s1);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s3,$s4);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s4,$s0);
+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
+ $s0,$s1);
+
+$code.=<<___;
+ eor $state1.16b, $state1.16b, $bkstate1.16b
+ eor $state2.16b, $state2.16b, $bkstate2.16b
+
+ // any remained blocks?
+ cbnz $num, .Loop
+
+ // save state
+ rev64 $state1.4s, $state1.4s
+ rev64 $state2.4s, $state2.4s
+ ext $state1.16b, $state1.16b, $state1.16b, #8
+ ext $state2.16b, $state2.16b, $state2.16b, #8
+ st1 {$state1.4s-$state2.4s}, [$pstate]
+ ret
+.size ossl_hwsm3_block_data_order,.-ossl_hwsm3_block_data_order
+
+.align 3
+.Tj:
+.word 0x79cc4519, 0x9d8a7a87
+___
+}}}
+
+#########################################
+my %sm3partopcode = (
+ "sm3partw1" => 0xce60C000,
+ "sm3partw2" => 0xce60C400);
+
+my %sm3ss1opcode = (
+ "sm3ss1" => 0xce400000);
+
+my %sm3ttopcode = (
+ "sm3tt1a" => 0xce408000,
+ "sm3tt1b" => 0xce408400,
+ "sm3tt2a" => 0xce408800,
+ "sm3tt2b" => 0xce408C00);
+
+sub unsm3part {
+ my ($mnemonic,$arg)=@_;
+
+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o
+ &&
+ sprintf ".inst\t0x%08x\t//%s %s",
+ $sm3partopcode{$mnemonic}|$1|($2<<5)|($3<<16),
+ $mnemonic,$arg;
+}
+
+sub unsm3ss1 {
+ my ($mnemonic,$arg)=@_;
+
+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o
+ &&
+ sprintf ".inst\t0x%08x\t//%s %s",
+ $sm3ss1opcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10),
+ $mnemonic,$arg;
+}
+
+sub unsm3tt {
+ my ($mnemonic,$arg)=@_;
+
+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*\[([0-3])\]/o
+ &&
+ sprintf ".inst\t0x%08x\t//%s %s",
+ $sm3ttopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<12),
+ $mnemonic,$arg;
+}
+
+open SELF,$0;
+while(<SELF>) {
+ next if (/^#!/);
+ last if (!s/^#/\/\// and !/^$/);
+ print;
+}
+close SELF;
+
+foreach(split("\n",$code)) {
+ s/\`([^\`]*)\`/eval($1)/ge;
+
+ s/\b(sm3partw[1-2])\s+([qv].*)/unsm3part($1,$2)/ge;
+ s/\b(sm3ss1)\s+([qv].*)/unsm3ss1($1,$2)/ge;
+ s/\b(sm3tt[1-2][a-b])\s+([qv].*)/unsm3tt($1,$2)/ge;
+ print $_,"\n";
+}
+
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/sm3/build.info b/crypto/sm3/build.info
index 6009b19..e113729 100644
--- a/crypto/sm3/build.info
+++ b/crypto/sm3/build.info
@@ -1,2 +1,15 @@
LIBS=../../libcrypto
-SOURCE[../../libcrypto]=sm3.c m_sm3.c
+SOURCE[../../libcrypto]=\
+ sm3.c m_sm3.c {- $target{sm3_asm_src} -}
+
+GENERATE[sm3-armv8.S]=asm/sm3-armv8.pl $(PERLASM_SCHEME)
+INCLUDE[sm3-armv8.o]=..
+
+BEGINRAW[Makefile]
+##### SM3 assembler implementations
+
+# GNU make "catch all"
+{- $builddir -}/sm3-%.S: {- $sourcedir -}/asm/sm3-%.pl
+ CC="$(CC)" $(PERL) $< $(PERLASM_SCHEME) $@
+
+ENDRAW[Makefile]
\ No newline at end of file
diff --git a/crypto/sm3/sm3_local.h b/crypto/sm3/sm3_local.h
index 7171de5..aafff63 100644
--- a/crypto/sm3/sm3_local.h
+++ b/crypto/sm3/sm3_local.h
@@ -32,7 +32,21 @@
ll=(c)->G; (void)HOST_l2c(ll, (s)); \
ll=(c)->H; (void)HOST_l2c(ll, (s)); \
} while (0)
-#define HASH_BLOCK_DATA_ORDER sm3_block_data_order
+
+#if defined(SM3_ASM)
+# if defined(__aarch64__)
+# include "crypto/arm_arch.h"
+# define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3)
+void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
+# endif
+#endif
+
+#if defined(HWSM3_CAPABLE)
+# define HASH_BLOCK_DATA_ORDER (HWSM3_CAPABLE ? ossl_hwsm3_block_data_order \
+ : sm3_block_data_order)
+#else
+# define HASH_BLOCK_DATA_ORDER sm3_block_data_order
+#endif
void sm3_transform(SM3_CTX *c, const unsigned char *data);
--
2.36.1

1032
Backport-SM4-optimization-for-ARM-by-HW-instruction.patch
View File

File diff suppressed because it is too large Load Diff

30
Backport-Skip-the-correct-number-of-tests-if-SM2-is-disabled.patch
View File

@ -1,30 +0,0 @@
From f0dd65378296590d87250bf2130bad567483ee3d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 3 Apr 2019 09:44:41 +0100
Subject: [PATCH 08/15] Skip the correct number of tests if SM2 is disabled
Fixes no-sm2 (and also no-sm3 and no-ec)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8650)
---
test/recipes/25-test_verify.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index b340833..d254bd8 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -411,7 +411,7 @@ SKIP: {
}
SKIP: {
- skip "SM2 is not supported by this OpenSSL build", 1
+ skip "SM2 is not supported by this OpenSSL build", 2
if disabled("sm2");
# Test '-sm2-id' and '-sm2-hex-id' option
--
2.20.1 (Apple Git-117)

1189
Backport-Support-SM2-certificate-signing.patch
View File

File diff suppressed because it is too large Load Diff

579
Backport-Support-SM2-certificate-verification.patch
View File

@ -1,579 +0,0 @@
From 7d86ccd1282aeff8f6d564c5d37625ffcc048f2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=A8=E6=B4=8B?= <yang.yang@baishancloud.com>
Date: Fri, 26 Oct 2018 21:34:08 +0800
Subject: [PATCH 03/15] Support SM2 certificate verification
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8321)
---
apps/verify.c | 45 +++++++++++++--
crypto/asn1/a_verify.c | 3 +-
crypto/err/openssl.txt | 2 +
crypto/objects/obj_dat.h | 17 ++++--
crypto/objects/obj_mac.num | 1 +
crypto/objects/obj_xref.h | 4 +-
crypto/objects/obj_xref.txt | 2 +
crypto/objects/objects.txt | 2 +
crypto/x509/x509_err.c | 2 +
crypto/x509/x_all.c | 110 ++++++++++++++++++++++++++++++++++++
crypto/x509/x_x509.c | 12 ++++
fuzz/oids.txt | 1 +
include/crypto/x509.h | 5 +-
include/openssl/obj_mac.h | 7 ++-
include/openssl/x509.h | 3 +
include/openssl/x509err.h | 2 +
util/libcrypto.num | 2 +
17 files changed, 204 insertions(+), 16 deletions(-)
diff --git a/apps/verify.c b/apps/verify.c
index 1f93856..09b31cf 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -21,7 +21,8 @@
static int cb(int ok, X509_STORE_CTX *ctx);
static int check(X509_STORE *ctx, const char *file,
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
- STACK_OF(X509_CRL) *crls, int show_chain);
+ STACK_OF(X509_CRL) *crls, int show_chain,
+ unsigned char *sm2id, size_t sm2idlen);
static int v_verbose = 0, vflags = 0;
typedef enum OPTION_choice {
@@ -29,7 +30,7 @@ typedef enum OPTION_choice {
OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
OPT_V_ENUM, OPT_NAMEOPT,
- OPT_VERBOSE
+ OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID
} OPTION_CHOICE;
const OPTIONS verify_options[] = {
@@ -56,6 +57,12 @@ const OPTIONS verify_options[] = {
OPT_V_OPTIONS,
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+#ifndef OPENSSL_NO_SM2
+ {"sm2-id", OPT_SM2ID, 's',
+ "Specify an ID string to verify an SM2 certificate"},
+ {"sm2-hex-id", OPT_SM2HEXID, 's',
+ "Specify a hex ID string to verify an SM2 certificate"},
#endif
{NULL}
};
@@ -71,6 +78,8 @@ int verify_main(int argc, char **argv)
int noCApath = 0, noCAfile = 0;
int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
OPTION_CHOICE o;
+ unsigned char *sm2_id = NULL;
+ size_t sm2_idlen = 0;
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
goto end;
@@ -158,6 +167,19 @@ int verify_main(int argc, char **argv)
case OPT_VERBOSE:
v_verbose = 1;
break;
+ case OPT_SM2ID:
+ /* we assume the input is not a hex string */
+ sm2_id = (unsigned char *)opt_arg();
+ sm2_idlen = strlen((const char *)sm2_id);
+ break;
+ case OPT_SM2HEXID:
+ /* try to parse the input as hex string first */
+ sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)&sm2_idlen);
+ if (sm2_id == NULL) {
+ BIO_printf(bio_err, "Invalid hex string input\n");
+ goto end;
+ }
+ break;
}
}
argc = opt_num_rest();
@@ -183,12 +205,13 @@ int verify_main(int argc, char **argv)
ret = 0;
if (argc < 1) {
- if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1)
+ if (check(store, NULL, untrusted, trusted, crls, show_chain,
+ sm2_id, sm2_idlen) != 1)
ret = -1;
} else {
for (i = 0; i < argc; i++)
if (check(store, argv[i], untrusted, trusted, crls,
- show_chain) != 1)
+ show_chain, sm2_id, sm2_idlen) != 1)
ret = -1;
}
@@ -204,7 +227,8 @@ int verify_main(int argc, char **argv)
static int check(X509_STORE *ctx, const char *file,
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
- STACK_OF(X509_CRL) *crls, int show_chain)
+ STACK_OF(X509_CRL) *crls, int show_chain,
+ unsigned char *sm2id, size_t sm2idlen)
{
X509 *x = NULL;
int i = 0, ret = 0;
@@ -216,6 +240,17 @@ static int check(X509_STORE *ctx, const char *file,
if (x == NULL)
goto end;
+ if (sm2id != NULL) {
+#ifndef OPENSSL_NO_SM2
+ ASN1_OCTET_STRING v;
+
+ v.data = sm2id;
+ v.length = sm2idlen;
+
+ X509_set_sm2_id(x, &v);
+#endif
+ }
+
csc = X509_STORE_CTX_new();
if (csc == NULL) {
printf("error %s: X.509 store context allocation failed\n",
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 4b5f542..f543aa1 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -94,7 +94,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
int mdnid, pknid;
size_t inll = 0;
- if (!pkey) {
+ if (pkey == NULL) {
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
@@ -150,7 +150,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
ret = 0;
goto err;
}
-
}
inl = ASN1_item_i2d(asn, &buf_in, it);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 902e97b..5e71e65 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1766,8 +1766,10 @@ X509_F_X509_STORE_NEW:158:X509_STORE_new
X509_F_X509_TO_X509_REQ:126:X509_to_X509_REQ
X509_F_X509_TRUST_ADD:133:X509_TRUST_add
X509_F_X509_TRUST_SET:141:X509_TRUST_set
+X509_F_X509_VERIFY:161:X509_verify
X509_F_X509_VERIFY_CERT:127:X509_verify_cert
X509_F_X509_VERIFY_PARAM_NEW:159:X509_VERIFY_PARAM_new
+X509_F_X509_VERIFY_SM2:162:x509_verify_sm2
#Reason codes
ASN1_R_ADDING_OBJECT:171:adding object
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 24b49a2..eb4cce4 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/objects/obj_dat.pl
*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
@@ -10,7 +10,7 @@
*/
/* Serialized OID's */
-static const unsigned char so[7762] = {
+static const unsigned char so[7770] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */
@@ -1076,9 +1076,10 @@ static const unsigned char so[7762] = {
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x04, /* [ 7736] OBJ_id_tc26_gost_3410_2012_256_paramSetD */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0C, /* [ 7745] OBJ_hmacWithSHA512_224 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
+ 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75, /* [ 7761] OBJ_SM2_with_SM3 */
};
-#define NUM_NID 1195
+#define NUM_NID 1196
static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"UNDEF", "undefined", NID_undef},
{"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2275,9 +2276,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"magma-mac", "magma-mac", NID_magma_mac},
{"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
{"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
+ {"SM2-SM3", "SM2-with-SM3", NID_SM2_with_SM3, 8, &so[7761]},
};
-#define NUM_SN 1186
+#define NUM_SN 1187
static const unsigned int sn_objs[NUM_SN] = {
364, /* "AD_DVCS" */
419, /* "AES-128-CBC" */
@@ -2543,6 +2545,7 @@ static const unsigned int sn_objs[NUM_SN] = {
1100, /* "SHAKE128" */
1101, /* "SHAKE256" */
1172, /* "SM2" */
+ 1195, /* "SM2-SM3" */
1143, /* "SM3" */
1134, /* "SM4-CBC" */
1137, /* "SM4-CFB" */
@@ -3467,7 +3470,7 @@ static const unsigned int sn_objs[NUM_SN] = {
1093, /* "x509ExtAdmission" */
};
-#define NUM_LN 1186
+#define NUM_LN 1187
static const unsigned int ln_objs[NUM_LN] = {
363, /* "AD Time Stamping" */
405, /* "ANSI X9.62" */
@@ -3623,6 +3626,7 @@ static const unsigned int ln_objs[NUM_LN] = {
1119, /* "RSA-SHA3-512" */
188, /* "S/MIME" */
167, /* "S/MIME Capabilities" */
+ 1195, /* "SM2-with-SM3" */
1006, /* "SNILS" */
387, /* "SNMPv2" */
1025, /* "SSH Client" */
@@ -4657,7 +4661,7 @@ static const unsigned int ln_objs[NUM_LN] = {
125, /* "zlib compression" */
};
-#define NUM_OBJ 1071
+#define NUM_OBJ 1072
static const unsigned int obj_objs[NUM_OBJ] = {
0, /* OBJ_undef 0 */
181, /* OBJ_iso 1 */
@@ -5126,6 +5130,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
1139, /* OBJ_sm4_ctr 1 2 156 10197 1 104 7 */
1172, /* OBJ_sm2 1 2 156 10197 1 301 */
1143, /* OBJ_sm3 1 2 156 10197 1 401 */
+ 1195, /* OBJ_SM2_with_SM3 1 2 156 10197 1 501 */
1144, /* OBJ_sm3WithRSAEncryption 1 2 156 10197 1 504 */
776, /* OBJ_seed_ecb 1 2 410 200004 1 3 */
777, /* OBJ_seed_cbc 1 2 410 200004 1 4 */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 1b6a9c6..8b797b0 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1192,3 +1192,4 @@ magma_cfb 1191
magma_mac 1192
hmacWithSHA512_224 1193
hmacWithSHA512_256 1194
+SM2_with_SM3 1195
diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
index 5c3561a..1acfcde 100644
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by objxref.pl
*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -79,6 +79,7 @@ static const nid_triple sigoid_srt[] = {
{NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption},
{NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption},
{NID_RSA_SHA3_512, NID_sha3_512, NID_rsaEncryption},
+ {NID_SM2_with_SM3, NID_sm3, NID_sm2},
};
static const nid_triple *const sigoid_srt_xref[] = {
@@ -125,4 +126,5 @@ static const nid_triple *const sigoid_srt_xref[] = {
&sigoid_srt[45],
&sigoid_srt[46],
&sigoid_srt[47],
+ &sigoid_srt[48],
};
diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt
index ca3e744..f3dd8ed 100644
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@@ -64,3 +64,5 @@ dhSinglePass_cofactorDH_sha224kdf_scheme sha224 dh_cofactor_kdf
dhSinglePass_cofactorDH_sha256kdf_scheme sha256 dh_cofactor_kdf
dhSinglePass_cofactorDH_sha384kdf_scheme sha384 dh_cofactor_kdf
dhSinglePass_cofactorDH_sha512kdf_scheme sha512 dh_cofactor_kdf
+
+SM2_with_SM3 sm3 sm2
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index c49d4c5..be9da47 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -385,6 +385,8 @@ sm-scheme 301 : SM2 : sm2
sm-scheme 401 : SM3 : sm3
sm-scheme 504 : RSA-SM3 : sm3WithRSAEncryption
+sm-scheme 501 : SM2-SM3 : SM2-with-SM3
+
# From RFC4231
rsadsi 2 8 : : hmacWithSHA224
rsadsi 2 9 : : hmacWithSHA256
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index bdd1e67..c91ad7c 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -105,9 +105,11 @@ static const ERR_STRING_DATA X509_str_functs[] = {
{ERR_PACK(ERR_LIB_X509, X509_F_X509_TO_X509_REQ, 0), "X509_to_X509_REQ"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_TRUST_ADD, 0), "X509_TRUST_add"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_TRUST_SET, 0), "X509_TRUST_set"},
+ {ERR_PACK(ERR_LIB_X509, X509_F_X509_VERIFY, 0), "X509_verify"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_VERIFY_CERT, 0), "X509_verify_cert"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_VERIFY_PARAM_NEW, 0),
"X509_VERIFY_PARAM_new"},
+ {ERR_PACK(ERR_LIB_X509, X509_F_X509_VERIFY_SM2, 0), "x509_verify_sm2"},
{0, NULL}
};
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index a4e9cda..60a2892 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -19,10 +19,120 @@
#include <openssl/dsa.h>
#include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_SM2
+
+# include "crypto/asn1.h"
+# include "crypto/evp.h"
+
+static int x509_verify_sm2(X509 *x, EVP_PKEY *pkey, int mdnid, int pknid)
+{
+ EVP_MD_CTX *ctx = NULL;
+ unsigned char *buf_in = NULL;
+ int ret = -1, inl = 0;
+ size_t inll = 0;
+ EVP_PKEY_CTX *pctx = NULL;
+ const EVP_MD *type = EVP_get_digestbynid(mdnid);
+
+ if (type == NULL) {
+ X509err(X509_F_X509_VERIFY_SM2,
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ goto err;
+ }
+
+ if (pkey == NULL) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_PASSED_NULL_PARAMETER);
+ return -1;
+ }
+
+ if (x->signature.type == V_ASN1_BIT_STRING && x->signature.flags & 0x7) {
+ X509err(X509_F_X509_VERIFY_SM2, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+ return -1;
+ }
+
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ /* Check public key OID matches public key type */
+ if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id) {
+ X509err(X509_F_X509_VERIFY_SM2, ASN1_R_WRONG_PUBLIC_KEY_TYPE);
+ goto err;
+ }
+
+ if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_EVP_LIB);
+ ret = 0;
+ goto err;
+ }
+ pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (pctx == NULL) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_EVP_LIB);
+ ret = 0;
+ goto err;
+ }
+ if (EVP_PKEY_CTX_set1_id(pctx, x->sm2_id.data, x->sm2_id.length) != 1) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_EVP_LIB);
+ ret = 0;
+ goto err;
+ }
+ EVP_MD_CTX_set_pkey_ctx(ctx, pctx);
+
+ if (!EVP_DigestVerifyInit(ctx, NULL, type, NULL, pkey)) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_EVP_LIB);
+ ret = 0;
+ goto err;
+ }
+
+ inl = ASN1_item_i2d((ASN1_VALUE *)&x->cert_info, &buf_in,
+ ASN1_ITEM_rptr(X509_CINF));
+ if (inl <= 0) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ if (buf_in == NULL) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ inll = inl;
+
+ ret = EVP_DigestVerify(ctx, x->signature.data,
+ (size_t)x->signature.length, buf_in, inl);
+ if (ret <= 0) {
+ X509err(X509_F_X509_VERIFY_SM2, ERR_R_EVP_LIB);
+ goto err;
+ }
+ ret = 1;
+ err:
+ OPENSSL_clear_free(buf_in, inll);
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_CTX_free(pctx);
+ return ret;
+}
+#endif
+
int X509_verify(X509 *a, EVP_PKEY *r)
{
+#ifndef OPENSSL_NO_SM2
+ int mdnid, pknid;
+#endif
+
if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature))
return 0;
+
+#ifndef OPENSSL_NO_SM2
+ /* Convert signature OID into digest and public key OIDs */
+ if (!OBJ_find_sigid_algs(OBJ_obj2nid(a->sig_alg.algorithm),
+ &mdnid, &pknid)) {
+ X509err(X509_F_X509_VERIFY, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
+ return 0;
+ }
+
+ if (pknid == NID_sm2)
+ return x509_verify_sm2(a, r, mdnid, pknid);
+#endif
+
return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
&a->signature, &a->cert_info, r));
}
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 7aa8b77..1beab78 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -245,3 +245,15 @@ int X509_get_signature_nid(const X509 *x)
{
return OBJ_obj2nid(x->sig_alg.algorithm);
}
+
+#ifndef OPENSSL_NO_SM2
+void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id)
+{
+ x->sm2_id = *sm2_id;
+}
+
+ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x)
+{
+ return &x->sm2_id;
+}
+#endif
diff --git a/fuzz/oids.txt b/fuzz/oids.txt
index eda55e4..8dfdea9 100644
--- a/fuzz/oids.txt
+++ b/fuzz/oids.txt
@@ -1063,3 +1063,4 @@ OBJ_id_tc26_gost_3410_2012_256_paramSetC="\x2A\x85\x03\x07\x01\x02\x01\x01\x03"
OBJ_id_tc26_gost_3410_2012_256_paramSetD="\x2A\x85\x03\x07\x01\x02\x01\x01\x04"
OBJ_hmacWithSHA512_224="\x2A\x86\x48\x86\xF7\x0D\x02\x0C"
OBJ_hmacWithSHA512_256="\x2A\x86\x48\x86\xF7\x0D\x02\x0D"
+OBJ_SM2_with_SM3="\x2A\x81\x1C\xCF\x55\x01\x83\x75"
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 243ea74..418c427 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -177,7 +177,7 @@ struct x509_st {
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
-#ifndef OPENSSL_NO_RFC3779
+# ifndef OPENSSL_NO_RFC3779
STACK_OF(IPAddressFamily) *rfc3779_addr;
struct ASIdentifiers_st *rfc3779_asid;
# endif
@@ -185,6 +185,9 @@ struct x509_st {
X509_CERT_AUX *aux;
CRYPTO_RWLOCK *lock;
volatile int ex_cached;
+# ifndef OPENSSL_NO_SM2
+ ASN1_OCTET_STRING sm2_id;
+# endif
} /* X509 */ ;
/*
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index eb812ed..9b125c1 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/objects/objects.pl
*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
@@ -1179,6 +1179,11 @@
#define NID_sm3WithRSAEncryption 1144
#define OBJ_sm3WithRSAEncryption OBJ_sm_scheme,504L
+#define SN_SM2_with_SM3 "SM2-SM3"
+#define LN_SM2_with_SM3 "SM2-with-SM3"
+#define NID_SM2_with_SM3 1195
+#define OBJ_SM2_with_SM3 OBJ_sm_scheme,501L
+
#define LN_hmacWithSHA224 "hmacWithSHA224"
#define NID_hmacWithSHA224 798
#define OBJ_hmacWithSHA224 OBJ_rsadsi,2L,8L
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 3ff86ec..5f17057 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -573,6 +573,9 @@ void X509_get0_signature(const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg, const X509 *x);
int X509_get_signature_nid(const X509 *x);
+void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
+ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
+
int X509_trusted(const X509 *x);
int X509_alias_set1(X509 *x, const unsigned char *name, int len);
int X509_keyid_set1(X509 *x, const unsigned char *id, int len);
diff --git a/include/openssl/x509err.h b/include/openssl/x509err.h
index cd08673..06d75f0 100644
--- a/include/openssl/x509err.h
+++ b/include/openssl/x509err.h
@@ -81,8 +81,10 @@ int ERR_load_X509_strings(void);
# define X509_F_X509_TO_X509_REQ 126
# define X509_F_X509_TRUST_ADD 133
# define X509_F_X509_TRUST_SET 141
+# define X509_F_X509_VERIFY 161
# define X509_F_X509_VERIFY_CERT 127
# define X509_F_X509_VERIFY_PARAM_NEW 159
+# define X509_F_X509_VERIFY_SM2 162
/*
* X509 reason codes.
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 1566231..8635ac4 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4626,3 +4626,5 @@ FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION:
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
+X509_set_sm2_id 6383 1_1_1m EXIST::FUNCTION:
+X509_get0_sm2_id 6384 1_1_1m EXIST::FUNCTION:
--
2.20.1 (Apple Git-117)

127
Backport-Support-parsing-of-SM2-ID-in-hexdecimal.patch
View File

@ -1,127 +0,0 @@
From 1d9e832e41858b13a96899d842afd183f1c66c48 Mon Sep 17 00:00:00 2001
From: Paul Yang <kaishen.yy@antfin.com>
Date: Tue, 30 Jul 2019 23:05:44 +0800
Subject: [PATCH 11/15] Support parsing of SM2 ID in hexdecimal
The current EVP_PEKY_ctrl for SM2 has no capability of parsing an ID
input in hexdecimal.
The newly added ctrl string is called: sm2_hex_id
Test cases and documentation are updated.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9584)
---
crypto/sm2/sm2_pmeth.c | 19 +++++++++++++++++++
doc/man1/pkeyutl.pod | 7 +++++++
include/openssl/ec.h | 1 -
test/recipes/25-test_req.t | 15 +++++++++++++--
4 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
index 837bdc1..9551d70 100644
--- a/crypto/sm2/sm2_pmeth.c
+++ b/crypto/sm2/sm2_pmeth.c
@@ -232,6 +232,10 @@ static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
static int pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx,
const char *type, const char *value)
{
+ uint8_t *hex_id;
+ long hex_len = 0;
+ int ret = 0;
+
if (strcmp(type, "ec_paramgen_curve") == 0) {
int nid = NID_undef;
@@ -255,6 +259,21 @@ static int pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx,
} else if (strcmp(type, "sm2_id") == 0) {
return pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID,
(int)strlen(value), (void *)value);
+ } else if (strcmp(type, "sm2_hex_id") == 0) {
+ /*
+ * TODO(3.0): reconsider the name "sm2_hex_id", OR change
+ * OSSL_PARAM_construct_from_text() / OSSL_PARAM_allocate_from_text()
+ * to handle infix "_hex_"
+ */
+ hex_id = OPENSSL_hexstr2buf((const char *)value, &hex_len);
+ if (hex_id == NULL) {
+ SM2err(SM2_F_PKEY_SM2_CTRL_STR, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+ ret = pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID, (int)hex_len,
+ (void *)hex_id);
+ OPENSSL_free(hex_id);
+ return ret;
}
return -2;
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index f0f80af..1a742ab 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -329,6 +329,13 @@ This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.
Otherwise the verification will fail.
+=item B<sm2_hex_id:hex_string>
+
+This sets the ID string used in SM2 sign or verify operations. While verifying
+an SM2 signature, the ID string must be the same one used when signing the data.
+Otherwise the verification will fail. The ID string provided with this option
+should be a valid hexadecimal value.
+
=back
=head1 EXAMPLES
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 24baf53..e8c8869 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -1444,7 +1444,6 @@ void EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth,
# define EVP_PKEY_CTX_set1_id(ctx, id, id_len) \
EVP_PKEY_CTX_ctrl(ctx, -1, -1, \
EVP_PKEY_CTRL_SET1_ID, (int)id_len, (void*)(id))
-
# define EVP_PKEY_CTX_get1_id(ctx, id) \
EVP_PKEY_CTX_ctrl(ctx, -1, -1, \
EVP_PKEY_CTRL_GET1_ID, 0, (void*)(id))
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 8289959..d53e577 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -182,10 +182,10 @@ subtest "generating certificate requests" => sub {
};
subtest "generating SM2 certificate requests" => sub {
- plan tests => 2;
+ plan tests => 4;
SKIP: {
- skip "SM2 is not supported by this OpenSSL build", 2
+ skip "SM2 is not supported by this OpenSSL build", 4
if disabled("sm2");
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
@@ -197,6 +197,17 @@ subtest "generating SM2 certificate requests" => sub {
"-verify", "-in", "testreq.pem", "-noout",
"-sm2-id", "1234567812345678", "-sm3"])),
"Verifying signature on SM2 certificate request");
+
+ ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+ "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+ "-sigopt", "sm2_hex_id:DEADBEEF",
+ "-out", "testreq.pem", "-sm3"])),
+ "Generating SM2 certificate request with hex id");
+
+ ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq.pem", "-noout",
+ "-sm2-hex-id", "DEADBEEF", "-sm3"])),
+ "Verifying signature on SM2 certificate request");
}
};
--
2.20.1 (Apple Git-117)

482
Backport-Support-raw-input-data-in-apps-pkeyutl.patch
View File

@ -1,482 +0,0 @@
From b14bf717ccb166cce13173a817106effb02f6c2e Mon Sep 17 00:00:00 2001
From: Paul Yang <yang.yang@baishancloud.com>
Date: Wed, 16 Jan 2019 16:16:28 +0800
Subject: [PATCH 01/15] Support raw input data in apps/pkeyutl
Some signature algorithms require special treatment for digesting, such
as SM2. This patch adds the ability of handling raw input data in
apps/pkeyutl other than accepting only pre-hashed input data.
Beside, SM2 requries an ID string when signing or verifying a piece of data,
this patch also adds the ability for apps/pkeyutil to specify that ID
string.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8186)
---
apps/pkeyutl.c | 168 +++++++++++++++++++++++++++++----
crypto/sm2/sm2_pmeth.c | 3 +
doc/man1/pkeyutl.pod | 45 +++++++++
test/certs/sm2.crt | 13 +++
test/certs/sm2.key | 5 +
test/recipes/20-test_pkeyutl.t | 43 +++++++++
6 files changed, 260 insertions(+), 17 deletions(-)
create mode 100644 test/certs/sm2.crt
create mode 100644 test/certs/sm2.key
create mode 100644 test/recipes/20-test_pkeyutl.t
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 831e14d..bca0464 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -22,7 +22,7 @@
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
- const int impl);
+ const int impl, EVP_PKEY **ppkey);
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
ENGINE *e);
@@ -31,6 +31,11 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
const unsigned char *in, size_t inlen);
+static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx,
+ const EVP_MD *md, EVP_PKEY *pkey, BIO *in,
+ unsigned char *sig, int siglen,
+ unsigned char **out, size_t *poutlen);
+
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
@@ -38,12 +43,15 @@ typedef enum OPTION_choice {
OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_KDF, OPT_KDFLEN,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_RAWIN, OPT_DIGEST
} OPTION_CHOICE;
const OPTIONS pkeyutl_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<', "Input file - default stdin"},
+ {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
+ {"digest", OPT_DIGEST, 's',
+ "Specify the digest algorithm when signing the raw input data"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"pubin", OPT_PUBIN, '-', "Input is a public key"},
{"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
@@ -80,6 +88,7 @@ int pkeyutl_main(int argc, char **argv)
BIO *in = NULL, *out = NULL;
ENGINE *e = NULL;
EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *pkey = NULL;
char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
char hexdump = 0, asn1parse = 0, rev = 0, *prog;
unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
@@ -94,6 +103,8 @@ int pkeyutl_main(int argc, char **argv)
const char *kdfalg = NULL;
int kdflen = 0;
STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
+ int rawin = 0;
+ const EVP_MD *md = NULL;
prog = opt_init(argc, argv, pkeyutl_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -192,12 +203,39 @@ int pkeyutl_main(int argc, char **argv)
goto end;
}
break;
+ case OPT_RAWIN:
+ rawin = 1;
+ break;
+ case OPT_DIGEST:
+ if (!opt_md(opt_arg(), &md))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
+ if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
+ BIO_printf(bio_err,
+ "%s: -rawin can only be used with -sign or -verify\n",
+ prog);
+ goto opthelp;
+ }
+
+ if (md != NULL && !rawin) {
+ BIO_printf(bio_err,
+ "%s: -digest can only be used with -rawin\n",
+ prog);
+ goto opthelp;
+ }
+
+ if (rawin && rev) {
+ BIO_printf(bio_err, "%s: -rev cannot be used with raw input\n",
+ prog);
+ goto opthelp;
+ }
+
if (kdfalg != NULL) {
if (kdflen == 0) {
BIO_printf(bio_err,
@@ -214,7 +252,7 @@ int pkeyutl_main(int argc, char **argv)
goto opthelp;
}
ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
- passinarg, pkey_op, e, engine_impl);
+ passinarg, pkey_op, e, engine_impl, &pkey);
if (ctx == NULL) {
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
ERR_print_errors(bio_err);
@@ -277,7 +315,8 @@ int pkeyutl_main(int argc, char **argv)
}
}
- if (in != NULL) {
+ /* Raw input data is handled elsewhere */
+ if (in != NULL && !rawin) {
/* Read the input data */
buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
if (buf_inlen < 0) {
@@ -296,8 +335,9 @@ int pkeyutl_main(int argc, char **argv)
}
}
- /* Sanity check the input */
- if (buf_inlen > EVP_MAX_MD_SIZE
+ /* Sanity check the input if the input is not raw */
+ if (!rawin
+ && buf_inlen > EVP_MAX_MD_SIZE
&& (pkey_op == EVP_PKEY_OP_SIGN
|| pkey_op == EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
@@ -306,8 +346,13 @@ int pkeyutl_main(int argc, char **argv)
}
if (pkey_op == EVP_PKEY_OP_VERIFY) {
- rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
- buf_in, (size_t)buf_inlen);
+ if (rawin) {
+ rv = do_raw_keyop(pkey_op, ctx, md, pkey, in, sig, siglen,
+ NULL, 0);
+ } else {
+ rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
+ buf_in, (size_t)buf_inlen);
+ }
if (rv == 1) {
BIO_puts(out, "Signature Verified Successfully\n");
ret = 0;
@@ -320,14 +365,20 @@ int pkeyutl_main(int argc, char **argv)
buf_outlen = kdflen;
rv = 1;
} else {
- rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen);
- }
- if (rv > 0 && buf_outlen != 0) {
- buf_out = app_malloc(buf_outlen, "buffer output");
- rv = do_keyop(ctx, pkey_op,
- buf_out, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen);
+ if (rawin) {
+ /* rawin allocates the buffer in do_raw_keyop() */
+ rv = do_raw_keyop(pkey_op, ctx, md, pkey, in, NULL, 0,
+ &buf_out, (size_t *)&buf_outlen);
+ } else {
+ rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+ buf_in, (size_t)buf_inlen);
+ if (rv > 0 && buf_outlen != 0) {
+ buf_out = app_malloc(buf_outlen, "buffer output");
+ rv = do_keyop(ctx, pkey_op,
+ buf_out, (size_t *)&buf_outlen,
+ buf_in, (size_t)buf_inlen);
+ }
+ }
}
if (rv <= 0) {
if (pkey_op != EVP_PKEY_OP_DERIVE) {
@@ -364,7 +415,7 @@ int pkeyutl_main(int argc, char **argv)
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
- const int engine_impl)
+ const int engine_impl, EVP_PKEY **ppkey)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
@@ -422,10 +473,25 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
}
ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
} else {
+ EC_KEY *eckey = NULL;
+ const EC_GROUP *group = NULL;
+ int nid;
+
if (pkey == NULL)
goto end;
+ /* SM2 needs a special treatment */
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL
+ || (group = EC_KEY_get0_group(eckey)) == NULL
+ || (nid = EC_GROUP_get_curve_name(group)) == 0)
+ goto end;
+ if (nid == NID_sm2)
+ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
+ }
*pkeysize = EVP_PKEY_size(pkey);
ctx = EVP_PKEY_CTX_new(pkey, impl);
+ if (ppkey != NULL)
+ *ppkey = pkey;
EVP_PKEY_free(pkey);
}
@@ -522,3 +588,71 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
}
return rv;
}
+
+#define TBUF_MAXSIZE 2048
+
+static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx,
+ const EVP_MD *md, EVP_PKEY *pkey, BIO *in,
+ unsigned char *sig, int siglen,
+ unsigned char **out, size_t *poutlen)
+{
+ int rv = 0;
+ EVP_MD_CTX *mctx = NULL;
+ unsigned char tbuf[TBUF_MAXSIZE];
+ int tbuf_len = 0;
+
+ if ((mctx = EVP_MD_CTX_new()) == NULL) {
+ BIO_printf(bio_err, "Error: out of memory\n");
+ return rv;
+ }
+ EVP_MD_CTX_set_pkey_ctx(mctx, ctx);
+
+ switch(pkey_op) {
+ case EVP_PKEY_OP_VERIFY:
+ if (EVP_DigestVerifyInit(mctx, NULL, md, NULL, pkey) != 1)
+ goto end;
+ for (;;) {
+ tbuf_len = BIO_read(in, tbuf, TBUF_MAXSIZE);
+ if (tbuf_len == 0)
+ break;
+ if (tbuf_len < 0) {
+ BIO_printf(bio_err, "Error reading raw input data\n");
+ goto end;
+ }
+ rv = EVP_DigestVerifyUpdate(mctx, tbuf, (size_t)tbuf_len);
+ if (rv != 1) {
+ BIO_printf(bio_err, "Error verifying raw input data\n");
+ goto end;
+ }
+ }
+ rv = EVP_DigestVerifyFinal(mctx, sig, (size_t)siglen);
+ break;
+ case EVP_PKEY_OP_SIGN:
+ if (EVP_DigestSignInit(mctx, NULL, md, NULL, pkey) != 1)
+ goto end;
+ for (;;) {
+ tbuf_len = BIO_read(in, tbuf, TBUF_MAXSIZE);
+ if (tbuf_len == 0)
+ break;
+ if (tbuf_len < 0) {
+ BIO_printf(bio_err, "Error reading raw input data\n");
+ goto end;
+ }
+ rv = EVP_DigestSignUpdate(mctx, tbuf, (size_t)tbuf_len);
+ if (rv != 1) {
+ BIO_printf(bio_err, "Error signing raw input data\n");
+ goto end;
+ }
+ }
+ rv = EVP_DigestSignFinal(mctx, NULL, poutlen);
+ if (rv == 1 && out != NULL) {
+ *out = app_malloc(*poutlen, "buffer output");
+ rv = EVP_DigestSignFinal(mctx, *out, poutlen);
+ }
+ break;
+ }
+
+ end:
+ EVP_MD_CTX_free(mctx);
+ return rv;
+}
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
index 0e722b9..837bdc1 100644
--- a/crypto/sm2/sm2_pmeth.c
+++ b/crypto/sm2/sm2_pmeth.c
@@ -252,6 +252,9 @@ static int pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx,
else
return -2;
return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
+ } else if (strcmp(type, "sm2_id") == 0) {
+ return pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID,
+ (int)strlen(value), (void *)value);
}
return -2;
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index f6fd48d..f0f80af 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -10,6 +10,8 @@ pkeyutl - public key algorithm utility
B<openssl> B<pkeyutl>
[B<-help>]
[B<-in file>]
+[B<-rawin>]
+[B<-digest algorithm>]
[B<-out file>]
[B<-sigfile file>]
[B<-inkey file>]
@@ -54,6 +56,23 @@ Print out a usage message.
This specifies the input filename to read data from or standard input
if this option is not specified.
+=item B<-rawin>
+
+This indicates that the input data is raw data, which is not hashed by any
+message digest algorithm. The user can specify a digest algorithm by using
+the B<-digest> option. This option can only be used with B<-sign> and
+B<-verify>.
+
+=item B<-digest algorithm>
+
+This specifies the digest algorithm which is used to hash the input data before
+signing or verifying it with the input key. This option could be omitted if the
+signature algorithm does not require one (for instance, EdDSA). If this option
+is omitted but the signature algorithm requires one, a default value will be
+used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the
+default digest algorithm. For SM2, it will be SM3. If this option is present,
+then the B<-rawin> option must be also specified to B<pkeyutl>.
+
=item B<-out filename>
Specifies the output filename to write to or standard output by
@@ -296,6 +315,22 @@ the B<-pkeyopt> B<digest> option.
The X25519 and X448 algorithms support key derivation only. Currently there are
no additional options.
+=head1 SM2
+
+The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For
+the sign and verify operations, SM2 requires an ID string to be passed in. The
+following B<pkeyopt> value is supported:
+
+=over 4
+
+=item B<sm2_id:string>
+
+This sets the ID string used in SM2 sign or verify operations. While verifying
+an SM2 signature, the ID string must be the same one used when signing the data.
+Otherwise the verification will fail.
+
+=back
+
=head1 EXAMPLES
Sign some data using a private key:
@@ -329,6 +364,16 @@ Decrypt some data using a private key with OAEP padding using SHA256:
openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \
-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+Sign some data using an L<SM2(7)> private key and a specific ID:
+
+ openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \
+ -pkeyopt sm2_id:someid
+
+Verify some data using an L<SM2(7)> certificate and a specific ID:
+
+ openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \
+ -rawin -digest sm3 -pkeyopt sm2_id:someid
+
=head1 SEE ALSO
L<genpkey(1)>, L<pkey(1)>, L<rsautl(1)>
diff --git a/test/certs/sm2.crt b/test/certs/sm2.crt
new file mode 100644
index 0000000..189abb1
--- /dev/null
+++ b/test/certs/sm2.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6DCCAY6gAwIBAgIJAKH2BR6ITHZeMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
+AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
+Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMG8xCzAJBgNVBAYTAkNOMQsw
+CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
+MRAwDgYDVQQLDAdUZXN0IE9VMRswGQYDVQQDDBJUZXN0IFNNMiBTaWduIENlcnQw
+WTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQwqeNkWp7fiu1KZnuDkAucpM8piEzE
+TL1ymrcrOBvv8mhNNkeb20asbWgFQI2zOrSM99/sXGn9rM2/usM/MlcaoxowGDAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA9edBnAqT
+TNuGIUIvXsj6/nP+AzXA9HGtAIY4nrqW8LkCIHyZzhRTlxYtgfqkDl0OK5QQRCZH
+OZOfmtx613VyzXwc
+-----END CERTIFICATE-----
diff --git a/test/certs/sm2.key b/test/certs/sm2.key
new file mode 100644
index 0000000..1efd364
--- /dev/null
+++ b/test/certs/sm2.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQgSKhk+4xGyDI+IS2H
+WVfFPDxh1qv5+wtrddaIsGNXGZihRANCAAQwqeNkWp7fiu1KZnuDkAucpM8piEzE
+TL1ymrcrOBvv8mhNNkeb20asbWgFQI2zOrSM99/sXGn9rM2/usM/Mlca
+-----END PRIVATE KEY-----
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
new file mode 100644
index 0000000..a051138
--- /dev/null
+++ b/test/recipes/20-test_pkeyutl.t
@@ -0,0 +1,43 @@
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_pkeyutl");
+
+plan tests => 2;
+
+sub sign
+{
+ # Utilize the sm2.crt as the TBS file
+ return run(app(([ 'openssl', 'pkeyutl', '-sign',
+ '-in', srctop_file('test', 'certs', 'sm2.crt'),
+ '-inkey', srctop_file('test', 'certs', 'sm2.key'),
+ '-out', 'signature.sm2', '-rawin',
+ '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid'])));
+}
+
+sub verify
+{
+ # Utilize the sm2.crt as the TBS file
+ return run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
+ '-in', srctop_file('test', 'certs', 'sm2.crt'),
+ '-inkey', srctop_file('test', 'certs', 'sm2.crt'),
+ '-sigfile', 'signature.sm2', '-rawin',
+ '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid'])));
+}
+
+ok(sign, "Sign a piece of data using SM2");
+ok(verify, "Verify an SM2 signature against a piece of data");
+
+unlink 'signature.sm2';
--
2.20.1 (Apple Git-117)

191
Backport-Update-expired-SCT-certificates.patch
View File

@ -1,191 +0,0 @@
From acb105a848fd0a282550f6132dc131575cc5a655 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 1 Jun 2022 12:47:44 +0200
Subject: [PATCH 14/15] Update expired SCT certificates
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18446)
---
test/certs/embeddedSCTs1-key.pem | 38 ++++++++++++++++---------
test/certs/embeddedSCTs1.pem | 35 ++++++++++++-----------
test/certs/embeddedSCTs1.sct | 12 ++++----
test/certs/embeddedSCTs1_issuer-key.pem | 15 ++++++++++
test/certs/embeddedSCTs1_issuer.pem | 30 +++++++++----------
5 files changed, 79 insertions(+), 51 deletions(-)
create mode 100644 test/certs/embeddedSCTs1_issuer-key.pem
diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem
index e3e66d5..28dd206 100644
--- a/test/certs/embeddedSCTs1-key.pem
+++ b/test/certs/embeddedSCTs1-key.pem
@@ -1,15 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
-WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
-EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
-AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
-PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
-flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
-X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
-pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
-b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
-9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
-83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
-n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
-1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
+MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw
+XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT
+48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ
+b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L
+eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG
+a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm
+tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf
+3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r
+zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF
+nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ
+XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw
+ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ
+S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi
+BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3
+2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn
+MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU
+JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn
+j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA
+jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu
+ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk
+3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P
+o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI
+fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1
+5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP
+RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4=
-----END RSA PRIVATE KEY-----
diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem
index d1e8512..d2a111f 100644
--- a/test/certs/embeddedSCTs1.pem
+++ b/test/certs/embeddedSCTs1.pem
@@ -1,20 +1,21 @@
-----BEGIN CERTIFICATE-----
-MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
+MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
-MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu
-c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/
-BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk
-EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw
-FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q
-Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD
-VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w
-DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK
-BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L
-vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw
-KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG
-SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE
-oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr
-5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg
+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy
+NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK
+/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE
+FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI
+0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I
+QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S
+wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB
+CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I
+Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD
+ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI
+/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB
+u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ
+BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR
+RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1
+IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W
+YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw==
-----END CERTIFICATE-----
diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct
index 59362dc..35c9eb9 100644
--- a/test/certs/embeddedSCTs1.sct
+++ b/test/certs/embeddedSCTs1.sct
@@ -2,11 +2,11 @@ Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C:
79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64
- Timestamp : Apr 5 17:04:16.275 2013 GMT
+ Timestamp : Jan 1 00:00:00.000 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
- 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F:
- D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3:
- E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2:
- F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1:
- 05:51:9D:89:ED:BF:08
\ No newline at end of file
+ 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A:
+ D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4:
+ BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F:
+ 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7:
+ 60:EB:A8:AF:03:5E:C3
\ No newline at end of file
diff --git a/test/certs/embeddedSCTs1_issuer-key.pem b/test/certs/embeddedSCTs1_issuer-key.pem
new file mode 100644
index 0000000..9326e38
--- /dev/null
+++ b/test/certs/embeddedSCTs1_issuer-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR
+yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm
+JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB
+AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK
+QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL
+GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq
+r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr
+4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw
++mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ
+b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY
+xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN
+lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei
+T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU=
+-----END RSA PRIVATE KEY-----
diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem
index 1fa449d..6aa9455 100644
--- a/test/certs/embeddedSCTs1_issuer.pem
+++ b/test/certs/embeddedSCTs1_issuer.pem
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
+MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
-MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu
-c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7
-jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP
-KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL
-svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk
-tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG
-A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO
-MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB
-/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt
-OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy
-f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP
-OwqULg==
+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw
+ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy
+YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG
+0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4
+SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG
+acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw
+wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw
+CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB
+MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq
++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo
+2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c
+Doud4XrO
-----END CERTIFICATE-----
--
2.20.1 (Apple Git-117)

28
Backport-ct_test.c-Update-the-epoch-time.patch
View File

@ -1,28 +0,0 @@
From 7dbefac7fa259eee188017f6dbcfd11376fe6345 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 1 Jun 2022 13:06:46 +0200
Subject: [PATCH 15/15] ct_test.c: Update the epoch time
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18446)
---
test/ct_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/ct_test.c b/test/ct_test.c
index 78d11ca..535897d 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
goto end;
fixture->test_case_name = test_case_name;
- fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */
+ fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
|| !TEST_int_eq(
CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
--
2.20.1 (Apple Git-117)

58
CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch
View File

@ -1,58 +0,0 @@
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
test/bntest.c | 11 ++++++++++-
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/test/bntest.c b/test/bntest.c
index 390dd80073..1cab660bca 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d031f2..e28cc6bfb0 100644
--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--
2.27.0

69
CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
View File

@ -1,69 +0,0 @@
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
index 1723d5ded5..53b0f55985 100644
--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.27.0

76
CVE-2022-1292.patch
View File

@ -1,76 +0,0 @@
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index fa7c6c9..83c1cc8 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
--
1.8.3.1

257
CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
View File

@ -1,257 +0,0 @@
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 29 May 2022 20:11:24 +0200
Subject: [PATCH] Fix file operations in c_rehash.
CVE-2022-2068
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
---
tools/c_rehash.in | 216 +++++++++++++++++++++++++++---------------------------
1 file changed, 107 insertions(+), 109 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index cfd18f5..9d2a6f6 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -104,52 +104,78 @@ foreach (@dirlist) {
}
exit($errorcount);
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
+}
+
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
}
sub compute_hash {
@@ -177,76 +203,48 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
}
--
1.8.3.1

73
CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
View File

@ -1,73 +0,0 @@
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/aes/asm/aesni-x86.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index fe2b265..812758e 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
--
1.8.3.1

74
Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
View File

@ -1,74 +0,0 @@
From fa3d5b8af929c296f4d684345dedf1e2b4b390e2 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong2@huawei.com>
Date: Fri, 30 Sep 2022 12:10:15 +0800
Subject: [PATCH] PKCS7 sign and verify support SM2 algorithm
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
crypto/pkcs7/pk7_doit.c | 23 +++++++++++++++++++++--
crypto/sm2/sm2_pmeth.c | 1 +
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index f63fbc5..916a35a 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -946,6 +946,9 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
STACK_OF(X509_ATTRIBUTE) *sk;
BIO *btmp;
EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_SM2
+ EVP_PKEY_CTX *pctx = NULL;
+#endif
mdc_tmp = EVP_MD_CTX_new();
if (mdc_tmp == NULL) {
@@ -1013,7 +1016,19 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
goto err;
}
- if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL))
+ pkey = X509_get0_pubkey(x509);
+ if (!pkey) {
+ ret = -1;
+ goto err;
+ }
+
+ ret =
+#ifndef OPENSSL_NO_SM2
+ EVP_PKEY_is_sm2(pkey) ?
+ EVP_DigestVerifyInit(mdc_tmp, &pctx, EVP_get_digestbynid(md_type), NULL, pkey) :
+#endif
+ EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL);
+ if (!ret)
goto err;
alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
@@ -1036,7 +1051,11 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
goto err;
}
- i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
+ i =
+#ifndef OPENSSL_NO_SM2
+ EVP_PKEY_is_sm2(pkey) ? EVP_DigestVerifyFinal(mdc_tmp, os->data, os->length) :
+#endif
+ EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
ret = -1;
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
index 1998812..53cdbe9 100644
--- a/crypto/sm2/sm2_pmeth.c
+++ b/crypto/sm2/sm2_pmeth.c
@@ -221,6 +221,7 @@ static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
return 1;
case EVP_PKEY_CTRL_DIGESTINIT:
+ case EVP_PKEY_CTRL_PKCS7_SIGN:
/* nothing to be inited, this is to suppress the error... */
return 1;
--
2.33.0

621
Feature-SM4-XTS-optimization-for-ARM-by-HW-instruction.patch
View File

@ -1,621 +0,0 @@
From 3f0898b2aea424f18f58a182803478f25548674e Mon Sep 17 00:00:00 2001
From: Xu Yizhou <xuyizhou1@huawei.com>
Date: Wed, 2 Nov 2022 11:13:07 +0800
Subject: [PATCH 3/3] SM4 XTS optimization for ARM by HW instruction
This patch implements the SM4 XTS optimization for ARM processor,
using SM4 HW instruction, which is an optional feature of
crypto extension for aarch64 V8.
Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com>
---
crypto/evp/e_sm4.c | 28 ++
crypto/sm4/asm/sm4-armv8.pl | 498 +++++++++++++++++++++++++++++++++-
include/crypto/sm4_platform.h | 14 +
3 files changed, 537 insertions(+), 3 deletions(-)
diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c
index eaa5ba0..da4dbd3 100644
--- a/crypto/evp/e_sm4.c
+++ b/crypto/evp/e_sm4.c
@@ -281,6 +281,34 @@ static int sm4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
xctx->stream_gb = NULL;
xctx->stream = NULL;
+#ifdef HWSM4_CAPABLE
+ if (HWSM4_CAPABLE) {
+ if (enc) {
+ HWSM4_set_encrypt_key(key, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) HWSM4_encrypt;
+# ifdef HWSM4_xts_encrypt_gb
+ xctx->stream_gb = HWSM4_xts_encrypt_gb;
+# endif
+# ifdef HWSM4_xts_encrypt
+ xctx->stream = HWSM4_xts_encrypt;
+# endif
+ } else {
+ HWSM4_set_decrypt_key(key, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) HWSM4_decrypt;
+# ifdef HWSM4_xts_decrypt_gb
+ xctx->stream_gb = HWSM4_xts_decrypt_gb;
+# endif
+# ifdef HWSM4_xts_decrypt
+ xctx->stream = HWSM4_xts_decrypt;
+# endif
+ }
+ HWSM4_set_encrypt_key(key + bytes, &xctx->ks2.ks);
+ xctx->xts.block2 = (block128_f) HWSM4_encrypt;
+
+ xctx->xts.key1 = &xctx->ks1;
+ break;
+ } else
+#endif
#ifdef VPSM4_EX_CAPABLE
if (VPSM4_EX_CAPABLE) {
if (enc) {
diff --git a/crypto/sm4/asm/sm4-armv8.pl b/crypto/sm4/asm/sm4-armv8.pl
index dbacad2..923c1c0 100644
--- a/crypto/sm4/asm/sm4-armv8.pl
+++ b/crypto/sm4/asm/sm4-armv8.pl
@@ -11,9 +11,9 @@
# Oct 2021
#
-# $output is the last argument if it looks like a file (it has an extension)
+# $outut is the last argument if it looks like a file (it has an extension)
# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+$outut = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
@@ -21,7 +21,7 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
die "can't locate arm-xlate.pl";
-open OUT,"| \"$^X\" $xlate $flavour \"$output\""
+open OUT,"| \"$^X\" $xlate $flavour \"$outut\""
or die "can't call $xlate: $!";
*STDOUT=*OUT;
@@ -110,6 +110,120 @@ $code.=<<___;
___
}
+sub mov_reg_to_vec() {
+ my $src0 = shift;
+ my $src1 = shift;
+ my $desv = shift;
+$code.=<<___;
+ mov $desv.d[0],$src0
+ mov $desv.d[1],$src1
+#ifdef __ARMEB__
+ rev32 $desv.16b,$desv.16b
+#endif
+___
+}
+
+sub mov_vec_to_reg() {
+ my $srcv = shift;
+ my $des0 = shift;
+ my $des1 = shift;
+$code.=<<___;
+ mov $des0,$srcv.d[0]
+ mov $des1,$srcv.d[1]
+___
+}
+
+sub compute_tweak() {
+ my $src0 = shift;
+ my $src1 = shift;
+ my $des0 = shift;
+ my $des1 = shift;
+ my $tmp0 = shift;
+ my $tmp1 = shift;
+ my $magic = shift;
+$code.=<<___;
+ extr x$tmp1,$src1,$src1,#32
+ extr $des1,$src1,$src0,#63
+ and w$tmp0,w$magic,w$tmp1,asr#31
+ eor $des0,x$tmp0,$src0,lsl#1
+___
+}
+
+sub compute_tweak_vec() {
+ my $src = shift;
+ my $des = shift;
+ my $tmp0 = shift;
+ my $tmp1 = shift;
+ my $magic = shift;
+ &rbit($tmp1,$src);
+$code.=<<___;
+ shl $des.16b, $tmp1.16b, #1
+ ext $tmp0.16b, $tmp1.16b, $tmp1.16b,#15
+ ushr $tmp0.16b, $tmp0.16b, #7
+ mul $tmp0.16b, $tmp0.16b, $magic.16b
+ eor $des.16b, $des.16b, $tmp0.16b
+___
+ &rbit($des,$des);
+}
+
+sub mov_en_to_enc(){
+ my $en = shift;
+ my $enc = shift;
+ if ($en eq "en") {
+$code.=<<___;
+ mov $enc,1
+___
+ } else {
+$code.=<<___;
+ mov $enc,0
+___
+ }
+}
+
+sub rbit() {
+ my $dst = shift;
+ my $src = shift;
+
+ if ($src and ("$src" ne "$dst")) {
+ if ($standard eq "_gb") {
+$code.=<<___;
+ rbit $dst.16b,$src.16b
+___
+ } else {
+$code.=<<___;
+ mov $dst.16b,$src.16b
+___
+ }
+ } else {
+ if ($standard eq "_gb") {
+$code.=<<___;
+ rbit $dst.16b,$src.16b
+___
+ }
+ }
+}
+
+sub rev32_armeb() {
+ my $dst = shift;
+ my $src = shift;
+
+ if ($src and ("$src" ne "$dst")) {
+$code.=<<___;
+#ifdef __ARMEB__
+ rev32 $dst.16b,$src.16b
+#else
+ mov $dst.16b,$src.16b
+#endif
+___
+ } else {
+$code.=<<___;
+#ifdef __ARMEB__
+ rev32 $dst.16b,$dst.16b
+#endif
+___
+ }
+}
+
$code=<<___;
#include "arm_arch.h"
.arch armv8-a+crypto
@@ -595,6 +709,384 @@ $code.=<<___;
.size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
___
}}}
+
+
+{{{
+my ($inp,$out,$len,$rk1,$rk2,$ivp)=map("x$_",(0..5));
+my ($blocks)=("x2");
+my ($enc)=("x6");
+my ($remain)=("x7");
+my @twx=map("x$_",(9..24));
+my $lastBlk=("x25");
+
+my @tweak=map("v$_",(8..15));
+my @dat=map("v$_",(16..23));
+my $lastTweak=("v24");
+
+# x/w/v/q registers for compute tweak
+my ($magic)=("8");
+my ($tmp0,$tmp1)=("26","27");
+my ($qMagic,$vMagic)=("q25","v25");
+my ($vTmp0,$vTmp1)=("v26","v27");
+
+sub gen_xts_do_cipher() {
+$code.=<<___;
+.globl ${prefix}_xts_do_cipher${standard}
+.type ${prefix}_xts_do_cipher${standard},%function
+.align 5
+${prefix}_xts_do_cipher${standard}:
+ mov w$magic,0x87
+ ldr $qMagic, =0x01010101010101010101010101010187
+ // used to encrypt the XORed plaintext blocks
+ ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk2],#64
+ ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk2]
+ ld1 {@tweak[0].4s}, [$ivp]
+___
+ &rev32(@tweak[0],@tweak[0]);
+ &enc_blk(@tweak[0]);
+ &rev32(@tweak[0],@tweak[0]);
+$code.=<<___;
+ // used to encrypt the initial vector to yield the initial tweak
+ ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk1],#64
+ ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk1]
+
+ and $remain,$len,#0x0F
+ // convert length into blocks
+ lsr $blocks,$len,4
+ cmp $blocks,#1 // $len must be at least 16
+ b.lt 99f
+
+ cmp $remain,0 // if $len is a multiple of 16
+ b.eq .xts_encrypt_blocks${standard}
+ // if $len is not a multiple of 16
+ subs $blocks,$blocks,#1
+ b.eq .only_2blks_tweak${standard} // if $len is less than 32
+
+.xts_encrypt_blocks${standard}:
+___
+ &rbit(@tweak[0],@tweak[0]);
+ &rev32_armeb(@tweak[0],@tweak[0]);
+ &mov_vec_to_reg(@tweak[0],@twx[0],@twx[1]);
+ &compute_tweak(@twx[0],@twx[1],@twx[2],@twx[3],$tmp0,$tmp1,$magic);
+ &compute_tweak(@twx[2],@twx[3],@twx[4],@twx[5],$tmp0,$tmp1,$magic);
+ &compute_tweak(@twx[4],@twx[5],@twx[6],@twx[7],$tmp0,$tmp1,$magic);
+ &compute_tweak(@twx[6],@twx[7],@twx[8],@twx[9],$tmp0,$tmp1,$magic);
+ &compute_tweak(@twx[8],@twx[9],@twx[10],@twx[11],$tmp0,$tmp1,$magic);
+ &compute_tweak(@twx[10],@twx[11],@twx[12],@twx[13],$tmp0,$tmp1,$magic);
+ &compute_tweak(@twx[12],@twx[13],@twx[14],@twx[15],$tmp0,$tmp1,$magic);
+$code.=<<___;
+1:
+ cmp $blocks,#8
+___
+ &mov_reg_to_vec(@twx[0],@twx[1],@tweak[0]);
+ &compute_tweak(@twx[14],@twx[15],@twx[0],@twx[1],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[2],@twx[3],@tweak[1]);
+ &compute_tweak(@twx[0],@twx[1],@twx[2],@twx[3],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[4],@twx[5],@tweak[2]);
+ &compute_tweak(@twx[2],@twx[3],@twx[4],@twx[5],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[6],@twx[7],@tweak[3]);
+ &compute_tweak(@twx[4],@twx[5],@twx[6],@twx[7],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[8],@twx[9],@tweak[4]);
+ &compute_tweak(@twx[6],@twx[7],@twx[8],@twx[9],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[10],@twx[11],@tweak[5]);
+ &compute_tweak(@twx[8],@twx[9],@twx[10],@twx[11],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[12],@twx[13],@tweak[6]);
+ &compute_tweak(@twx[10],@twx[11],@twx[12],@twx[13],$tmp0,$tmp1,$magic);
+ &mov_reg_to_vec(@twx[14],@twx[15],@tweak[7]);
+ &compute_tweak(@twx[12],@twx[13],@twx[14],@twx[15],$tmp0,$tmp1,$magic);
+$code.=<<___;
+ b.lt 2f
+ ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64
+___
+ &rbit(@tweak[0],@tweak[0]);
+ &rbit(@tweak[1],@tweak[1]);
+ &rbit(@tweak[2],@tweak[2]);
+ &rbit(@tweak[3],@tweak[3]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ eor @dat[2].16b, @dat[2].16b, @tweak[2].16b
+ eor @dat[3].16b, @dat[3].16b, @tweak[3].16b
+ ld1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp],#64
+___
+ &rbit(@tweak[4],@tweak[4]);
+ &rbit(@tweak[5],@tweak[5]);
+ &rbit(@tweak[6],@tweak[6]);
+ &rbit(@tweak[7],@tweak[7]);
+$code.=<<___;
+ eor @dat[4].16b, @dat[4].16b, @tweak[4].16b
+ eor @dat[5].16b, @dat[5].16b, @tweak[5].16b
+ eor @dat[6].16b, @dat[6].16b, @tweak[6].16b
+ eor @dat[7].16b, @dat[7].16b, @tweak[7].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &rev32(@dat[2],@dat[2]);
+ &rev32(@dat[3],@dat[3]);
+ &rev32(@dat[4],@dat[4]);
+ &rev32(@dat[5],@dat[5]);
+ &rev32(@dat[6],@dat[6]);
+ &rev32(@dat[7],@dat[7]);
+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
+ &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]);
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &rev32(@dat[2],@dat[2]);
+ &rev32(@dat[3],@dat[3]);
+ &rev32(@dat[4],@dat[4]);
+ &rev32(@dat[5],@dat[5]);
+ &rev32(@dat[6],@dat[6]);
+ &rev32(@dat[7],@dat[7]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ eor @dat[2].16b, @dat[2].16b, @tweak[2].16b
+ eor @dat[3].16b, @dat[3].16b, @tweak[3].16b
+ eor @dat[4].16b, @dat[4].16b, @tweak[4].16b
+ eor @dat[5].16b, @dat[5].16b, @tweak[5].16b
+ eor @dat[6].16b, @dat[6].16b, @tweak[6].16b
+ eor @dat[7].16b, @dat[7].16b, @tweak[7].16b
+
+ // save the last tweak
+ mov $lastTweak.16b,@tweak[7].16b
+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
+ st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64
+ subs $blocks,$blocks,#8
+ b.eq 100f
+ b 1b
+2:
+ // process 4 blocks
+ cmp $blocks,#4
+ b.lt 1f
+ ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64
+___
+ &rbit(@tweak[0],@tweak[0]);
+ &rbit(@tweak[1],@tweak[1]);
+ &rbit(@tweak[2],@tweak[2]);
+ &rbit(@tweak[3],@tweak[3]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ eor @dat[2].16b, @dat[2].16b, @tweak[2].16b
+ eor @dat[3].16b, @dat[3].16b, @tweak[3].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &rev32(@dat[2],@dat[2]);
+ &rev32(@dat[3],@dat[3]);
+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &rev32(@dat[2],@dat[2]);
+ &rev32(@dat[3],@dat[3]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ eor @dat[2].16b, @dat[2].16b, @tweak[2].16b
+ eor @dat[3].16b, @dat[3].16b, @tweak[3].16b
+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
+ sub $blocks,$blocks,#4
+ mov @tweak[0].16b,@tweak[4].16b
+ mov @tweak[1].16b,@tweak[5].16b
+ mov @tweak[2].16b,@tweak[6].16b
+ // save the last tweak
+ mov $lastTweak.16b,@tweak[3].16b
+1:
+ // process last block
+ cmp $blocks,#1
+ b.lt 100f
+ b.gt 1f
+ ld1 {@dat[0].4s},[$inp],#16
+___
+ &rbit(@tweak[0],@tweak[0]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &enc_blk(@dat[0]);
+ &rev32(@dat[0],@dat[0]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ st1 {@dat[0].4s},[$out],#16
+ // save the last tweak
+ mov $lastTweak.16b,@tweak[0].16b
+ b 100f
+1: // process last 2 blocks
+ cmp $blocks,#2
+ b.gt 1f
+ ld1 {@dat[0].4s,@dat[1].4s},[$inp],#32
+___
+ &rbit(@tweak[0],@tweak[0]);
+ &rbit(@tweak[1],@tweak[1]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ st1 {@dat[0].4s,@dat[1].4s},[$out],#32
+ // save the last tweak
+ mov $lastTweak.16b,@tweak[1].16b
+ b 100f
+1: // process last 3 blocks
+ ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s},[$inp],#48
+___
+ &rbit(@tweak[0],@tweak[0]);
+ &rbit(@tweak[1],@tweak[1]);
+ &rbit(@tweak[2],@tweak[2]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ eor @dat[2].16b, @dat[2].16b, @tweak[2].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &rev32(@dat[2],@dat[2]);
+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
+ &rev32(@dat[0],@dat[0]);
+ &rev32(@dat[1],@dat[1]);
+ &rev32(@dat[2],@dat[2]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[0].16b
+ eor @dat[1].16b, @dat[1].16b, @tweak[1].16b
+ eor @dat[2].16b, @dat[2].16b, @tweak[2].16b
+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s},[$out],#48
+ // save the last tweak
+ mov $lastTweak.16b,@tweak[2].16b
+100:
+ cmp $remain,0
+ b.eq 99f
+
+// This brance calculates the last two tweaks,
+// while the encryption/decryption length is larger than 32
+.last_2blks_tweak${standard}:
+___
+ &rev32_armeb($lastTweak,$lastTweak);
+ &compute_tweak_vec($lastTweak,@tweak[1],$vTmp0,$vTmp1,$vMagic);
+ &compute_tweak_vec(@tweak[1],@tweak[2],$vTmp0,$vTmp1,$vMagic);
+$code.=<<___;
+ b .check_dec${standard}
+
+
+// This brance calculates the last two tweaks,
+// while the encryption/decryption length is less than 32, who only need two tweaks
+.only_2blks_tweak${standard}:
+ mov @tweak[1].16b,@tweak[0].16b
+___
+ &rev32_armeb(@tweak[1],@tweak[1]);
+ &compute_tweak_vec(@tweak[1],@tweak[2],$vTmp0,$vTmp1,$vMagic);
+$code.=<<___;
+ b .check_dec${standard}
+
+
+// Determine whether encryption or decryption is required.
+// The last two tweaks need to be swapped for decryption.
+.check_dec${standard}:
+ // encryption:1 decryption:0
+ cmp $enc,1
+ b.eq .prcess_last_2blks${standard}
+ mov $vTmp0.16B,@tweak[1].16b
+ mov @tweak[1].16B,@tweak[2].16b
+ mov @tweak[2].16B,$vTmp0.16b
+
+.prcess_last_2blks${standard}:
+___
+ &rev32_armeb(@tweak[1],@tweak[1]);
+ &rev32_armeb(@tweak[2],@tweak[2]);
+$code.=<<___;
+ ld1 {@dat[0].4s},[$inp],#16
+ eor @dat[0].16b, @dat[0].16b, @tweak[1].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &enc_blk(@dat[0]);
+ &rev32(@dat[0],@dat[0]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[1].16b
+ st1 {@dat[0].4s},[$out],#16
+
+ sub $lastBlk,$out,16
+ .loop${standard}:
+ subs $remain,$remain,1
+ ldrb w$tmp0,[$lastBlk,$remain]
+ ldrb w$tmp1,[$inp,$remain]
+ strb w$tmp1,[$lastBlk,$remain]
+ strb w$tmp0,[$out,$remain]
+ b.gt .loop${standard}
+ ld1 {@dat[0].4s}, [$lastBlk]
+ eor @dat[0].16b, @dat[0].16b, @tweak[2].16b
+___
+ &rev32(@dat[0],@dat[0]);
+ &enc_blk(@dat[0]);
+ &rev32(@dat[0],@dat[0]);
+$code.=<<___;
+ eor @dat[0].16b, @dat[0].16b, @tweak[2].16b
+ st1 {@dat[0].4s}, [$lastBlk]
+99:
+ ret
+.size ${prefix}_xts_do_cipher${standard},.-${prefix}_xts_do_cipher${standard}
+___
+} #end of gen_xts_do_cipher
+
+}}}
+
+{{{
+my ($enc)=("w6");
+
+sub gen_xts_cipher() {
+ my $en = shift;
+$code.=<<___;
+.globl ${prefix}_xts_${en}crypt${standard}
+.type ${prefix}_xts_${en}crypt${standard},%function
+.align 5
+${prefix}_xts_${en}crypt${standard}:
+ stp x15, x16, [sp, #-0x10]!
+ stp x17, x18, [sp, #-0x10]!
+ stp x19, x20, [sp, #-0x10]!
+ stp x21, x22, [sp, #-0x10]!
+ stp x23, x24, [sp, #-0x10]!
+ stp x25, x26, [sp, #-0x10]!
+ stp x27, x28, [sp, #-0x10]!
+ stp x29, x30, [sp, #-0x10]!
+ stp d8, d9, [sp, #-0x10]!
+ stp d10, d11, [sp, #-0x10]!
+ stp d12, d13, [sp, #-0x10]!
+ stp d14, d15, [sp, #-0x10]!
+___
+ &mov_en_to_enc($en,$enc);
+$code.=<<___;
+ bl ${prefix}_xts_do_cipher${standard}
+ ldp d14, d15, [sp], #0x10
+ ldp d12, d13, [sp], #0x10
+ ldp d10, d11, [sp], #0x10
+ ldp d8, d9, [sp], #0x10
+ ldp x29, x30, [sp], #0x10
+ ldp x27, x28, [sp], #0x10
+ ldp x25, x26, [sp], #0x10
+ ldp x23, x24, [sp], #0x10
+ ldp x21, x22, [sp], #0x10
+ ldp x19, x20, [sp], #0x10
+ ldp x17, x18, [sp], #0x10
+ ldp x15, x16, [sp], #0x10
+ ret
+.size ${prefix}_xts_${en}crypt${standard},.-${prefix}_xts_${en}crypt${standard}
+___
+
+} # end of gen_xts_cipher
+$standard="_gb";
+&gen_xts_do_cipher();
+&gen_xts_cipher("en");
+&gen_xts_cipher("de");
+$standard="";
+&gen_xts_do_cipher();
+&gen_xts_cipher("en");
+&gen_xts_cipher("de");
+}}}
########################################
{ my %opcode = (
"sm4e" => 0xcec08400,
diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h
index 2f5a6cf..0bde96f 100644
--- a/include/crypto/sm4_platform.h
+++ b/include/crypto/sm4_platform.h
@@ -26,6 +26,10 @@
# define HWSM4_cbc_encrypt sm4_v8_cbc_encrypt
# define HWSM4_ecb_encrypt sm4_v8_ecb_encrypt
# define HWSM4_ctr32_encrypt_blocks sm4_v8_ctr32_encrypt_blocks
+# define HWSM4_xts_encrypt_gb sm4_v8_xts_encrypt_gb
+# define HWSM4_xts_decrypt_gb sm4_v8_xts_decrypt_gb
+# define HWSM4_xts_encrypt sm4_v8_xts_encrypt
+# define HWSM4_xts_decrypt sm4_v8_xts_decrypt
# endif
# endif
# endif /* OPENSSL_CPUID_OBJ */
@@ -46,6 +50,16 @@ void HWSM4_ecb_encrypt(const unsigned char *in, unsigned char *out,
void HWSM4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
size_t len, const void *key,
const unsigned char ivec[16]);
+/* xts mode in GB/T 17964-2021 */
+void HWSM4_xts_encrypt_gb(const unsigned char *in, unsigned char *out, size_t length, const SM4_KEY *key1,
+ const SM4_KEY *key2, const uint8_t iv[16]);
+void HWSM4_xts_decrypt_gb(const unsigned char *in, unsigned char *out, size_t length, const SM4_KEY *key1,
+ const SM4_KEY *key2, const uint8_t iv[16]);
+/* xts mode in IEEE Std 1619-2007 */
+void HWSM4_xts_encrypt(const unsigned char *in, unsigned char *out, size_t length, const SM4_KEY *key1,
+ const SM4_KEY *key2, const uint8_t iv[16]);
+void HWSM4_xts_decrypt(const unsigned char *in, unsigned char *out, size_t length, const SM4_KEY *key1,
+ const SM4_KEY *key2, const uint8_t iv[16]);
# endif /* HWSM4_CAPABLE */
#ifdef VPSM4_EX_CAPABLE
--
2.36.1

6353
Feature-Support-TLCP-protocol.patch
View File

File diff suppressed because it is too large Load Diff

87
Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
View File

@ -1,87 +0,0 @@
From d3e1106ea296a2ec94d27dd34692c34ad543ad04 Mon Sep 17 00:00:00 2001
From: s_c_c <shichuchao@huawei.com>
Date: Wed, 29 Jun 2022 17:54:50 +0800
Subject: [PATCH] X509 command supports SM2 certificate signing with default
sm2id
---
apps/x509.c | 4 ++++
include/openssl/sm2.h | 9 +++++++++
test/recipes/25-test_req.t | 13 ++++++++++---
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 1043eba..2669894 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1078,6 +1078,10 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
goto err;
}
+#ifndef OPENSSL_NO_SM2
+ if (EVP_PKEY_is_sm2(pkey) && !EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2))
+ goto err;
+#endif
if (!X509_sign(x, pkey, digest))
goto err;
return 1;
diff --git a/include/openssl/sm2.h b/include/openssl/sm2.h
index 505ebfc..cc517bc 100644
--- a/include/openssl/sm2.h
+++ b/include/openssl/sm2.h
@@ -1,3 +1,12 @@
+/*
+ * Copyright 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
#ifndef HEADER_SM2_H
# define HEADER_SM2_H
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index d53e577..2b0c08c 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -182,10 +182,10 @@ subtest "generating certificate requests" => sub {
};
subtest "generating SM2 certificate requests" => sub {
- plan tests => 4;
+ plan tests => 5;
SKIP: {
- skip "SM2 is not supported by this OpenSSL build", 4
+ skip "SM2 is not supported by this OpenSSL build", 5
if disabled("sm2");
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
@@ -198,6 +198,13 @@ subtest "generating SM2 certificate requests" => sub {
"-sm2-id", "1234567812345678", "-sm3"])),
"Verifying signature on SM2 certificate request");
+ # Use default sm2 id
+ ok(run(app(["openssl", "x509", "-req", "-extfile", srctop_file("test", "CAss.cnf"),
+ "-extensions", "v3_ca", "-sm3", "-days", "365",
+ "-in", "testreq.pem", "-signkey", srctop_file("test", "certs", "sm2.key"),
+ "-out", "testsign.pem"])),
+ "Signing SM2 certificate request");
+
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
"-sigopt", "sm2_hex_id:DEADBEEF",
@@ -218,7 +225,7 @@ run_conversion('req conversions',
run_conversion('req conversions -- testreq2',
srctop_file("test", "testreq2.pem"));
-unlink "testkey.pem", "testreq.pem", "testreq_withattrs_pem.pem", "testreq_withattrs_der.pem";
+unlink "testkey.pem", "testreq.pem", "testreq_withattrs_pem.pem", "testreq_withattrs_der.pem", "testsign.pem";
sub run_conversion {
my $title = shift;
--
2.20.1 (Apple Git-117)

2225
Feature-add-ARMv8-implementations-of-SM4-in-ECB-and-XTS.patch
View File

File diff suppressed because it is too large Load Diff

146
Fix-reported-performance-degradation-on-aarch64.patch
View File

@ -1,146 +0,0 @@
From a8f6d73fda64d514171e99a50d1483c0c0b8d968 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 12 Jun 2022 09:37:26 +0200
Subject: [PATCH] Fix reported performance degradation on aarch64
This restores the implementation prior to
commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode")
for 64bit targets only, since it is reportedly 2-17% slower,
and the silicon errata only affects 32bit targets.
Only for 32bit targets the new algorithm is used.
Fixes #18445
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18539)
---
crypto/aes/asm/aesv8-armx.pl | 62 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
index 2b0e982..1856d99 100755
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@@ -740,6 +740,21 @@ $code.=<<___;
#ifndef __ARMEB__
rev $ctr, $ctr
#endif
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat1,$dat0,$dat0
+ add $tctr1, $ctr, #1
+ vorr $dat2,$dat0,$dat0
+ add $ctr, $ctr, #2
+ vorr $ivec,$dat0,$dat0
+ rev $tctr1, $tctr1
+ vmov.32 ${dat1}[3],$tctr1
+ b.ls .Lctr32_tail
+ rev $tctr2, $ctr
+ sub $len,$len,#3 // bias
+ vmov.32 ${dat2}[3],$tctr2
+___
+$code.=<<___ if ($flavour !~ /64/);
add $tctr1, $ctr, #1
vorr $ivec,$dat0,$dat0
rev $tctr1, $tctr1
@@ -751,6 +766,8 @@ $code.=<<___;
vmov.32 ${ivec}[3],$tctr2
sub $len,$len,#3 // bias
vorr $dat2,$ivec,$ivec
+___
+$code.=<<___;
b .Loop3x_ctr32
.align 4
@@ -777,11 +794,25 @@ $code.=<<___;
aese $dat1,q8
aesmc $tmp1,$dat1
vld1.8 {$in0},[$inp],#16
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat0,$ivec,$ivec
+___
+$code.=<<___ if ($flavour !~ /64/);
add $tctr0,$ctr,#1
+___
+$code.=<<___;
aese $dat2,q8
aesmc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat1,$ivec,$ivec
+___
+$code.=<<___ if ($flavour !~ /64/);
rev $tctr0,$tctr0
+___
+$code.=<<___;
aese $tmp0,q9
aesmc $tmp0,$tmp0
aese $tmp1,q9
@@ -790,6 +821,12 @@ $code.=<<___;
mov $key_,$key
aese $dat2,q9
aesmc $tmp2,$dat2
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat2,$ivec,$ivec
+ add $tctr0,$ctr,#1
+___
+$code.=<<___;
aese $tmp0,q12
aesmc $tmp0,$tmp0
aese $tmp1,q12
@@ -805,22 +842,47 @@ $code.=<<___;
aese $tmp1,q13
aesmc $tmp1,$tmp1
veor $in2,$in2,$rndlast
+___
+$code.=<<___ if ($flavour =~ /64/);
+ rev $tctr0,$tctr0
+ aese $tmp2,q13
+ aesmc $tmp2,$tmp2
+ vmov.32 ${dat0}[3], $tctr0
+___
+$code.=<<___ if ($flavour !~ /64/);
vmov.32 ${ivec}[3], $tctr0
aese $tmp2,q13
aesmc $tmp2,$tmp2
vorr $dat0,$ivec,$ivec
+___
+$code.=<<___;
rev $tctr1,$tctr1
aese $tmp0,q14
aesmc $tmp0,$tmp0
+___
+$code.=<<___ if ($flavour !~ /64/);
vmov.32 ${ivec}[3], $tctr1
rev $tctr2,$ctr
+___
+$code.=<<___;
aese $tmp1,q14
aesmc $tmp1,$tmp1
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vmov.32 ${dat1}[3], $tctr1
+ rev $tctr2,$ctr
+ aese $tmp2,q14
+ aesmc $tmp2,$tmp2
+ vmov.32 ${dat2}[3], $tctr2
+___
+$code.=<<___ if ($flavour !~ /64/);
vorr $dat1,$ivec,$ivec
vmov.32 ${ivec}[3], $tctr2
aese $tmp2,q14
aesmc $tmp2,$tmp2
vorr $dat2,$ivec,$ivec
+___
+$code.=<<___;
subs $len,$len,#3
aese $tmp0,q15
aese $tmp1,q15
--
1.8.3.1

187
backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch
View File

@ -1,187 +0,0 @@
From 55eafed6fbefbc1e725bf7b17b2bbca083a457fc Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Mon, 30 May 2022 16:53:05 +0200
Subject: [PATCH] APPS/x509: With -CA but both -CAserial and -CAcreateserial
not given, use random serial.
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.
Backported from https://github.com/openssl/openssl/pull/18373
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18803)
---
apps/apps.c | 15 +++++++++++++--
apps/apps.h | 9 ++++++---
apps/ca.c | 6 ++++--
apps/x509.c | 12 ++++++++----
doc/man1/x509.pod | 12 +++++++-----
5 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index db5b48e4cf..f2447fb0be 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1376,7 +1376,8 @@ static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
#undef BSIZE
#define BSIZE 256
-BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
+BIGNUM *load_serial(const char *serialfile, int *exists, int create,
+ ASN1_INTEGER **retai)
{
BIO *in = NULL;
BIGNUM *ret = NULL;
@@ -1388,6 +1389,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
goto err;
in = BIO_new_file(serialfile, "r");
+ if (exists != NULL)
+ *exists = in != NULL;
if (in == NULL) {
if (!create) {
perror(serialfile);
@@ -1395,8 +1398,14 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
}
ERR_clear_error();
ret = BN_new();
- if (ret == NULL || !rand_serial(ret, ai))
+ if (ret == NULL) {
BIO_printf(bio_err, "Out of memory\n");
+ } else if (!rand_serial(ret, ai)) {
+ BIO_printf(bio_err, "Error creating random number to store in %s\n",
+ serialfile);
+ BN_free(ret);
+ ret = NULL;
+ }
} else {
if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
BIO_printf(bio_err, "unable to load number from %s\n",
@@ -1416,6 +1425,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
ai = NULL;
}
err:
+ if (ret == NULL)
+ ERR_print_errors(bio_err);
BIO_free(in);
ASN1_INTEGER_free(ai);
return ret;
diff --git a/apps/apps.h b/apps/apps.h
index 34c3fd8633..775342b4f3 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -527,9 +527,12 @@ typedef struct ca_db_st {
} CA_DB;
void* app_malloc(int sz, const char *what);
-BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai);
-int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
- ASN1_INTEGER **retai);
+
+/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
+BIGNUM *load_serial(const char *serialfile, int *exists, int create,
+ ASN1_INTEGER **retai);
+int save_serial(const char *serialfile, const char *suffix,
+ const BIGNUM *serial, ASN1_INTEGER **retai);
int rotate_serial(const char *serialfile, const char *new_suffix,
const char *old_suffix);
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
diff --git a/apps/ca.c b/apps/ca.c
index 390ac37493..ad01bba55a 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -842,7 +842,8 @@ end_of_options:
goto end;
}
} else {
- if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) {
+ serial = load_serial(serialfile, NULL, create_ser, NULL);
+ if (serial == NULL) {
BIO_printf(bio_err, "error while loading serial number\n");
goto end;
}
@@ -1078,7 +1079,8 @@ end_of_options:
if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
!= NULL)
- if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) {
+ if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL))
+ == NULL) {
BIO_printf(bio_err, "error while loading CRL number\n");
goto end;
}
diff --git a/apps/x509.c b/apps/x509.c
index 1f53504209..67a70e7fea 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -400,7 +400,7 @@ int x509_main(int argc, char **argv)
aliasout = ++num;
break;
case OPT_CACREATESERIAL:
- CA_createserial = ++num;
+ CA_createserial = 1;
break;
case OPT_CLREXT:
clrext = 1;
@@ -916,6 +916,7 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
char *buf = NULL;
ASN1_INTEGER *bs = NULL;
BIGNUM *serial = NULL;
+ int defaultfile = 0, file_exists;
if (serialfile == NULL) {
const char *p = strrchr(CAfile, '.');
@@ -925,9 +926,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
memcpy(buf, CAfile, len);
memcpy(buf + len, POSTFIX, sizeof(POSTFIX));
serialfile = buf;
+ defaultfile = 1;
}
- serial = load_serial(serialfile, create, NULL);
+ serial = load_serial(serialfile, &file_exists, create || defaultfile, NULL);
if (serial == NULL)
goto end;
@@ -936,8 +938,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
goto end;
}
- if (!save_serial(serialfile, NULL, serial, &bs))
- goto end;
+ if (file_exists || create)
+ save_serial(serialfile, NULL, serial, &bs);
+ else
+ bs = BN_to_ASN1_INTEGER(serial, NULL);
end:
OPENSSL_free(buf);
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
index 3c9b2f2263..67d131389a 100644
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
@@ -443,13 +443,15 @@ The default filename consists of the CA certificate file base name with
".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
+If the B<-CA> option is specified and both the <-CAserial> and <-CAcreateserial>
+options are not given and the default serial number file does not exist,
+a random number is generated; this is the recommended practice.
+
=item B<-CAcreateserial>
-With this option the CA serial number file is created if it does not exist:
-it will contain the serial number "02" and the certificate being signed will
-have the 1 as its serial number. If the B<-CA> option is specified
-and the serial number file does not exist a random number is generated;
-this is the recommended practice.
+With this option the CA serial number file is created if it does not exist.
+A random number is generated, used for the certificate, and saved into the
+serial number file in that case.
=item B<-extfile filename>
--
2.17.1

123
backport-Add-an-extra-reduction-step-to-RSAZ-mod_exp-implemen.patch
View File

@ -1,123 +0,0 @@
From 8438d3a7b7309cbea521d3628fddeda7bd6d6e20 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 9 Jun 2022 16:20:05 +0200
Subject: [PATCH] Add an extra reduction step to RSAZ mod_exp implementations
Inspired by BoringSSL fix by David Benjamin.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18511)
---
crypto/bn/rsaz_exp.c | 8 ++++++++
crypto/bn/rsaz_exp.h | 23 +++++++++++++++++++++++
test/recipes/10-test_bn_data/bnmod.txt | 10 ++++------
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/crypto/bn/rsaz_exp.c b/crypto/bn/rsaz_exp.c
index 22455b8a63..5c5cd4c282 100644
--- a/crypto/bn/rsaz_exp.c
+++ b/crypto/bn/rsaz_exp.c
@@ -66,6 +66,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
unsigned char *R2 = table_s; /* borrow */
int index;
int wvalue;
+ BN_ULONG tmp[16];
if ((((size_t)p_str & 4095) + 320) >> 12) {
result = p_str;
@@ -237,7 +238,10 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
rsaz_1024_red2norm_avx2(result_norm, result);
+ bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16);
+
OPENSSL_cleanse(storage, sizeof(storage));
+ OPENSSL_cleanse(tmp, sizeof(tmp));
}
/*
@@ -266,6 +270,7 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
unsigned char *p_str = (unsigned char *)exponent;
int index;
unsigned int wvalue;
+ BN_ULONG tmp[8];
/* table[0] = 1_inv */
temp[0] = 0 - m[0];
@@ -309,7 +314,10 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
/* from Montgomery */
rsaz_512_mul_by_one(result, temp, m, k0);
+ bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8);
+
OPENSSL_cleanse(storage, sizeof(storage));
+ OPENSSL_cleanse(tmp, sizeof(tmp));
}
#endif
diff --git a/crypto/bn/rsaz_exp.h b/crypto/bn/rsaz_exp.h
index 88f65a4bae..606496d45a 100644
--- a/crypto/bn/rsaz_exp.h
+++ b/crypto/bn/rsaz_exp.h
@@ -22,6 +22,8 @@
# define RSAZ_ENABLED
# include <openssl/bn.h>
+# include "internal/constant_time.h"
+# include "bn_local.h"
void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],
const BN_ULONG base_norm[16],
@@ -35,6 +37,27 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
const BN_ULONG m_norm[8], BN_ULONG k0,
const BN_ULONG RR[8]);
+static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask,
+ const BN_ULONG *a,
+ const BN_ULONG *b, size_t num)
+{
+ size_t i;
+
+ for (i = 0; i < num; i++) {
+ r[i] = constant_time_select_64(mask, a[i], b[i]);
+ }
+}
+
+static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r,
+ BN_ULONG carry,
+ const BN_ULONG *m,
+ BN_ULONG *tmp, size_t num)
+{
+ carry -= bn_sub_words(tmp, r, m, num);
+ bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);
+ return carry;
+}
+
# endif
#endif
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
index 69f8af43d5..edde03bd62 100644
--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2493,12 +2493,10 @@ E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
M = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97
# 1024-bit
-# TODO(davidben): This test breaks the RSAZ implementation. Fix it and enable
-# this test.
-# ModExp = 00
-# A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f
-# E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7
+ModExp = 00
+A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7
# 1025-bit
ModExp = 00
--
2.17.1

33
backport-Add-missing-header-for-memcmp.patch
View File

@ -1,33 +0,0 @@
From 60f011f584d80447e86cae1d1bd3ae24bc13235b Mon Sep 17 00:00:00 2001
From: Gregor Jasny <gjasny@googlemail.com>
Date: Tue, 5 Jul 2022 12:57:06 +0200
Subject: [PATCH] Add missing header for memcmp
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18719)
(cherry picked from commit f9e578e720bb35228948564192adbe3bc503d5fb)
---
test/v3ext.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/v3ext.c b/test/v3ext.c
index 386135fed8..7a240cd706 100644
--- a/test/v3ext.c
+++ b/test/v3ext.c
@@ -8,6 +8,7 @@
*/
#include <stdio.h>
+#include <string.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
--
2.17.1

71
backport-Add-test-for-EC_KEY_set_private_key.patch
View File

@ -1,71 +0,0 @@
From 1c2f52bed3ebee6222cf078278074c72717df4ec Mon Sep 17 00:00:00 2001
From: Roberto Hueso Gomez <roberto@robertohueso.org>
Date: Mon, 1 Aug 2022 02:08:47 +0200
Subject: [PATCH] Add test for EC_KEY_set_private_key()
This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
too.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18874)
---
test/ec_internal_test.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
index 45a36ab94a..4da842a8a7 100644
--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
@@ -183,6 +183,39 @@ static int field_tests_default(int n)
return ret;
}
+/*
+ * Tests behavior of the EC_KEY_set_private_key
+ */
+static int set_private_key(void)
+{
+ EC_KEY *key = NULL, *aux_key = NULL;
+ int testresult = 0;
+
+ key = EC_KEY_new_by_curve_name(NID_secp224r1);
+ aux_key = EC_KEY_new_by_curve_name(NID_secp224r1);
+ if (!TEST_ptr(key)
+ || !TEST_ptr(aux_key)
+ || !TEST_int_eq(EC_KEY_generate_key(key), 1)
+ || !TEST_int_eq(EC_KEY_generate_key(aux_key), 1))
+ goto err;
+
+ /* Test setting a valid private key */
+ if (!TEST_int_eq(EC_KEY_set_private_key(key, aux_key->priv_key), 1))
+ goto err;
+
+ /* Test compliance with legacy behavior for NULL private keys */
+ if (!TEST_int_eq(EC_KEY_set_private_key(key, NULL), 0)
+ || !TEST_ptr_null(key->priv_key))
+ goto err;
+
+ testresult = 1;
+
+ err:
+ EC_KEY_free(key);
+ EC_KEY_free(aux_key);
+ return testresult;
+}
+
/*
* Tests behavior of the decoded_from_explicit_params flag and API
*/
@@ -337,6 +370,7 @@ int setup_tests(void)
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);
+ ADD_TEST(set_private_key);
ADD_TEST(decoded_flag_test);
ADD_ALL_TESTS(ecpkparams_i2d2i_test, crv_len);
--
2.17.1

157
backport-Add-test-for-empty-supported-groups-extension.patch
View File

@ -1,157 +0,0 @@
From c7d6c08290b67cbeef2b4f636f04788ea405520a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 29 Apr 2022 17:02:19 +0200
Subject: [PATCH] Add test for empty supported-groups extension
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18213)
---
test/recipes/80-test_ssl_new.t | 4 +-
test/ssl-tests/16-certstatus.conf | 0
test/ssl-tests/30-supported-groups.conf | 54 ++++++++++++++++++++++
test/ssl-tests/30-supported-groups.conf.in | 45 ++++++++++++++++++
4 files changed, 102 insertions(+), 1 deletion(-)
delete mode 100644 test/ssl-tests/16-certstatus.conf
create mode 100644 test/ssl-tests/30-supported-groups.conf
create mode 100644 test/ssl-tests/30-supported-groups.conf.in
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 81d8f59a70..fa62b30850 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 29; # = scalar @conf_srcs
+plan tests => 30; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
@@ -70,6 +70,8 @@ my %conf_dependent_tests = (
"25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
"27-ticket-appdata.conf" => !$is_default_tls,
"28-seclevel.conf" => disabled("tls1_2") || $no_ec,
+ "30-supported-groups.conf" => disabled("tls1_2") || disabled("tls1_3")
+ || $no_ec || $no_ec2m
);
# Add your test here if it should be skipped for some compile-time
diff --git a/test/ssl-tests/16-certstatus.conf b/test/ssl-tests/16-certstatus.conf
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/test/ssl-tests/30-supported-groups.conf b/test/ssl-tests/30-supported-groups.conf
new file mode 100644
index 0000000000..4280db7114
--- /dev/null
+++ b/test/ssl-tests/30-supported-groups.conf
@@ -0,0 +1,54 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 2
+
+test-0 = 0-Just a sanity test case
+test-1 = 1-Pass with empty groups with TLS1.2
+# ===========================================================
+
+[0-Just a sanity test case]
+ssl_conf = 0-Just a sanity test case-ssl
+
+[0-Just a sanity test case-ssl]
+server = 0-Just a sanity test case-server
+client = 0-Just a sanity test case-client
+
+[0-Just a sanity test case-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-Just a sanity test case-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-Pass with empty groups with TLS1.2]
+ssl_conf = 1-Pass with empty groups with TLS1.2-ssl
+
+[1-Pass with empty groups with TLS1.2-ssl]
+server = 1-Pass with empty groups with TLS1.2-server
+client = 1-Pass with empty groups with TLS1.2-client
+
+[1-Pass with empty groups with TLS1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-Pass with empty groups with TLS1.2-client]
+CipherString = DEFAULT
+Groups = sect163k1
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/30-supported-groups.conf.in b/test/ssl-tests/30-supported-groups.conf.in
new file mode 100644
index 0000000000..438a07a11f
--- /dev/null
+++ b/test/ssl-tests/30-supported-groups.conf.in
@@ -0,0 +1,45 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+use OpenSSL::Test::Utils;
+
+our @tests = (
+ {
+ name => "Just a sanity test case",
+ server => { },
+ client => { },
+ test => { "ExpectedResult" => "Success" },
+ },
+);
+
+our @tests_tls1_3 = (
+ {
+ name => "Fail empty groups with TLS1.3",
+ server => { },
+ client => { "Groups" => "sect163k1" },
+ test => { "ExpectedResult" => "ClientFail" },
+ },
+);
+
+our @tests_tls1_2 = (
+ {
+ name => "Pass with empty groups with TLS1.2",
+ server => { },
+ client => { "Groups" => "sect163k1",
+ "MaxProtocol" => "TLSv1.2" },
+ test => { "ExpectedResult" => "Success" },
+ },
+);
+
+push @tests, @tests_tls1_3 unless disabled("tls1_3")
+ || !disabled("ec2m") || disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
--
2.17.1

406
backport-Always-end-BN_mod_exp_mont_consttime-with-normal-Mon.patch
View File

@ -1,406 +0,0 @@
From 0ed27fb7a8d85685cb671bf0a1e41bcdfc2624dc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 9 Jun 2022 12:34:55 +0200
Subject: [PATCH] Always end BN_mod_exp_mont_consttime with normal Montgomery
reduction.
This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when it should have returned
zero. Thanks to Guido Vranken for reporting it. It is only a partial fix
because the same bug also exists in the "rsaz" codepath.
The bug only affects zero outputs (with non-zero inputs), so we believe
it has no security impact on our cryptographic functions.
The fx is to delete lowercase bn_from_montgomery altogether, and have the
mont5 path use the same BN_from_montgomery ending as the non-mont5 path.
This only impacts the final step of the whole exponentiation and has no
measurable perf impact.
See the original BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315
for further analysis.
Original-author: David Benjamin <davidben@google.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18511)
---
crypto/bn/asm/x86_64-mont5.pl | 196 -------------------------
crypto/bn/bn_exp.c | 44 +++---
test/recipes/10-test_bn_data/bnmod.txt | 67 +++++++++
3 files changed, 93 insertions(+), 214 deletions(-)
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 8c37d132e4..cc7b610145 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -2101,193 +2101,6 @@ __bn_post4x_internal:
.size __bn_post4x_internal,.-__bn_post4x_internal
___
}
-{
-$code.=<<___;
-.globl bn_from_montgomery
-.type bn_from_montgomery,\@abi-omnipotent
-.align 32
-bn_from_montgomery:
-.cfi_startproc
- testl \$7,`($win64?"48(%rsp)":"%r9d")`
- jz bn_from_mont8x
- xor %eax,%eax
- ret
-.cfi_endproc
-.size bn_from_montgomery,.-bn_from_montgomery
-
-.type bn_from_mont8x,\@function,6
-.align 32
-bn_from_mont8x:
-.cfi_startproc
- .byte 0x67
- mov %rsp,%rax
-.cfi_def_cfa_register %rax
- push %rbx
-.cfi_push %rbx
- push %rbp
-.cfi_push %rbp
- push %r12
-.cfi_push %r12
- push %r13
-.cfi_push %r13
- push %r14
-.cfi_push %r14
- push %r15
-.cfi_push %r15
-.Lfrom_prologue:
-
- shl \$3,${num}d # convert $num to bytes
- lea ($num,$num,2),%r10 # 3*$num in bytes
- neg $num
- mov ($n0),$n0 # *n0
-
- ##############################################################
- # Ensure that stack frame doesn't alias with $rptr+3*$num
- # modulo 4096, which covers ret[num], am[num] and n[num]
- # (see bn_exp.c). The stack is allocated to aligned with
- # bn_power5's frame, and as bn_from_montgomery happens to be
- # last operation, we use the opportunity to cleanse it.
- #
- lea -320(%rsp,$num,2),%r11
- mov %rsp,%rbp
- sub $rptr,%r11
- and \$4095,%r11
- cmp %r11,%r10
- jb .Lfrom_sp_alt
- sub %r11,%rbp # align with $aptr
- lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256)
- jmp .Lfrom_sp_done
-
-.align 32
-.Lfrom_sp_alt:
- lea 4096-320(,$num,2),%r10
- lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256)
- sub %r10,%r11
- mov \$0,%r10
- cmovc %r10,%r11
- sub %r11,%rbp
-.Lfrom_sp_done:
- and \$-64,%rbp
- mov %rsp,%r11
- sub %rbp,%r11
- and \$-4096,%r11
- lea (%rbp,%r11),%rsp
- mov (%rsp),%r10
- cmp %rbp,%rsp
- ja .Lfrom_page_walk
- jmp .Lfrom_page_walk_done
-
-.Lfrom_page_walk:
- lea -4096(%rsp),%rsp
- mov (%rsp),%r10
- cmp %rbp,%rsp
- ja .Lfrom_page_walk
-.Lfrom_page_walk_done:
-
- mov $num,%r10
- neg $num
-
- ##############################################################
- # Stack layout
- #
- # +0 saved $num, used in reduction section
- # +8 &t[2*$num], used in reduction section
- # +32 saved *n0
- # +40 saved %rsp
- # +48 t[2*$num]
- #
- mov $n0, 32(%rsp)
- mov %rax, 40(%rsp) # save original %rsp
-.cfi_cfa_expression %rsp+40,deref,+8
-.Lfrom_body:
- mov $num,%r11
- lea 48(%rsp),%rax
- pxor %xmm0,%xmm0
- jmp .Lmul_by_1
-
-.align 32
-.Lmul_by_1:
- movdqu ($aptr),%xmm1
- movdqu 16($aptr),%xmm2
- movdqu 32($aptr),%xmm3
- movdqa %xmm0,(%rax,$num)
- movdqu 48($aptr),%xmm4
- movdqa %xmm0,16(%rax,$num)
- .byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00 # lea 64($aptr),$aptr
- movdqa %xmm1,(%rax)
- movdqa %xmm0,32(%rax,$num)
- movdqa %xmm2,16(%rax)
- movdqa %xmm0,48(%rax,$num)
- movdqa %xmm3,32(%rax)
- movdqa %xmm4,48(%rax)
- lea 64(%rax),%rax
- sub \$64,%r11
- jnz .Lmul_by_1
-
- movq $rptr,%xmm1
- movq $nptr,%xmm2
- .byte 0x67
- mov $nptr,%rbp
- movq %r10, %xmm3 # -num
-___
-$code.=<<___ if ($addx);
- mov OPENSSL_ia32cap_P+8(%rip),%r11d
- and \$0x80108,%r11d
- cmp \$0x80108,%r11d # check for AD*X+BMI2+BMI1
- jne .Lfrom_mont_nox
-
- lea (%rax,$num),$rptr
- call __bn_sqrx8x_reduction
- call __bn_postx4x_internal
-
- pxor %xmm0,%xmm0
- lea 48(%rsp),%rax
- jmp .Lfrom_mont_zero
-
-.align 32
-.Lfrom_mont_nox:
-___
-$code.=<<___;
- call __bn_sqr8x_reduction
- call __bn_post4x_internal
-
- pxor %xmm0,%xmm0
- lea 48(%rsp),%rax
- jmp .Lfrom_mont_zero
-
-.align 32
-.Lfrom_mont_zero:
- mov 40(%rsp),%rsi # restore %rsp
-.cfi_def_cfa %rsi,8
- movdqa %xmm0,16*0(%rax)
- movdqa %xmm0,16*1(%rax)
- movdqa %xmm0,16*2(%rax)
- movdqa %xmm0,16*3(%rax)
- lea 16*4(%rax),%rax
- sub \$32,$num
- jnz .Lfrom_mont_zero
-
- mov \$1,%rax
- mov -48(%rsi),%r15
-.cfi_restore %r15
- mov -40(%rsi),%r14
-.cfi_restore %r14
- mov -32(%rsi),%r13
-.cfi_restore %r13
- mov -24(%rsi),%r12
-.cfi_restore %r12
- mov -16(%rsi),%rbp
-.cfi_restore %rbp
- mov -8(%rsi),%rbx
-.cfi_restore %rbx
- lea (%rsi),%rsp
-.cfi_def_cfa_register %rsp
-.Lfrom_epilogue:
- ret
-.cfi_endproc
-.size bn_from_mont8x,.-bn_from_mont8x
-___
-}
}}}
if ($addx) {{{
@@ -3894,10 +3707,6 @@ mul_handler:
.rva .LSEH_begin_bn_power5
.rva .LSEH_end_bn_power5
.rva .LSEH_info_bn_power5
-
- .rva .LSEH_begin_bn_from_mont8x
- .rva .LSEH_end_bn_from_mont8x
- .rva .LSEH_info_bn_from_mont8x
___
$code.=<<___ if ($addx);
.rva .LSEH_begin_bn_mulx4x_mont_gather5
@@ -3929,11 +3738,6 @@ $code.=<<___;
.byte 9,0,0,0
.rva mul_handler
.rva .Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue # HandlerData[]
-.align 8
-.LSEH_info_bn_from_mont8x:
- .byte 9,0,0,0
- .rva mul_handler
- .rva .Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue # HandlerData[]
___
$code.=<<___ if ($addx);
.align 8
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 8c54ab005c..e21dcff027 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -900,14 +900,21 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
#if defined(OPENSSL_BN_ASM_MONT5)
if (window == 5 && top > 1) {
/*
- * This optimization uses ideas from http://eprint.iacr.org/2011/239,
- * specifically optimization of cache-timing attack countermeasures
- * and pre-computation optimization.
- */
-
- /*
- * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
- * 512-bit RSA is hardly relevant, we omit it to spare size...
+ * This optimization uses ideas from https://eprint.iacr.org/2011/239,
+ * specifically optimization of cache-timing attack countermeasures,
+ * pre-computation optimization, and Almost Montgomery Multiplication.
+ *
+ * The paper discusses a 4-bit window to optimize 512-bit modular
+ * exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer
+ * important.
+ *
+ * |bn_mul_mont_gather5| and |bn_power5| implement the "almost"
+ * reduction variant, so the values here may not be fully reduced.
+ * They are bounded by R (i.e. they fit in |top| words), not |m|.
+ * Additionally, we pass these "almost" reduced inputs into
+ * |bn_mul_mont|, which implements the normal reduction variant.
+ * Given those inputs, |bn_mul_mont| may not give reduced
+ * output, but it will still produce "almost" reduced output.
*/
void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
const void *table, const BN_ULONG *np,
@@ -919,9 +926,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const void *table, const BN_ULONG *np,
const BN_ULONG *n0, int num, int power);
int bn_get_bits5(const BN_ULONG *ap, int off);
- int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
- const BN_ULONG *not_used, const BN_ULONG *np,
- const BN_ULONG *n0, int num);
BN_ULONG *n0 = mont->n0, *np;
@@ -1010,14 +1014,18 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
}
}
- ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top);
tmp.top = top;
- bn_correct_top(&tmp);
- if (ret) {
- if (!BN_copy(rr, &tmp))
- ret = 0;
- goto err; /* non-zero ret means it's not error */
- }
+ /*
+ * The result is now in |tmp| in Montgomery form, but it may not be
+ * fully reduced. This is within bounds for |BN_from_montgomery|
+ * (tmp < R <= m*R) so it will, when converting from Montgomery form,
+ * produce a fully reduced result.
+ *
+ * This differs from Figure 2 of the paper, which uses AMM(h, 1) to
+ * convert from Montgomery form with unreduced output, followed by an
+ * extra reduction step. In the paper's terminology, we replace
+ * steps 9 and 10 with MM(h, 1).
+ */
} else
#endif
{
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
index 6c94a0f025..69f8af43d5 100644
--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2474,6 +2474,73 @@ A = 9025e6183706105e948b1b0edf922f9011b9e11887d70adb00b26f272b9e76a38f3099084d9c
E = d7e6df5d755284929b986cd9b61c9c2c8843f24c711fbdbae1a468edcae159400943725570726cdc92b3ea94f9f206729516fdda83e31d815b0c7720e7598a91d992273e3bd8ac413b441d8f1dfe5aa7c3bf3ef573adc38292676217467731e6cf440a59611b8110af88d3e62f60209b513b01fbb69a097458ad02096b5e38f0
M = e4e784aa1fa88625a43ba0185a153a929663920be7fe674a4d33c943d3b898cff051482e7050a070cede53be5e89f31515772c7aea637576f99f82708f89d9e244f6ad3a24a02cbe5c0ff7bcf2dad5491f53db7c3f2698a7c41b44f086652f17bb05fe4c5c0a92433c34086b49d7e1825b28bab6c5a9bd0bc95b53d659afa0d7
+# The following inputs trigger an edge case between Montgomery reduction and the
+# "almost" reduction variant from https://eprint.iacr.org/2011/239
+ModExp = 00
+A = 19c7bc9b97c6083cd7b8d1cd001452c9b67983247169c6532047eb7fc8933014dbf69fee7a358769f1429802c8ea89d4f9ca6ba6f368fbdb1fa5717b4a00
+E = bbc7e09147408571050e8d0c634682c5863b7e8a573626648902cff12e590c74f5a23ecce39732266bc15b8afbd6c48a48c83fbdc33947515cc0b6e4fb98ae2cd730e58f951fec8be7e2e3c74f4506c7fd7e29bdb28675fe8a59789ab1148e931a2ebd2d36f78bc241682a3d8083d8ff538858cd240c5a693936e5a391dc9d77118062a3f868c058440a4192267faaaba91112f45eee5842060febbf9353a6d3e7f7996573209136a5506062ea23d74067f08c613f3ff74bade25f8c3368e6dba84eae672eac11be1137fc514924fcab8c82e46d092bd047dcbadaa48c67a096ec1a04f392a8511e6acbad9954949b703e71ff837337b594055ae6f3c0fc154447a687c9ac8a2cdfd64a2e680c6ff21254735af7f5eb6b43f0bce86bda55a04143a991711081435ed4f4a89b23fc3a588022b7a8543db4bf5c8ac93603367c750ff2191f59a716340fab49bb7544759c8d846465eec1438e76395f73e7b5e945f31f1b87fefa854a0d208846eaab5fa27144fd039911608bab0eaee80f1d3553dfa2d9ba95268479b97a059613660df5ad79796e0b272244aca90ccc13449ec15c206eeed7b60405a4c5cfdf5da5d136c27fa9385d810ad198dfe794ffce9955e10520efea1e2eb794e379401b9affd863b9566ce941c4726755574a1b1946acf0090bfb93f37dd55f524485bbba7fa84b53addfde01ae1de9c57fe50d4b708dd0fa45d02af398b3d05c6d17f84c11e9aacdbe0b146cad6ddbd877731e26a17f3ebed459560d12ed7a6abc2ea6fe922e69d2622ef11b6b245b9ba8f0940faaa671a4beb727be5393a94dafaeff7221b29183e7418f4c5bb95a6a586c93dbc8ce0236d9dbe26c40513611b4141fed66599adbfb20fc30e09a4815e4159f65a6708f34584a7a77b3843941cd61a6917dcc3d07a3dfb5a2cb108bacea7e782f2111b4d22ecaaeff469ecd0da371df1ac5e9bf6df6ccba2d3a9f393d597499eaca2c206bfb81c3426c5fe45bcf16e38aecd246a319a1f37041c638b75a4839517e43a6d01bee7d85eaeedbce13cd15699d3ee42c7414cfed576590e4fb6ddb6edd3e1957efaf039bfe8b9dc75869b1f93abff15cae8b234161070fa3542303c2ed35ca66083d0ac299b81182317a2a3985269602b1fa1e822fcbda48e686d80b273f06b0a702ca7f42cbbbd2fc2b3601422c8bff6302eda3c61b293049636002649b16f3c1f0be2b6599d66493a4497cd795b10a2ab8220fafad24fa90e1bfcf39ecce337e705695c7a224bf9f445a287d6aab221341659ca4be7861f6ac4c9d33dac811e6
+M = 519b6e57781d40d897ec0c1b648d195526726b295438c9a70928ac25979563d72db91c8c42298a33b572edecdf40904c68a23337aa5341b56e92b0da5041
+
+# To fully exercise BN_mod_exp_mont_consttime codepaths, we generate inputs at
+# different bitwidths. rsaz-avx2.pl only runs at 1024-bit moduli, and
+# x86_64-mont5.pl unrolls 8 64-bit words at a time, so we want to capture both
+# multiples of 512- and non-multiples. Also include moduli that are not quite a
+# full word.
+# 512-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97
+
+# 1024-bit
+# TODO(davidben): This test breaks the RSAZ implementation. Fix it and enable
+# this test.
+# ModExp = 00
+# A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f
+# E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+# M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7
+
+# 1025-bit
+ModExp = 00
+A = 010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 010223abfdda02e84e11cec8ee7fc784fa135733935f7b9054bb70f1f06d234d76dcf3beed55c7f39e955dc1fef2b65009240fd02f7a1b27a78fc2867144bf666efb929856db9f671c356c4c67a068a70fe83c52eebda03668872fd270d0794f0771d217fb6b93b12529a944f7f0496a9158757c55b8ee14f803f1d2d887e2f561
+
+# 1088-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003d
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = e91f6d748773cb212a23aa348125615123b1800c9ea222c9374c757702ae4140fa333790ed8f6bf60a1d7dda65c2767cc5f33e32e333d19fbfb5a2b85795757c9ca070268763a618e9d33873d28a89bf88acd209efbb15b80cd33b92a6b3a682e1c91782fc24fb86ddff4f809219c977b54b99359094bbcc51dfe17b992ab24b74a17950ad754281
+
+# 1472-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = a8770362f4bfe4fc1ab0e52705c11a9b6ba235d5a5f22197c2d68e27ed18426ede3316af706aa79bcf943dbd51459eb15ae1f9386216b3f3a847f94440a65b97659bc5ba2adb67173714ecaa886c0b926d7a64ea45576f9d2171784ce7e801724d5b0abfd93357d538ea7ad3ad89a74f4660bdb66dfb5f684dcf00402e3cdf0ab58afd867c943c8f47b80268a789456aa7c50a619dd2f9f5e3f74b5d810f0f8dadbf4ad5b917cdcb156c4c132611c8b3b035118a9e03551f
+
+# 1536-bit
+ModExp = 00
+A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 878cd000778f927b2f1a4b8bac86efd282079a7ac0d25e09ffd2f72fbc282e65e233929d2457c7b1d63c56fb706cdfa04fb87e654c578c98d7cf59c2293dc5641086b68db4867105981daaf147a0ee91f6932ef064deae4142c19e58d50c0686f0eaf778be72450f89a98b4680bbc5ffab942195e44dd20616150fd1deca058068ca31ab2f861e99082588f17a2025bf5e536150142fca3187a259c791fc721430f24d7e338f8dc02e693a7e694d42775e80f7f7c03600b6ae86b4aba2b0e991
+
+# 2048-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 9f40a7535c561208ecb38e17c9336d9bc8484d335901b2cd42759cf03689227f6992f10cb6b586d767fbcdf30e9d82a0eda60d2694ccd0194fa96b50b56e0cdeec1951ea9e58b07e334a7f108841a0ab28256917fecea561388807ed124a17386a7a7b501f9cbf3404247a76948d0561e48137d3f9669e36f175731796aeaf78851f7d866917f661422186a4814aa35c066b5a90b9cfc918af769a9f0bb30c12581027df64ac328a0f07dbd20adb704479f6d0f233a131828c71bab19c3c34795ea4fb68aa632c6f688e5b3b84413c9031d8dc251003a590dec0dd09bfa6109ed4570701439b6f265b84ac2170c317357b5fbe5535e2bbdd93c1aacfdaa28c85
+
+# 3072-bit
+ModExp = 00
+A = 80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = c23dfd244a58a668d514498a705c8f8f548311b24f0f98b023d2d33632534c2ae948d6641d41fd7a29fbbd594bfc7fdd6e8162cbb3056af3075347b6fc8876458d33a9d0ffdbcdf482de0c73d1310fd8fa8f9f92dd0dbb0e2034e98a30f6c11b482f7476c5b593f673a322b1130daa4314e9074270dce1076436f0d56cf196afcbb235a9a7b3ac85b9062e85fc0e63a12c468c787019f6805f9faab64fc6a0babc80785d88740243f11366bffb40ccbe8b2bb7a99a2c8238a6f656bb0117d7b2602aa400f4d77de5f93c673f13264ca70de949454e3e3f261993c1aa427e8ef4f507af744f71f3b4aaf3c981d44cc1bfb1eb1151168762b242b740573df698e500d99612e17dc760f7b3bf7c235e39e81ad7edbe6c07dbb8b139745bb394d61cb799bcafec5de074932b0b2d74797e779ac8d81f63a2b2e9baa229dfaa7f90f34ffade1d2ad022a3407d35eb2d7477c6ae8ad100f6e95c05b4f947c1fabfb11a17add384e6b4cd3a02fd9b43f46805c6c74e366b74aa3b766be7a5fbbd67fa81
+
+# 4096-bit
+ModExp = 00
+A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
+E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+M = 8030411ecbddcb0fe4e76fd6b5bf542e8b015d1610cf96130ded12ba2cda0641bd9692080f218ea8b0d751845b519d95b843542ec8d2a07f1f93afe3189b69a4f35c983011c7f7928c3df458cc3eae85c36e6934a4b1bc0a67c8a521de336642c49e10a7ffa8d0af911aacc19e3900449161940f139220e099a150dcaf0ff96ffff6e726c1ac139969103cf6a828ac3adf0301506aa02787b4f570d5dde53a34acab8fec6fa94760abf16ee99954371ad65a6e899daab87b95811d069404991de9abe064ebbddf886e970f10d260c899dda940191a82d4c8bd36651363aff5493f4f59e700007dcadf37ebea7fcfd7600d16617ffea0d9ae659446d851d93c564e50e558f734c894d735fa273770703dab62844d9f01badf632f3d14a00f739c022c9be95f54e9cea46ec6da7cb11f4602e06962951c48204726b7f120ddbd0eb3566dc8d1e6f195a9196e96db33322d088b43aecffe9b4df182dd016aca0bd14f1c56cd1a18b89165c027029862b09ffd78e92ab614349c4fd67f49cb12cd33d0728930d0538bda57acef1365a73cc8fbac7d463b9e3c3bae0bb6224b080cdb8b5cd47d546d53111fdc22b7ff679bcfe27192920ee163b2be337d8cccc93b4de7d2d31934b9c0e97af291dcc1135b4a473bd37114eec3ba75c411887b57799d3188e7353f33a4d31735ebfc9fcfc044985148dd96da3876a5ab7ea7a404b411
# These test vectors satisfy (ModSqrt * ModSqrt) mod P = A mod P with P a prime.
# ModSqrt is in [0, (P-1)/2].
--
2.17.1

36
backport-Avoid-potential-memory-leak.patch
View File

@ -1,36 +0,0 @@
From c02fff5aecd4d002143a0e901f3dde3d14934a18 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 7 Mar 2022 17:05:57 +0100
Subject: [PATCH] Avoid potential memory leak
Resolves #17827
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17828)
(cherry picked from commit 175355923046921a689b500f7a72455f7095708f)
---
crypto/x509v3/v3_utl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 40d8f31554..83a4bc8a06 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -538,8 +538,11 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
return 0;
emtmp = OPENSSL_strndup((char *)email->data, email->length);
- if (emtmp == NULL)
+ if (emtmp == NULL) {
+ X509_email_free(*sk);
+ *sk = NULL;
return 0;
+ }
/* Don't add duplicates */
if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
--
2.17.1

30
backport-Check-password-length-only-when-verify-is-enabled.patch
View File

@ -1,30 +0,0 @@
From 0a9bb445893b4a98ad1588aef2d14c29e6c4c5e3 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Wed, 16 Mar 2022 07:42:55 +0100
Subject: [PATCH] Check password length only when verify is enabled.
Fixes #16231.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17899)
---
apps/apps.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/apps/apps.c b/apps/apps.c
index 1a92271595..db5b48e4cf 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
if (cb_data != NULL && cb_data->password != NULL
&& *(const char*)cb_data->password != '\0')
pw_min_len = 1;
+ else if (!verify)
+ pw_min_len = 0;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
if (!prompt) {
BIO_printf(bio_err, "Out of memory\n");
--
2.17.1

376
backport-Convert-serverinfo-in-SSL_CTX_use_serverinfo-to-v2.patch
View File

@ -1,376 +0,0 @@
From 6e6aad333f26694ff39aba1e59b358e3f25a9a1d Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 28 Aug 2022 11:53:32 +0200
Subject: [PATCH] Convert serverinfo in SSL_CTX_use_serverinfo() to v2.
Fixes #18183.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19081)
---
ssl/ssl_rsa.c | 81 ++++++++++++++++------
test/sslapitest.c | 171 +++++++++++++++++++++++++++++++---------------
2 files changed, 177 insertions(+), 75 deletions(-)
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 6457c0c0ef..3535c95354 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -727,6 +727,34 @@ static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type,
return 1;
}
+static size_t extension_contextoff(unsigned int version)
+{
+ return version == SSL_SERVERINFOV1 ? 4 : 0;
+}
+
+static size_t extension_append_length(unsigned int version, size_t extension_length)
+{
+ return extension_length + extension_contextoff(version);
+}
+
+static void extension_append(unsigned int version,
+ const unsigned char *extension,
+ const size_t extension_length,
+ unsigned char *serverinfo)
+{
+ const size_t contextoff = extension_contextoff(version);
+
+ if (contextoff > 0) {
+ /* We know this only uses the last 2 bytes */
+ serverinfo[0] = 0;
+ serverinfo[1] = 0;
+ serverinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff;
+ serverinfo[3] = SYNTHV1CONTEXT & 0xff;
+ }
+
+ memcpy(serverinfo + contextoff, extension, extension_length);
+}
+
static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char *in,
size_t inlen, int *al, void *arg)
@@ -842,12 +870,36 @@ int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
const unsigned char *serverinfo,
size_t serverinfo_length)
{
- unsigned char *new_serverinfo;
+ unsigned char *new_serverinfo = NULL;
if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
+ if (version == SSL_SERVERINFOV1) {
+ /*
+ * Convert serverinfo version v1 to v2 and call yourself recursively
+ * over the converted serverinfo.
+ */
+ const size_t sinfo_length = extension_append_length(SSL_SERVERINFOV1,
+ serverinfo_length);
+ unsigned char *sinfo;
+ int ret;
+
+ sinfo = OPENSSL_malloc(sinfo_length);
+ if (sinfo == NULL) {
+ SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ extension_append(SSL_SERVERINFOV1, serverinfo, serverinfo_length, sinfo);
+
+ ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, sinfo,
+ sinfo_length);
+
+ OPENSSL_free(sinfo);
+ return ret;
+ }
if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,
NULL)) {
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);
@@ -899,7 +951,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
char namePrefix2[] = "SERVERINFOV2 FOR ";
int ret = 0;
BIO *bin = NULL;
- size_t num_extensions = 0, contextoff = 0;
+ size_t num_extensions = 0;
if (ctx == NULL || file == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER);
@@ -918,6 +970,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
for (num_extensions = 0;; num_extensions++) {
unsigned int version;
+ size_t append_length;
if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
== 0) {
@@ -962,11 +1015,6 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
goto end;
}
- /*
- * File does not have a context value so we must take account of
- * this later.
- */
- contextoff = 4;
} else {
/* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */
if (extension_length < 8
@@ -977,25 +1025,16 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
}
}
/* Append the decoded extension to the serverinfo buffer */
- tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length
- + contextoff);
+ append_length = extension_append_length(version, extension_length);
+ tmp = OPENSSL_realloc(serverinfo, serverinfo_length + append_length);
if (tmp == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
goto end;
}
serverinfo = tmp;
- if (contextoff > 0) {
- unsigned char *sinfo = serverinfo + serverinfo_length;
-
- /* We know this only uses the last 2 bytes */
- sinfo[0] = 0;
- sinfo[1] = 0;
- sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff;
- sinfo[3] = SYNTHV1CONTEXT & 0xff;
- }
- memcpy(serverinfo + serverinfo_length + contextoff,
- extension, extension_length);
- serverinfo_length += extension_length + contextoff;
+ extension_append(version, extension, extension_length,
+ serverinfo + serverinfo_length);
+ serverinfo_length += append_length;
OPENSSL_free(name);
name = NULL;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 7197e15cac..685c28d934 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -85,20 +85,6 @@ struct sslapitest_log_counts {
};
-static unsigned char serverinfov1[] = {
- 0xff, 0xff, /* Dummy extension type */
- 0x00, 0x01, /* Extension length is 1 byte */
- 0xff /* Dummy extension data */
-};
-
-static unsigned char serverinfov2[] = {
- 0x00, 0x00, 0x00,
- (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
- 0xff, 0xff, /* Dummy extension type */
- 0x00, 0x01, /* Extension length is 1 byte */
- 0xff /* Dummy extension data */
-};
-
static int hostname_cb(SSL *s, int *al, void *arg)
{
const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
@@ -4349,62 +4335,137 @@ end:
return testresult;
}
-/*
- * Test loading of serverinfo data in various formats. test_sslmessages actually
- * tests to make sure the extensions appear in the handshake
- */
-static int test_serverinfo(int tst)
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
+
+#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
+ | SSL_EXT_CLIENT_HELLO \
+ | SSL_EXT_TLS1_2_SERVER_HELLO \
+ | SSL_EXT_IGNORE_ON_RESUMPTION)
+
+#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
+ | SSL_EXT_TLS1_2_SERVER_HELLO \
+ | SSL_EXT_CLIENT_HELLO)
+
+#define SERVERINFO_CUSTOM \
+ 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
+ 0x00, 0x03, \
+ 0x04, 0x05, 0x06 \
+
+static const unsigned char serverinfo_custom_tls13[] = {
+ 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
+ SERVERINFO_CUSTOM
+};
+static const unsigned char serverinfo_custom_v2[] = {
+ 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
+ SERVERINFO_CUSTOM
+};
+static const unsigned char serverinfo_custom_v1[] = {
+ SERVERINFO_CUSTOM
+};
+static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
+static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
+static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
+
+static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
+ unsigned int context,
+ const unsigned char *in,
+ size_t inlen, X509 *x,
+ size_t chainidx, int *al,
+ void *parse_arg)
{
- unsigned int version;
- unsigned char *sibuf;
- size_t sibuflen;
- int ret, expected, testresult = 0;
- SSL_CTX *ctx;
+ const size_t len = serverinfo_custom_v1_len;
+ const unsigned char *si = &serverinfo_custom_v1[len - 3];
+ int *p_cb_result = (int*)parse_arg;
+ *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
+ return 1;
+}
- ctx = SSL_CTX_new(TLS_method());
- if (!TEST_ptr(ctx))
- goto end;
+static int test_serverinfo_custom(const int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ int cb_result = 0;
- if ((tst & 0x01) == 0x01)
- version = SSL_SERVERINFOV2;
- else
- version = SSL_SERVERINFOV1;
+ /*
+ * Following variables are set in the switch statement
+ * according to the test iteration.
+ * Default values do not make much sense: test would fail with them.
+ */
+ int serverinfo_version = 0;
+ int protocol_version = 0;
+ unsigned int extension_context = 0;
+ const unsigned char *si = NULL;
+ size_t si_len = 0;
- if ((tst & 0x02) == 0x02) {
- sibuf = serverinfov2;
- sibuflen = sizeof(serverinfov2);
- expected = (version == SSL_SERVERINFOV2);
- } else {
- sibuf = serverinfov1;
- sibuflen = sizeof(serverinfov1);
- expected = (version == SSL_SERVERINFOV1);
+ const int call_use_serverinfo_ex = idx > 0;
+ switch (idx) {
+ case 0: /* FALLTHROUGH */
+ case 1:
+ serverinfo_version = SSL_SERVERINFOV1;
+ protocol_version = TLS1_2_VERSION;
+ extension_context = SYNTHV1CONTEXT;
+ si = serverinfo_custom_v1;
+ si_len = serverinfo_custom_v1_len;
+ break;
+ case 2:
+ serverinfo_version = SSL_SERVERINFOV2;
+ protocol_version = TLS1_2_VERSION;
+ extension_context = SYNTHV1CONTEXT;
+ si = serverinfo_custom_v2;
+ si_len = serverinfo_custom_v2_len;
+ break;
+ case 3:
+ serverinfo_version = SSL_SERVERINFOV2;
+ protocol_version = TLS1_3_VERSION;
+ extension_context = TLS13CONTEXT;
+ si = serverinfo_custom_tls13;
+ si_len = serverinfo_custom_tls13_len;
+ break;
}
- if ((tst & 0x04) == 0x04) {
- ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
- } else {
- ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
+ if (!TEST_true(create_ssl_ctx_pair(TLS_method(),
+ TLS_method(),
+ protocol_version,
+ protocol_version,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
- /*
- * The version variable is irrelevant in this case - it's what is in the
- * buffer that matters
- */
- if ((tst & 0x02) == 0x02)
- expected = 0;
- else
- expected = 1;
+ if (call_use_serverinfo_ex) {
+ if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
+ si, si_len)))
+ goto end;
+ } else {
+ if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
+ goto end;
}
- if (!TEST_true(ret == expected))
+ if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
+ extension_context,
+ NULL, NULL, NULL,
+ serverinfo_custom_parse_cb,
+ &cb_result))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL))
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
+ goto end;
+
+ if (!TEST_true(cb_result))
goto end;
testresult = 1;
end:
- SSL_CTX_free(ctx);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
return testresult;
}
+#endif
/*
* Test that SSL_export_keying_material() produces expected results. There are
@@ -7175,7 +7236,6 @@ int setup_tests(void)
#else
ADD_ALL_TESTS(test_custom_exts, 3);
#endif
- ADD_ALL_TESTS(test_serverinfo, 8);
ADD_ALL_TESTS(test_export_key_mat, 6);
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
@@ -7207,6 +7267,9 @@ int setup_tests(void)
#endif
ADD_TEST(test_set_alpn);
ADD_TEST(test_inherit_verify_param);
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
+ ADD_ALL_TESTS(test_serverinfo_custom, 4);
+#endif
return 1;
}
--
2.17.1

67
backport-Coverity-1508534-1508540-misuses-of-time_t.patch
View File

@ -1,67 +0,0 @@
From 552603edfed18f30466277d29b70939390fea65b Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Tue, 16 Aug 2022 11:05:02 +1000
Subject: [PATCH] Coverity 1508534 & 1508540: misuses of time_t
Avoid problems when the lower 32 bits of time_t roll over by delaying
the cast to integer until after the time delta has been computed.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19004)
(cherry picked from commit a6cadcbdc3b4f3fbd0fd228e41177f0661b68264)
---
ssl/statem/extensions_clnt.c | 5 ++---
ssl/statem/extensions_srvr.c | 5 ++---
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index b6f72d685c..1cbaefa9f1 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1002,7 +1002,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
- uint32_t now, agesec, agems = 0;
+ uint32_t agesec, agems = 0;
size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
@@ -1059,8 +1059,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
* this in multiple places in the code, so portability shouldn't be an
* issue.
*/
- now = (uint32_t)time(NULL);
- agesec = now - (uint32_t)s->session->time;
+ agesec = (uint32_t)(time(NULL) - s->session->time);
/*
* We calculate the age in seconds but the server may work in ms. Due to
* rounding errors we could overestimate the age by up to 1s. It is
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 04f64f8106..f110053273 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1167,7 +1167,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->ext.early_data_ok = 1;
s->ext.ticket_expected = 1;
} else {
- uint32_t ticket_age = 0, now, agesec, agems;
+ uint32_t ticket_age = 0, agesec, agems;
int ret;
/*
@@ -1209,8 +1209,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
}
ticket_age = (uint32_t)ticket_agel;
- now = (uint32_t)time(NULL);
- agesec = now - (uint32_t)sess->time;
+ agesec = (uint32_t)(time(NULL) - sess->time);
agems = agesec * (uint32_t)1000;
ticket_age -= sess->ext.tick_age_add;
--
2.17.1

54
backport-Do-not-send-an-empty-supported-groups-extension.patch
View File

@ -1,54 +0,0 @@
From bd164884f258d99ca876f6cdcdf9bd0dcceee6ad Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 29 Apr 2022 16:36:36 +0200
Subject: [PATCH] Do not send an empty supported groups extension
This allows handshake to proceed if the maximum TLS version enabled is <1.3
Fixes #13583
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18213)
---
CHANGES | 24 ++++++++++++++----------
ssl/statem/extensions_clnt.c | 16 +++++++++++++++-
2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 9d38ac23b5..036a9b3c48 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)
int i, end, ret = 0;
unsigned long alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
+ const uint16_t *pgroups = NULL;
+ size_t num_groups, j;
/* See if we support any ECC ciphersuites */
if (s->version == SSL3_VERSION)
@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)
}
sk_SSL_CIPHER_free(cipher_stack);
- return ret;
+ if (!ret)
+ return 0;
+
+ /* Check we have at least one EC supported group */
+ tls1_get_supported_groups(s, &pgroups, &num_groups);
+ for (j = 0; j < num_groups; j++) {
+ uint16_t ctmp = pgroups[j];
+
+ if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
+ return 1;
+ }
+
+ return 0;
}
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
--
2.17.1

37
backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch
View File

@ -1,37 +0,0 @@
From ad24941228eafe59fe3807d1659585c4d98eac97 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 16 Mar 2022 13:48:27 +1100
Subject: [PATCH] Fix Coverity 1201763 uninitialised pointer read
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17890)
(cherry picked from commit a0238b7ed87998c48b1c92bad7fa82dcbba507f9)
---
crypto/bn/bn_exp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 9531acfc3c..451e88ac3c 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
return ret;
}
+ BN_RECP_CTX_init(&recp);
+
BN_CTX_start(ctx);
aa = BN_CTX_get(ctx);
val[0] = BN_CTX_get(ctx);
if (val[0] == NULL)
goto err;
- BN_RECP_CTX_init(&recp);
if (m->neg) {
/* ignore sign of 'm' */
if (!BN_copy(aa, m))
--
2.17.1

37
backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch
View File

@ -1,37 +0,0 @@
From cd2471cd797ae5a6355814bb14a176af6a7d883f Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 16 Mar 2022 14:21:01 +1100
Subject: [PATCH] Fix Coverity 1498611 & 1498608: uninitialised read
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17893)
(cherry picked from commit 09134f183f76539aa1294adfef10fcc694e90267)
---
ssl/ssl_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9c411a3293..7383badce3 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2084,6 +2084,7 @@ int SSL_shutdown(SSL *s)
if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
struct ssl_async_args args;
+ memset(&args, 0, sizeof(args));
args.s = s;
args.type = OTHERFUNC;
args.f.func_other = s->method->ssl_shutdown;
@@ -3709,6 +3710,7 @@ int SSL_do_handshake(SSL *s)
if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
struct ssl_async_args args;
+ memset(&args, 0, sizeof(args));
args.s = s;
ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
--
2.17.1

42
backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch
View File

@ -1,42 +0,0 @@
From 143d7d4c791df8b9051356be51d9f77bc241fe4c Mon Sep 17 00:00:00 2001
From: Roberto Hueso Gomez <roberto@robertohueso.org>
Date: Tue, 26 Jul 2022 20:41:02 +0200
Subject: [PATCH] Fix EC_KEY_set_private_key() priv_key regression
This allows to set EC_KEY's private key to NULL and fixes regression
issue following OTC guideline in
https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
Fixes #18744.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18874)
---
crypto/ec/ec_key.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 3017f0936c..63799002bc 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -443,6 +443,16 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
&& key->meth->set_private(key, priv_key) == 0)
return 0;
+ /*
+ * Return `0` to comply with legacy behavior for this function, see
+ * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
+ */
+ if (priv_key == NULL) {
+ BN_clear_free(key->priv_key);
+ key->priv_key = NULL;
+ return 0; /* intentional for legacy compatibility */
+ }
+
/*
* We should never leak the bit length of the secret scalar in the key,
* so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
--
2.17.1

98
backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch
View File

@ -1,98 +0,0 @@
From 8845aeb3ed528491b9eccba365182f90540e5b95 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 1 Mar 2022 14:08:12 +0000
Subject: [PATCH] Fix NULL pointer dereference for BN_mod_exp2_mont
This fixes a bug whereby BN_mod_exp2_mont can dereference a NULL pointer
if BIGNUM argument m represents zero.
Regression test added. Fixes #17648. Backport from master to 1.1.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17787)
---
crypto/bn/bn_exp2.c | 2 +-
test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/crypto/bn/bn_exp2.c b/crypto/bn/bn_exp2.c
index e542abe46f..de3e249d78 100644
--- a/crypto/bn/bn_exp2.c
+++ b/crypto/bn/bn_exp2.c
@@ -32,7 +32,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
bn_check_top(p2);
bn_check_top(m);
- if (!(m->d[0] & 1)) {
+ if (!BN_is_odd(m)) {
BNerr(BN_F_BN_MOD_EXP2_MONT, BN_R_CALLED_WITH_EVEN_MODULUS);
return 0;
}
diff --git a/test/bntest.c b/test/bntest.c
index bab34ba54b..390dd80073 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -2798,6 +2798,50 @@ static int test_mod_exp_consttime(int i)
return res;
}
+/*
+ * Regression test to ensure BN_mod_exp2_mont fails safely if argument m is
+ * zero.
+ */
+static int test_mod_exp2_mont(void)
+{
+ int res = 0;
+ BIGNUM *exp_result = NULL;
+ BIGNUM *exp_a1 = NULL, *exp_p1 = NULL, *exp_a2 = NULL, *exp_p2 = NULL,
+ *exp_m = NULL;
+
+ if (!TEST_ptr(exp_result = BN_new())
+ || !TEST_ptr(exp_a1 = BN_new())
+ || !TEST_ptr(exp_p1 = BN_new())
+ || !TEST_ptr(exp_a2 = BN_new())
+ || !TEST_ptr(exp_p2 = BN_new())
+ || !TEST_ptr(exp_m = BN_new()))
+ goto err;
+
+ if (!TEST_true(BN_one(exp_a1))
+ || !TEST_true(BN_one(exp_p1))
+ || !TEST_true(BN_one(exp_a2))
+ || !TEST_true(BN_one(exp_p2)))
+ goto err;
+
+ BN_zero(exp_m);
+
+ /* input of 0 is even, so must fail */
+ if (!TEST_int_eq(BN_mod_exp2_mont(exp_result, exp_a1, exp_p1, exp_a2,
+ exp_p2, exp_m, ctx, NULL), 0))
+ goto err;
+
+ res = 1;
+
+err:
+ BN_free(exp_result);
+ BN_free(exp_a1);
+ BN_free(exp_p1);
+ BN_free(exp_a2);
+ BN_free(exp_p2);
+ BN_free(exp_m);
+ return res;
+}
+
static int file_test_run(STANZA *s)
{
static const FILETEST filetests[] = {
@@ -2906,6 +2950,7 @@ int setup_tests(void)
ADD_TEST(test_gcd_prime);
ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests));
ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests));
+ ADD_TEST(test_mod_exp2_mont);
} else {
ADD_ALL_TESTS(run_file_tests, n);
}
--
2.17.1

89
backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch
View File

@ -1,89 +0,0 @@
From 01fc812cb0aafc3cfc271303b6646d1c0a86b020 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 25 Jul 2022 15:59:38 +0100
Subject: [PATCH] Fix SSL_pending() and SSL_has_pending() with DTLS
If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to tell you
how much processed app data we have already buffered, and SSL_has_pending()
is supposed to tell you if we have any data buffered (whether processed or
not, and whether app data or not).
Neither SSL_pending() or SSL_has_pending() were taking account of this
DTLS specific app data buffer.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18976)
---
ssl/record/rec_layer_s3.c | 14 +++++++++++++-
ssl/ssl_lib.c | 24 +++++++++++++++++++-----
2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 8249b4ace9..23cd4219e9 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -115,10 +115,22 @@ size_t ssl3_pending(const SSL *s)
if (s->rlayer.rstate == SSL_ST_READ_BODY)
return 0;
+ /* Take into account DTLS buffered app data */
+ if (SSL_IS_DTLS(s)) {
+ DTLS1_RECORD_DATA *rdata;
+ pitem *item, *iter;
+
+ iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
+ while ((item = pqueue_next(&iter)) != NULL) {
+ rdata = item->data;
+ num += rdata->rrec.length;
+ }
+ }
+
for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) {
if (SSL3_RECORD_get_type(&s->rlayer.rrec[i])
!= SSL3_RT_APPLICATION_DATA)
- return 0;
+ return num;
num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]);
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 25a1a44785..47adc3211c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1510,12 +1510,26 @@ int SSL_has_pending(const SSL *s)
{
/*
* Similar to SSL_pending() but returns a 1 to indicate that we have
- * unprocessed data available or 0 otherwise (as opposed to the number of
- * bytes available). Unlike SSL_pending() this will take into account
- * read_ahead data. A 1 return simply indicates that we have unprocessed
- * data. That data may not result in any application data, or we may fail
- * to parse the records for some reason.
+ * processed or unprocessed data available or 0 otherwise (as opposed to the
+ * number of bytes available). Unlike SSL_pending() this will take into
+ * account read_ahead data. A 1 return simply indicates that we have data.
+ * That data may not result in any application data, or we may fail to parse
+ * the records for some reason.
*/
+
+ /* Check buffered app data if any first */
+ if (SSL_IS_DTLS(s)) {
+ DTLS1_RECORD_DATA *rdata;
+ pitem *item, *iter;
+
+ iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
+ while ((item = pqueue_next(&iter)) != NULL) {
+ rdata = item->data;
+ if (rdata->rrec.length > 0)
+ return 1;
+ }
+ }
+
if (RECORD_LAYER_processed_read_pending(&s->rlayer))
return 1;
--
2.17.1

440
backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch
View File

@ -1,440 +0,0 @@
From 6e73a0a0bd608daecb8e2c1e46de9d1014194c84 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Tue, 12 Apr 2022 08:27:21 +0200
Subject: [PATCH] Fix a DTLS server hangup due to TLS13_AD_MISSING_EXTENSION
This causes the DTLS server to enter an error state:
./openssl s_server -dtls
./openssl s_client -dtls -maxfraglen 512 -sess_out s1.txt
[...]
Q
./openssl s_client -dtls -sess_in s1.txt
CONNECTED(00000003)
^C
./openssl s_client -dtls
CONNECTED(00000003)
140335537067840:error:14102410:SSL routines:dtls1_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_d1.c:614:SSL alert number 40
At this point the dtls server needs to be restarted,
because verify_cookie_callback always fails, because
the previous cookie is checked against the current one.
The reason for this is not fully understood.
In wireshark we see the following each time:
c->s Client Hello (without cookie)
s->c Hello Verify Request (with new cookie)
s->c Alert (Level: Fatal, Description: Handshake Failure)
c->s Client Hello (echoes new cookie)
The client gives up when the Alert arrives.
The Alert is triggered because the server calls
verify_cookie_callback with the previous cookie,
although it just sent the current cookie in the
Hello Verify Request.
However this does only happen because no Alert message
is sent when the client re-connects the session with
the missing -maxfraglen option.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18094)
---
ssl/s3_enc.c | 2 +
ssl/t1_enc.c | 2 +
test/ssl-tests/10-resumption.conf | 121 +++++++++++++++++++++++-
test/ssl-tests/11-dtls_resumption.conf | 124 ++++++++++++++++++++++++-
test/ssl-tests/protocol_version.pm | 63 +++++++++++++
5 files changed, 310 insertions(+), 2 deletions(-)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 8a89f512fe..eb1f36ac7e 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -589,6 +589,8 @@ int ssl3_alert_code(int code)
return TLS1_AD_NO_APPLICATION_PROTOCOL;
case SSL_AD_CERTIFICATE_REQUIRED:
return SSL_AD_HANDSHAKE_FAILURE;
+ case SSL_AD_MISSING_EXTENSION:
+ return SSL_AD_HANDSHAKE_FAILURE;
default:
return -1;
}
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index c85c0b0310..2087b274d1 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -672,6 +672,8 @@ int tls1_alert_code(int code)
return TLS1_AD_NO_APPLICATION_PROTOCOL;
case SSL_AD_CERTIFICATE_REQUIRED:
return SSL_AD_HANDSHAKE_FAILURE;
+ case SSL_AD_MISSING_EXTENSION:
+ return SSL_AD_HANDSHAKE_FAILURE;
default:
return -1;
}
diff --git a/test/ssl-tests/10-resumption.conf b/test/ssl-tests/10-resumption.conf
index 73de974ab0..a33a1d80e4 100644
--- a/test/ssl-tests/10-resumption.conf
+++ b/test/ssl-tests/10-resumption.conf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 65
+num_tests = 68
test-0 = 0-resumption
test-1 = 1-resumption
@@ -67,6 +67,9 @@ test-61 = 61-resumption
test-62 = 62-resumption
test-63 = 63-resumption
test-64 = 64-resumption-with-hrr
+test-65 = 65-resumption-when-mfl-ext-is-missing
+test-66 = 66-resumption-when-mfl-ext-is-different
+test-67 = 67-resumption-when-mfl-ext-is-correct
# ===========================================================
[0-resumption]
@@ -2437,3 +2440,119 @@ Method = TLS
ResumptionExpected = Yes
+# ===========================================================
+
+[65-resumption-when-mfl-ext-is-missing]
+ssl_conf = 65-resumption-when-mfl-ext-is-missing-ssl
+
+[65-resumption-when-mfl-ext-is-missing-ssl]
+server = 65-resumption-when-mfl-ext-is-missing-server
+client = 65-resumption-when-mfl-ext-is-missing-client
+resume-server = 65-resumption-when-mfl-ext-is-missing-server
+resume-client = 65-resumption-when-mfl-ext-is-missing-resume-client
+
+[65-resumption-when-mfl-ext-is-missing-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[65-resumption-when-mfl-ext-is-missing-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[65-resumption-when-mfl-ext-is-missing-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-65]
+ExpectedResult = ServerFail
+HandshakeMode = Resume
+ResumptionExpected = No
+client = 65-resumption-when-mfl-ext-is-missing-client-extra
+
+[65-resumption-when-mfl-ext-is-missing-client-extra]
+MaxFragmentLenExt = 512
+
+
+# ===========================================================
+
+[66-resumption-when-mfl-ext-is-different]
+ssl_conf = 66-resumption-when-mfl-ext-is-different-ssl
+
+[66-resumption-when-mfl-ext-is-different-ssl]
+server = 66-resumption-when-mfl-ext-is-different-server
+client = 66-resumption-when-mfl-ext-is-different-client
+resume-server = 66-resumption-when-mfl-ext-is-different-server
+resume-client = 66-resumption-when-mfl-ext-is-different-resume-client
+
+[66-resumption-when-mfl-ext-is-different-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[66-resumption-when-mfl-ext-is-different-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[66-resumption-when-mfl-ext-is-different-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-66]
+ExpectedResult = ServerFail
+HandshakeMode = Resume
+ResumptionExpected = No
+client = 66-resumption-when-mfl-ext-is-different-client-extra
+resume-client = 66-resumption-when-mfl-ext-is-different-resume-client-extra
+
+[66-resumption-when-mfl-ext-is-different-client-extra]
+MaxFragmentLenExt = 512
+
+[66-resumption-when-mfl-ext-is-different-resume-client-extra]
+MaxFragmentLenExt = 1024
+
+
+# ===========================================================
+
+[67-resumption-when-mfl-ext-is-correct]
+ssl_conf = 67-resumption-when-mfl-ext-is-correct-ssl
+
+[67-resumption-when-mfl-ext-is-correct-ssl]
+server = 67-resumption-when-mfl-ext-is-correct-server
+client = 67-resumption-when-mfl-ext-is-correct-client
+resume-server = 67-resumption-when-mfl-ext-is-correct-server
+resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client
+
+[67-resumption-when-mfl-ext-is-correct-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[67-resumption-when-mfl-ext-is-correct-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[67-resumption-when-mfl-ext-is-correct-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-67]
+ExpectedResult = Success
+HandshakeMode = Resume
+ResumptionExpected = Yes
+client = 67-resumption-when-mfl-ext-is-correct-client-extra
+resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client-extra
+
+[67-resumption-when-mfl-ext-is-correct-client-extra]
+MaxFragmentLenExt = 512
+
+[67-resumption-when-mfl-ext-is-correct-resume-client-extra]
+MaxFragmentLenExt = 512
+
+
diff --git a/test/ssl-tests/11-dtls_resumption.conf b/test/ssl-tests/11-dtls_resumption.conf
index a981fa51df..635279a30f 100644
--- a/test/ssl-tests/11-dtls_resumption.conf
+++ b/test/ssl-tests/11-dtls_resumption.conf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 16
+num_tests = 19
test-0 = 0-resumption
test-1 = 1-resumption
@@ -18,6 +18,9 @@ test-12 = 12-resumption
test-13 = 13-resumption
test-14 = 14-resumption
test-15 = 15-resumption
+test-16 = 16-resumption-when-mfl-ext-is-missing
+test-17 = 17-resumption-when-mfl-ext-is-different
+test-18 = 18-resumption-when-mfl-ext-is-correct
# ===========================================================
[0-resumption]
@@ -618,3 +621,122 @@ Method = DTLS
ResumptionExpected = Yes
+# ===========================================================
+
+[16-resumption-when-mfl-ext-is-missing]
+ssl_conf = 16-resumption-when-mfl-ext-is-missing-ssl
+
+[16-resumption-when-mfl-ext-is-missing-ssl]
+server = 16-resumption-when-mfl-ext-is-missing-server
+client = 16-resumption-when-mfl-ext-is-missing-client
+resume-server = 16-resumption-when-mfl-ext-is-missing-server
+resume-client = 16-resumption-when-mfl-ext-is-missing-resume-client
+
+[16-resumption-when-mfl-ext-is-missing-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-resumption-when-mfl-ext-is-missing-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[16-resumption-when-mfl-ext-is-missing-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedResult = ServerFail
+HandshakeMode = Resume
+Method = DTLS
+ResumptionExpected = No
+client = 16-resumption-when-mfl-ext-is-missing-client-extra
+
+[16-resumption-when-mfl-ext-is-missing-client-extra]
+MaxFragmentLenExt = 512
+
+
+# ===========================================================
+
+[17-resumption-when-mfl-ext-is-different]
+ssl_conf = 17-resumption-when-mfl-ext-is-different-ssl
+
+[17-resumption-when-mfl-ext-is-different-ssl]
+server = 17-resumption-when-mfl-ext-is-different-server
+client = 17-resumption-when-mfl-ext-is-different-client
+resume-server = 17-resumption-when-mfl-ext-is-different-server
+resume-client = 17-resumption-when-mfl-ext-is-different-resume-client
+
+[17-resumption-when-mfl-ext-is-different-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[17-resumption-when-mfl-ext-is-different-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[17-resumption-when-mfl-ext-is-different-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-17]
+ExpectedResult = ServerFail
+HandshakeMode = Resume
+Method = DTLS
+ResumptionExpected = No
+client = 17-resumption-when-mfl-ext-is-different-client-extra
+resume-client = 17-resumption-when-mfl-ext-is-different-resume-client-extra
+
+[17-resumption-when-mfl-ext-is-different-client-extra]
+MaxFragmentLenExt = 512
+
+[17-resumption-when-mfl-ext-is-different-resume-client-extra]
+MaxFragmentLenExt = 1024
+
+
+# ===========================================================
+
+[18-resumption-when-mfl-ext-is-correct]
+ssl_conf = 18-resumption-when-mfl-ext-is-correct-ssl
+
+[18-resumption-when-mfl-ext-is-correct-ssl]
+server = 18-resumption-when-mfl-ext-is-correct-server
+client = 18-resumption-when-mfl-ext-is-correct-client
+resume-server = 18-resumption-when-mfl-ext-is-correct-server
+resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client
+
+[18-resumption-when-mfl-ext-is-correct-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[18-resumption-when-mfl-ext-is-correct-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[18-resumption-when-mfl-ext-is-correct-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-18]
+ExpectedResult = Success
+HandshakeMode = Resume
+Method = DTLS
+ResumptionExpected = Yes
+client = 18-resumption-when-mfl-ext-is-correct-client-extra
+resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client-extra
+
+[18-resumption-when-mfl-ext-is-correct-client-extra]
+MaxFragmentLenExt = 512
+
+[18-resumption-when-mfl-ext-is-correct-resume-client-extra]
+MaxFragmentLenExt = 512
+
+
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index 943719e84a..039d782b73 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -265,6 +265,69 @@ sub generate_resumption_tests {
};
}
+ push @client_tests, {
+ "name" => "resumption-when-mfl-ext-is-missing",
+ "server" => {
+ },
+ "client" => {
+ "extra" => {
+ "MaxFragmentLenExt" => 512,
+ },
+ },
+ "resume_client" => {
+ },
+ "test" => {
+ "Method" => $method,
+ "HandshakeMode" => "Resume",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "ServerFail",
+ }
+ };
+
+ push @client_tests, {
+ "name" => "resumption-when-mfl-ext-is-different",
+ "server" => {
+ },
+ "client" => {
+ "extra" => {
+ "MaxFragmentLenExt" => 512,
+ },
+ },
+ "resume_client" => {
+ "extra" => {
+ "MaxFragmentLenExt" => 1024,
+ },
+ },
+ "test" => {
+ "Method" => $method,
+ "HandshakeMode" => "Resume",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "ServerFail",
+ }
+ };
+
+ push @client_tests, {
+ "name" => "resumption-when-mfl-ext-is-correct",
+ "server" => {
+ },
+ "client" => {
+ "extra" => {
+ "MaxFragmentLenExt" => 512,
+ },
+ },
+ "resume_client" => {
+ "extra" => {
+ "MaxFragmentLenExt" => 512,
+ },
+ },
+ "test" => {
+ "Method" => $method,
+ "HandshakeMode" => "Resume",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success",
+ }
+ };
+
return (@server_tests, @client_tests);
}
--
2.17.1

161
backport-Fix-a-crash-in-X509v3_asid_subset.patch
View File

@ -1,161 +0,0 @@
From 8f078819556da83c15751678c39558a59bc746fc Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 9 Jun 2022 16:57:30 +0100
Subject: [PATCH] Fix a crash in X509v3_asid_subset()
If the asnum or rdi fields are NULL and the ASIdentifiers are otherwise
subsets then this will result in a crash. Of note is that rdi will usually
be NULL.
Reported by Theo Buehler (@botovq)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18514)
(cherry picked from commit 01fc9b6bce82f0534d6673659a0e59a71f57ee82)
---
crypto/x509v3/v3_asid.c | 31 +++++++++++-----
test/v3ext.c | 78 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 100 insertions(+), 9 deletions(-)
diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
index ac68572672..9bdc682978 100644
--- a/crypto/x509v3/v3_asid.c
+++ b/crypto/x509v3/v3_asid.c
@@ -700,15 +700,28 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
*/
int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
{
- return (a == NULL ||
- a == b ||
- (b != NULL &&
- !X509v3_asid_inherits(a) &&
- !X509v3_asid_inherits(b) &&
- asid_contains(b->asnum->u.asIdsOrRanges,
- a->asnum->u.asIdsOrRanges) &&
- asid_contains(b->rdi->u.asIdsOrRanges,
- a->rdi->u.asIdsOrRanges)));
+ int subset;
+
+ if (a == NULL || a == b)
+ return 1;
+
+ if (b == NULL)
+ return 0;
+
+ if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b))
+ return 0;
+
+ subset = a->asnum == NULL
+ || (b->asnum != NULL
+ && asid_contains(b->asnum->u.asIdsOrRanges,
+ a->asnum->u.asIdsOrRanges));
+ if (!subset)
+ return 0;
+
+ return a->rdi == NULL
+ || (b->rdi != NULL
+ && asid_contains(b->rdi->u.asIdsOrRanges,
+ a->rdi->u.asIdsOrRanges));
}
/*
diff --git a/test/v3ext.c b/test/v3ext.c
index 14ae49969d..1575e923da 100644
--- a/test/v3ext.c
+++ b/test/v3ext.c
@@ -37,11 +37,89 @@ end:
return ret;
}
+static int test_asid(void)
+{
+ ASN1_INTEGER *val1 = NULL, *val2 = NULL;
+ ASIdentifiers *asid1 = ASIdentifiers_new(), *asid2 = ASIdentifiers_new(),
+ *asid3 = ASIdentifiers_new(), *asid4 = ASIdentifiers_new();
+ int testresult = 0;
+
+ if (!TEST_ptr(asid1)
+ || !TEST_ptr(asid2)
+ || !TEST_ptr(asid3))
+ goto err;
+
+ if (!TEST_ptr(val1 = ASN1_INTEGER_new())
+ || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496)))
+ goto err;
+
+ if (!TEST_true(X509v3_asid_add_id_or_range(asid1, V3_ASID_ASNUM, val1, NULL)))
+ goto err;
+
+ val1 = NULL;
+ if (!TEST_ptr(val2 = ASN1_INTEGER_new())
+ || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497)))
+ goto err;
+
+ if (!TEST_true(X509v3_asid_add_id_or_range(asid2, V3_ASID_ASNUM, val2, NULL)))
+ goto err;
+
+ val2 = NULL;
+ if (!TEST_ptr(val1 = ASN1_INTEGER_new())
+ || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496))
+ || !TEST_ptr(val2 = ASN1_INTEGER_new())
+ || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497)))
+ goto err;
+
+ /*
+ * Just tests V3_ASID_ASNUM for now. Could be extended at some point to also
+ * test V3_ASID_RDI if we think it is worth it.
+ */
+ if (!TEST_true(X509v3_asid_add_id_or_range(asid3, V3_ASID_ASNUM, val1, val2)))
+ goto err;
+ val1 = val2 = NULL;
+
+ /* Actual subsets */
+ if (!TEST_true(X509v3_asid_subset(NULL, NULL))
+ || !TEST_true(X509v3_asid_subset(NULL, asid1))
+ || !TEST_true(X509v3_asid_subset(asid1, asid1))
+ || !TEST_true(X509v3_asid_subset(asid2, asid2))
+ || !TEST_true(X509v3_asid_subset(asid1, asid3))
+ || !TEST_true(X509v3_asid_subset(asid2, asid3))
+ || !TEST_true(X509v3_asid_subset(asid3, asid3))
+ || !TEST_true(X509v3_asid_subset(asid4, asid1))
+ || !TEST_true(X509v3_asid_subset(asid4, asid2))
+ || !TEST_true(X509v3_asid_subset(asid4, asid3)))
+ goto err;
+
+ /* Not subsets */
+ if (!TEST_false(X509v3_asid_subset(asid1, NULL))
+ || !TEST_false(X509v3_asid_subset(asid1, asid2))
+ || !TEST_false(X509v3_asid_subset(asid2, asid1))
+ || !TEST_false(X509v3_asid_subset(asid3, asid1))
+ || !TEST_false(X509v3_asid_subset(asid3, asid2))
+ || !TEST_false(X509v3_asid_subset(asid1, asid4))
+ || !TEST_false(X509v3_asid_subset(asid2, asid4))
+ || !TEST_false(X509v3_asid_subset(asid3, asid4)))
+ goto err;
+
+ testresult = 1;
+ err:
+ ASN1_INTEGER_free(val1);
+ ASN1_INTEGER_free(val2);
+ ASIdentifiers_free(asid1);
+ ASIdentifiers_free(asid2);
+ ASIdentifiers_free(asid3);
+ ASIdentifiers_free(asid4);
+ return testresult;
+}
+
int setup_tests(void)
{
if (!TEST_ptr(infile = test_get_argument(0)))
return 0;
ADD_TEST(test_pathlen);
+ ADD_TEST(test_asid);
return 1;
}
--
2.17.1

93
backport-Fix-a-crash-in-asn1_item_embed_new.patch
View File

@ -1,93 +0,0 @@
From 8e60f41d064786f95440e4c56660ffe9777783d7 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 20 May 2022 08:02:47 +0200
Subject: [PATCH] Fix a crash in asn1_item_embed_new
This happens usually if an template object is created
and there is an out of memory error before the ASN1_OP_NEW_POST
method is called, but asn1_item_embed_free calls now the
ASN1_OP_FREE_POST which may crash because the object is not
properly initialized. Apparently that is only an issue with
the ASN1_OP_FREE_POST handling of crypot/x509/x_crl.c, which
ought to be tolerant to incomplete initialized objects.
The error can be reproduced with the reproducible error injection patch:
$ ERROR_INJECT=1652890550 ../util/shlib_wrap.sh ./asn1-test ./corpora/asn1/0ff17293911f54d1538b9896563a4048d67d9ee4
#0 0x7faae9dbeeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x408dc4 in my_malloc fuzz/test-corpus.c:114
#2 0x7faae99f2430 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7faae97f09e5 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
#4 0x7faae98118f7 in asn1_primitive_new crypto/asn1/tasn_new.c:318
#5 0x7faae9812401 in asn1_item_embed_new crypto/asn1/tasn_new.c:78
#6 0x7faae9812401 in asn1_template_new crypto/asn1/tasn_new.c:240
#7 0x7faae9812315 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
#8 0x7faae9812315 in asn1_template_new crypto/asn1/tasn_new.c:240
#9 0x7faae9812a54 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
#10 0x7faae9812a54 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
#11 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
#12 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#13 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#14 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#15 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#16 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#17 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#18 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#19 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#20 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
#21 0x40893b in testfile fuzz/test-corpus.c:182
#22 0x406b86 in main fuzz/test-corpus.c:226
#23 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1194==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7faae9b0625f bp 0x7fffffe41a00 sp 0x7fffffe41920 T0)
==1194==The signal is caused by a READ memory access.
==1194==Hint: address points to the zero page.
#0 0x7faae9b0625f in crl_cb crypto/x509/x_crl.c:258
#1 0x7faae9811255 in asn1_item_embed_free crypto/asn1/tasn_fre.c:113
#2 0x7faae9812a65 in asn1_item_embed_new crypto/asn1/tasn_new.c:150
#3 0x7faae9812a65 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
#4 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
#5 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#6 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#7 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#8 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#9 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#10 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#11 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#12 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#13 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
#14 0x40893b in testfile fuzz/test-corpus.c:182
#15 0x406b86 in main fuzz/test-corpus.c:226
#16 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509/x_crl.c:258 in crl_cb
==1194==ABORTING
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18360)
(cherry picked from commit 557825acd622f98fc21423aba092e374db84f483)
---
crypto/x509/x_crl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c9762f9e23..9af39a45fc 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -255,7 +255,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
break;
case ASN1_OP_FREE_POST:
- if (crl->meth->crl_free) {
+ if (crl->meth != NULL && crl->meth->crl_free != NULL) {
if (!crl->meth->crl_free(crl))
return 0;
}
--
2.17.1

88
backport-Fix-a-crash-in-ssl_security_cert_chain.patch
View File

@ -1,88 +0,0 @@
From 4a28f8451fbc1848fd2d1b99203a7c75876123f6 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 22 May 2022 20:12:56 +0200
Subject: [PATCH] Fix a crash in ssl_security_cert_chain
Prior to the crash there is an out of memory error
in X509_verify_cert which makes the chain NULL or
empty. The error is ignored by ssl_add_cert_chain,
and ssl_security_cert_chain crashes due to the
unchecked null pointer.
This is reproducible with my error injection patch.
The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.
$ ERROR_INJECT=1652848273 ../util/shlib_wrap.sh ./server-test ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8# ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8
#0 0x7f3a8f766eba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x403ba4 in my_malloc fuzz/test-corpus.c:114
#2 0x7f3a8f39a430 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7f3a8f46bd3b in sk_reserve crypto/stack/stack.c:180
#4 0x7f3a8f46bd3b in OPENSSL_sk_insert crypto/stack/stack.c:242
#5 0x7f3a8f4a4fd8 in sk_X509_push include/openssl/x509.h:99
#6 0x7f3a8f4a4fd8 in X509_verify_cert crypto/x509/x509_vfy.c:286
#7 0x7f3a8fed726e in ssl_add_cert_chain ssl/statem/statem_lib.c:959
#8 0x7f3a8fed726e in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
#9 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
#10 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
#11 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
#12 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
#13 0x403202 in FuzzerTestOneInput fuzz/server.c:740
#14 0x40371b in testfile fuzz/test-corpus.c:182
#15 0x402856 in main fuzz/test-corpus.c:226
#16 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#17 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000158 (pc 0x7f3a8f4d822f bp 0x7ffc39b76190 sp 0x7ffc39b760a0 T0)
==8400==The signal is caused by a READ memory access.
==8400==Hint: address points to the zero page.
#0 0x7f3a8f4d822f in x509v3_cache_extensions crypto/x509v3/v3_purp.c:386
#1 0x7f3a8f4d9d3a in X509_check_purpose crypto/x509v3/v3_purp.c:84
#2 0x7f3a8f4da02a in X509_get_extension_flags crypto/x509v3/v3_purp.c:921
#3 0x7f3a8feff7d2 in ssl_security_cert_sig ssl/t1_lib.c:2518
#4 0x7f3a8feff7d2 in ssl_security_cert ssl/t1_lib.c:2542
#5 0x7f3a8feffa03 in ssl_security_cert_chain ssl/t1_lib.c:2562
#6 0x7f3a8fed728d in ssl_add_cert_chain ssl/statem/statem_lib.c:963
#7 0x7f3a8fed728d in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
#8 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
#9 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
#10 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
#11 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
#12 0x403202 in FuzzerTestOneInput fuzz/server.c:740
#13 0x40371b in testfile fuzz/test-corpus.c:182
#14 0x402856 in main fuzz/test-corpus.c:226
#15 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#16 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509v3/v3_purp.c:386 in x509v3_cache_extensions
==8400==ABORTING
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18376)
(cherry picked from commit dc0ef292f7df4ce0c49c64b47726a6768f9ac044)
---
ssl/t1_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b1d3add187..4de4623a49 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2555,6 +2555,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
int rv, start_idx, i;
if (x == NULL) {
x = sk_X509_value(sk, 0);
+ if (x == NULL)
+ return ERR_R_INTERNAL_ERROR;
start_idx = 1;
} else
start_idx = 0;
--
2.17.1

76
backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch
View File

@ -1,76 +0,0 @@
From 264a3f453c418dc01f4b74928ed2a76a08a65513 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 10 Jun 2022 12:33:45 +0100
Subject: [PATCH] Fix a crash in v2i_IPAddrBlocks()
If an IP address prefix value is supplied that is too large then a crash
can result. v2i_IPAddrBlocks() should sanity check the prefix value, as
should X509v3_addr_add_prefix().
Reported by Theo Buehler (@botovq)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
---
crypto/x509v3/v3_addr.c | 17 ++++---
test/v3ext.c | 99 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 111 insertions(+), 5 deletions(-)
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index ccce34ef2e..f9c368bea4 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -392,12 +392,14 @@ static int range_should_be_prefix(const unsigned char *min,
/*
* Construct a prefix.
*/
-static int make_addressPrefix(IPAddressOrRange **result,
- unsigned char *addr, const int prefixlen)
+static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
+ const int prefixlen, const int afilen)
{
int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
IPAddressOrRange *aor = IPAddressOrRange_new();
+ if (prefixlen < 0 || prefixlen > (afilen * 8))
+ return 0;
if (aor == NULL)
return 0;
aor->type = IPAddressOrRange_addressPrefix;
@@ -437,7 +439,7 @@ static int make_addressRange(IPAddressOrRange **result,
return 0;
if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
- return make_addressPrefix(result, min, prefixlen);
+ return make_addressPrefix(result, min, prefixlen, length);
if ((aor = IPAddressOrRange_new()) == NULL)
return 0;
@@ -599,7 +601,9 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr,
{
IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
IPAddressOrRange *aor;
- if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
+
+ if (aors == NULL
+ || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi)))
return 0;
if (sk_IPAddressOrRange_push(aors, aor))
return 1;
@@ -996,7 +1000,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
switch (delim) {
case '/':
prefixlen = (int)strtoul(s + i2, &t, 10);
- if (t == s + i2 || *t != '\0') {
+ if (t == s + i2
+ || *t != '\0'
+ || prefixlen > (length * 8)
+ || prefixlen < 0) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_EXTENSION_VALUE_ERROR);
X509V3_conf_err(val);
--
2.17.1

134
backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch
View File

@ -1,134 +0,0 @@
From 6c8879c8bf6030666c851623f93fff03c1266715 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Wed, 22 Jun 2022 17:05:55 +0200
Subject: [PATCH] Fix a memory leak in EC_GROUP_new_from_ecparameters
This can be reproduced with my error injection patch.
The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.
$ ERROR_INJECT=1656112173 ../util/shlib_wrap.sh ./x509-test ./corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2
#0 0x7fb61945eeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x402f84 in my_malloc fuzz/test-corpus.c:114
#2 0x7fb619092430 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7fb618ef7561 in bn_expand_internal crypto/bn/bn_lib.c:280
#4 0x7fb618ef7561 in bn_expand2 crypto/bn/bn_lib.c:304
#5 0x7fb618ef819d in BN_bin2bn crypto/bn/bn_lib.c:454
#6 0x7fb618e7aa13 in asn1_string_to_bn crypto/asn1/a_int.c:503
#7 0x7fb618e7aa13 in ASN1_INTEGER_to_BN crypto/asn1/a_int.c:559
#8 0x7fb618fd8e79 in EC_GROUP_new_from_ecparameters crypto/ec/ec_asn1.c:814
#9 0x7fb618fd98e8 in EC_GROUP_new_from_ecpkparameters crypto/ec/ec_asn1.c:935
#10 0x7fb618fd9aec in d2i_ECPKParameters crypto/ec/ec_asn1.c:966
#11 0x7fb618fdace9 in d2i_ECParameters crypto/ec/ec_asn1.c:1184
#12 0x7fb618fd1fc7 in eckey_type2param crypto/ec/ec_ameth.c:119
#13 0x7fb618fd57b4 in eckey_pub_decode crypto/ec/ec_ameth.c:165
#14 0x7fb6191a9c62 in x509_pubkey_decode crypto/x509/x_pubkey.c:124
#15 0x7fb6191a9e42 in pubkey_cb crypto/x509/x_pubkey.c:46
#16 0x7fb618eac032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#17 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#18 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#19 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#20 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#21 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#22 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#23 0x7fb618eadd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#24 0x7fb618eade35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#25 0x40310c in FuzzerTestOneInput fuzz/x509.c:33
#26 0x402afb in testfile fuzz/test-corpus.c:182
#27 0x402656 in main fuzz/test-corpus.c:226
#28 0x7fb618551f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#29 0x402756 (/home/ed/OPC/openssl/fuzz/x509-test+0x402756)
=================================================================
==12221==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7fb61945309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fb619092430 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fb618ef5f11 in BN_new crypto/bn/bn_lib.c:246
#3 0x7fb618ef82f4 in BN_bin2bn crypto/bn/bn_lib.c:440
#4 0x7fb618fd8933 in EC_GROUP_new_from_ecparameters crypto/ec/ec_asn1.c:618
#5 0x7fb618fd98e8 in EC_GROUP_new_from_ecpkparameters crypto/ec/ec_asn1.c:935
#6 0x7fb618fd9aec in d2i_ECPKParameters crypto/ec/ec_asn1.c:966
#7 0x7fb618fdace9 in d2i_ECParameters crypto/ec/ec_asn1.c:1184
#8 0x7fb618fd1fc7 in eckey_type2param crypto/ec/ec_ameth.c:119
#9 0x7fb618fd57b4 in eckey_pub_decode crypto/ec/ec_ameth.c:165
#10 0x7fb6191a9c62 in x509_pubkey_decode crypto/x509/x_pubkey.c:124
#11 0x7fb6191a9e42 in pubkey_cb crypto/x509/x_pubkey.c:46
#12 0x7fb618eac032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#13 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#14 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#15 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#16 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#17 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#18 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#19 0x7fb618eadd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#20 0x7fb618eade35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#21 0x40310c in FuzzerTestOneInput fuzz/x509.c:33
#22 0x402afb in testfile fuzz/test-corpus.c:182
#23 0x402656 in main fuzz/test-corpus.c:226
#24 0x7fb618551f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
Indirect leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x7fb61945309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fb619092430 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fb618ef7561 in bn_expand_internal crypto/bn/bn_lib.c:280
#3 0x7fb618ef7561 in bn_expand2 crypto/bn/bn_lib.c:304
#4 0x7fb618ef819d in BN_bin2bn crypto/bn/bn_lib.c:454
#5 0x7fb618fd8933 in EC_GROUP_new_from_ecparameters crypto/ec/ec_asn1.c:618
#6 0x7fb618fd98e8 in EC_GROUP_new_from_ecpkparameters crypto/ec/ec_asn1.c:935
#7 0x7fb618fd9aec in d2i_ECPKParameters crypto/ec/ec_asn1.c:966
#8 0x7fb618fdace9 in d2i_ECParameters crypto/ec/ec_asn1.c:1184
#9 0x7fb618fd1fc7 in eckey_type2param crypto/ec/ec_ameth.c:119
#10 0x7fb618fd57b4 in eckey_pub_decode crypto/ec/ec_ameth.c:165
#11 0x7fb6191a9c62 in x509_pubkey_decode crypto/x509/x_pubkey.c:124
#12 0x7fb6191a9e42 in pubkey_cb crypto/x509/x_pubkey.c:46
#13 0x7fb618eac032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#14 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#15 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#16 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#17 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#18 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#19 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#20 0x7fb618eadd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#21 0x7fb618eade35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#22 0x40310c in FuzzerTestOneInput fuzz/x509.c:33
#23 0x402afb in testfile fuzz/test-corpus.c:182
#24 0x402656 in main fuzz/test-corpus.c:226
#25 0x7fb618551f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/18632)
---
crypto/ec/ec_asn1.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 34de7b2aab..1acbbde3d3 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -794,7 +794,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
}
/* extract the order */
- if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
+ if (ASN1_INTEGER_to_BN(params->order, a) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
@@ -811,7 +811,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
if (params->cofactor == NULL) {
BN_free(b);
b = NULL;
- } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
+ } else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
--
2.17.1

74
backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch
View File

@ -1,74 +0,0 @@
From 59b8eca400d9ea7b77dc98fe08a91bbfe35d025a Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat, 21 May 2022 15:41:46 +0200
Subject: [PATCH] Fix a memory leak in X509_issuer_and_serial_hash
This is reproducible with my error injection patch:
$ ERROR_INJECT=1653267699 ../util/shlib_wrap.sh ./x509-test ./corpora/x509/5f4034ae85d6587dcad4da3e812e80f3d312894d
ERROR_INJECT=1653267699
#0 0x7fd485a6ad4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36
#1 0x55c12d268724 in my_malloc fuzz/test-corpus.c:114
#2 0x7fd484f51a75 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7fd484ed778d in EVP_DigestInit_ex crypto/evp/digest.c:139
#4 0x7fd4850a9849 in X509_issuer_and_serial_hash crypto/x509/x509_cmp.c:44
#5 0x55c12d268951 in FuzzerTestOneInput fuzz/x509.c:44
#6 0x55c12d268239 in testfile fuzz/test-corpus.c:182
#7 0x55c12d267c7f in main fuzz/test-corpus.c:226
#8 0x7fd483a42082 in __libc_start_main ../csu/libc-start.c:308
#9 0x55c12d267e5d in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/fuzz/x509-test+0x3e5d)
=================================================================
==1058475==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 268 byte(s) in 1 object(s) allocated from:
#0 0x7fd485a5dc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x7fd484d2eb9b in BUF_MEM_grow crypto/buffer/buffer.c:97
#2 0x7fd4850b2913 in X509_NAME_oneline crypto/x509/x509_obj.c:43
#3 0x7fd4850a982f in X509_issuer_and_serial_hash crypto/x509/x509_cmp.c:41
#4 0x55c12d268951 in FuzzerTestOneInput fuzz/x509.c:44
#5 0x55c12d268239 in testfile fuzz/test-corpus.c:182
#6 0x55c12d267c7f in main fuzz/test-corpus.c:226
#7 0x7fd483a42082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: 268 byte(s) leaked in 1 allocation(s).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18370)
---
crypto/x509/x509_cmp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 1d8d2d7b28..1661cac634 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -34,7 +34,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
unsigned long ret = 0;
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
unsigned char md[16];
- char *f;
+ char *f = NULL;
if (ctx == NULL)
goto err;
@@ -45,7 +45,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
goto err;
- OPENSSL_free(f);
if (!EVP_DigestUpdate
(ctx, (unsigned char *)a->cert_info.serialNumber.data,
(unsigned long)a->cert_info.serialNumber.length))
@@ -56,6 +55,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
err:
+ OPENSSL_free(f);
EVP_MD_CTX_free(ctx);
return ret;
}
--
2.17.1

118
backport-Fix-a-memory-leak-in-crl_set_issuers.patch
View File

@ -1,118 +0,0 @@
From 8754fa5f60ac4fdb5127f2eded9c7bbe0651c880 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat, 21 May 2022 07:50:46 +0200
Subject: [PATCH] Fix a memory leak in crl_set_issuers
This can be reproduced with my error injection patch.
The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.
$ ERROR_INJECT=1653520461 ../util/shlib_wrap.sh ./cms-test ./corpora/cms/3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1
log file: cms-3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1-32454-test.out
ERROR_INJECT=1653520461
#0 0x7fd5d8b8eeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x402fc4 in my_realloc fuzz/test-corpus.c:129
#2 0x7fd5d8893c49 in sk_reserve crypto/stack/stack.c:198
#3 0x7fd5d8893c49 in OPENSSL_sk_insert crypto/stack/stack.c:242
#4 0x7fd5d88d6d7f in sk_GENERAL_NAMES_push include/openssl/x509v3.h:168
#5 0x7fd5d88d6d7f in crl_set_issuers crypto/x509/x_crl.c:111
#6 0x7fd5d88d6d7f in crl_cb crypto/x509/x_crl.c:246
#7 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#8 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#9 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#10 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259
#11 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#12 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#13 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#14 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633
#15 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#16 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#17 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#18 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#19 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#20 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#21 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#22 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69
#23 0x402845 in FuzzerTestOneInput fuzz/cms.c:43
#24 0x402bbb in testfile fuzz/test-corpus.c:182
#25 0x402626 in main fuzz/test-corpus.c:226
#26 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#27 0x402706 (/home/ed/OPC/openssl/fuzz/cms-test+0x402706)
=================================================================
==29625==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7fd5d8b8309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fd5d87c2430 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fd5d889501f in OPENSSL_sk_new_reserve crypto/stack/stack.c:209
#3 0x7fd5d85dcbc3 in sk_ASN1_VALUE_new_null include/openssl/asn1t.h:928
#4 0x7fd5d85dcbc3 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:577
#5 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#6 0x7fd5d85db104 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:178
#7 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#8 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#9 0x7fd5d88f86d9 in X509V3_EXT_d2i crypto/x509v3/v3_lib.c:142
#10 0x7fd5d88d6d3c in crl_set_issuers crypto/x509/x_crl.c:97
#11 0x7fd5d88d6d3c in crl_cb crypto/x509/x_crl.c:246
#12 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#13 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#14 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#15 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259
#16 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#17 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#18 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#19 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633
#20 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#21 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#22 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#23 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#24 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#25 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#26 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#27 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69
#28 0x402845 in FuzzerTestOneInput fuzz/cms.c:43
#29 0x402bbb in testfile fuzz/test-corpus.c:182
#30 0x402626 in main fuzz/test-corpus.c:226
#31 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: 32 byte(s) leaked in 1 allocation(s).
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18391)
(cherry picked from commit e9007e09792e3735d4973743634ff55d354fc7d8)
---
crypto/x509/x_crl.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 9af39a45fc..a4e4a415de 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl)
if (gtmp) {
gens = gtmp;
- if (!crl->issuers) {
+ if (crl->issuers == NULL) {
crl->issuers = sk_GENERAL_NAMES_new_null();
- if (!crl->issuers)
+ if (crl->issuers == NULL) {
+ GENERAL_NAMES_free(gtmp);
return 0;
+ }
}
- if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
+ if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) {
+ GENERAL_NAMES_free(gtmp);
return 0;
+ }
}
rev->issuer = gens;
--
2.17.1

61
backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
View File

@ -1,61 +0,0 @@
From 8e1ece20cdb4a584be5311370256c4e813c09826 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 20 May 2022 16:15:44 +0200
Subject: [PATCH] Fix a memory leak in ec_key_simple_oct2priv
This is reproducible with my error injection patch:
$ ERROR_INJECT=1652710284 ../util/shlib_wrap.sh ./server-test ./corpora/server/4e48da8aecce6b9b58e8e4dbbf0523e6d2dd56dc
140587884632000:error:03078041:bignum routines:bn_expand_internal:malloc failure:crypto/bn/bn_lib.c:282:
140587884632000:error:10103003:elliptic curve routines:ec_key_simple_oct2priv:BN lib:crypto/ec/ec_key.c:662:
140587884632000:error:100DE08E:elliptic curve routines:old_ec_priv_decode:decode error:crypto/ec/ec_ameth.c:464:
140587884632000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140587884632000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
140587884632000:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
140587884632000:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
=================================================================
==19676==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7fdd2a6bb09f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fdd2a2fa430 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fdd2a15df11 in BN_new crypto/bn/bn_lib.c:246
#3 0x7fdd2a15df88 in BN_secure_new crypto/bn/bn_lib.c:257
#4 0x7fdd2a247390 in ec_key_simple_oct2priv crypto/ec/ec_key.c:655
#5 0x7fdd2a241fc5 in d2i_ECPrivateKey crypto/ec/ec_asn1.c:1030
#6 0x7fdd2a23dac5 in old_ec_priv_decode crypto/ec/ec_ameth.c:463
#7 0x7fdd2a109db7 in d2i_PrivateKey crypto/asn1/d2i_pr.c:46
#8 0x7fdd2a33ab16 in PEM_read_bio_PrivateKey crypto/pem/pem_pkey.c:84
#9 0x7fdd2a3330b6 in PEM_read_bio_ECPrivateKey crypto/pem/pem_all.c:151
#10 0x402dba in FuzzerTestOneInput fuzz/server.c:592
#11 0x40370b in testfile fuzz/test-corpus.c:182
#12 0x402846 in main fuzz/test-corpus.c:226
#13 0x7fdd297b9f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18361)
---
crypto/ec/ec_key.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 23efbd015c..27d5a43b5f 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -657,8 +657,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);
return 0;
}
- eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
- if (eckey->priv_key == NULL) {
+ if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {
ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
return 0;
}
--
2.17.1

117
backport-Fix-a-memory-leak-in-tls13_generate_secret.patch
View File

@ -1,117 +0,0 @@
From a937806043bda5775091844050e8c632a41922ac Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Tue, 5 Jul 2022 20:39:06 +0200
Subject: [PATCH] Fix a memory leak in tls13_generate_secret
This was found by my Reproducible Error Injection patch (#18356)
Due to the exact location of the injected memory
error the sha256 digest is missing, and this causes much later
the memory leak (and a failed assertion) in tls13_generate_secret.
But the reproduction is a bit challenging, as it requires AESNI
and RDRAND capability.
OPENSSL_ia32cap=0x4200000000000000 ERROR_INJECT=1657070330 ../util/shlib_wrap.sh ./client-test ./corpora/client/791afc153e17db072175eeef85385a38d7f6d194
#0 0x7fceaffb7d4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36
#1 0x55fb9117f934 in my_malloc fuzz/test-corpus.c:114
#2 0x7fceafa147f3 in OPENSSL_LH_insert crypto/lhash/lhash.c:109
#3 0x7fceafa42639 in lh_OBJ_NAME_insert crypto/objects/obj_local.h:12
#4 0x7fceafa42639 in OBJ_NAME_add crypto/objects/o_names.c:236
#5 0x7fceaf9f7baa in EVP_add_digest crypto/evp/names.c:39
#6 0x7fceaf9c6b97 in openssl_add_all_digests_int crypto/evp/c_alld.c:39
#7 0x7fceafa0f8ec in ossl_init_add_all_digests crypto/init.c:275
#8 0x7fceafa0f8ec in ossl_init_add_all_digests_ossl_ crypto/init.c:264
#9 0x7fceaf69b4de in __pthread_once_slow /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_once.c:116
#10 0x7fceafafb27c in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118
#11 0x7fceafa1000e in OPENSSL_init_crypto crypto/init.c:677
#12 0x7fceafa1000e in OPENSSL_init_crypto crypto/init.c:611
#13 0x7fceafdad3e8 in OPENSSL_init_ssl ssl/ssl_init.c:190
#14 0x55fb9117ee0f in FuzzerInitialize fuzz/client.c:46
#15 0x55fb9117e939 in main fuzz/test-corpus.c:194
#16 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
#17 0x55fb9117ec7d in _start (.../openssl/fuzz/client-test+0x2c7d)
#0 0x7fceaffb7d4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36
#1 0x55fb9117f934 in my_malloc fuzz/test-corpus.c:114
#2 0x7fceafa147f3 in OPENSSL_LH_insert crypto/lhash/lhash.c:109
#3 0x7fceafa42639 in lh_OBJ_NAME_insert crypto/objects/obj_local.h:12
#4 0x7fceafa42639 in OBJ_NAME_add crypto/objects/o_names.c:236
#5 0x7fceaf9f7baa in EVP_add_digest crypto/evp/names.c:39
#6 0x7fceafdad328 in ossl_init_ssl_base ssl/ssl_init.c:87
#7 0x7fceafdad328 in ossl_init_ssl_base_ossl_ ssl/ssl_init.c:24
#8 0x7fceaf69b4de in __pthread_once_slow /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_once.c:116
#9 0x7fceafafb27c in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118
#10 0x7fceafdad412 in OPENSSL_init_ssl ssl/ssl_init.c:193
#11 0x55fb9117ee0f in FuzzerInitialize fuzz/client.c:46
#12 0x55fb9117e939 in main fuzz/test-corpus.c:194
#13 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
#14 0x55fb9117ec7d in _start (.../openssl/fuzz/client-test+0x2c7d)
=================================================================
==1320996==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x7fceaffaa808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7fceafa19425 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fceafa03a85 in int_ctx_new crypto/evp/pmeth_lib.c:144
#3 0x7fceafa03a85 in EVP_PKEY_CTX_new_id crypto/evp/pmeth_lib.c:250
#4 0x7fceafe38de5 in tls13_generate_secret ssl/tls13_enc.c:174
#5 0x7fceafd9537f in ssl_derive ssl/s3_lib.c:4833
#6 0x7fceafdde91c in tls_parse_stoc_key_share ssl/statem/extensions_clnt.c:1902
#7 0x7fceafdd4ac1 in tls_parse_all_extensions ssl/statem/extensions.c:752
#8 0x7fceafdf8079 in tls_process_server_hello ssl/statem/statem_clnt.c:1698
#9 0x7fceafe01f87 in ossl_statem_client_process_message ssl/statem/statem_clnt.c:1034
#10 0x7fceafdeec0d in read_state_machine ssl/statem/statem.c:636
#11 0x7fceafdeec0d in state_machine ssl/statem/statem.c:434
#12 0x7fceafdb88d7 in SSL_do_handshake ssl/ssl_lib.c:3718
#13 0x55fb9117f07c in FuzzerTestOneInput fuzz/client.c:98
#14 0x55fb9117f463 in testfile fuzz/test-corpus.c:182
#15 0x55fb9117eb92 in main fuzz/test-corpus.c:226
#16 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
Indirect leak of 1080 byte(s) in 1 object(s) allocated from:
#0 0x7fceaffaa808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7fceafa19425 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fceafa11555 in pkey_hkdf_init crypto/kdf/hkdf.c:51
#3 0x7fceafa03b36 in int_ctx_new crypto/evp/pmeth_lib.c:160
#4 0x7fceafa03b36 in EVP_PKEY_CTX_new_id crypto/evp/pmeth_lib.c:250
#5 0x7fceafe38de5 in tls13_generate_secret ssl/tls13_enc.c:174
#6 0x7fceafd9537f in ssl_derive ssl/s3_lib.c:4833
#7 0x7fceafdde91c in tls_parse_stoc_key_share ssl/statem/extensions_clnt.c:1902
#8 0x7fceafdd4ac1 in tls_parse_all_extensions ssl/statem/extensions.c:752
#9 0x7fceafdf8079 in tls_process_server_hello ssl/statem/statem_clnt.c:1698
#10 0x7fceafe01f87 in ossl_statem_client_process_message ssl/statem/statem_clnt.c:1034
#11 0x7fceafdeec0d in read_state_machine ssl/statem/statem.c:636
#12 0x7fceafdeec0d in state_machine ssl/statem/statem.c:434
#13 0x7fceafdb88d7 in SSL_do_handshake ssl/ssl_lib.c:3718
#14 0x55fb9117f07c in FuzzerTestOneInput fuzz/client.c:98
#15 0x55fb9117f463 in testfile fuzz/test-corpus.c:182
#16 0x55fb9117eb92 in main fuzz/test-corpus.c:226
#17 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: 1160 byte(s) leaked in 2 allocation(s).
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18725)
---
ssl/tls13_enc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index b8fb07f210..51ca1050a4 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -190,6 +190,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
if (!ossl_assert(mdleni >= 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
ERR_R_INTERNAL_ERROR);
+ EVP_PKEY_CTX_free(pctx);
return 0;
}
mdlen = (size_t)mdleni;
--
2.17.1

145
backport-Fix-an-assertion-in-the-DTLS-server-code.patch
View File

@ -1,145 +0,0 @@
From 564a8d442cbd8ce68d452ff2e8a58c0aea6b0632 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Mon, 11 Apr 2022 10:12:48 +0200
Subject: [PATCH] Fix an assertion in the DTLS server code
This fixes an internal error alert from the server and
an unexpected connection failure in the release version,
but a failed assertion and a server crash in the
debug version.
Reproduce this issue with a DTLS server/client like that:
./openssl s_server -dtls -mtu 1500
./openssl s_client -dtls -maxfraglen 512
In the debug version a crash happens in the Server now:
./openssl s_server -dtls -mtu 1500
Using default temp DH parameters
ACCEPT
ssl/statem/statem_dtls.c:269: OpenSSL internal error: Assertion failed: len == written
Aborted (core dumped)
While in the release version the handshake exceeds the
negotiated max fragment size, and fails because of this:
$ ./openssl s_server -dtls -mtu 1500
Using default temp DH parameters
ACCEPT
ERROR
4057152ADA7F0000:error:0A0000C2:SSL routines:do_dtls1_write:exceeds max fragment size:ssl/record/rec_layer_d1.c:826:
shutting down SSL
CONNECTION CLOSED
From the client's point of view the connection fails
with an Internal Error Alert:
$ ./openssl s_client -dtls -maxfraglen 512
Connecting to ::1
CONNECTED(00000003)
40B76343377F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_d1.c:613:SSL alert number 80
and now the connection attempt fails unexpectedly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18093)
(cherry picked from commit e915c3f5381cd38ebdc1824c3ba9896ea7160103)
---
ssl/statem/statem_dtls.c | 6 ++---
test/dtls_mtu_test.c | 48 +++++++++++++++++++++++++++++++++++++++-
2 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 8e3fb686ee..620367ace4 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type)
else
len = s->init_num;
- if (len > s->max_send_fragment)
- len = s->max_send_fragment;
+ if (len > ssl_get_max_send_fragment(s))
+ len = ssl_get_max_send_fragment(s);
/*
* XDTLS: this function is too long. split out the CCS part
@@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type)
ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len,
&written);
- if (ret < 0) {
+ if (ret <= 0) {
/*
* might need to update MTU here, but we don't know which
* previous packet caused the failure -- so can't really
diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c
index f20edf02d2..9b69e80a62 100644
--- a/test/dtls_mtu_test.c
+++ b/test/dtls_mtu_test.c
@@ -185,12 +185,58 @@ static int run_mtu_tests(void)
end:
SSL_CTX_free(ctx);
- bio_s_mempacket_test_free();
return ret;
}
+static int test_server_mtu_larger_than_max_fragment_length(void)
+{
+ SSL_CTX *ctx = NULL;
+ SSL *srvr_ssl = NULL, *clnt_ssl = NULL;
+ int rv = 0;
+
+ if (!TEST_ptr(ctx = SSL_CTX_new(DTLS_method())))
+ goto end;
+
+ SSL_CTX_set_psk_server_callback(ctx, srvr_psk_callback);
+ SSL_CTX_set_psk_client_callback(ctx, clnt_psk_callback);
+
+#ifndef OPENSSL_NO_DH
+ if (!TEST_true(SSL_CTX_set_dh_auto(ctx, 1)))
+ goto end;
+#endif
+
+ if (!TEST_true(create_ssl_objects(ctx, ctx, &srvr_ssl, &clnt_ssl,
+ NULL, NULL)))
+ goto end;
+
+ SSL_set_options(srvr_ssl, SSL_OP_NO_QUERY_MTU);
+ if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500)))
+ goto end;
+
+ SSL_set_tlsext_max_fragment_length(clnt_ssl,
+ TLSEXT_max_fragment_length_512);
+
+ if (!TEST_true(create_ssl_connection(srvr_ssl, clnt_ssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ rv = 1;
+
+ end:
+ SSL_free(clnt_ssl);
+ SSL_free(srvr_ssl);
+ SSL_CTX_free(ctx);
+ return rv;
+}
+
int setup_tests(void)
{
ADD_TEST(run_mtu_tests);
+ ADD_TEST(test_server_mtu_larger_than_max_fragment_length);
return 1;
}
+
+void cleanup_tests(void)
+{
+ bio_s_mempacket_test_free();
+}
--
2.17.1

47
backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch
View File

@ -1,47 +0,0 @@
From 6495cab1c876ad80ce983d848ccaa1dc286a63e1 Mon Sep 17 00:00:00 2001
From: slontis <shane.lontis@oracle.com>
Date: Fri, 1 Jul 2022 13:47:11 +1000
Subject: [PATCH] Fix bn_gcd code to check return value when calling BN_one()
BN_one() uses the expand function which calls malloc which may fail.
All other places that reference BN_one() check the return value.
The issue is triggered by a memory allocation failure.
Detected by PR #18355
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18697)
(cherry picked from commit 7fe7cc57af3db1e497877f0329ba17609b2efc8b)
---
crypto/bn/bn_gcd.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 0941f7b97f..c4b7854e1a 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -47,7 +47,8 @@ BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
if (R == NULL)
goto err;
- BN_one(X);
+ if (!BN_one(X))
+ goto err;
BN_zero(Y);
if (BN_copy(B, a) == NULL)
goto err;
@@ -235,7 +236,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
if (R == NULL)
goto err;
- BN_one(X);
+ if (!BN_one(X))
+ goto err;
BN_zero(Y);
if (BN_copy(B, a) == NULL)
goto err;
--
2.17.1

29
backport-Fix-coverity-1498607-uninitialised-value.patch
View File

@ -1,29 +0,0 @@
From 2f1c42553dbaac97d38657cd1ac1209ef4c11e78 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 16 Mar 2022 14:45:44 +1100
Subject: [PATCH] Fix coverity 1498607: uninitialised value
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17897)
(cherry picked from commit 70cd9a51911e9a4e2f24e29ddd84fa9fcb778b63)
---
crypto/ec/ecp_nistz256.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index 5005249b05..43eab75fa7 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return 0;
}
+ memset(&p, 0, sizeof(p));
BN_CTX_start(ctx);
if (scalar) {
--
2.17.1

36
backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch
View File

@ -1,36 +0,0 @@
From 93ac3b8dd1cc49b27c402278cbe73a1c4ac91f9b Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Mon, 4 Apr 2022 12:25:16 +0100
Subject: [PATCH] Fix failure to check result of bn_rshift_fixed_top
Fixes #18010.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18034)
(cherry picked from commit bc6bac8561ead83d6135f376ffcbbb0b657e64fe)
---
crypto/bn/bn_div.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 0da9f39b31..e2821fb6cd 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
snum->neg = num_neg;
snum->top = div_n;
snum->flags |= BN_FLG_FIXED_TOP;
- if (rm != NULL)
- bn_rshift_fixed_top(rm, snum, norm_shift);
+
+ if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)
+ goto err;
+
BN_CTX_end(ctx);
return 1;
err:
--
2.17.1

62
backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch
View File

@ -1,62 +0,0 @@
From eed53b9addd097a5d39f896b05aa857d6f29b245 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Fri, 11 Mar 2022 08:36:11 +0000
Subject: [PATCH] Fix integer overflow in evp_EncryptDecryptUpdate
Fixes #17871.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17872)
---
crypto/evp/evp_enc.c | 8 +++++---
crypto/evp/evp_local.h | 2 +-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index d835968f25..b8b9d90d36 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
# define PTRDIFF_T size_t
#endif
-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
+int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len)
{
PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
/*
@@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
- int i, j, bl, cmpl = inl;
+ int i, j, bl;
+ size_t cmpl = (size_t)inl;
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
cmpl = (cmpl + 7) / 8;
@@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
- int fix_len, cmpl = inl;
+ int fix_len;
unsigned int b;
+ size_t cmpl = (size_t)inl;
/* Prevent accidental use of encryption context when decrypting */
if (ctx->encrypt) {
diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h
index f1589d6828..cd3c1cf148 100644
--- a/crypto/evp/evp_local.h
+++ b/crypto/evp/evp_local.h
@@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st {
typedef struct evp_pbe_st EVP_PBE_CTL;
DEFINE_STACK_OF(EVP_PBE_CTL)
-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len);
+int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len);
--
2.17.1

45
backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch
View File

@ -1,45 +0,0 @@
From 65e30e7d56f01008d29e65c9ae7a42ce074def2f Mon Sep 17 00:00:00 2001
From: Amir Mohammadi <amiremohamadi@yahoo.com>
Date: Wed, 4 Aug 2021 09:43:49 +0430
Subject: [PATCH] Fix ipv4_from_asc behavior on invalid Ip addresses
sscanf() call in ipv4_from_asc does not check that
the string is terminated immediately after the last digit.
(cherry picked from commit 8b9a13b43ba3d71e441fca47a52e800ce79b3d2b)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
---
crypto/x509v3/v3_utl.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index a7ff4b4fb4..eac78259fc 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -1087,12 +1087,17 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc)
static int ipv4_from_asc(unsigned char *v4, const char *in)
{
- int a0, a1, a2, a3;
- if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+ const char *p;
+ int a0, a1, a2, a3, n;
+
+ if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
return 0;
if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
|| (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
return 0;
+ p = in + n;
+ if (!(*p == '\0' || ossl_isspace(*p)))
+ return 0;
v4[0] = a0;
v4[1] = a1;
v4[2] = a2;
--
2.17.1

80
backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
View File

@ -1,80 +0,0 @@
From add8c29badb315cb8137655893826562ff12a581 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Thu, 3 Mar 2022 17:27:23 +0000
Subject: [PATCH] Fix issue where OBJ_nid2obj doesn't always raise an error
This was previously fixed in 3.0 but not 1.1.
Fixes #13008.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17808)
---
crypto/objects/obj_dat.c | 5 +++--
test/asn1_internal_test.c | 27 +++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 46006fe6cf..a501ca104b 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -228,9 +228,10 @@ ASN1_OBJECT *OBJ_nid2obj(int n)
return NULL;
}
return (ASN1_OBJECT *)&(nid_objs[n]);
- } else if (added == NULL)
+ } else if (added == NULL) {
+ OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID);
return NULL;
- else {
+ } else {
ad.type = ADDED_NID;
ad.obj = &ob;
ob.nid = n;
diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
index 865e058421..caca0cb15e 100644
--- a/test/asn1_internal_test.c
+++ b/test/asn1_internal_test.c
@@ -107,9 +107,36 @@ static int test_standard_methods(void)
return 0;
}
+/**********************************************************************
+ *
+ * Regression test for issue where OBJ_nid2obj does not raise
+ * an error when a NID is not registered.
+ *
+ ***/
+static int test_nid2obj_nonexist(void)
+{
+ ASN1_OBJECT *obj;
+ unsigned long err;
+
+ obj = OBJ_nid2obj(INT_MAX);
+ if (!TEST_true(obj == NULL))
+ return 0;
+
+ err = ERR_get_error();
+
+ if (!TEST_int_eq(ERR_GET_FUNC(err), OBJ_F_OBJ_NID2OBJ))
+ return 0;
+
+ if (!TEST_int_eq(ERR_GET_REASON(err), OBJ_R_UNKNOWN_NID))
+ return 0;
+
+ return 1;
+}
+
int setup_tests(void)
{
ADD_TEST(test_tbl_standard);
ADD_TEST(test_standard_methods);
+ ADD_TEST(test_nid2obj_nonexist);
return 1;
}
--
2.17.1

61
backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch
View File

@ -1,61 +0,0 @@
From 6ef91d8153e04a2302bff11b29caf7e888b62fe8 Mon Sep 17 00:00:00 2001
From: basavesh <basavesh.shivakumar@gmail.com>
Date: Tue, 5 Apr 2022 17:49:09 +0200
Subject: [PATCH] Fix leakage when the cacheline is 32-bytes in
CBC_MAC_ROTATE_IN_PLACE
rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret.
Consider a weaker leakage model(CL) where only cacheline base address is leaked,
i.e address/32 for 32-byte cacheline(CL32).
Previous code used to perform two loads
1. rotated_mac[rotate_offset ^ 32] and
2. rotated_mac[rotate_offset++]
which would leak 2q + 1, 2q for 0 <= rotate_offset < 32
and 2q, 2q + 1 for 32 <= rotate_offset < 64
The proposed fix performs load operations which will always leak 2q, 2q + 1 and
selects the appropriate value in constant-time.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18050)
---
ssl/record/ssl3_record.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index f158544789..69f1a64cb3 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out,
#if defined(CBC_MAC_ROTATE_IN_PLACE)
unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
unsigned char *rotated_mac;
+ char aux1, aux2, aux3, mask;
#else
unsigned char rotated_mac[EVP_MAX_MD_SIZE];
#endif
@@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out,
#if defined(CBC_MAC_ROTATE_IN_PLACE)
j = 0;
for (i = 0; i < md_size; i++) {
- /* in case cache-line is 32 bytes, touch second line */
- ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
- out[j++] = rotated_mac[rotate_offset++];
+ /*
+ * in case cache-line is 32 bytes,
+ * load from both lines and select appropriately
+ */
+ aux1 = rotated_mac[rotate_offset & ~32];
+ aux2 = rotated_mac[rotate_offset | 32];
+ mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);
+ aux3 = constant_time_select_8(mask, aux1, aux2);
+ out[j++] = aux3;
+ rotate_offset++;
rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
}
#else
--
2.17.1

36
backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch
View File

@ -1,36 +0,0 @@
From c3efe5c96128d699f0884128ce905906bc28ed34 Mon Sep 17 00:00:00 2001
From: Allan <allanchang96@gmail.com>
Date: Thu, 7 Jul 2022 16:04:09 -0700
Subject: [PATCH] Fix memory leak in X509V3_add1_i2d when flag is
X509V3_ADD_DELETE
Fixes #18677
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18698)
(cherry picked from commit 4798e0680b112993815098ca21d7d68ff31ebc6e)
---
crypto/x509v3/v3_lib.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 97c1cbc20f..d7e7c9a5cb 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -242,8 +242,10 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
}
/* If delete, just delete it */
if (ext_op == X509V3_ADD_DELETE) {
- if (!sk_X509_EXTENSION_delete(*x, extidx))
+ extmp = sk_X509_EXTENSION_delete(*x, extidx);
+ if (extmp == NULL)
return -1;
+ X509_EXTENSION_free(extmp);
return 1;
}
} else {
--
2.17.1

72
backport-Fix-password_callback-to-handle-short-passwords.patch
View File

@ -1,72 +0,0 @@
From f4942134815f95845706993c15ca7e4fd6e44627 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 7 Jan 2022 10:18:58 +0100
Subject: [PATCH] Fix password_callback to handle short passwords
Fixes #17426
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17439)
---
apps/apps.c | 8 ++++++--
test/recipes/15-test_genrsa.t | 7 ++++++-
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index c06241abb9..531fbec551 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
int ui_flags = 0;
const char *prompt_info = NULL;
char *prompt;
+ int pw_min_len = PW_MIN_LENGTH;
if (cb_data != NULL && cb_data->prompt_info != NULL)
prompt_info = cb_data->prompt_info;
+ if (cb_data != NULL && cb_data->password != NULL
+ && *(const char*)cb_data->password != '\0')
+ pw_min_len = 1;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
if (!prompt) {
BIO_printf(bio_err, "Out of memory\n");
@@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
(void)UI_add_user_data(ui, cb_data);
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
- PW_MIN_LENGTH, bufsiz - 1);
+ pw_min_len, bufsiz - 1);
if (ok >= 0 && verify) {
buff = app_malloc(bufsiz, "password buffer");
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
- PW_MIN_LENGTH, bufsiz - 1, buf);
+ pw_min_len, bufsiz - 1, buf);
}
if (ok >= 0)
do {
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index e16a9a4042..c9bc6bdc8a 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils;
setup("test_genrsa");
-plan tests => 5;
+plan tests => 7;
# We want to know that an absurdly small number of bits isn't support
is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
@@ -52,3 +52,8 @@ ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
"genrsa -f4 $good");
ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
"rsa -check");
+ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem',
+ '-aes256', '-passout', 'pass:x' ])),
+ "rsa encrypt");
+ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])),
+ "rsa decrypt");
--
2.17.1

71
backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch
View File

@ -1,71 +0,0 @@
From a1d80edcf830739131e0567dc03b1e80b7988b1e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 10 Jun 2022 15:58:58 +0100
Subject: [PATCH] Fix range_should_be_prefix() to actually return the correct
result
range_should_be_prefix() was misidentifying whether an IP address range
should in fact be represented as a prefix. This was due to a bug introduced
in commit 42d7d7dd which made this incorrect change:
- OPENSSL_assert(memcmp(min, max, length) <= 0);
+ if (memcmp(min, max, length) <= 0)
+ return -1;
This error leads to incorrect DER being encoded/accepted.
Reported by Theo Buehler (@botovq)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18524)
(cherry picked from commit 30532e59f475e0066c030693e4d614311a9e0cae)
(cherry picked from commit 2c6550c6db9b1b69dc24f968b4ceb534edcf4841)
---
crypto/x509v3/v3_addr.c | 14 ++++-
test/v3ext.c | 111 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 123 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index 4258dbc40c..32f77a2679 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -13,6 +13,8 @@
#include <stdio.h>
#include <stdlib.h>
+#include <assert.h>
+#include <string.h>
#include "internal/cryptlib.h"
#include <openssl/conf.h>
@@ -342,8 +344,13 @@ static int range_should_be_prefix(const unsigned char *min,
unsigned char mask;
int i, j;
- if (memcmp(min, max, length) <= 0)
- return -1;
+ /*
+ * It is the responsibility of the caller to confirm min <= max. We don't
+ * use ossl_assert() here since we have no way of signalling an error from
+ * this function - so we just use a plain assert instead.
+ */
+ assert(memcmp(min, max, length) <= 0);
+
for (i = 0; i < length && min[i] == max[i]; i++) ;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
if (i < j)
@@ -426,6 +433,9 @@ static int make_addressRange(IPAddressOrRange **result,
IPAddressOrRange *aor;
int i, prefixlen;
+ if (memcmp(min, max, length) > 0)
+ return 0;
+
if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
return make_addressPrefix(result, min, prefixlen);
--
2.17.1

131
backport-Fix-re-signing-certificates-with-different-key-sizes.patch
View File

@ -1,131 +0,0 @@
From 952fab01bebb15a8408c6ac27b59c28c979f7d49 Mon Sep 17 00:00:00 2001
From: Todd Short <tshort@akamai.com>
Date: Wed, 20 Jul 2022 16:42:50 -0400
Subject: [PATCH] Fix re-signing certificates with different key sizes
PR #18129 broke the scenario of signing a certificate (not CSR) with
different-sized key. This works in 3.0, so port the fix from 3.0
(which is to only update the issuer for a request).
Partially undo #18129, but keep setting the issuer only for a CSR
Create two certs (a and ca) then sign a with c (into b):
```
openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com
openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com
openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '1234567890' -preserve_dates -sha256 -out b-cert.pem
```
The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes #18129)
The issue in #16080 is also fixed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18836)
---
apps/x509.c | 4 ++-
test/recipes/25-test_x509.t | 61 ++++++++++++++++++++++++++++++++++++-
2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 67a70e7fea..8d4bf71a03 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -590,7 +590,7 @@ int x509_main(int argc, char **argv)
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
- if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ if (reqfile && !X509_set_issuer_name(x, X509_get_subject_name(xca)))
goto end;
}
@@ -993,6 +993,8 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;
}
+ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ goto end;
if (!X509_set_serialNumber(x, bs))
goto end;
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index f5ef0f9963..73548145c8 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -15,7 +15,11 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_x509");
-plan tests => 9;
+plan tests => 16;
+
+# Prevent MSys2 filename munging for arguments that look like file paths but
+# aren't
+$ENV{MSYS2_ARG_CONV_EXCL} = "/CN=";
require_ok(srctop_file('test','recipes','tconversion.pl'));
@@ -46,4 +50,59 @@ subtest 'x509 -- second x.509 v3 certificate' => sub {
subtest 'x509 -- pathlen' => sub {
ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
+};
+
+# extracts issuer from a -text formatted-output
+sub get_issuer {
+ my $f = shift(@_);
+ my $issuer = "";
+ open my $fh, $f or die;
+ while (my $line = <$fh>) {
+ if ($line =~ /Issuer:/) {
+ $issuer = $line;
+ }
+ }
+ close $fh;
+ return $issuer;
}
+
+# Tests for signing certs (broken in 1.1.1o)
+my $a_key = "a-key.pem";
+my $a_cert = "a-cert.pem";
+my $a2_cert = "a2-cert.pem";
+my $ca_key = "ca-key.pem";
+my $ca_cert = "ca-cert.pem";
+my $cnf = srctop_file('apps', 'openssl.cnf');
+
+# Create cert A
+ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:2048",
+ "-config", $cnf,
+ "-keyout", $a_key, "-out", $a_cert, "-days", "365",
+ "-nodes", "-subj", "/CN=test.example.com"])));
+# Create cert CA - note key size
+ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:4096",
+ "-config", $cnf,
+ "-keyout", $ca_key, "-out", $ca_cert, "-days", "3650",
+ "-nodes", "-subj", "/CN=ca.example.com"])));
+# Sign cert A with CA (errors on 1.1.1o)
+ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert,
+ "-CAkey", $ca_key, "-set_serial", "1234567890",
+ "-preserve_dates", "-sha256", "-text", "-out", $a2_cert])));
+# verify issuer is CA
+ok (get_issuer($a2_cert) =~ /CN = ca.example.com/);
+
+# Tests for issue #16080 (fixed in 1.1.1o)
+my $b_key = "b-key.pem";
+my $b_csr = "b-cert.csr";
+my $b_cert = "b-cert.pem";
+# Create the CSR
+ok(run(app(["openssl", "req", "-new", "-newkey", "rsa:4096",
+ "-keyout", $b_key, "-out", $b_csr, "-nodes",
+ "-config", $cnf,
+ "-subj", "/CN=b.example.com"])));
+# Sign it - position of "-text" matters!
+ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial",
+ "-CA", $ca_cert, "-CAkey", $ca_key,
+ "-in", $b_csr, "-out", $b_cert])));
+# Verify issuer is CA
+ok(get_issuer($b_cert) =~ /CN = ca.example.com/);
--
2.17.1

54
backport-Fix-strict-client-chain-check-with-TLS-1.3.patch
View File

@ -1,54 +0,0 @@
From 3bd976551e549c030bdbd150c7aa8a1980cb00fe Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 29 Mar 2022 13:31:34 +0200
Subject: [PATCH] Fix strict client chain check with TLS-1.3
When TLS-1.3 is used and the server does not send any CA names
the ca_dn will be NULL. sk_X509_NAME_num() returns -1 on null
argument.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17986)
(cherry picked from commit 89dd85430770d39cbfb15eb586c921958ca7687f)
---
ssl/t1_lib.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4de4623a49..5fcb40eaff 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
ca_dn = s->s3->tmp.peer_ca_names;
- if (!sk_X509_NAME_num(ca_dn))
+ if (ca_dn == NULL
+ || sk_X509_NAME_num(ca_dn) == 0
+ || ssl_check_ca_name(ca_dn, x))
rv |= CERT_PKEY_ISSUER_NAME;
-
- if (!(rv & CERT_PKEY_ISSUER_NAME)) {
- if (ssl_check_ca_name(ca_dn, x))
- rv |= CERT_PKEY_ISSUER_NAME;
- }
- if (!(rv & CERT_PKEY_ISSUER_NAME)) {
+ else
for (i = 0; i < sk_X509_num(chain); i++) {
X509 *xtmp = sk_X509_value(chain, i);
+
if (ssl_check_ca_name(ca_dn, xtmp)) {
rv |= CERT_PKEY_ISSUER_NAME;
break;
}
}
- }
+
if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
goto end;
} else
--
2.17.1

42
backport-Fix-test-case-for-a2i_IPADDRESS.patch
View File

@ -1,42 +0,0 @@
From c3b0279bda7bf4f0f81a3dba952698fa68a51639 Mon Sep 17 00:00:00 2001
From: Amir Mohammadi <amiremohamadi@yahoo.com>
Date: Wed, 4 Aug 2021 09:44:29 +0430
Subject: [PATCH] Fix test case for a2i_IPADDRESS
(cherry picked from commit 9b887d5d5a8ef9aa1c3ce6e54a82ddcba25b9415)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
---
test/x509_internal_test.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/x509_internal_test.c b/test/x509_internal_test.c
index 3eec970352..63f350f74b 100644
--- a/test/x509_internal_test.c
+++ b/test/x509_internal_test.c
@@ -61,7 +61,6 @@ typedef struct {
const char *ipasc;
const char *data;
int length;
- ASN1_OCTET_STRING ip;
} IP_TESTDATA;
static IP_TESTDATA a2i_ipaddress_tests[] = {
@@ -81,8 +80,10 @@ static IP_TESTDATA a2i_ipaddress_tests[] = {
{"example.test", NULL, 0},
{"", NULL, 0},
+ {"1.2.3.4 ", "\x01\x02\x03\x04", 4},
+ {" 1.2.3.4", "\x01\x02\x03\x04", 4},
+ {" 1.2.3.4 ", "\x01\x02\x03\x04", 4},
{"1.2.3.4.example.test", NULL, 0},
- {"1.2.3.4 ", NULL, 0},
};
--
2.17.1

41
backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch
View File

@ -1,41 +0,0 @@
From e4b84b7514e5cbcbfc80e31b4ce609c7584e14bb Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 20 May 2022 16:54:41 +0200
Subject: [PATCH] Fix undefined behaviour in EC_GROUP_new_from_ecparameters
This happens for instance with
fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
and causes the OPENSSL_malloc below to choke on the
zero length allocation request.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18363)
---
crypto/ec/ec_asn1.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 4335b3da1a..ad9a54dc50 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
/* extract seed (optional) */
if (params->curve->seed != NULL) {
+ /*
+ * This happens for instance with
+ * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
+ * and causes the OPENSSL_malloc below to choke on the
+ * zero length allocation request.
+ */
+ if (params->curve->seed->length == 0) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+ goto err;
+ }
OPENSSL_free(ret->seed);
if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
--
2.17.1

36
backport-Fix-usage-of-SSLfatal.patch
View File

@ -1,36 +0,0 @@
From 3e8f70c30d84861fcd257a6e280dc49e104eb145 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 30 Mar 2022 14:49:24 +0100
Subject: [PATCH] Fix usage of SSLfatal
A cherry-pick from the master branch incorrectly introduced a usage of
3 argument SSLfatal. In 1.1.1 the function code is also required.
Fixes #17999
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18000)
---
ssl/statem/statem_clnt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index e3aba393f9..2bc5cf5ec3 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1423,7 +1423,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
if (s->hello_retry_request != SSL_HRR_NONE) {
- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
+ SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE);
goto err;
}
s->hello_retry_request = SSL_HRR_PENDING;
--
2.17.1

64
backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch
View File

@ -1,64 +0,0 @@
From 86945b10ccd84f685bd6215bbb00d1e700303e49 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Thu, 14 Jul 2022 21:41:48 +0200
Subject: [PATCH] Fix verify_callback in the openssl s_client/s_server app
We need to check that error cert is available before printing its data
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18805)
(cherry picked from commit fad0f80eff188ef938fed614245a56ed56110deb)
---
apps/s_cb.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index d066a423de..a4ff978908 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -74,22 +74,28 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
}
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- BIO_puts(bio_err, "issuer= ");
- X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
- 0, get_nameopt());
- BIO_puts(bio_err, "\n");
+ if (err_cert != NULL) {
+ BIO_puts(bio_err, "issuer= ");
+ X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
+ 0, get_nameopt());
+ BIO_puts(bio_err, "\n");
+ }
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- BIO_printf(bio_err, "notBefore=");
- ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
- BIO_printf(bio_err, "\n");
+ if (err_cert != NULL) {
+ BIO_printf(bio_err, "notBefore=");
+ ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
+ BIO_printf(bio_err, "\n");
+ }
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- BIO_printf(bio_err, "notAfter=");
- ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
- BIO_printf(bio_err, "\n");
+ if (err_cert != NULL) {
+ BIO_printf(bio_err, "notAfter=");
+ ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
+ BIO_printf(bio_err, "\n");
+ }
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
if (!verify_args.quiet)
--
2.17.1

37
backport-Fixes-segfault-occurrence-in-PEM_write.patch
View File

@ -1,37 +0,0 @@
From 3b9082c844913d3a0efada9fac0bd2924ce1a8f2 Mon Sep 17 00:00:00 2001
From: valdaarhun <icegambit91@gmail.com>
Date: Mon, 25 Jul 2022 18:49:19 +0530
Subject: [PATCH] Fixes segfault occurrence in PEM_write()
Checks if header is NULL or not before calling strlen().
CLA: trivial
Fixes #18825
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18865)
(cherry picked from commit 205957405d08ef199e6ab654e333a627bbca9ccc)
---
crypto/pem/pem_lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 2de093595d..c2cf407931 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -621,7 +621,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
(BIO_write(bp, "-----\n", 6) != 6))
goto err;
- i = strlen(header);
+ i = header != NULL ? strlen(header) : 0;
if (i > 0) {
if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1))
goto err;
--
2.17.1

77
backport-Make-the-DRBG-seed-propagation-thread-safe.patch
View File

@ -1,77 +0,0 @@
From 17098c116d68b3a01fcb688487dccdc0c10b8f63 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat, 23 Oct 2021 11:58:27 +0200
Subject: [PATCH] Make the DRBG seed propagation thread safe
Currently there is a race possible because the reseed_counter
of the master drbg may be incremented after the get_entropy call.
Therefore access the parent's reseed_counter while still holding
the rand_drbg_lock.
This improves commit 958fec77928a28350f6af252ac5e8d0e6e081faa
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16900)
---
crypto/rand/drbg_lib.c | 18 ++++--------------
crypto/rand/rand_lib.c | 6 +++++-
2 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
index 8c7c28c970..0ba20ca326 100644
--- a/crypto/rand/drbg_lib.c
+++ b/crypto/rand/drbg_lib.c
@@ -354,13 +354,8 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
drbg->state = DRBG_READY;
drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- if (drbg->enable_reseed_propagation) {
- if (drbg->parent == NULL)
- tsan_counter(&drbg->reseed_counter);
- else
- tsan_store(&drbg->reseed_counter,
- tsan_load(&drbg->parent->reseed_counter));
- }
+ if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+ tsan_counter(&drbg->reseed_counter);
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
@@ -444,13 +439,8 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
drbg->state = DRBG_READY;
drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- if (drbg->enable_reseed_propagation) {
- if (drbg->parent == NULL)
- tsan_counter(&drbg->reseed_counter);
- else
- tsan_store(&drbg->reseed_counter,
- tsan_load(&drbg->parent->reseed_counter));
- }
+ if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+ tsan_counter(&drbg->reseed_counter);
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 5c72fad8ca..545ab46315 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -172,8 +172,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
if (RAND_DRBG_generate(drbg->parent,
buffer, bytes_needed,
prediction_resistance,
- (unsigned char *)&drbg, sizeof(drbg)) != 0)
+ (unsigned char *)&drbg, sizeof(drbg)) != 0) {
bytes = bytes_needed;
+ if (drbg->enable_reseed_propagation)
+ tsan_store(&drbg->reseed_counter,
+ tsan_load(&drbg->parent->reseed_counter));
+ }
rand_drbg_unlock(drbg->parent);
rand_pool_add_end(pool, bytes, 8 * bytes);
--
2.17.1

40
backport-Moving-notify-check-after-the-no-time-check.patch
View File

@ -1,40 +0,0 @@
From 9eae491721209f302a9a475bffd271370e8bcb8f Mon Sep 17 00:00:00 2001
From: Ryan Kelley <ryan.parker.kelley@gmail.com>
Date: Tue, 16 Aug 2022 05:28:50 +0000
Subject: [PATCH] Moving notify check after the no time check
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19007)
(cherry picked from commit c92c3dfb99485eb2cfb840e92bd0ece8cdd72d0c)
---
crypto/x509/x509_vfy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b18489f67f..925fbb5412 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -973,14 +973,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
time_t *ptime;
int i;
- if (notify)
- ctx->current_crl = crl;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
ptime = &ctx->param->check_time;
else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
return 1;
else
ptime = NULL;
+ if (notify)
+ ctx->current_crl = crl;
i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
--
2.17.1

33
backport-Set-protocol-in-init_client.patch
View File

@ -1,33 +0,0 @@
From 3aeed22c593ae036c2503ac07276768c82fe5782 Mon Sep 17 00:00:00 2001
From: Todd Short <todd.short@me.com>
Date: Tue, 8 Mar 2022 09:36:43 -0500
Subject: [PATCH] Set protocol in init_client()
If TCP is being used, protocol = 0 is passed to init_client(), then
protocol == IPPROTO_TCP fails when attempting to set BIO_SOCK_NODELAY.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17838)
(cherry picked from commit 54b6755702309487ea860e1cc3e60ccef4cf7878)
---
apps/s_socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/s_socket.c b/apps/s_socket.c
index aee366d5f4..a518d56200 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -147,7 +147,7 @@ int init_client(int *sock, const char *host, const char *port,
#endif
if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
- protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
+ BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
continue;
--
2.17.1

91
backport-Test-case-for-a2i_IPADDRESS.patch
View File

@ -1,91 +0,0 @@
From bd41b84bede84c1a5716be4eafddd1dd052faa72 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Sat, 15 Aug 2020 20:01:49 +0200
Subject: [PATCH] Test case for a2i_IPADDRESS
Unit test to show that a2i_IPADDRESS("1.2.3.4.test.example") ignores
trailing data.
See: https://github.com/openssl/openssl/issues/12649
See: https://bugs.python.org/issue41556
(cherry picked from commit 1a9411a30b09a98498366979a1ea4898f70f6d19)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
---
test/x509_internal_test.c | 54 +++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
diff --git a/test/x509_internal_test.c b/test/x509_internal_test.c
index d2f41d7085..3eec970352 100644
--- a/test/x509_internal_test.c
+++ b/test/x509_internal_test.c
@@ -57,8 +57,62 @@ static int test_standard_exts(void)
return good;
}
+typedef struct {
+ const char *ipasc;
+ const char *data;
+ int length;
+ ASN1_OCTET_STRING ip;
+} IP_TESTDATA;
+
+static IP_TESTDATA a2i_ipaddress_tests[] = {
+ {"127.0.0.1", "\x7f\x00\x00\x01", 4},
+ {"1.2.3.4", "\x01\x02\x03\x04", 4},
+ {"1.2.3.255", "\x01\x02\x03\xff", 4},
+ {"1.2.3", NULL, 0},
+ {"1.2.3 .4", NULL, 0},
+
+ {"::1", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16},
+ {"1:1:1:1:1:1:1:1", "\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01", 16},
+ {"2001:db8::ff00:42:8329", "\x20\x01\x0d\xb8\x00\x00\x00\x00\x00\x00\xff\x00\x00\x42\x83\x29", 16},
+ {"1:1:1:1:1:1:1:1.test", NULL, 0},
+ {":::1", NULL, 0},
+ {"2001::123g", NULL, 0},
+
+ {"example.test", NULL, 0},
+ {"", NULL, 0},
+
+ {"1.2.3.4.example.test", NULL, 0},
+ {"1.2.3.4 ", NULL, 0},
+};
+
+
+static int test_a2i_ipaddress(int idx)
+{
+ int good = 1;
+ ASN1_OCTET_STRING *ip;
+ int len = a2i_ipaddress_tests[idx].length;
+
+ ip = a2i_IPADDRESS(a2i_ipaddress_tests[idx].ipasc);
+ if (len == 0) {
+ if (!TEST_ptr_null(ip)) {
+ good = 0;
+ TEST_note("'%s' should not be parsed as IP address", a2i_ipaddress_tests[idx].ipasc);
+ }
+ } else {
+ if (!TEST_ptr(ip)
+ || !TEST_int_eq(ASN1_STRING_length(ip), len)
+ || !TEST_mem_eq(ASN1_STRING_get0_data(ip), len,
+ a2i_ipaddress_tests[idx].data, len)) {
+ good = 0;
+ }
+ }
+ ASN1_OCTET_STRING_free(ip);
+ return good;
+}
+
int setup_tests(void)
{
ADD_TEST(test_standard_exts);
+ ADD_ALL_TESTS(test_a2i_ipaddress, OSSL_NELEM(a2i_ipaddress_tests));
return 1;
}
--
2.17.1

100
backport-Test-processing-of-a-duplicated-HRR.patch
View File

@ -1,100 +0,0 @@
From f29ec6563ddf81db46c464d14f2bb29a3fa5592f Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 22 Mar 2022 16:33:52 +0100
Subject: [PATCH] Test processing of a duplicated HRR
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17936)
(cherry picked from commit db44b55aaa42141921217183667800425227b658)
---
test/recipes/70-test_tls13hrr.t | 51 +++++++++++++++++++++++++++++++--
1 file changed, 49 insertions(+), 2 deletions(-)
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index e0b47ed359..411e749971 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -37,7 +37,8 @@ my $proxy = TLSProxy::Proxy->new(
use constant {
CHANGE_HRR_CIPHERSUITE => 0,
- CHANGE_CH1_CIPHERSUITE => 1
+ CHANGE_CH1_CIPHERSUITE => 1,
+ DUPLICATE_HRR => 2
};
#Test 1: A client should fail if the server changes the ciphersuite between the
@@ -46,7 +47,7 @@ $proxy->filter(\&hrr_filter);
$proxy->serverflags("-curves P-256");
my $testtype = CHANGE_HRR_CIPHERSUITE;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 2;
+plan tests => 3;
ok(TLSProxy::Message->fail(), "Server ciphersuite changes");
#Test 2: It is an error if the client changes the offered ciphersuites so that
@@ -58,6 +59,19 @@ $testtype = CHANGE_CH1_CIPHERSUITE;
$proxy->start();
ok(TLSProxy::Message->fail(), "Client ciphersuite changes");
+#Test 3: A client should fail with unexpected_message alert if the server
+# sends more than 1 HRR
+my $fatal_alert = 0;
+$proxy->clear();
+if (disabled("ec")) {
+ $proxy->serverflags("-curves ffdhe3072");
+} else {
+ $proxy->serverflags("-curves P-256");
+}
+$testtype = DUPLICATE_HRR;
+$proxy->start();
+ok($fatal_alert, "Server duplicated HRR");
+
sub hrr_filter
{
my $proxy = shift;
@@ -78,6 +92,39 @@ sub hrr_filter
return;
}
+ if ($testtype == DUPLICATE_HRR) {
+ # We're only interested in the HRR
+ # and the unexpected_message alert from client
+ if ($proxy->flight == 4) {
+ $fatal_alert = 1
+ if @{$proxy->record_list}[-1]->is_fatal_alert(0) == 10;
+ return;
+ }
+ if ($proxy->flight != 3) {
+ return;
+ }
+
+ # Find ServerHello record (HRR actually) and insert after that
+ my $i;
+ for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) {
+ next;
+ }
+ my $hrr_record = ${$proxy->record_list}[$i];
+ my $dup_hrr = TLSProxy::Record->new(3,
+ $hrr_record->content_type(),
+ $hrr_record->version(),
+ $hrr_record->len(),
+ $hrr_record->sslv2(),
+ $hrr_record->len_real(),
+ $hrr_record->decrypt_len(),
+ $hrr_record->data(),
+ $hrr_record->decrypt_data());
+
+ $i++;
+ splice @{$proxy->record_list}, $i, 0, $dup_hrr;
+ return;
+ }
+
# CHANGE_CH1_CIPHERSUITE
if ($proxy->flight != 0) {
return;
--
2.17.1

183
backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch
View File

@ -1,183 +0,0 @@
From d87e99df3162b2d56b8d44907fde88b67d7e3900 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 25 Jul 2022 12:39:52 +0100
Subject: [PATCH] Test that swapping the first app data record with Finished
msg works
If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18976)
---
test/dtlstest.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++
test/ssltestlib.c | 33 ++++++++++++++++++
test/ssltestlib.h | 1 +
3 files changed, 122 insertions(+)
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 1d7b105fb6..f5c9dcfcd8 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -328,6 +328,93 @@ static int test_dtls_duplicate_records(void)
return testresult;
}
+/*
+ * Test that swapping an app data record so that it is received before the
+ * Finished message still works.
+ */
+static int test_swap_app_data(void)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *sssl = NULL, *cssl = NULL;
+ int testresult = 0;
+ BIO *bio;
+ char msg[] = { 0x00, 0x01, 0x02, 0x03 };
+ char buf[10];
+
+ if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ DTLS_client_method(),
+ DTLS1_VERSION, 0,
+ &sctx, &cctx, cert, privkey)))
+ return 0;
+
+#ifndef OPENSSL_NO_DTLS1_2
+ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA")))
+ goto end;
+#else
+ /* Default sigalgs are SHA1 based in <DTLS1.2 which is in security level 0 */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "AES128-SHA:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "AES128-SHA:@SECLEVEL=0")))
+ goto end;
+#endif
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl,
+ NULL, NULL)))
+ goto end;
+
+ /* Send flight 1: ClientHello */
+ if (!TEST_int_le(SSL_connect(cssl), 0))
+ goto end;
+
+ /* Recv flight 1, send flight 2: ServerHello, Certificate, ServerHelloDone */
+ if (!TEST_int_le(SSL_accept(sssl), 0))
+ goto end;
+
+ /* Recv flight 2, send flight 3: ClientKeyExchange, CCS, Finished */
+ if (!TEST_int_le(SSL_connect(cssl), 0))
+ goto end;
+
+ /* Recv flight 3, send flight 4: datagram 1(NST, CCS) datagram 2(Finished) */
+ if (!TEST_int_gt(SSL_accept(sssl), 0))
+ goto end;
+
+ /* Send flight 5: app data */
+ if (!TEST_int_eq(SSL_write(sssl, msg, sizeof(msg)), (int)sizeof(msg)))
+ goto end;
+
+ bio = SSL_get_wbio(sssl);
+ if (!TEST_ptr(bio)
+ || !TEST_true(mempacket_swap_recent(bio)))
+ goto end;
+
+ /*
+ * Recv flight 4 (datagram 1): NST, CCS, + flight 5: app data
+ * + flight 4 (datagram 2): Finished
+ */
+ if (!TEST_int_gt(SSL_connect(cssl), 0))
+ goto end;
+
+ /* The app data should be buffered already */
+ if (!TEST_int_eq(SSL_pending(cssl), (int)sizeof(msg))
+ || !TEST_true(SSL_has_pending(cssl)))
+ goto end;
+
+ /*
+ * Recv flight 5 (app data)
+ * We already buffered this so it should be available.
+ */
+ if (!TEST_int_eq(SSL_read(cssl, buf, sizeof(buf)), (int)sizeof(msg)))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_free(cssl);
+ SSL_free(sssl);
+ SSL_CTX_free(cctx);
+ SSL_CTX_free(sctx);
+ return testresult;
+}
+
int setup_tests(void)
{
if (!TEST_ptr(cert = test_get_argument(0))
@@ -338,6 +425,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_dtls_drop_records, TOTAL_RECORDS);
ADD_TEST(test_cookie);
ADD_TEST(test_dtls_duplicate_records);
+ ADD_TEST(test_swap_app_data);
return 1;
}
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 456afdf471..44d435454b 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -435,6 +435,39 @@ static int mempacket_test_read(BIO *bio, char *out, int outl)
return outl;
}
+/* Take the last and penultimate packets and swap them around */
+int mempacket_swap_recent(BIO *bio)
+{
+ MEMPACKET_TEST_CTX *ctx = BIO_get_data(bio);
+ MEMPACKET *thispkt;
+ int numpkts = sk_MEMPACKET_num(ctx->pkts);
+
+ /* We need at least 2 packets to be able to swap them */
+ if (numpkts <= 1)
+ return 0;
+
+ /* Get the penultimate packet */
+ thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2);
+ if (thispkt == NULL)
+ return 0;
+
+ if (sk_MEMPACKET_delete(ctx->pkts, numpkts - 2) != thispkt)
+ return 0;
+
+ /* Re-add it to the end of the list */
+ thispkt->num++;
+ if (sk_MEMPACKET_insert(ctx->pkts, thispkt, numpkts - 1) <= 0)
+ return 0;
+
+ /* We also have to adjust the packet number of the other packet */
+ thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2);
+ if (thispkt == NULL)
+ return 0;
+ thispkt->num--;
+
+ return 1;
+}
+
int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum,
int type)
{
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index 17b278219a..b47004f62e 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -46,6 +46,7 @@ void bio_s_always_retry_free(void);
#define MEMPACKET_CTRL_GET_DROP_REC (3 << 15)
#define MEMPACKET_CTRL_SET_DUPLICATE_REC (4 << 15)
+int mempacket_swap_recent(BIO *bio);
int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum,
int type);
--
2.17.1

111
backport-X509-x509_req.c-Set-modified-flag-when-X509_req_info.patch
View File

@ -1,111 +0,0 @@
From 002cf9a68e20700388326c92b0c9ec8630b5c5d2 Mon Sep 17 00:00:00 2001
From: Gibeom Gwon <gb.gwon@stackframe.dev>
Date: Sat, 27 Aug 2022 22:04:38 +0900
Subject: [PATCH] X509 x509_req.c: Set 'modified' flag when X509_req_info_st
member data updated
We need to reencode X509_req_info_st if member data updated.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18879)
---
crypto/x509/x509_req.c | 40 ++++++++++++++++++++++++----------------
crypto/x509/x_all.c | 2 ++
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index a69f9a723d..1be47174ac 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -229,44 +229,52 @@ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
{
- return X509at_delete_attr(req->req_info.attributes, loc);
+ X509_ATTRIBUTE *attr = X509at_delete_attr(req->req_info.attributes, loc);
+
+ if (attr != NULL)
+ req->req_info.enc.modified = 1;
+ return attr;
}
int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
{
- if (X509at_add1_attr(&req->req_info.attributes, attr))
- return 1;
- return 0;
+ if (!X509at_add1_attr(&req->req_info.attributes, attr))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
const ASN1_OBJECT *obj, int type,
const unsigned char *bytes, int len)
{
- if (X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj,
- type, bytes, len))
- return 1;
- return 0;
+ if (!X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj,
+ type, bytes, len))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
int X509_REQ_add1_attr_by_NID(X509_REQ *req,
int nid, int type,
const unsigned char *bytes, int len)
{
- if (X509at_add1_attr_by_NID(&req->req_info.attributes, nid,
- type, bytes, len))
- return 1;
- return 0;
+ if (!X509at_add1_attr_by_NID(&req->req_info.attributes, nid,
+ type, bytes, len))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
int X509_REQ_add1_attr_by_txt(X509_REQ *req,
const char *attrname, int type,
const unsigned char *bytes, int len)
{
- if (X509at_add1_attr_by_txt(&req->req_info.attributes, attrname,
- type, bytes, len))
- return 1;
- return 0;
+ if (!X509at_add1_attr_by_txt(&req->req_info.attributes, attrname,
+ type, bytes, len))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
long X509_REQ_get_version(const X509_REQ *req)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index a4e9cdaee8..ae061f234c 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -65,12 +65,14 @@ int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
+ x->req_info.enc.modified = 1;
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
x->signature, &x->req_info, pkey, md));
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
{
+ x->req_info.enc.modified = 1;
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
&x->sig_alg, NULL, x->signature, &x->req_info,
ctx);
--
2.17.1

32
backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch
View File

@ -1,32 +0,0 @@
From 0b755cdfb52ff51830aa004799e1f78548423c00 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Fri, 8 Jan 2021 08:27:17 +0100
Subject: [PATCH] X509_REQ_get_extensions(): Return empty stack if no
extensions found
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18926)
---
crypto/x509/x509_req.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index dd674926dd..a69f9a723d 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -167,7 +167,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
ext = X509_ATTRIBUTE_get0_type(attr, 0);
break;
}
- if (!ext || (ext->type != V_ASN1_SEQUENCE))
+ if (ext == NULL) /* no extensions is not an error */
+ return sk_X509_EXTENSION_new_null();
+ if (ext->type != V_ASN1_SEQUENCE)
return NULL;
p = ext->value.sequence->data;
return (STACK_OF(X509_EXTENSION) *)
--
2.17.1

58
backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch
View File

@ -1,58 +0,0 @@
From 999cce6ea7393e1daa40e9994064b2955b24a831 Mon Sep 17 00:00:00 2001
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date: Mon, 21 Feb 2022 09:51:54 +0800
Subject: [PATCH] crypto/x509/v3_utl.c: Add missing check for OPENSSL_strndup
Since the potential failure of memory allocation, it
should be better to check the return value of the
OPENSSL_strndup(), like x509v3_add_len_value().
And following the comment of 'if (astrlen < 0)',
return -1 if fails.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17737)
(cherry picked from commit 366a16263959c0b6599f0b9ec18124d75560c6ef)
---
crypto/x509v3/v3_utl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index f41c699b5a..40d8f31554 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -828,8 +828,11 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
else if (a->length == (int)blen && !memcmp(a->data, b, blen))
rv = 1;
- if (rv > 0 && peername)
+ if (rv > 0 && peername != NULL) {
*peername = OPENSSL_strndup((char *)a->data, a->length);
+ if (*peername == NULL)
+ return -1;
+ }
} else {
int astrlen;
unsigned char *astr;
@@ -842,8 +845,13 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
return -1;
}
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
- if (rv > 0 && peername)
+ if (rv > 0 && peername != NULL) {
*peername = OPENSSL_strndup((char *)astr, astrlen);
+ if (*peername == NULL) {
+ OPENSSL_free(astr);
+ return -1;
+ }
+ }
OPENSSL_free(astr);
}
return rv;
--
2.17.1

40
backport-ssl_cipher_process_rulestr-don-t-read-outside-rule_s.patch
View File

@ -1,40 +0,0 @@
From 9b3219ba544db82cdad3058b9872058739559944 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 24 Oct 2022 08:00:48 -0600
Subject: [PATCH] ssl_cipher_process_rulestr: don't read outside rule_str
buffer
If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop. It is safest to just return
early in this case since the condition occurs inside a nested loop.
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19166)
(cherry picked from commit 428511ca66670e169a0e1b12e7540714b0be4cf8)
---
ssl/ssl_ciph.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 55f919fcd5..62d0a58b22 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1026,9 +1026,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* alphanumeric, so we call this an error.
*/
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
- retval = found = 0;
- l++;
- break;
+ return 0;
}
if (rule == CIPHER_SPECIAL) {
--
2.17.1

156
backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
View File

@ -1,156 +0,0 @@
From 79dbd85fe27ebabc278417af64ab8e3eb43d2d40 Mon Sep 17 00:00:00 2001
From: Todd Short <todd.short@me.com>
Date: Wed, 23 Mar 2022 18:55:10 -0400
Subject: [PATCH] ticket_lifetime_hint may exceed 1 week in TLSv1.3
For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446
Fixes #17948
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)
(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492)
---
doc/man3/SSL_CTX_set_timeout.pod | 10 ++++++
ssl/statem/statem_srvr.c | 21 ++++++++----
test/sslapitest.c | 59 ++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod
index c32585e45f..54592654ff 100644
--- a/doc/man3/SSL_CTX_set_timeout.pod
+++ b/doc/man3/SSL_CTX_set_timeout.pod
@@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
All currently supported protocols have the same default timeout value
of 300 seconds.
+This timeout value is used as the ticket lifetime hint for stateless session
+tickets. It is also used as the timeout value within the ticket itself.
+
+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
+seconds).
+
+For TLSv1.2, tickets generated during an initial handshake use the value
+as specified. Tickets generated during a resumed handshake have a value
+of 0 for the ticket lifetime hint.
+
=head1 RETURN VALUES
SSL_CTX_set_timeout() returns the previously set timeout value.
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d701c46b43..79cfd1d835 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
unsigned char *tick_nonce)
{
+ uint32_t timeout = (uint32_t)s->session->timeout;
+
/*
- * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
- * unspecified for resumed session (for simplicity).
+ * Ticket lifetime hint:
* In TLSv1.3 we reset the "time" field above, and always specify the
- * timeout.
+ * timeout, limited to a 1 week period per RFC8446.
+ * For TLSv1.2 this is advisory only and we leave this unspecified for
+ * resumed session (for simplicity).
*/
- if (!WPACKET_put_bytes_u32(pkt,
- (s->hit && !SSL_IS_TLS13(s))
- ? 0 : s->session->timeout)) {
+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
+
+ if (SSL_IS_TLS13(s)) {
+ if (s->session->timeout > ONE_WEEK_SEC)
+ timeout = ONE_WEEK_SEC;
+ } else if (s->hit)
+ timeout = 0;
+
+ if (!WPACKET_put_bytes_u32(pkt, timeout)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
ERR_R_INTERNAL_ERROR);
return 0;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 21322ceec5..09a732f577 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6734,6 +6734,64 @@ end:
SSL_CTX_free(cctx);
return testresult;
}
+
+/*
+ * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
+ * 0 = TLSv1.2
+ * 1 = TLSv1.3
+ */
+static int test_ticket_lifetime(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ int version = TLS1_3_VERSION;
+
+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
+#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
+
+ if (idx == 0) {
+ version = TLS1_2_VERSION;
+ }
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(), version, version,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL)))
+ goto end;
+
+ /*
+ * Set the timeout to be more than 1 week
+ * make sure the returned value is the default
+ */
+ if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
+ SSL_get_default_timeout(serverssl)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (idx == 0) {
+ /* TLSv1.2 uses the set value */
+ if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
+ goto end;
+ } else {
+ /* TLSv1.3 uses the limited value */
+ if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
+ goto end;
+ }
+ testresult = 1;
+
+end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
#endif
/*
* Test that setting an ALPN does not violate RFC
@@ -6973,6 +7031,7 @@ int setup_tests(void)
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_TEST(test_sni_tls13);
+ ADD_ALL_TESTS(test_ticket_lifetime, 2);
#endif
ADD_TEST(test_set_alpn);
ADD_TEST(test_inherit_verify_param);
--
2.17.1

36
backport-tls_process_server_hello-Disallow-repeated-HRR.patch
View File

@ -1,36 +0,0 @@
From fb67978a9eb076b23ddf17f6b95f697ed526c584 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 22 Mar 2022 12:34:07 +0100
Subject: [PATCH] tls_process_server_hello: Disallow repeated HRR
Repeated HRR must be rejected.
Fixes #17934
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17936)
(cherry picked from commit d204a50b898435fbf937316d5693008cebf62eef)
---
ssl/statem/statem_clnt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d1a3969812..e3aba393f9 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1422,6 +1422,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
&& sversion == TLS1_2_VERSION
&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
+ if (s->hello_retry_request != SSL_HRR_NONE) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
+ goto err;
+ }
s->hello_retry_request = SSL_HRR_PENDING;
hrr = 1;
if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
--
2.17.1

30
backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch
View File

@ -1,30 +0,0 @@
From 7a05fcb1fc276a7ecfe599d45655d4e617c5e2d4 Mon Sep 17 00:00:00 2001
From: xkernel <xkernel.wang@foxmail.com>
Date: Mon, 20 Jun 2022 17:46:39 +0800
Subject: [PATCH] v3_sxnet: add a check for the return of i2s_ASN1_INTEGER()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18608)
(cherry picked from commit 9ef1f848a646565d4dd86e56542cf921d4921ad9)
---
crypto/x509v3/v3_sxnet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c
index 144e8bee84..3c5508f941 100644
--- a/crypto/x509v3/v3_sxnet.c
+++ b/crypto/x509v3/v3_sxnet.c
@@ -78,6 +78,8 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
id = sk_SXNETID_value(sx->ids, i);
tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+ if (tmp == NULL)
+ return 0;
BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
OPENSSL_free(tmp);
ASN1_STRING_print(out, id->user);
--
2.17.1

39
backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
View File

@ -1,39 +0,0 @@
From 91db522f31981b3fafdec4120de1027e8bc4d792 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Mon, 18 Apr 2022 11:30:13 +0200
Subject: [PATCH] x509: use actual issuer name if a CA is used
Fixes openssl#16080.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18129)
---
apps/x509.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 1043eba0c8..2329d9b2d4 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
+ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ goto end;
}
out = bio_open_default(outfile, 'w', outformat);
@@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;
}
- if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
- goto end;
if (!X509_set_serialNumber(x, bs))
goto end;
--
2.17.1

30
fix-add-loongarch64-target.patch
View File

@ -1,30 +0,0 @@
From 5fd4cc31c0eba0813a005d3559afc1b42df8ee32 Mon Sep 17 00:00:00 2001
From: Shi Pujin <shipujin.t@gmail.com>
Date: Wed, 16 Feb 2022 10:53:56 +0800
Subject: [PATCH] Add loongarch64 target
---
Configurations/10-main.conf | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 61c6689..7102c95 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -761,6 +761,13 @@ my %targets = (
perlasm_scheme => "linux64",
},
+ # loongarch64 below refers to contemporary LOONGARCH Architecture
+ # specifications,
+ "linux-loongarch64" => {
+ inherit_from => [ "linux-generic64"],
+ perlasm_scheme => "linux64",
+ },
+
#### IA-32 targets...
#### These two targets are a bit aged and are to be used on older Linux
#### machines where gcc doesn't understand -m32 and -m64
--
2.27.0

40
openssl-1.1.1-build.patch
View File

@ -1,40 +0,0 @@
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
@@ -678,6 +678,7 @@ my %targets = (
cxxflags => add("-m64"),
lib_cppflags => add("-DL_ENDIAN"),
perlasm_scheme => "linux64le",
+ multilib => "64",
},
"linux-armv4" => {
@@ -718,6 +719,7 @@ my %targets = (
"linux-aarch64" => {
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
perlasm_scheme => "linux64",
+ multilib => "64",
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
install_man_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
uninstall_man_docs:
@@ -835,7 +835,7 @@ uninstall_man_docs:
install_html_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing HTML manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
uninstall_html_docs:

11635
openssl-1.1.1-fips.patch
View File

File diff suppressed because it is too large Load Diff

BIN
openssl-1.1.1m.tar.gz
View File

Binary file not shown.

38
openssl-3.0-build.patch Normal file
View File

@ -0,0 +1,38 @@
From 262bff1615d4461120327c5a9fe904ad1c6ce813 Mon Sep 17 00:00:00 2001
From: hzero1996 <wangcheng156@huawei.com>
Date: Sun, 29 Jan 2023 14:53:03 +0800
Subject: [PATCH] openssl-3.0-build
---
Configurations/10-main.conf | 1 +
Configurations/unix-Makefile.tmpl | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index b578a3c..1ad81c3 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -772,6 +772,7 @@ my %targets = (
inherit_from => [ "linux-generic64" ],
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
+ multilib => "64",
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 110ba06..712a779 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r $(DESTDIR)$(DOCDIR)
--
2.27.0

BIN
openssl-3.0.7.tar.gz Normal file
View File

Binary file not shown.

337
openssl.spec
View File

@ -1,107 +1,18 @@
%define soversion 1.1
%define soversion 3
Name: openssl
Epoch: 1
Version: 1.1.1m
Release: 20
Version: 3.0.7
Release: 1
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1: Makefile.certificate
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-fips.patch
Patch3: CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch
Patch4: CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
Patch5: CVE-2022-1292.patch
Patch6: Backport-Support-raw-input-data-in-apps-pkeyutl.patch
Patch7: Backport-Fix-no-ec-no-sm2-and-no-sm3.patch
Patch8: Backport-Support-SM2-certificate-verification.patch
Patch9: Backport-Guard-some-SM2-functions-with-OPENSSL_NO_SM2.patch
Patch10: Backport-Add-test-cases-for-SM2-cert-verification.patch
Patch11: Backport-Add-documents-for-SM2-cert-verification.patch
Patch12: Backport-Fix-a-memleak-in-apps-verify.patch
Patch13: Backport-Skip-the-correct-number-of-tests-if-SM2-is-disabled.patch
Patch14: Backport-Make-X509_set_sm2_id-consistent-with-other-setters.patch
Patch15: Backport-Support-SM2-certificate-signing.patch
Patch16: Backport-Support-parsing-of-SM2-ID-in-hexdecimal.patch
Patch17: Backport-Fix-a-double-free-issue-when-signing-SM2-cert.patch
Patch18: Backport-Fix-a-document-description-in-apps-req.patch
Patch19: Backport-Update-expired-SCT-certificates.patch
Patch20: Backport-ct_test.c-Update-the-epoch-time.patch
Patch21: Feature-Support-TLCP-protocol.patch
Patch22: Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
Patch23: CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch24: CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch25: Feature-add-ARMv8-implementations-of-SM4-in-ECB-and-XTS.patch
Patch26: Fix-reported-performance-degradation-on-aarch64.patch
Patch27: Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
Patch28: Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch
Patch29: Backport-SM4-optimization-for-ARM-by-HW-instruction.patch
Patch30: Feature-SM4-XTS-optimization-for-ARM-by-HW-instruction.patch
Patch31: backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch
Patch32: backport-Test-processing-of-a-duplicated-HRR.patch
Patch33: backport-tls_process_server_hello-Disallow-repeated-HRR.patch
Patch34: backport-Avoid-potential-memory-leak.patch
Patch35: backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch
Patch36: backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch
Patch37: backport-Fix-password_callback-to-handle-short-passwords.patch
Patch38: backport-Fix-usage-of-SSLfatal.patch
Patch39: backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch
Patch40: backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch
Patch41: backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch
Patch42: backport-Fix-coverity-1498607-uninitialised-value.patch
Patch43: backport-Check-password-length-only-when-verify-is-enabled.patch
Patch44: backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
Patch45: backport-Set-protocol-in-init_client.patch
Patch46: backport-Fix-a-crash-in-ssl_security_cert_chain.patch
Patch47: backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch
Patch48: backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
Patch49: backport-Fix-a-crash-in-asn1_item_embed_new.patch
Patch50: backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch
Patch51: backport-Add-test-for-empty-supported-groups-extension.patch
Patch52: backport-Do-not-send-an-empty-supported-groups-extension.patch
Patch53: backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
Patch54: backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
Patch55: backport-Fix-a-memory-leak-in-crl_set_issuers.patch
Patch56: backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch
Patch57: backport-Fix-an-assertion-in-the-DTLS-server-code.patch
Patch58: backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch
Patch59: backport-Fix-strict-client-chain-check-with-TLS-1.3.patch
Patch60: backport-Fix-a-crash-in-X509v3_asid_subset.patch
Patch61: backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch
Patch62: backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch
Patch63: backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch
Patch64: backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch
Patch65: backport-Add-missing-header-for-memcmp.patch
Patch66: backport-Fix-a-memory-leak-in-tls13_generate_secret.patch
Patch67: backport-Make-the-DRBG-seed-propagation-thread-safe.patch
Patch68: backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch
Patch69: fix-add-loongarch64-target.patch
Patch70: backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch
Patch71: backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch
Patch72: backport-Fix-re-signing-certificates-with-different-key-sizes.patch
Patch73: backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch
Patch74: backport-Test-case-for-a2i_IPADDRESS.patch
Patch75: backport-Fix-test-case-for-a2i_IPADDRESS.patch
Patch76: backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch
Patch77: backport-Fixes-segfault-occurrence-in-PEM_write.patch
Patch78: backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch
Patch79: backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch
Patch80: backport-Add-test-for-EC_KEY_set_private_key.patch
Patch81: backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch
Patch82: backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch
Patch83: backport-Always-end-BN_mod_exp_mont_consttime-with-normal-Mon.patch
Patch84: backport-Add-an-extra-reduction-step-to-RSAZ-mod_exp-implemen.patch
Patch85: backport-Coverity-1508534-1508540-misuses-of-time_t.patch
Patch86: backport-Moving-notify-check-after-the-no-time-check.patch
Patch87: backport-Convert-serverinfo-in-SSL_CTX_use_serverinfo-to-v2.patch
Patch88: backport-X509-x509_req.c-Set-modified-flag-when-X509_req_info.patch
Patch89: backport-ssl_cipher_process_rulestr-don-t-read-outside-rule_s.patch
BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
Patch1: openssl-3.0-build.patch
BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx < %{epoch}:%{version}-%{release}
Provides: openssl-SMx = %{epoch}:%{version}-%{release}
%description
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
@ -113,11 +24,6 @@ Group: System Environment/Libraries
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
Obsoletes: openssl < 1:1.0.1-0.3.beta3
Obsoletes: openssl-fips < 1:1.0.1e-28
Provides: openssl-fips = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx-libs < %{epoch}:%{version}-%{release}
Provides: openssl-SMx-libs = %{epoch}:%{version}-%{release}
%description libs
The openssl-libs package contains the libraries that are used
@ -137,16 +43,18 @@ from other formats to the formats used by the OpenSSL toolkit.
%package devel
Summary: Development files for openssl
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel zlib-devel pkgconfig
Obsoletes: openssl-static < %{epoch}:%{version}-%{release}
Provides: openssl-static = %{epoch}:%{version}-%{release} openssl-static%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx-devel < %{epoch}:%{version}-%{release}
Provides: openssl-SMx-devel = %{epoch}:%{version}-%{release}
Requires: pkgconfig
%description devel
%{summary}.
%package_help
%package help
Summary: Documents for %{name}
Buildarch: noarch
Requires: man info
%description help
Man pages and other related documents for %{name}.
%prep
%autosetup -n %{name}-%{version} -p1
@ -154,36 +62,30 @@ Provides: openssl-SMx-devel = %{epoch}:%{version}-%{release}
%build
sslarch=%{_os}-%{_target_cpu}
%ifarch i686
sslarch=linux-elf
%endif
%ifarch x86_64 aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch loongarch64
sslflags="--libdir=%{_libdir}"
%endif
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
./Configure \
--prefix=%{_prefix} \
--openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \
no-mdc2 no-ec2m enable-sm2 enable-sm3 enable-sm4 enable-tlcp \
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\
no-mdc2 no-ec2m enable-sm2 enable-sm4 enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' \
-Wl,--allow-multiple-definition
%make_build all
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
%{nil}
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
%make_install
@ -230,15 +132,16 @@ sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/*.dist
%check
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac
ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac
crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
@ -250,49 +153,50 @@ make test || :
%postun libs -p /sbin/ldconfig
%files
%defattr(-,root,root)
%license LICENSE
%doc AUTHORS CHANGES FAQ NEWS README
%{_pkgdocdir}/Makefile.certificate
%license LICENSE.txt
%doc NEWS.md README.md
%{_bindir}/openssl
%{_pkgdocdir}/Makefile.certificate
%files libs
%defattr(-,root,root)
%license LICENSE
%license LICENSE.txt
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%{_libdir}/libcrypto.so.%{version}
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%{_libdir}/libssl.so.%{version}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%{_libdir}/engines-%{soversion}
%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
%attr(0755,root,root) %{_libdir}/ossl-modules
%files devel
%defattr(-,root,root)
%doc doc/dir-locals.example.el doc/openssl-c-indent.el
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/pkgconfig/*.pc
%{_libdir}/*.so
%{_libdir}/*.a
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%files help
%defattr(-,root,root)
%{_mandir}/man1/*
%{_mandir}/man3/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%{_pkgdocdir}/html/
%exclude %{_mandir}/man1/*.pl*
%exclude %{_mandir}/man1/tsget*
%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1/*.pl*
%{_mandir}/man1/tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
@ -302,140 +206,7 @@ make test || :
%ldconfig_scriptlets libs
%changelog
* Wed Dec 21 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-20
- backport some patches
* Mon Nov 28 2022 zhujianwei001 <zhujianwei7@huawei.com> - 1:1.1.1m-19
- backport some patches
* Mon Nov 14 2022 zhaozhen <zhaozhen@loongson.cn> - 1:1.1.1m-18
- Add loongarch support
* Mon Nov 7 2022 ExtinctFire<shenyining_00@126.com> - 1:1.1.1m-17
- backport some patches
* Mon Nov 7 2022 steven.ygui<steven_ygui@163.com> - 1:1.1.1m-16
- backport some patches
* Mon Nov 7 2022 fangxiuning<fangxiuning@huawei.com> - 1:1.1.1m-15
- backport some patches
* Mon Nov 7 2022 fangxiuning<fangxiuning@huawei.com> - 1:1.1.1m-14
- backport some patches
* Fri Nov 4 2022 wangcheng<wangcheng156@huawei.com> - 1:1.1.1m-13
- backport some patches
* Wed Nov 2 2022 Xu Yizhou <xuyizhou1@huawei.com> - 1:1.1.1m-12
- SM3 acceleration with SM3 hardware instruction on aarch64
- SM4 optimization for ARM by HW instruction
- SM4 XTS optimization for ARM by HW instruction
* Wed Oct 26 2022 luhuaxin <luhuaxin1@huawei.com> - 1:1.1.1m-11
- fix cms testcase
* Fri Oct 21 2022 luhuaxin <luhuaxin1@huawei.com> - 1:1.1.1m-10
- add support for SM2 PKCS7
* Thu Oct 20 2022 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-9
- fix proformance degradation on aarch64
* Tue Sep 13 2022 Xu Yizhou <xuyizhou1@huawei.com> - 1:1.1.1m-8
- add ARMv8 implementations of SM4 in ECB and XTS
* Tue Sep 13 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-7
- add provides for openssl-SMx
* Tue Jul 12 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-6
- fix CVE-2022-2097
* Thu Jun 30 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-5
- fix CVE-2022-2068
* Wed Jun 29 2022 shichuchao <shichuchao@huawei.com> - 1:1.1.1m-4
- x509 command support SM2 signing with default sm2id
* Thu Jun 9 2022 shichuchao <shichuchao@huawei.com> - 1:1.1.1m-3
- support sm2 certificate sign and verify
- fix ct test errors
- add TLCP feature
* Mon May 16 2022 zhouchenchen <zhouchenchen@huawei.com> - 1:1.1.1m-2
- fix the CVE-2022-1292
* Thu Mar 24 2022 duyiwei <duyiwei@kylinos.cn> - 1:1.1.1m-1
- update openssl-1.1.1f to openssl-1.1.1m
- add subpackage openssl-perl
- fix the cve-2022-0778
* Wed Dec 8 2021 lujie42 <lujie42@huawei.com> - 1:1.1.1l-1
- update openssl-1.1.1f to openssl-1.1.1l
* Fri Sep 24 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-9
- bugfix Overflow when printing Thawte Strong Extranet
* Sat Sep 18 2021 zhuyan <zhuyan34@huawei.com> - 1:1.1.1f-8
- fix software package format problem
* Mon Aug 30 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-7
- fix the CVE-2021-3711 and CVE-2021-3712
* Tue Jun 29 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-6
- add perl BuildRequires
* Wed Apr 7 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-5
- fix CVE-2021-3449
* Wed Mar 10 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-4
- fix CVE-2021-23840 and CVE-2021-23841
* Tue Jan 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-3
- fix CVE-2020-1971
* Fri Sep 11 2020 Liquor <lirui130@huawei.com> - 1:1.1.1f-2
- provides openssl-perl
* Tue May 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-1
- update openssl-1.1.1d to openssl-1.1.1f and fix CVE-2020-1967
* Wed Mar 18 2020 steven <steven_ygui@163.com> - 1:1.1.1d-9
- fix division zero issue which found by oss-fuzz
* Tue Mar 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-8
- add missiong /sbin/ldconfig
* Tue Mar 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-7
- Fix problem caused by missing hmac files
* Mon Feb 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-6
- add openssl-libs containing dynamic library for openssl
* Sun Jan 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-5
- add obsoletes
* Tue Jan 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-4
- clean code
* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-3
- delete unused files
* Fri Dec 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-2
- modify obsoletes
* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-1
- update to 1:1.1.1d
* Thu Nov 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-5
- enable sm2 and sm4
* Fri Oct 25 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-4
- Add missing openssl/fips.h
* Thu Oct 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-3
- Add buildrequires zlib-devel
* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-2
- Adjust requires
* Mon Sep 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-1
* Thu Jan 19 2023 wangcheng <wangcheng156@huawei.com> - 1:3.0.7-1
- Package init

4
openssl.yaml
View File

@ -1,4 +0,0 @@
version_control: github
src_repo: OpenSC/OpenSC
tag_prefix:
seperator: