git: d11e17c114 - main - Add SA-23:02 and SA-23:03.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 16 Feb 2023 18:14:18 UTC
The branch main has been updated by gordon (src committer): URL: https://cgit.FreeBSD.org/doc/commit/?id=d11e17c11401207a60993baa2c510b5812209646 commit d11e17c11401207a60993baa2c510b5812209646 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2023-02-16 18:14:00 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2023-02-16 18:14:00 +0000 Add SA-23:02 and SA-23:03. Approved by: so --- website/data/security/advisories.toml | 8 + .../advisories/FreeBSD-SA-23:02.openssh.asc | 146 ++++ .../advisories/FreeBSD-SA-23:03.openssl.asc | 222 ++++++ .../static/security/patches/SA-23:02/openssh.patch | 42 + .../security/patches/SA-23:02/openssh.patch.asc | 16 + .../static/security/patches/SA-23:03/openssl.patch | 865 +++++++++++++++++++++ .../security/patches/SA-23:03/openssl.patch.asc | 16 + 7 files changed, 1315 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 2c697786f8..8694a6a8ae 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-23:03.openssl" +date = "2023-02-16" + +[[advisories]] +name = "FreeBSD-SA-23:02.openssh" +date = "2023-02-16" + [[advisories]] name = "FreeBSD-SA-23:01.geli" date = "2023-02-08" diff --git a/website/static/security/advisories/FreeBSD-SA-23:02.openssh.asc b/website/static/security/advisories/FreeBSD-SA-23:02.openssh.asc new file mode 100644 index 0000000000..f82c0f08a5 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:02.openssh.asc @@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:02.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH pre-authentication double free + +Category: contrib +Module: openssh +Announced: 2023-02-16 +Credits: Mantas Mikulenas +Affects: FreeBSD 12.4 +Corrected: 2023-02-08 21:06:22 UTC (stable/13, 13.2-STABLE) + 2023-02-08 21:07:30 UTC (stable/12, 12.4-STABLE) + 2023-02-16 18:04:07 UTC (releng/12.4, 12.4-RELEASE-p2) +CVE Name: CVE-2023-25136 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, +including remote shell access. + +II. Problem Description + +A flaw in the backwards-compatibility key exchange route allows a pointer +to be freed twice. + +III. Impact + +A remote, unauthenticated attacker may be able to cause a denial of service, +or possibly remote code execution. + +Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of OpenSSH, +and are not affected. FreeBSD 13.2-BETA1 and later include the fix. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.4] +# fetch https://security.FreeBSD.org/patches/SA-23:02/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-23:02/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 296ec8eae0c8 stable/13-n260933 +stable/12/ r372919 +releng/12.4/ r372938 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25136> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:02.openssh.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmPucY4ACgkQbljekB8A +Gu+iNA/+OSEEsiNqkwsODt83JcagAx2MmEyDOjj0sz5IHXpjSWB0kfM4HU7spG1p +F94ELys9aMzedPtvHtt0xZGTb6mMmdo+xJyit8NJaEsTqfsx6qjaEwyieakJleLs +HMWBpvf8Gd7WVek8uxSmw146LpvuIXMPvASJ2aW0x8KDcPMagmZjHenFtX73F3c7 +Hkqn3dgwoQCtwGLNVliQukq7v0Vdhq8s0WbmYcZxqXkg8l8Kf8NusT2koDcQUWR+ +PH7OAAwA4DLxvOrPnmni2rxdfDgbXmcwpr8tBvHliN/Sgw3zH0fLUr2sL6gi/ORX +iUKZB+RaI8Edw+FZhycKRSFJbl29TpzCr8ucgyspNamsbuPHVwai0mGCZ4UuKSuo +mfnEup9DGkBYWZNPMeq4t7BF7oytDZTIKxmHS89XGZR22NZe7UNeRwIkxct61H8Z +HBObWH/i2pCSOrFghVW8xnqgYbIr/evb95otL0Drkl605oR34pIlcH/4dvfrxadz +Ugn83baGssvqYVL41Uc73ofL6ESveRjyYKKwP0EWSHDqOgjFcybFtf5y4mZqZr3f +sjusHcHhzcQ5Cn1XL7cHVyM0/6ErGUD36Suy6LoAwUwXvXgM1B1QOQeopMiGE4EF +40AmlMBHMmWrMKauhOrs5n4J2MRZIeJg0uTmg7QS7I2+BE56NN8= +=IJSD +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:03.openssl.asc b/website/static/security/advisories/FreeBSD-SA-23:03.openssl.asc new file mode 100644 index 0000000000..d953338970 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:03.openssl.asc @@ -0,0 +1,222 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:03.openssl Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in OpenSSL + +Category: contrib +Module: openssl +Announced: 2023-02-16 +Credits: See referenced OpenSSL advisory. +Affects: All supported versions of FreeBSD. +Corrected: 2023-02-07 22:38:40 UTC (stable/13, 13.1-STABLE) + 2023-02-16 17:58:13 UTC (releng/13.1, 13.1-RELEASE-p7) + 2023-02-07 23:09:41 UTC (stable/12, 12.4-STABLE) + 2023-02-16 18:04:12 UTC (releng/12.4, 12.4-RELEASE-p2) + 2023-02-16 18:03:37 UTC (releng/12.3, 12.3-RELEASE-p12) +CVE Name: CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +* X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + +There is a type confusion vulnerability relating to X.400 address processing +inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but +the public structure definition for GENERAL_NAME incorrectly specified the type +of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by +the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an +ASN1_STRING. + +* Timing Oracle in RSA Decryption (CVE-2022-4304) + +A timing based side channel exists in the OpenSSL RSA Decryption +implementation. + +* Use-after-free following BIO_new_NDEF (CVE-2023-0215) + +The public API function BIO_new_NDEF is a helper function used for streaming +ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support +the SMIME, CMS and PKCS7 streaming capabilities, but may also be called +directly by end user applications. + +The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter +BIO onto the front of it to form a BIO chain, and then returns the new head +of the BIO chain to the caller. Under certain conditions, for example if a +CMS recipient public key is invalid, the new filter BIO is freed and the +function returns a NULL result indicating a failure. However, in this case, +the BIO chain is not properly cleaned up and the BIO passed by the caller +still retains internal pointers to the previously freed filter BIO. + +* Double free after calling PEM_read_bio_ex (CVE-2022-4450) + +The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and +decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload +data. If the function succeeds then the "name_out", "header" and "data" +arguments are populated with pointers to buffers containing the relevant +decoded data. The caller is responsible for freeing those buffers. It is +possible to construct a PEM file that results in 0 bytes of payload data. In +this case PEM_read_bio_ex() will return a failure code but will populate the +header argument with a pointer to a buffer that has already been freed. + +III. Impact + +* X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + +When CRL checking is enabled (i.e. the application sets the +X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass +arbitrary pointers to a memcmp call, enabling them to read memory contents or +enact a denial of service. In most cases, the attack requires the attacker to +provide both the certificate chain and CRL, neither of which need to have a +valid signature. If the attacker only controls one of these inputs, the other +input must already contain an X.400 address as a CRL distribution point, which +is uncommon. As such, this vulnerability is most likely to only affect +applications which have implemented their own functionality for retrieving CRLs +over a network. + +* Timing Oracle in RSA Decryption (CVE-2022-4304) + +A timing based side channel exists in the OpenSSL RSA Decryption implementation +which could be sufficient to recover a plaintext across a network in a +Bleichenbacher style attack. To achieve a successful decryption an attacker +would have to be able to send a very large number of trial messages for +decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, +RSA-OEAP and RSASVE. + +* Use-after-free following BIO_new_NDEF (CVE-2023-0215) + +A use-after-free will occur under certain conditions. This will most likely +result in a crash. + +* Double free after calling PEM_read_bio_ex (CVE-2022-4450) + +A double free may occur. This will most likely lead to a crash. This could be +exploited by an attacker who has the ability to supply malicious PEM files +for parsing to achieve a denial of service attack. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:03/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-23:03/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 0904c29a0a11 stable/13-n254398 +releng/13.1/ e237b128e080 releng/13.1-n250181 +stable/12/ r372906 +releng/12.4/ r372939 +releng/12.3/ r372936 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://www.openssl.org/news/secadv/20230207.txt> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304> + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:03.openssl.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmPucZwACgkQbljekB8A +Gu9HjQ//Re9YWzj2N2OaIbEljpogMIUxDzltPdCk+v6SODdiMh2ZesKojEHv9u3G +3pFkJxzvqPX1BID8S7arZHnHUTeDKGq+eJef+q6gVmSA7F92l9eAK9UhTgeV5CDT +VzFijM225KzFWA6VeD5pUtnCxze+Cor1y/XHAFPU1Ld5O+Tiem+vpN3OQt/hRlxI +3YC2zOKbpZiXX0vAiSsJw4r31yLqbY97Lmu3ccEAnKSNagkuFzuXyCSHroOPrIuB +zvNmFK6Brv6hnG+yucqdGi2g21oIW2i/UhObohCcxnUXBIa6xAbVVoiEy+fmutXx +T0JAOR75GqMuBUv4B4OT32cVkhZZJqWzSmeDed28cr5J3fWov+z7iePTezcFVMKj +gY3G5Awm41Qg6zjVqxZdj5n56yFSUgD63ZN0MKBPy8VDgSOv9vQzVR12/XyGOQrv +LnMtwtiI1qAoLiHXBLhrUOqrYw/WABHGNJVIVer4dzZCXw3VUqqxluqsUw0r5h9A +J9Ox1zcTV3N6wTHeVwUsScwjANg5dfQ2xnDZHWsPwPJuyCCiDXx8X7D13ACkHYVS +3MqvRC4+wZTNttp3jH1JINe0CE7Z/euLDtPUdM3/xD/+mtO9g9ADg+GHkF5Tief2 +i+AAWY/igHC1jQiXvmdFHf3IddxLoyhJAL5MiPxyTwAErR/8Xwc= +=G1z4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-23:02/openssh.patch b/website/static/security/patches/SA-23:02/openssh.patch new file mode 100644 index 0000000000..adec957c53 --- /dev/null +++ b/website/static/security/patches/SA-23:02/openssh.patch @@ -0,0 +1,42 @@ +--- crypto/openssh/compat.c.orig ++++ crypto/openssh/compat.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ ++/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */ + /* + * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. + * +@@ -190,26 +190,26 @@ + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { +- char *cp = NULL; ++ char *cp = NULL, *cp2 = NULL; + + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) + return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) +- if ((p = match_filter_denylist(p, ++ if ((cp = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { +- cp = p; +- if ((p = match_filter_denylist(p, ++ if ((cp2 = match_filter_denylist(cp ? cp : p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); + free(cp); ++ cp = cp2; + } +- debug2_f("compat KEX proposal: %s", p); +- if (*p == '\0') ++ if (cp == NULL || *cp == '\0') + fatal("No supported key exchange algorithms found"); +- return p; ++ debug2_f("compat KEX proposal: %s", cp); ++ return cp; + } + diff --git a/website/static/security/patches/SA-23:02/openssh.patch.asc b/website/static/security/patches/SA-23:02/openssh.patch.asc new file mode 100644 index 0000000000..aa289aba79 --- /dev/null +++ b/website/static/security/patches/SA-23:02/openssh.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmPucZsACgkQbljekB8A +Gu/lKw//SLauKatiyh4mpoW0G8ideFIrQ9UmF3rqX02krZUC97567Gb6YhmuBSNT +fCVWO8ib11a+zvDz1ANlESN5qF5w8f/xvKIlfdHYReGrK6dn1w/bUpYDft5yAXjM +3kJ+K+8foZ9N66GQHN3ZFfu+chnIpfx478UfFvf3uGdVtOURjXDWBbpoBm7H4UEY +nbJ9G3ZsmPnsEctjYPGzjK/4KPC29ZsmnVaXQD+OdBYcr8FQm58ujiB5uIUmuFfg +EuGDJ9EHT/AnOJi0/3DQu+Psp8jcukRz8GfqOXeaVWeipctNMVGm9AiMduftbgsU +Dv9JeDruNWpFOdA8+ZDvBLruqyyA/7sp+Li4VVrdFV3oxiKqojnoLX6mavCGvphj +Mtjr7I/tzDu51S6gCVQ8ZouqnApJPGDYg+awR7UbeWK6KLUXEKXbJ4ZjbjP7A/A3 +bEMotavD/JHw7WGsOGEmLGXwNie5fvB+mcow7IWPSvQV65dwG/q66go29wTOpX5k +THNTD6zEonE5SrMShPwrlOd2+qk3E4WYkzkzKuxe0tVJ1agWk+euixNrdwaa2rZ4 +LCxI/oPxzPdT6lGyLt6KWB+F72xthMguuLa9Ke7iobH8TbUF9bhQgbKZ7/KOSmhL +1Up/XMFph6PDJsQh/5Wi6HFB214RThFlHz9rxqhAaZLyuomTgUY= +=GaxV +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-23:03/openssl.patch b/website/static/security/patches/SA-23:03/openssl.patch new file mode 100644 index 0000000000..0ecce4ed6c --- /dev/null +++ b/website/static/security/patches/SA-23:03/openssl.patch @@ -0,0 +1,865 @@ +--- crypto/openssl/crypto/asn1/bio_ndef.c.orig ++++ crypto/openssl/crypto/asn1/bio_ndef.c +@@ -49,12 +49,19 @@ + static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, + void *parg); + ++/* ++ * On success, the returned BIO owns the input BIO as part of its BIO chain. ++ * On failure, NULL is returned and the input BIO is owned by the caller. ++ * ++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() ++ */ + BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + { + NDEF_SUPPORT *ndef_aux = NULL; + BIO *asn_bio = NULL; + const ASN1_AUX *aux = it->funcs; + ASN1_STREAM_ARG sarg; ++ BIO *pop_bio = NULL; + + if (!aux || !aux->asn1_cb) { + ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); +@@ -69,21 +76,39 @@ + out = BIO_push(asn_bio, out); + if (out == NULL) + goto err; ++ pop_bio = asn_bio; + +- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); +- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); ++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 ++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 ++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) ++ goto err; + + /* +- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure +- * needs. ++ * Now let the callback prepend any digest, cipher, etc., that the BIO's ++ * ASN1 structure needs. + */ + + sarg.out = out; + sarg.ndef_bio = NULL; + sarg.boundary = NULL; + +- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) ++ /* ++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the ++ * middle of some partially built, but not returned BIO chain. ++ */ ++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { ++ /* ++ * ndef_aux is now owned by asn_bio so we must not free it in the err ++ * clean up block ++ */ ++ ndef_aux = NULL; + goto err; ++ } ++ ++ /* ++ * We must not fail now because the callback has prepended additional ++ * BIOs to the chain ++ */ + + ndef_aux->val = val; + ndef_aux->it = it; +@@ -91,11 +116,11 @@ + ndef_aux->boundary = sarg.boundary; + ndef_aux->out = out; + +- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); +- + return sarg.ndef_bio; + + err: ++ /* BIO_pop() is NULL safe */ ++ (void)BIO_pop(pop_bio); + BIO_free(asn_bio); + OPENSSL_free(ndef_aux); + return NULL; +--- crypto/openssl/crypto/bn/bn_blind.c.orig ++++ crypto/openssl/crypto/bn/bn_blind.c +@@ -13,20 +13,6 @@ + + #define BN_BLINDING_COUNTER 32 + +-struct bn_blinding_st { +- BIGNUM *A; +- BIGNUM *Ai; +- BIGNUM *e; +- BIGNUM *mod; /* just a reference */ +- CRYPTO_THREAD_ID tid; +- int counter; +- unsigned long flags; +- BN_MONT_CTX *m_ctx; +- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, +- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +- CRYPTO_RWLOCK *lock; +-}; +- + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) + { + BN_BLINDING *ret = NULL; +--- crypto/openssl/crypto/bn/bn_err.c.orig ++++ crypto/openssl/crypto/bn/bn_err.c +@@ -73,6 +73,8 @@ + {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, ++ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), ++ "ossl_bn_rsa_do_unblind"}, + {0, NULL} + }; + +--- crypto/openssl/crypto/bn/bn_local.h.orig ++++ crypto/openssl/crypto/bn/bn_local.h +@@ -263,6 +263,20 @@ + } cb; + }; + ++struct bn_blinding_st { ++ BIGNUM *A; ++ BIGNUM *Ai; ++ BIGNUM *e; ++ BIGNUM *mod; /* just a reference */ ++ CRYPTO_THREAD_ID tid; ++ int counter; ++ unsigned long flags; ++ BN_MONT_CTX *m_ctx; ++ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); ++ CRYPTO_RWLOCK *lock; ++}; ++ + /*- + * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions + * +--- /dev/null ++++ crypto/openssl/crypto/bn/rsa_sup_mul.c +@@ -0,0 +1,614 @@ ++#include <openssl/e_os2.h> ++#include <stddef.h> ++#include <sys/types.h> ++#include <string.h> ++#include <openssl/bn.h> ++#include <openssl/err.h> ++#include <openssl/rsaerr.h> ++#include "internal/numbers.h" ++#include "internal/constant_time.h" ++#include "bn_local.h" ++ ++# if BN_BYTES == 8 ++typedef uint64_t limb_t; ++# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 ++/* nonstandard; implemented by gcc on 64-bit platforms */ ++typedef __uint128_t limb2_t; ++# define HAVE_LIMB2_T ++# endif ++# define LIMB_BIT_SIZE 64 ++# define LIMB_BYTE_SIZE 8 ++# elif BN_BYTES == 4 ++typedef uint32_t limb_t; ++typedef uint64_t limb2_t; ++# define LIMB_BIT_SIZE 32 ++# define LIMB_BYTE_SIZE 4 ++# define HAVE_LIMB2_T ++# else ++# error "Not supported" ++# endif ++ ++/* ++ * For multiplication we're using schoolbook multiplication, ++ * so if we have two numbers, each with 6 "digits" (words) ++ * the multiplication is calculated as follows: ++ * A B C D E F ++ * x I J K L M N ++ * -------------- ++ * N*F ++ * N*E ++ * N*D ++ * N*C ++ * N*B ++ * N*A ++ * M*F ++ * M*E ++ * M*D ++ * M*C ++ * M*B ++ * M*A ++ * L*F ++ * L*E ++ * L*D ++ * L*C ++ * L*B ++ * L*A ++ * K*F ++ * K*E ++ * K*D ++ * K*C ++ * K*B ++ * K*A ++ * J*F ++ * J*E ++ * J*D ++ * J*C ++ * J*B ++ * J*A ++ * I*F ++ * I*E ++ * I*D ++ * I*C ++ * I*B ++ * + I*A ++ * ========================== ++ * N*B N*D N*F ++ * + N*A N*C N*E ++ * + M*B M*D M*F ++ * + M*A M*C M*E ++ * + L*B L*D L*F ++ * + L*A L*C L*E ++ * + K*B K*D K*F ++ * + K*A K*C K*E ++ * + J*B J*D J*F ++ * + J*A J*C J*E ++ * + I*B I*D I*F ++ * + I*A I*C I*E ++ * ++ * 1+1 1+3 1+5 ++ * 1+0 1+2 1+4 ++ * 0+1 0+3 0+5 ++ * 0+0 0+2 0+4 ++ * ++ * 0 1 2 3 4 5 6 ++ * which requires n^2 multiplications and 2n full length additions ++ * as we can keep every other result of limb multiplication in two separate ++ * limbs ++ */ ++ ++#if defined HAVE_LIMB2_T ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb2_t t; ++ /* ++ * this is idiomatic code to tell compiler to use the native mul ++ * those three lines will actually compile to single instruction ++ */ ++ ++ t = (limb2_t)a * b; ++ *hi = t >> LIMB_BIT_SIZE; ++ *lo = (limb_t)t; ++} ++#elif (BN_BYTES == 8) && (defined _MSC_VER) ++/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ ++#pragma intrinsic(_umul128) ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ *lo = _umul128(a, b, hi); ++} ++#else ++/* ++ * if the compiler doesn't have either a 128bit data type nor a "return ++ * high 64 bits of multiplication" ++ */ ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb_t a_low = (limb_t)(uint32_t)a; ++ limb_t a_hi = a >> 32; ++ limb_t b_low = (limb_t)(uint32_t)b; ++ limb_t b_hi = b >> 32; ++ ++ limb_t p0 = a_low * b_low; ++ limb_t p1 = a_low * b_hi; ++ limb_t p2 = a_hi * b_low; ++ limb_t p3 = a_hi * b_hi; ++ ++ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); ++ ++ *lo = p0 + (p1 << 32) + (p2 << 32); ++ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; ++} ++#endif ++ ++/* add two limbs with carry in, return carry out */ ++static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) ++{ ++ limb_t carry1, carry2, t; ++ /* ++ * `c = a + b; if (c < a)` is idiomatic code that makes compilers ++ * use add with carry on assembly level ++ */ ++ ++ *ret = a + carry; ++ if (*ret < a) ++ carry1 = 1; ++ else ++ carry1 = 0; ++ ++ t = *ret; ++ *ret = t + b; ++ if (*ret < t) ++ carry2 = 1; ++ else ++ carry2 = 0; ++ ++ return carry1 + carry2; ++} ++ ++/* ++ * add two numbers of the same size, return overflow ++ * ++ * add a to b, place result in ret; all arrays need to be n limbs long ++ * return overflow from addition (0 or 1) ++ */ ++static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t c = 0; ++ ossl_ssize_t i; ++ ++ for(i = n - 1; i > -1; i--) ++ c = _add_limb(&ret[i], a[i], b[i], c); ++ ++ return c; ++} ++ ++/* ++ * return number of limbs necessary for temporary values ++ * when multiplying numbers n limbs large ++ */ ++static ossl_inline size_t mul_limb_numb(size_t n) ++{ ++ return 2 * n * 2; ++} ++ ++/* ++ * multiply two numbers of the same size ++ * ++ * multiply a by b, place result in ret; a and b need to be n limbs long ++ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs ++ * long ++ */ ++static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) ++{ ++ limb_t *r_odd, *r_even; ++ size_t i, j, k; ++ ++ r_odd = tmp; ++ r_even = &tmp[2 * n]; ++ ++ memset(ret, 0, 2 * n * sizeof(limb_t)); ++ ++ for (i = 0; i < n; i++) { ++ for (k = 0; k < i + n + 1; k++) { ++ r_even[k] = 0; ++ r_odd[k] = 0; ++ } ++ for (j = 0; j < n; j++) { ++ /* ++ * place results from even and odd limbs in separate arrays so that ++ * we don't have to calculate overflow every time we get individual ++ * limb multiplication result ++ */ ++ if (j % 2 == 0) ++ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); ++ else ++ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); ++ } ++ /* ++ * skip the least significant limbs when adding multiples of ++ * more significant limbs (they're zero anyway) ++ */ ++ add(ret, ret, r_even, n + i + 1); ++ add(ret, ret, r_odd, n + i + 1); ++ } ++} ++ ++/* modifies the value in place by performing a right shift by one bit */ ++static ossl_inline void rshift1(limb_t *val, size_t n) ++{ ++ limb_t shift_in = 0, shift_out = 0; ++ size_t i; ++ ++ for (i = 0; i < n; i++) { ++ shift_out = val[i] & 1; ++ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); ++ shift_in = shift_out; ++ } ++} ++ ++/* extend the LSB of flag to all bits of limb */ ++static ossl_inline limb_t mk_mask(limb_t flag) ++{ ++ flag |= flag << 1; ++ flag |= flag << 2; ++ flag |= flag << 4; ++ flag |= flag << 8; ++ flag |= flag << 16; ++#if (LIMB_BYTE_SIZE == 8) ++ flag |= flag << 32; ++#endif ++ return flag; ++} ++ ++/* ++ * copy from either a or b to ret based on flag ++ * when flag == 0, then copies from b ++ * when flag == 1, then copies from a ++ */ ++static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ /* ++ * would be more efficient with non volatile mask, but then gcc ++ * generates code with jumps ++ */ ++ volatile limb_t mask; ++ size_t i; ++ ++ mask = mk_mask(flag); ++ for (i = 0; i < n; i++) { ++#if (LIMB_BYTE_SIZE == 8) ++ ret[i] = constant_time_select_64(mask, a[i], b[i]); ++#else ++ ret[i] = constant_time_select_32(mask, a[i], b[i]); ++#endif ++ } ++} ++ ++static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) ++{ ++ limb_t borrow1, borrow2, t; ++ /* ++ * while it doesn't look constant-time, this is idiomatic code ++ * to tell compilers to use the carry bit from subtraction ++ */ ++ ++ *ret = a - borrow; ++ if (*ret > a) ++ borrow1 = 1; ++ else ++ borrow1 = 0; ++ ++ t = *ret; ++ *ret = t - b; ++ if (*ret > t) ++ borrow2 = 1; ++ else ++ borrow2 = 0; ++ ++ return borrow1 + borrow2; ++} ++ ++/* ++ * place the result of a - b into ret, return the borrow bit. ++ * All arrays need to be n limbs long ++ */ ++static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t borrow = 0; ++ ossl_ssize_t i; ++ ++ for (i = n - 1; i > -1; i--) ++ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); ++ ++ return borrow; ++} ++ ++/* return the number of limbs necessary to allocate for the mod() tmp operand */ ++static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) ++{ ++ return (anum + modnum) * 3; ++} ++ ++/* ++ * calculate a % mod, place the result in ret ++ * size of a is defined by anum, size of ret and mod is modnum, ++ * size of tmp is returned by mod_limb_numb() ++ */ ++static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, ++ size_t modnum, limb_t *tmp) ++{ ++ limb_t *atmp, *modtmp, *rettmp; ++ limb_t res; ++ size_t i; ++ ++ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); ++ ++ atmp = tmp; ++ modtmp = &tmp[anum + modnum]; ++ rettmp = &tmp[(anum + modnum) * 2]; *** 398 LINES SKIPPED ***