git: 84e736e3222b - stable/12 - Import OpenSSL 1.1.1s
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 18 Nov 2022 03:20:33 UTC
The branch stable/12 has been updated by jkim:
URL: https://cgit.FreeBSD.org/src/commit/?id=84e736e3222be5e89065c66780fd2ff2d39cdef1
commit 84e736e3222be5e89065c66780fd2ff2d39cdef1
Author: Jung-uk Kim <jkim@FreeBSD.org>
AuthorDate: 2022-11-01 22:43:36 +0000
Commit: Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2022-11-18 03:15:25 +0000
Import OpenSSL 1.1.1s
(cherry picked from commit b6b67f23b82101d4c04c89f81d726b902ab77106)
---
crypto/openssl/CHANGES | 46 ++++++++++
crypto/openssl/NEWS | 10 +++
crypto/openssl/README | 2 +-
crypto/openssl/apps/apps.c | 15 +++-
crypto/openssl/apps/apps.h | 11 ++-
crypto/openssl/apps/ca.c | 8 +-
crypto/openssl/apps/ocsp.c | 4 +-
crypto/openssl/apps/s_cb.c | 28 +++---
crypto/openssl/apps/x509.c | 16 ++--
crypto/openssl/crypto/aes/asm/aesv8-armx.pl | 64 ++++++++++++-
crypto/openssl/crypto/asn1/charmap.pl | 9 +-
crypto/openssl/crypto/bn/bn_nist.c | 35 +++++---
crypto/openssl/crypto/bn/bn_prime.pl | 9 +-
crypto/openssl/crypto/conf/keysets.pl | 10 ++-
crypto/openssl/crypto/ec/ec_key.c | 10 +++
crypto/openssl/crypto/objects/obj_dat.pl | 11 +--
crypto/openssl/crypto/objects/objects.pl | 13 ++-
crypto/openssl/crypto/objects/objxref.pl | 13 ++-
crypto/openssl/crypto/pem/pem_lib.c | 4 +-
crypto/openssl/crypto/rand/drbg_lib.c | 20 ++---
crypto/openssl/crypto/rand/rand_lib.c | 8 +-
crypto/openssl/crypto/x509/x509_req.c | 46 ++++++----
crypto/openssl/crypto/x509/x509_vfy.c | 4 +-
crypto/openssl/crypto/x509/x_all.c | 11 ++-
crypto/openssl/crypto/x509v3/v3_addr.c | 17 ++--
crypto/openssl/crypto/x509v3/v3_lib.c | 6 +-
crypto/openssl/crypto/x509v3/v3_utl.c | 9 +-
crypto/openssl/doc/man1/x509.pod | 24 ++---
crypto/openssl/doc/man3/CMS_add0_cert.pod | 32 ++++---
crypto/openssl/doc/man3/CMS_verify.pod | 83 +++++++++--------
crypto/openssl/doc/man3/EC_KEY_new.pod | 20 +++--
crypto/openssl/doc/man3/EVP_EncryptInit.pod | 4 +-
crypto/openssl/doc/man3/OPENSSL_LH_COMPFUNC.pod | 4 +-
crypto/openssl/doc/man3/OPENSSL_init_crypto.pod | 4 +-
crypto/openssl/doc/man3/PKCS7_sign.pod | 47 +++++-----
crypto/openssl/doc/man3/PKCS7_sign_add_signer.pod | 55 +++++++-----
crypto/openssl/doc/man3/PKCS7_verify.pod | 104 ++++++++++++----------
crypto/openssl/doc/man3/X509_STORE_CTX_new.pod | 10 ++-
crypto/openssl/include/openssl/opensslv.h | 4 +-
crypto/openssl/ssl/packet.c | 8 +-
crypto/openssl/ssl/packet_local.h | 39 +++++++-
crypto/openssl/ssl/record/rec_layer_s3.c | 16 +++-
crypto/openssl/ssl/ssl_ciph.c | 6 +-
crypto/openssl/ssl/ssl_lib.c | 24 +++--
crypto/openssl/ssl/ssl_rsa.c | 83 ++++++++++++-----
crypto/openssl/ssl/statem/extensions_clnt.c | 5 +-
crypto/openssl/ssl/statem/extensions_srvr.c | 21 +++--
crypto/openssl/ssl/tls13_enc.c | 3 +-
48 files changed, 693 insertions(+), 342 deletions(-)
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index c18a1f514968..979170072d17 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -7,6 +7,52 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1r and 1.1.1s [1 Nov 2022]
+
+ *) Fixed a regression introduced in 1.1.1r version not refreshing the
+ certificate data to be signed before signing the certificate.
+
+ [Gibeom Gwon]
+
+ Changes between 1.1.1q and 1.1.1r [11 Oct 2022]
+
+ *) Fixed the linux-mips64 Configure target which was missing the
+ SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
+ platform.
+ [Adam Joseph]
+
+ *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
+ causing incorrect results in some cases as a result.
+ [Paul Dale]
+
+ *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
+ report correct results in some cases
+ [Matt Caswell]
+
+ *) Fixed a regression introduced in 1.1.1o for re-signing certificates with
+ different key sizes
+ [Todd Short]
+
+ *) Added the loongarch64 target
+ [Shi Pujin]
+
+ *) Fixed a DRBG seed propagation thread safety issue
+ [Bernd Edlinger]
+
+ *) Fixed a memory leak in tls13_generate_secret
+ [Bernd Edlinger]
+
+ *) Fixed reported performance degradation on aarch64. Restored the
+ implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
+ 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
+ reportedly 2-17% slower and the silicon errata only affects 32bit targets.
+ The new algorithm is still used for 32 bit targets.
+ [Bernd Edlinger]
+
+ *) Added a missing header for memcmp that caused compilation failure on some
+ platforms
+ [Gregor Jasny]
+
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
*) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 75e9ba062df3..c9e63eea63a6 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,16 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022]
+
+ o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the
+ certificate data to be signed before signing the certificate.
+
+ Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022]
+
+ o Added a missing header for memcmp that caused compilation failure on
+ some platforms
+
Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]
o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 79f9c611a933..2f6d91c6337c 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1q 5 Jul 2022
+ OpenSSL 1.1.1s 1 Nov 2022
Copyright (c) 1998-2022 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index db5b48e4cf2f..f2447fb0bef8 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -1376,7 +1376,8 @@ static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
#undef BSIZE
#define BSIZE 256
-BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
+BIGNUM *load_serial(const char *serialfile, int *exists, int create,
+ ASN1_INTEGER **retai)
{
BIO *in = NULL;
BIGNUM *ret = NULL;
@@ -1388,6 +1389,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
goto err;
in = BIO_new_file(serialfile, "r");
+ if (exists != NULL)
+ *exists = in != NULL;
if (in == NULL) {
if (!create) {
perror(serialfile);
@@ -1395,8 +1398,14 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
}
ERR_clear_error();
ret = BN_new();
- if (ret == NULL || !rand_serial(ret, ai))
+ if (ret == NULL) {
BIO_printf(bio_err, "Out of memory\n");
+ } else if (!rand_serial(ret, ai)) {
+ BIO_printf(bio_err, "Error creating random number to store in %s\n",
+ serialfile);
+ BN_free(ret);
+ ret = NULL;
+ }
} else {
if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
BIO_printf(bio_err, "unable to load number from %s\n",
@@ -1416,6 +1425,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
ai = NULL;
}
err:
+ if (ret == NULL)
+ ERR_print_errors(bio_err);
BIO_free(in);
ASN1_INTEGER_free(ai);
return ret;
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
index 34c3fd8633c1..3e8f50fda87b 100644
--- a/crypto/openssl/apps/apps.h
+++ b/crypto/openssl/apps/apps.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -527,9 +527,12 @@ typedef struct ca_db_st {
} CA_DB;
void* app_malloc(int sz, const char *what);
-BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai);
-int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
- ASN1_INTEGER **retai);
+
+/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
+BIGNUM *load_serial(const char *serialfile, int *exists, int create,
+ ASN1_INTEGER **retai);
+int save_serial(const char *serialfile, const char *suffix,
+ const BIGNUM *serial, ASN1_INTEGER **retai);
int rotate_serial(const char *serialfile, const char *new_suffix,
const char *old_suffix);
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
index 390ac37493c8..ea375ca0b1d3 100644
--- a/crypto/openssl/apps/ca.c
+++ b/crypto/openssl/apps/ca.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -842,7 +842,8 @@ end_of_options:
goto end;
}
} else {
- if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) {
+ serial = load_serial(serialfile, NULL, create_ser, NULL);
+ if (serial == NULL) {
BIO_printf(bio_err, "error while loading serial number\n");
goto end;
}
@@ -1078,7 +1079,8 @@ end_of_options:
if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
!= NULL)
- if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) {
+ if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL))
+ == NULL) {
BIO_printf(bio_err, "error while loading CRL number\n");
goto end;
}
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 27ec94fa6b8d..8f20864cea51 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -176,7 +176,7 @@ const OPTIONS ocsp_options[] = {
{"no_intern", OPT_NO_INTERN, '-',
"Don't search certificates contained in response for signer"},
{"badsig", OPT_BADSIG, '-',
- "Corrupt last byte of loaded OSCP response signature (for test)"},
+ "Corrupt last byte of loaded OCSP response signature (for test)"},
{"text", OPT_TEXT, '-', "Print text form of request and response"},
{"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
{"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index d066a423dee8..2f94c13393a5 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -74,22 +74,28 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
}
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- BIO_puts(bio_err, "issuer= ");
- X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
- 0, get_nameopt());
- BIO_puts(bio_err, "\n");
+ if (err_cert != NULL) {
+ BIO_puts(bio_err, "issuer= ");
+ X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
+ 0, get_nameopt());
+ BIO_puts(bio_err, "\n");
+ }
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- BIO_printf(bio_err, "notBefore=");
- ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
- BIO_printf(bio_err, "\n");
+ if (err_cert != NULL) {
+ BIO_printf(bio_err, "notBefore=");
+ ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
+ BIO_printf(bio_err, "\n");
+ }
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- BIO_printf(bio_err, "notAfter=");
- ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
- BIO_printf(bio_err, "\n");
+ if (err_cert != NULL) {
+ BIO_printf(bio_err, "notAfter=");
+ ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
+ BIO_printf(bio_err, "\n");
+ }
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
if (!verify_args.quiet)
diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
index 1f53504209de..8d4bf71a03ee 100644
--- a/crypto/openssl/apps/x509.c
+++ b/crypto/openssl/apps/x509.c
@@ -400,7 +400,7 @@ int x509_main(int argc, char **argv)
aliasout = ++num;
break;
case OPT_CACREATESERIAL:
- CA_createserial = ++num;
+ CA_createserial = 1;
break;
case OPT_CLREXT:
clrext = 1;
@@ -590,7 +590,7 @@ int x509_main(int argc, char **argv)
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
- if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ if (reqfile && !X509_set_issuer_name(x, X509_get_subject_name(xca)))
goto end;
}
@@ -916,6 +916,7 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
char *buf = NULL;
ASN1_INTEGER *bs = NULL;
BIGNUM *serial = NULL;
+ int defaultfile = 0, file_exists;
if (serialfile == NULL) {
const char *p = strrchr(CAfile, '.');
@@ -925,9 +926,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
memcpy(buf, CAfile, len);
memcpy(buf + len, POSTFIX, sizeof(POSTFIX));
serialfile = buf;
+ defaultfile = 1;
}
- serial = load_serial(serialfile, create, NULL);
+ serial = load_serial(serialfile, &file_exists, create || defaultfile, NULL);
if (serial == NULL)
goto end;
@@ -936,8 +938,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
goto end;
}
- if (!save_serial(serialfile, NULL, serial, &bs))
- goto end;
+ if (file_exists || create)
+ save_serial(serialfile, NULL, serial, &bs);
+ else
+ bs = BN_to_ASN1_INTEGER(serial, NULL);
end:
OPENSSL_free(buf);
@@ -989,6 +993,8 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;
}
+ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ goto end;
if (!X509_set_serialNumber(x, bs))
goto end;
diff --git a/crypto/openssl/crypto/aes/asm/aesv8-armx.pl b/crypto/openssl/crypto/aes/asm/aesv8-armx.pl
index 72f74295bf58..ff5b742cf5ed 100755
--- a/crypto/openssl/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/openssl/crypto/aes/asm/aesv8-armx.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -740,6 +740,21 @@ $code.=<<___;
#ifndef __ARMEB__
rev $ctr, $ctr
#endif
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat1,$dat0,$dat0
+ add $tctr1, $ctr, #1
+ vorr $dat2,$dat0,$dat0
+ add $ctr, $ctr, #2
+ vorr $ivec,$dat0,$dat0
+ rev $tctr1, $tctr1
+ vmov.32 ${dat1}[3],$tctr1
+ b.ls .Lctr32_tail
+ rev $tctr2, $ctr
+ sub $len,$len,#3 // bias
+ vmov.32 ${dat2}[3],$tctr2
+___
+$code.=<<___ if ($flavour !~ /64/);
add $tctr1, $ctr, #1
vorr $ivec,$dat0,$dat0
rev $tctr1, $tctr1
@@ -751,6 +766,8 @@ $code.=<<___;
vmov.32 ${ivec}[3],$tctr2
sub $len,$len,#3 // bias
vorr $dat2,$ivec,$ivec
+___
+$code.=<<___;
b .Loop3x_ctr32
.align 4
@@ -777,11 +794,25 @@ $code.=<<___;
aese $dat1,q8
aesmc $tmp1,$dat1
vld1.8 {$in0},[$inp],#16
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat0,$ivec,$ivec
+___
+$code.=<<___ if ($flavour !~ /64/);
add $tctr0,$ctr,#1
+___
+$code.=<<___;
aese $dat2,q8
aesmc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat1,$ivec,$ivec
+___
+$code.=<<___ if ($flavour !~ /64/);
rev $tctr0,$tctr0
+___
+$code.=<<___;
aese $tmp0,q9
aesmc $tmp0,$tmp0
aese $tmp1,q9
@@ -790,6 +821,12 @@ $code.=<<___;
mov $key_,$key
aese $dat2,q9
aesmc $tmp2,$dat2
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vorr $dat2,$ivec,$ivec
+ add $tctr0,$ctr,#1
+___
+$code.=<<___;
aese $tmp0,q12
aesmc $tmp0,$tmp0
aese $tmp1,q12
@@ -805,22 +842,47 @@ $code.=<<___;
aese $tmp1,q13
aesmc $tmp1,$tmp1
veor $in2,$in2,$rndlast
+___
+$code.=<<___ if ($flavour =~ /64/);
+ rev $tctr0,$tctr0
+ aese $tmp2,q13
+ aesmc $tmp2,$tmp2
+ vmov.32 ${dat0}[3], $tctr0
+___
+$code.=<<___ if ($flavour !~ /64/);
vmov.32 ${ivec}[3], $tctr0
aese $tmp2,q13
aesmc $tmp2,$tmp2
vorr $dat0,$ivec,$ivec
+___
+$code.=<<___;
rev $tctr1,$tctr1
aese $tmp0,q14
aesmc $tmp0,$tmp0
+___
+$code.=<<___ if ($flavour !~ /64/);
vmov.32 ${ivec}[3], $tctr1
rev $tctr2,$ctr
+___
+$code.=<<___;
aese $tmp1,q14
aesmc $tmp1,$tmp1
+___
+$code.=<<___ if ($flavour =~ /64/);
+ vmov.32 ${dat1}[3], $tctr1
+ rev $tctr2,$ctr
+ aese $tmp2,q14
+ aesmc $tmp2,$tmp2
+ vmov.32 ${dat2}[3], $tctr2
+___
+$code.=<<___ if ($flavour !~ /64/);
vorr $dat1,$ivec,$ivec
vmov.32 ${ivec}[3], $tctr2
aese $tmp2,q14
aesmc $tmp2,$tmp2
vorr $dat2,$ivec,$ivec
+___
+$code.=<<___;
subs $len,$len,#3
aese $tmp0,q15
aese $tmp1,q15
diff --git a/crypto/openssl/crypto/asn1/charmap.pl b/crypto/openssl/crypto/asn1/charmap.pl
index dadd8df7749d..52fa5a7900ca 100755
--- a/crypto/openssl/crypto/asn1/charmap.pl
+++ b/crypto/openssl/crypto/asn1/charmap.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -7,6 +7,9 @@
# https://www.openssl.org/source/license.html
use strict;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
my ($i, @arr);
@@ -82,8 +85,8 @@ $arr[ord("?")] |= $PSTRING_CHAR;
# Now generate the C code
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
+# Year the file was generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
print <<EOF;
/*
* WARNING: do not edit!
diff --git a/crypto/openssl/crypto/bn/bn_nist.c b/crypto/openssl/crypto/bn/bn_nist.c
index 325dc228490a..c29e62ed3fef 100644
--- a/crypto/openssl/crypto/bn/bn_nist.c
+++ b/crypto/openssl/crypto/bn/bn_nist.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -249,17 +249,28 @@ const BIGNUM *BN_get0_nist_prime_521(void)
return &_bignum_nist_p_521;
}
-static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
-{
- int i;
-
-#ifdef BN_DEBUG
- (void)ossl_assert(top <= max);
-#endif
- for (i = 0; i < top; i++)
- dst[i] = src[i];
- for (; i < max; i++)
- dst[i] = 0;
+/*
+ * To avoid more recent compilers (specifically clang-14) from treating this
+ * code as a violation of the strict aliasing conditions and omiting it, this
+ * cannot be declared as a function. Moreover, the dst parameter cannot be
+ * cached in a local since this no longer references the union and again falls
+ * foul of the strict aliasing criteria. Refer to #18225 for the initial
+ * diagnostics and llvm/llvm-project#55255 for the later discussions with the
+ * LLVM developers. The problem boils down to if an array in the union is
+ * converted to a pointer or if it is used directly.
+ *
+ * This function was inlined regardless, so there is no space cost to be
+ * paid for making it a macro.
+ */
+#define nist_cp_bn_0(dst, src_in, top, max) \
+{ \
+ int ii; \
+ const BN_ULONG *src = src_in; \
+ \
+ for (ii = 0; ii < top; ii++) \
+ (dst)[ii] = src[ii]; \
+ for (; ii < max; ii++) \
+ (dst)[ii] = 0; \
}
static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
diff --git a/crypto/openssl/crypto/bn/bn_prime.pl b/crypto/openssl/crypto/bn/bn_prime.pl
index b0b16087429b..d2eaac6564f8 100755
--- a/crypto/openssl/crypto/bn/bn_prime.pl
+++ b/crypto/openssl/crypto/bn/bn_prime.pl
@@ -1,13 +1,16 @@
#! /usr/bin/env perl
-# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
print <<"EOF";
/*
* WARNING: do not edit!
diff --git a/crypto/openssl/crypto/conf/keysets.pl b/crypto/openssl/crypto/conf/keysets.pl
index 27a7214cc519..9c9a00dea8d7 100755
--- a/crypto/openssl/crypto/conf/keysets.pl
+++ b/crypto/openssl/crypto/conf/keysets.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -8,6 +8,9 @@
use strict;
use warnings;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
my $NUMBER = 0x0001;
my $UPPER = 0x0002;
@@ -54,9 +57,8 @@ foreach (0 .. 127) {
push(@V_w32, $v);
}
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
print <<"EOF";
/*
* WARNING: do not edit!
diff --git a/crypto/openssl/crypto/ec/ec_key.c b/crypto/openssl/crypto/ec/ec_key.c
index 3017f0936c0d..63799002bc98 100644
--- a/crypto/openssl/crypto/ec/ec_key.c
+++ b/crypto/openssl/crypto/ec/ec_key.c
@@ -443,6 +443,16 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
&& key->meth->set_private(key, priv_key) == 0)
return 0;
+ /*
+ * Return `0` to comply with legacy behavior for this function, see
+ * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
+ */
+ if (priv_key == NULL) {
+ BN_clear_free(key->priv_key);
+ key->priv_key = NULL;
+ return 0; /* intentional for legacy compatibility */
+ }
+
/*
* We should never leak the bit length of the secret scalar in the key,
* so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
diff --git a/crypto/openssl/crypto/objects/obj_dat.pl b/crypto/openssl/crypto/objects/obj_dat.pl
index e5d38147eccf..e1b4a02f288f 100755
--- a/crypto/openssl/crypto/objects/obj_dat.pl
+++ b/crypto/openssl/crypto/objects/obj_dat.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -9,6 +9,9 @@
use integer;
use strict;
use warnings;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
# Generate the DER encoding for the given OID.
sub der_it
@@ -36,10 +39,8 @@ sub der_it
return $ret;
}
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[0]));
# Read input, parse all #define's into OID name and value.
# Populate %ln and %sn with long and short names (%dupln and %dupsn)
diff --git a/crypto/openssl/crypto/objects/objects.pl b/crypto/openssl/crypto/objects/objects.pl
index d7d1962c9999..8b258d4df509 100755
--- a/crypto/openssl/crypto/objects/objects.pl
+++ b/crypto/openssl/crypto/objects/objects.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -7,16 +7,15 @@
# https://www.openssl.org/source/license.html
use Getopt::Std;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
our($opt_n);
getopts('n');
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
-$iYEAR = [localtime([stat($ARGV[1])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[1], $ARGV[0]));
open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]";
$max_nid=0;
diff --git a/crypto/openssl/crypto/objects/objxref.pl b/crypto/openssl/crypto/objects/objxref.pl
index ce76cadae31c..4d4b9074fc26 100755
--- a/crypto/openssl/crypto/objects/objxref.pl
+++ b/crypto/openssl/crypto/objects/objxref.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -8,18 +8,17 @@
use strict;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
my %xref_tbl;
my %oid_tbl;
my ($mac_file, $xref_file) = @ARGV;
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($mac_file)]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
-$iYEAR = [localtime([stat($xref_file)]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $mac_file, $xref_file));
open(IN, $mac_file) || die "Can't open $mac_file, $!\n";
diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c
index 2de093595d0d..aae42d98d297 100644
--- a/crypto/openssl/crypto/pem/pem_lib.c
+++ b/crypto/openssl/crypto/pem/pem_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -621,7 +621,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
(BIO_write(bp, "-----\n", 6) != 6))
goto err;
- i = strlen(header);
+ i = header != NULL ? strlen(header) : 0;
if (i > 0) {
if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1))
goto err;
diff --git a/crypto/openssl/crypto/rand/drbg_lib.c b/crypto/openssl/crypto/rand/drbg_lib.c
index 8c7c28c9703a..d32fa80cf89d 100644
--- a/crypto/openssl/crypto/rand/drbg_lib.c
+++ b/crypto/openssl/crypto/rand/drbg_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -354,13 +354,8 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
drbg->state = DRBG_READY;
drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- if (drbg->enable_reseed_propagation) {
- if (drbg->parent == NULL)
- tsan_counter(&drbg->reseed_counter);
- else
- tsan_store(&drbg->reseed_counter,
- tsan_load(&drbg->parent->reseed_counter));
- }
+ if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+ tsan_counter(&drbg->reseed_counter);
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
@@ -444,13 +439,8 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
drbg->state = DRBG_READY;
drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- if (drbg->enable_reseed_propagation) {
- if (drbg->parent == NULL)
- tsan_counter(&drbg->reseed_counter);
- else
- tsan_store(&drbg->reseed_counter,
- tsan_load(&drbg->parent->reseed_counter));
- }
+ if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+ tsan_counter(&drbg->reseed_counter);
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
diff --git a/crypto/openssl/crypto/rand/rand_lib.c b/crypto/openssl/crypto/rand/rand_lib.c
index 5c72fad8ca26..3fdb56cb0024 100644
--- a/crypto/openssl/crypto/rand/rand_lib.c
+++ b/crypto/openssl/crypto/rand/rand_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -172,8 +172,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
if (RAND_DRBG_generate(drbg->parent,
buffer, bytes_needed,
prediction_resistance,
- (unsigned char *)&drbg, sizeof(drbg)) != 0)
+ (unsigned char *)&drbg, sizeof(drbg)) != 0) {
bytes = bytes_needed;
+ if (drbg->enable_reseed_propagation)
+ tsan_store(&drbg->reseed_counter,
+ tsan_load(&drbg->parent->reseed_counter));
+ }
rand_drbg_unlock(drbg->parent);
rand_pool_add_end(pool, bytes, 8 * bytes);
diff --git a/crypto/openssl/crypto/x509/x509_req.c b/crypto/openssl/crypto/x509/x509_req.c
index dd674926ddb5..c2b8cb9f3e2d 100644
--- a/crypto/openssl/crypto/x509/x509_req.c
+++ b/crypto/openssl/crypto/x509/x509_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -167,7 +167,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
ext = X509_ATTRIBUTE_get0_type(attr, 0);
break;
}
- if (!ext || (ext->type != V_ASN1_SEQUENCE))
+ if (ext == NULL) /* no extensions is not an error */
+ return sk_X509_EXTENSION_new_null();
+ if (ext->type != V_ASN1_SEQUENCE)
return NULL;
p = ext->value.sequence->data;
return (STACK_OF(X509_EXTENSION) *)
@@ -227,44 +229,52 @@ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
{
- return X509at_delete_attr(req->req_info.attributes, loc);
+ X509_ATTRIBUTE *attr = X509at_delete_attr(req->req_info.attributes, loc);
+
+ if (attr != NULL)
+ req->req_info.enc.modified = 1;
+ return attr;
}
int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
{
- if (X509at_add1_attr(&req->req_info.attributes, attr))
- return 1;
- return 0;
+ if (!X509at_add1_attr(&req->req_info.attributes, attr))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
const ASN1_OBJECT *obj, int type,
const unsigned char *bytes, int len)
{
- if (X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj,
- type, bytes, len))
- return 1;
- return 0;
+ if (!X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj,
+ type, bytes, len))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
int X509_REQ_add1_attr_by_NID(X509_REQ *req,
int nid, int type,
const unsigned char *bytes, int len)
{
- if (X509at_add1_attr_by_NID(&req->req_info.attributes, nid,
- type, bytes, len))
- return 1;
- return 0;
+ if (!X509at_add1_attr_by_NID(&req->req_info.attributes, nid,
+ type, bytes, len))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
int X509_REQ_add1_attr_by_txt(X509_REQ *req,
const char *attrname, int type,
const unsigned char *bytes, int len)
{
- if (X509at_add1_attr_by_txt(&req->req_info.attributes, attrname,
- type, bytes, len))
- return 1;
- return 0;
+ if (!X509at_add1_attr_by_txt(&req->req_info.attributes, attrname,
+ type, bytes, len))
+ return 0;
+ req->req_info.enc.modified = 1;
+ return 1;
}
long X509_REQ_get_version(const X509_REQ *req)
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index b18489f67f6e..925fbb541258 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -973,14 +973,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
time_t *ptime;
int i;
- if (notify)
- ctx->current_crl = crl;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
ptime = &ctx->param->check_time;
else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
return 1;
else
ptime = NULL;
+ if (notify)
+ ctx->current_crl = crl;
i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
diff --git a/crypto/openssl/crypto/x509/x_all.c b/crypto/openssl/crypto/x509/x_all.c
index a4e9cdaee837..fcf6b5ba3780 100644
*** 1440 LINES SKIPPED ***